When a user enters invalid passwords several times in a single day and the number of invalid attempts exceeds the GSO PASSLMT value the user will receive the ACF01013 message at logon time:
ACF01013 LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS
However, when doing a TSO ACF LIST of the user, the SUSPEND attribute is not set. Why is the SUSPEND bit not set?
The suspension is considered a logical condition. When a logonid is suspended due to password violations, the logonid is NOT updated to show SUSPEND. When doing a TSO ACF LIST of the user, the SUSPEND attribute is not displayed. See the note below for an explanation of the SUSPEND logonid field. The suspended condition (as indicated by the ACF01013 message) is determined by the PSWD-VIO field of the user's logonid record exceeding the GSO PSWD PASSLMT value.
There are several different fields that come into play. The GSO PSWD record has MAXTRY and PASSLMT. MAXTRY is the number of prompts after invalid passwords that will be issued in a single logon before the user is returned to VTAM (or session manager). PASSLMT specifies the maximum number of invalid password attempts permitted in a single day before ACF2 denies all accesses to the system by the logonid. Any attempt to logon after the PASSLMT number has been reached will be denied with the message:
"ACF01013 LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS"
In the logonid record, PSWD-DAT specifies the date of the last invalid password attempt. PSWD-TIM is the time of the last invalid password attempt. PSWD-INV is the number of invalid passwords since the last successful logon. A successful logon resets this field to 0.
Security administrators and account managers can reset the invalid password count by entering the following operator command:
F ACF2,RESET(logonid)
The ISPF panels or the ACF CHANGE subcommand can also be used to reduce or change the PSWD-INV count to 0.
PSWD-VIO is the number of password violations on that day (PSWD-DAT). This field is reset to 1 when an invalid password attempt occurs on a different day, and is reset to 0 when the password for the logonid is changed.
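The interaction of these fields is easier to see in a small model. The following Python is an added example written for this article; it is not ACF2 code and does not reproduce the real logonid record layout. The GSO values (MAXTRY=2, PASSLMT=3) are constructed sample values, the field names mirror the article's (PSWD-INV, PSWD-VIO, PSWD-DAT, PSWD-TIM, CSWHO, CSDATE), and two details are modeling choices: the ACF01013 check is applied before every password prompt, and "PASSLMT reached" is read as PSWD-VIO >= PASSLMT for the current day.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample GSO PSWD values for this model; a site's real record will differ.
MAXTRY = 2    # password prompts allowed in one logon before return to VTAM
PASSLMT = 3   # invalid attempts per day before the logonid is logically suspended

ACF01013 = "ACF01013 LOGONID {lid} SUSPENDED BECAUSE OF PASSWORD VIOLATIONS"


@dataclass
class Logonid:
    """Only the logonid-record fields the article discusses (a model, not the real layout)."""
    lid: str
    password: str
    pswd_inv: int = 0                 # invalid passwords since the last successful logon
    pswd_vio: int = 0                 # invalid passwords on the day held in PSWD-DAT
    pswd_dat: Optional[date] = None   # date of the last invalid attempt
    pswd_tim: Optional[datetime] = None
    suspend: bool = False             # the SUSPEND/CANCEL bit shown by TSO ACF LIST
    cswho: Optional[str] = None       # logonid that set the SUSPEND/CANCEL bit
    csdate: Optional[date] = None


def is_logically_suspended(rec: Logonid, today: date, passlmt: int = PASSLMT) -> bool:
    """The ACF01013 condition: today's PSWD-VIO has reached PASSLMT.
    The SUSPEND bit is neither consulted nor set here."""
    return rec.pswd_dat == today and rec.pswd_vio >= passlmt


def record_invalid_attempt(rec: Logonid, when: datetime) -> None:
    """Update PSWD-DAT/TIM/INV/VIO after one wrong password."""
    today = when.date()
    rec.pswd_vio = 1 if rec.pswd_dat != today else rec.pswd_vio + 1  # new day restarts at 1
    rec.pswd_inv += 1
    rec.pswd_dat = today
    rec.pswd_tim = when


def logon(rec: Logonid, attempts: List[str], when: datetime,
          maxtry: int = MAXTRY, passlmt: int = PASSLMT) -> str:
    """One logon session with up to MAXTRY prompts; returns the outcome."""
    if rec.suspend:
        return "DENIED (SUSPEND/CANCEL bit set)"
    for pw in attempts[:maxtry]:
        # Modeling choice: the daily-limit check runs before each prompt.
        if is_logically_suspended(rec, when.date(), passlmt):
            return ACF01013.format(lid=rec.lid)
        if pw == rec.password:
            rec.pswd_inv = 0      # a successful logon resets PSWD-INV only; PSWD-VIO is kept
            return "LOGGED ON"
        record_invalid_attempt(rec, when)
    return "RETURNED TO VTAM (MAXTRY reached)"


def change_password(rec: Logonid, new_password: str) -> None:
    """A password change resets PSWD-VIO to 0, which clears the ACF01013 condition."""
    rec.password = new_password
    rec.pswd_vio = 0


def set_suspend(rec: Logonid, by: str, on: date) -> None:
    """The physical SUSPEND/CANCEL bit, as set by an administrator or the CICS/IMS interfaces."""
    rec.suspend = True
    rec.cswho = by
    rec.csdate = on


def acf_list(rec: Logonid) -> Dict[str, object]:
    """What a TSO ACF LIST would show for the modeled fields; SUSPEND appears only if the bit is set."""
    shown: Dict[str, object] = {
        "PSWD-INV": rec.pswd_inv, "PSWD-VIO": rec.pswd_vio,
        "PSWD-DAT": rec.pswd_dat, "PSWD-TIM": rec.pswd_tim,
    }
    if rec.suspend:
        shown.update({"SUSPEND": True, "CSWHO": rec.cswho, "CSDATE": rec.csdate})
    return shown


if __name__ == "__main__":
    rec = Logonid("USER01", "secret")          # constructed sample logonid
    day1 = datetime(2024, 1, 10, 9, 0)
    print(logon(rec, ["bad1", "bad2"], day1))  # two prompts, returned to VTAM
    print(logon(rec, ["bad3", "secret"], day1))  # third violation, then ACF01013
    print(acf_list(rec))                       # no SUSPEND attribute, yet logon is denied
```

Walking the sample through: two wrong passwords in the first session exhaust MAXTRY and leave PSWD-VIO at 2; one more in the second session reaches PASSLMT, so the correct password on the very next prompt is answered with ACF01013 while `acf_list` still shows no SUSPEND attribute. A logon on the following day starts PSWD-VIO again at 1, and a password change clears it to 0, which is why neither path needs the SUSPEND bit to be touched.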
ACFRPTPW is a report that identifies invalid password attempts. It is useful for checking where and when the invalid attempts occur: a foreign or unknown SOURCE can indicate attempted unauthorized or malicious access using that logonid. For details on the ACFRPTPW report see: ACFRPTPW - Invalid Password/Authority Log
Note: The SUSPEND or CANCEL that may be displayed when doing a TSO ACF LIST of a logonid is an indication that this logonid cannot be used to access the system. ACF2 does not differentiate between CANCEL and SUSPEND. The CANCEL/SUSPEND bit can be set by a SECURITY Administrator or by the ACF2/CICS or ACF2/IMS interfaces. The CSWHO and CSDATE fields of the logonid record will indicate which logonid set the SUSPEND/CANCEL bit and the date that the bit was set.
For details on the ACF2/CICS SUSPEND processing see section "SUSPEND-User Suspensions" in Chapter 5: CICS Interface Parameters of the CA-ACF2 Security for z/OS CICS Support Guide.
For details on the ACF2/IMS SUSPEND processing see section "Logonid Suspension (SUSPEND)" in Chapter 6: System Control Options of the CA-ACF2 Security for z/OS IMS Support Guide.