How can a help desk user be set up to unsuspend users and change PASSWORD, PSWD-VIO, and other logonid fields in ACF2?
Beginning with R15.0, ACF2 was enhanced to allow end users who do not have any special logonid privileges to issue the ACF CHANGE subcommand in TSO/E or batch (including ACFBATCH) to change certain user-related fields. The change is permitted only if the issuing user has the proper access to the ACFCMD.USER.fieldname resource in the CASECAUT class.
An end user can only change user-related fields for other end users. An end user is a user who does not have SECURITY, ACCOUNT, AUDIT, LEADER or CONSULT, which are the special ACF2 logonid privileges. This is described in the ACF2 documentation section Review Logonid Privileges.
Here is a list of the logonid fields that can be changed and the CASECAUT resource name that is validated for each:
PASSWORD ACFCMD.USER.PASSWORD
PWPHRASE ACFCMD.USER.PWPHRASE
PWP-VIO ACFCMD.USER.PWP-VIO
PSWD-VIO ACFCMD.USER.PSWD-VIO
PSWDCVIO ACFCMD.USER.PSWDCVIO
KERB-VIO ACFCMD.USER.KERB-VIO
CANCEL ACFCMD.USER.CANCEL
SUSPEND ACFCMD.USER.SUSPEND
To implement the CASECAUT validations:
Note that a user with authority to the CASECAUT resource can only change other users at the same privilege level or lower. This means that a user with ACCOUNT authority can only modify users with ACCOUNT or lesser authority (ACCOUNT, AUDIT, LEADER, or CONSULT), so the matching privilege will be needed to change the fields of a privileged user.
There should always be at least two un-scoped security administrators defined in an ACF2 database so that there is always someone available that can change an un-scoped security administrator if needed.
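As an added illustration (not part of the original article), the following CASECAUT resource rule grants a help desk group access to only the password, password-violation and suspension fields. The rule type SAF, the UID mask HLPDSK-, the use of a PREVENT line as a catch-all and the REBUILD step are assumptions; check them against your site's CLASMAP records, UID string layout and rule conventions.

```text
SET RESOURCE(SAF)
COMPILE * STORE
* CASECAUT resource ACFCMD.USER.fieldname, one line per field to be changed
$KEY(ACFCMD) TYPE(SAF)
USER.PASSWORD UID(HLPDSK-) ALLOW
USER.PSWD-VIO UID(HLPDSK-) ALLOW
USER.SUSPEND  UID(HLPDSK-) ALLOW
* every other ACFCMD.USER.* field stays unavailable to the help desk UID mask
USER.-        UID(-) PREVENT
```

If the SAF type is made resident, the directory must be refreshed (for example with F ACF2,REBUILD(SAF)) before the rule takes effect; a help desk user matching the mask can then issue ACF subcommands such as CHANGE userid NOSUSPEND PSWD-VIO(0) against other end users, while attempts to change fields outside the ALLOW lines are rejected and logged as CASECAUT violations.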