How can a help desk user be set up to unsuspend users and change PASSWORD, PSWD-VIO, and any other fields?
Beginning with Release 15.0, CA-ACF2 allows end users who have no special logonid privileges to issue the ACF CHANGE subcommand in TSO/E or batch (including ACFBATCH) to change certain user-related fields, provided they have the proper access to the ACFCMD.USER.fieldname resource in the CASECAUT class. An end user can change user-related fields only for other end users. An end user is a user who does not have the SECURITY, ACCOUNT, AUDIT, LEADER, or CONSULT special ACF2 logonid privileges. This is described in the CA-ACF2 documentation set (https://techdocs.broadcom.com/) in the section "Identifying Who Can Maintain Logonid Records".
Here is a list of lid fields that can be changed and the resource name that is validated:
To implement the CASECAUT validations...
Step 1. Add AUT to the INFODIR:
CHANGE INFODIR TYPES(R-RAUT) ADD
Step 2. Write the resource rules:
USER.PASSWORD UID(uid string of user) ALLOW
USER.PSWD-VIO UID(uid string of user) ALLOW
Step 3. After you compile the records, load the new rules into storage:
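An added example, not part of the CA-ACF2 documentation: a pre-load review of the Step 2 rule lines in Python, flagging grants that go beyond a help desk's intended scope. The approved-field list, the HELPDESK UID string, the sample rules, and the treatment of an all-mask UID as "every user" are assumptions made for illustration.

```python
import re

# Rule-line shape taken from Step 2: "USER.<field> UID(<mask>) <action>".
RULE_RE = re.compile(
    r"^\s*USER\.(\S+)\s+UID\(([^)]*)\)\s+(ALLOW|LOG|PREVENT)\s*$", re.I)

# Assumption: the only fields this site wants the help desk to change.
APPROVED_FIELDS = {"PASSWORD", "PSWD-VIO"}


def review_rules(text, approved=APPROVED_FIELDS):
    """Return (line_no, severity, message) findings for the rule lines."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((no, "WARN", "unparsed line, review by hand"))
            continue
        field, mask, action = m.group(1).upper(), m.group(2), m.group(3).upper()
        if action == "PREVENT":
            continue  # grants nothing; ALLOW and LOG both permit the change
        # Assumption: a UID mask that is empty or only '*'/'-' matches everyone.
        if not mask.strip().strip("*-"):
            findings.append((no, "HIGH", f"USER.{field} is open to every UID"))
        # A masked field name means one rule covers more than one field.
        if "*" in field or field.endswith("-"):
            findings.append((no, "HIGH", f"USER.{field} masks several fields"))
        elif field not in approved:
            findings.append((no, "MEDIUM", f"USER.{field} is not approved"))
    return findings


# Constructed sample rule set; HELPDESK is a placeholder UID string.
SAMPLE = """\
USER.PASSWORD UID(HELPDESK) ALLOW
USER.PSWD-VIO UID(HELPDESK) ALLOW
USER.NAME UID(HELPDESK) ALLOW
USER.PASSWORD UID(*) ALLOW
USER.- UID(HELPDESK) LOG
"""

if __name__ == "__main__":
    for no, sev, msg in review_rules(SAMPLE):
        print(f"line {no}: {sev}: {msg}")
```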