Should a CA ACF2 logonid ever have both the STC and the RESTRICT privilege?
search cancel

Should a CA ACF2 logonid ever have both the STC and the RESTRICT privilege?

book

Article ID: 52678

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

Description:

No, STC is only meant for started tasks. Logonids with RESTRICT should not have the STC setting. The STC and RESTRICT settings are mutually exclusive and should not both be specified for a logonid.

Solution:

The RESTRICT logonid setting is meant to be used for production BATCH logonids. The RESTRICT attribute should not be specified with the STC attribute.

The RESTRICT logonid setting specifies that a logonid is primarily for batch use only. A restricted logonid does not require a password for user verification. ACF2 logs all jobs submitted by restricted logonids, except for jobs submitted by those jobs. When ACF2 reads the restricted logonid it will validate the access by the restricted logonid and create a logging record. You can display these loggings using the Restricted Logonid Job Log report, ACFRPTJL. Do not specify this field for online user logonids or for logonids with the STC attribute.

The STC logonid setting specifies that a logonid is for use by started tasks only. ACF2 for z/OS denies access to started tasks without this privilege unless the LOGONID is specified in the GSO STC record as the logonid that will be assigned to the started task. The STC attribute prevents logonids with this attribute from being inherited by submitted batch jobs or logging on to TSO.

You do not need to specify the RESTRICT, MON-LOG, or MONITOR with the STC attribute. ACF2 does not check for these fields for logonids with the STC privilege.

Details on the RESTRICT and STC logonid settings can be found in the CA-ACF2 Security for z/OS Administrator Guide section: Maintaining Logonid Records, section "Logonid Record Fields".

Details on the GSO STC record can be found in the CA-ACF2 Security for z/OS Administrator Guide section: Maintaining Global System Options Records, section "Started Task (STC)".

Environment

Release:
Component: ACF2MS

Resolution

-

Additional Information

Audited by Michael Blaha on 10/17/2023