Security Admin gets ACF04056 violation changing GROUP on logonid record


Article ID: 37702


Updated On:

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Question:

Security Administrators are getting an ACF04056 violation when changing GROUP on the logonid record. We just added the RSRCVLD bit to protect resources from Security Admins. After this change, all Security Admins trying to change a GROUP on the logonid record got an ACF04056 violation. Why?

Cause:

ACF2 validates the group rules for changes to the GROUP field on the logonid record. This only affects Security Admins who have RSRCVLD or who are scoped and not in the group.

Answer:

First, decide whether the Security Admin needs the access or whether a full, unscoped Security Admin should make the change. If you decide that all SECURITY logonids should be able to change all GROUP fields, then you need to add a rule:

TSO ACF

SET RESOURCE(TGR)

COMPILE

.$KEY(********) TYPE(TGR)

. UID(uid string or group of the SECURITY ids) ALLOW

.end

STORE

SET CONTROL(GSO)

CHANGE INFODIR TYPES(R-RTGR) ADD

F ACF2,REFRESH(INFODIR)

F ACF2,REBUILD(TGR)

 

 

Environment

Release:
Component: ACF2MS