ACF2 command limiting, benefits, how is it setup and how to determine if active


Article ID: 54064


Updated On:


ACF2 ACF2 - DB2 Option ACF2 - z/OS ACF2 - MISC



CA ACF2 TSO command limiting allows a site to enhance security in the TSO environment by implementing TSO command restrictions for individual logonids or globally for a site. CA ACF2 logonid fields, C(GSO) TSO parameters and a command limiting module are used to implement CA ACF2 TSO command limiting. CA ACF2 commands can be used to determine if CA ACF2 command limiting is in effect.



Component: ACF2MS


The CA ACF2 TSO restricted commands list contains the commands that a user is authorized to use. The list can define the available TSO commands for an individual user or for your entire site. Command limiting applies to TSO commands entered in READY mode or under ISPF.

CA ACF2 TSO command lists can be specified for individual logonids or globally.

To activate this feature for an individual, use the TSOCMDS field of the logonid record; to activate it for your entire site, use the CMDLIST field of the C(GSO) record named TSO. If you do not specify a system-wide default and leave the TSOCMDS field blank, TSO operates without CA-ACF2 command limiting.

To check if CA ACF2 TSO command limiting is being used the following can be done.

  1. To check if any logonids have a command list specified in their TSOCMDS logonid field the following command can be issued from TSO:
  2. To determine if there is a global command list specified in the CA ACF2 C(GSO) TSO record the following command can be issued from TSO:
    Look for "TSO CMD LIST= " which will specify the command list module being used, or "NONE" if there is no global command list.

CA ACF2 first checks the logonid record for a TSO command list (TSOCMDS field). If no TSOCMDS is specified, CA ACF2 then checks the C(GSO) TSO record (CMDLIST parameter). If both the TSOCMDS field for the user and the global C(GSO) TSO CMDLIST are blank, users are not restricted or limited in their TSO commands.

In a LOGONID record, the TSOCMDS and ALLCMDS parameters can be used with TSO command limiting:

- TSOCMDS: Specifies the name of a TSO command list module that contains the list of commands that this user is authorized to use. You cannot mask this field. Command limiting is effective for all logonids, including privileged ones. It takes place in all modes with the exception of QUIET. (Eight characters)
- ALLCMDS: Indicates the ability to bypass the CA ACF2 restricted command lists by entering a special prefix character. ALLCMDS works in conjunction with the C(GSO) TSO BYPASS character parameter.

In the C(GSO) TSO record, there are the CMDLIST and BYPASS parameters:

- CMDLIST: Specifies the default TSO command limiting list. If you specify a module, no users, even privileged logonids, can run without the command list present in a link list library. This field is optional and has no default. It is effective in all modes with the exception of QUIET.
- BYPASS: Defines the TSO command list bypass character. The default value is a pound sign (#).

The restricted commands list module is defined using the $TSOCST, $TSOCEND, and $TSOCMD macros, which can be found in the CA ACF2 CAI.CAIMAC library. The restricted commands lists are link edited with the RENT attribute into a library in the system link list. The module name of the restricted command list can be specified in the logonid TSOCMDS field or the CA ACF2 GSO TSO CMDLIST parameter. A sample TSO command list can be found in the CAI.CAX1MAC0 member ACF$CMDS.

Sample JCL:

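//* Add a JOB statement for your site ahead of these two steps.
//* The EXEC statements, the ASM-step SYSPUNCH and SYSIN, and SYSLMOD
//* are reconstructed assumptions; check them against site standards.
//ASM      EXEC PGM=ASMA90,PARM='DECK,NOOBJECT'
//SYSLIB   DD  DISP=SHR,DSN=SYS1.MODGEN
//         DD  DISP=SHR,DSN=SYS1.MACLIB
//         DD  DISP=SHR,DSN=SECMF.ACFR16.CAX1MAC0
//SYSUT1   DD  UNIT=VIO,SPACE=(1700,(1200,300))
//SYSUT2   DD  UNIT=VIO,SPACE=(1700,(1200,300))
//SYSUT3   DD  UNIT=VIO,SPACE=(1700,(1200,300))
//SYSLIN   DD  DUMMY
//SYSPRINT DD  SYSOUT=*
//SYSTERM  DD  SYSOUT=*
//SYSPUNCH DD  DISP=(NEW,PASS),DSN=&&TEMP,SPACE=(TRK,(5,5)),
//         UNIT=SYSDA
//SYSIN    DD  DISP=SHR,DSN=your.ACFR16.CAX1MAC0(ACF$CMDS)
//* Link edit the object deck with the RENT attribute.
//LINK     EXEC PGM=IEWL,PARM='RENT'
//SYSPRINT DD  SYSOUT=*
//SYSPUNCH DD  DISP=(OLD,PASS),DSN=&&TEMP
//SYSUT1   DD  UNIT=DISK,SPACE=(CYL,10)
//SYSLMOD  DD  DISP=SHR,DSN=your.ACF2R16.LINKLST
//SYSIN    DD  DUMMY
//SYSLIN   DD  *
 INCLUDE SYSPUNCH
 NAME    TSOCMDMO(R)
/*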

- your.ACFR16.CAX1MAC0(ACF$CMDS): the library that contains your copy of the modified sample TSO command list member ACF$CMDS.
- your.ACF2R16.LINKLST: a LINKLIST library that your modified TSO command list module will be linked into.
- TSOCMDMO: the TSO command limiting module that is specified in a logonid TSOCMDS(module) field.

When adding new entries to a command list, the user must log off and log back on to the system to see the new table entries.
After adding new entries to the command list, an LLA refresh is required.


Sample ACF$CMDS member:

*  LICENSE:                                                  
*     THIS IS A PART OF THE ACF2 SYSTEM.                     
*     Copyright (c) 2015 CA, INC. All rights reserved.       
ACF$CMDS CSECT                                               
         $TSOCST  ,                                          
         $TSOCMD  ACF                                        
         $TSOCMD  ACFCOMP                                    
         $TSOCMD  ACFDEL                                     
         $TSOCMD  (ACFN,ACFNRULE)                            
         $TSOCMD  ACFSUB                                     
         $TSOCMD  ACCOUNT                                    
         $TSOCMD  ALLOCATE                                   
         $TSOCMD  (ATTRIB,ATTR)                              
         $TSOCMD  (PRINT,REPRO,VERIFY,VFY)                   


         $TSOCMD  WHEN               
         $TSOCMD  ,                  
         $TSOCMD  ,                  
         $TSOCEND ,                  
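
For reviewing a command list before it is linked, the following added example (not CA ACF2 code and not part of the original article) parses $TSOCMD statements from a source member and applies the lookup order described above: logonid TSOCMDS first, then C(GSO) TSO CMDLIST, otherwise no limiting. The function names and sample source are constructed for illustration. It assumes every name inside a parenthesised $TSOCMD operand is a listed command name, and it models ALLCMDS with the BYPASS prefix as skipping the list check.

```python
import re

# Constructed sample in the style of the ACF$CMDS member (not a real site list).
SAMPLE_SOURCE = """\
*  CONSTRUCTED SAMPLE FOR THIS EXAMPLE
TSOCMDMO CSECT
         $TSOCST  ,
         $TSOCMD  ACF
         $TSOCMD  ALLOCATE
         $TSOCMD  (ATTRIB,ATTR)
         $TSOCMD  ,
         $TSOCEND ,
"""

def parse_command_list(source):
    """Return the set of command names coded on $TSOCMD statements."""
    names = set()
    for line in source.splitlines():
        if line.startswith("*"):            # assembler comment line
            continue
        m = re.search(r"\$TSOCMD\s+(\S+)", line[:71])  # columns 1-71 only
        if not m or m.group(1) == ",":      # "$TSOCMD ," is an empty entry
            continue
        names.update(n for n in m.group(1).strip("()").split(",") if n)
    return names

def effective_list(lid_tsocmds, gso_cmdlist):
    """Logonid TSOCMDS wins; else GSO TSO CMDLIST; else None (no limiting)."""
    lid = (lid_tsocmds or "").strip().upper()
    gso = (gso_cmdlist or "").strip().upper()
    if lid:
        return lid
    return gso if gso and gso != "NONE" else None

def is_permitted(entered, modules, lid_tsocmds="", gso_cmdlist="",
                 allcmds=False, bypass="#"):
    """modules maps a module name to the set parsed from its source."""
    module = effective_list(lid_tsocmds, gso_cmdlist)
    if module is None:
        return True                         # command limiting not in effect
    if allcmds and entered.startswith(bypass):
        return True                         # ALLCMDS plus the BYPASS prefix
    words = entered.split()
    # A module that is named but not available permits nothing in this model.
    return bool(words) and words[0].upper() in modules.get(module, set())
```
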

Additional Information

For details regarding the TSOCMDS and ALLCMDS see the CA ACF2 Administrator Guide, Chapter 3: Maintaining Logonid Records, section "Logonid Record Fields".

For details regarding the GSO TSO CMDLIST and BYPASS parameter see the CA ACF2 Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Time-Sharing Options and Defaults (TSO)".

For details on creating TSO command lists see the CA ACF2 System Programmer Guide, section "eTrust CA-ACF2 TSO Facilities", sub-section "Restricting TSO Commands".