How can I give a special privilege, like NON-CNCL, to a user for a short period of time?
There is a PRIV-CTL attribute you can add to a user's lidrec. At signon, it causes a series
of validations against the resource class PRIVCTL, using as resource names the
privileges/attributes that can be "temporarily" assigned to the user. The in-storage copy of
the user's lidrec is then updated with the privileges allowed by the rules.
You would first have to define a CLASMAP record to map PRIVCTL to PRV, or some other 3
characters of your choice. If you want to give the user NON-CNCL for 5 days, the rule would
look similar to this:
ACF
SET R(PRV) <------new TYPE code defined in CLASMAP record
$KEY(NON-CNCL) TYPE(PRV)
UID(uid of user) FOR(5) ALLOW
where the FOR value is the number of days from the rule compile date. A value of 0 indicates
"today only".
If the user gains access to a resource because of the NON-CNCL privilege on his lidrec
(whether it is permanent or temporary), ACF2 will generate a logging SMF record that would
show up in the ACFRPTDS or ACFRPTRV reports. If the user gains access to a resource because
a rule exists that gives him that access, no SMF record is generated, unless the rule specifies
LOG instead of ALLOW.
More information can be found in the CA ACF2 for z/OS Administration Guide, Chapter 2,
under the topic "Providing Dynamic Logonid Privileges".