Description:
You can use the ACF2 GSO STC record to set up a logonid that can be used as a started task even though the logonid does not have the STC logonid privilege bit. Logonids that do not have the STC logonid privilege bit can be used to log on to TSO and OMVS.
Solution:
The Started Task (STC) logonid privilege bit specifies that a logonid is for use by started tasks only. In all cases but one, ACF2 denies access to started tasks whose logonid lacks this privilege; likewise, it prevents logonids with this attribute from submitting batch jobs or logging on to TSO. The one exception is a started task that is assigned a logonid based on the GSO Started Task (STC) record. The GSO STC record assigns a logonid and optional groupid based on the started task ID.
The following example uses the ACF2 GSO STC record to set up the HTTPSRV logonid so that it can be used as a started task when the logonid does not have the STC logonid privilege bit.
    SET CONTROL(GSO)
    INSERT STC.http LOGONID(IHSV7) STCID(stcname for HTTP)
Note: The LOGONID and stcname for HTTP cannot be the same.
With the above example, you will be able to log on to TSO and OMVS with the IHS logonid to perform administrative functions and still be able to start the HTTP server STC with the IHSV7 logonid, as long as the started task name differs from the logonid to be used.
Details on the ACF2 GSO STC record can be found in the ACF2 Security for z/OS Administrator Guide in Chapter 14: Maintaining Global System Options Records, section "Started Task (STC)".