The following table provides information about ACF2 account attributes.

Resource User Attribute | Data Type | Description |
---|---|---|
NAME | String | The user name displayed on logging and security violation reports |
PHONE | String | The user’s telephone number |
ACCESS.ACC-CNT | String | The number of system accesses made by this logonid since it was created |
ACCESS.ACC-DATE | String | The date of this user’s last system access |
ACCESS.ACC-SRCE | String | The logical or physical input source name or source group name where this logonid last accessed the system |
ACCESS.ACC-TIME | String | The time of this user’s last system access |
CANCEL/SUSPEND.CANCEL | Boolean | The logonid is canceled and denied access to the system |
CANCEL/SUSPEND.CSDATE | String | The date when the CANCEL or SUSPEND field was set |
CANCEL/SUSPEND.CSWHO | String | The logonid that set the CANCEL, SUSPEND, or MONITOR field |
CANCEL/SUSPEND.MON-LOG | Boolean | ACF2 writes an SMF record each time this user enters the system |
CANCEL/SUSPEND.MONITOR | Boolean | CA-ACF2 sends a message to the security console and to a designated person (CSWHO) each time this user enters the system |
CANCEL/SUSPEND.SUSPEND | Boolean | The logonid is suspended and denied access to the system |
CANCEL/SUSPEND.TRACE | Boolean | All data references by this user are traced and logged |
CICS.ACF2CICS | Boolean | Indicates that CA-ACF2 CICS security is to be initialized in any CICS/ESA 4.1 or later region running with this address space logonid |
CICS.CICSCL | String | CICS operator class |
CICS.CICSID | String | CICS operator ID |
CICS.CICSKEY | String | The first three bytes of transaction security key values to support CICS Release 1.6 and later |
CICS.CICSKEYX | String | The last five bytes of transaction security key values to support CICS Release 1.6 and later |
CICS.CICSPRI | String | CICS operator priority |
CICS.CICSRSL | String | CICS resource access key |
CICS.IDLE | String | The maximum number of minutes permitted between terminal transactions for this user |
IMS.MUSDLID | String | The default logonid for a MUSASS address space. |
IDMS.IDMSPROF | String | The name of the sign-on profile CLIST executed when the user signs on to CA-IDMS |
IDMS.IDMSPRVS | String | The version of the sign-on profile CLIST executed when the user signs on to CA-IDMS |
MUSASS.MUSID | String | Groups IMS records in the Infostorage database to ensure that IMS records are associated with the proper control region |
MUSASS.MUSIDINF | Boolean | The MUSID field should be used to restrict access to a MUSASS region for CA-ACF2 Info type system entry calls. |
MUSASS.MUSOPT | String | The name of the CA-ACF2 CA-IDMS options module that controls the CA-IDMS address space |
MUSASS.MUSPGM | String | The name of the CA-IDMS start up program |
MUSASS.MUSUPDT | Boolean | Allows the user to update the CA-ACF2 databases |
PRIVILEGES.ACCOUNT | Boolean | The user can insert, delete, and change logonids, as limited by a scope |
PRIVILEGES.ACTIVE | String | The logonid is automatically activated one minute after midnight on the date contained in this field |
PRIVILEGES.AUDIT | Boolean | With this privilege, a user can inspect, but not modify, the parameters of the CA-ACF2 system. |
PRIVILEGES.AUTODUMP | Boolean | Dump created when a data set or resource violation occurs |
PRIVILEGES.AUTONOPW | Boolean | This virtual machine can be autologged without specifying a password. |
PRIVILEGES.BDT | Boolean | This logonid’s address space belongs to the Bulk Data Transfer (BDT) product. |
PRIVILEGES.CICS | Boolean | The logonid has the authority to sign on to CICS. |
PRIVILEGES.CMD-PROP | Boolean | This indicates that the user can override the global CPF target list by using the SET TARGET command or the TARGET parameter. |
PRIVILEGES.CONSULT | Boolean | The user can display other logonids. |
PRIVILEGES.DUMPAUTH | Boolean | This user can generate a dump even when the address space is in an execute-only or path control environment. |
PRIVILEGES.EXPIRE | String | The date when temporary logonids expire. |
PRIVILEGES.IDMS | Boolean | The logonid has the authority to sign on to CA-IDMS. |
PRIVILEGES.JOB | Boolean | The user can enter batch and background Terminal Monitor Program (TMP) jobs. |
PRIVILEGES.JOBFROM | Boolean | The user can use the //*JOBFROM control statement. |
PRIVILEGES.LEADER | Boolean | The user can display and alter certain fields of other logonids for other users. |
PRIVILEGES.LOGSHIFT | Boolean | A user can access the system outside the time period specified in the SHIFT field of the logonid record. |
PRIVILEGES.MAINT | Boolean | A user can use a specified program executed from a specified library to access resources without logging or validation. |
PRIVILEGES.MUSASS | Boolean | This logonid is a multiple user single address space system (MUSASS). |
PRIVILEGES.NO-INH | Boolean | A network job cannot inherit this logonid from its submitter. |
PRIVILEGES.NO-SMC | Boolean | Step-must-complete (SMC) controls are bypassed; a job is considered noncancelable for the duration of the sensitive VSAM update operation. |
PRIVILEGES.NO-STORE | Boolean | This user is unauthorized to store or delete rule sets. |
PRIVILEGES.NON-CNCL | Boolean | A user can access all data, even if a rule prohibits this access. |
PRIVILEGES.PGM | String | The specified APF-authorized program to submit jobs for this logonid. |
PRIVILEGES.PPGM | Boolean | The user can execute those protected programs specified in the GSO PPGM record. |
PRIVILEGES.PRIV-CTL | Boolean | Checks privilege control resource rules when the user accesses the system to see what additional privileges and authorities the user has. |
PRIVILEGES.PROGRAM | String | The specified APF-authorized program to submit jobs for this logonid. |
PRIVILEGES.READALL | Boolean | The logonid has only read access to all data at the site. |
PRIVILEGES.REFRESH | Boolean | This user is authorized to issue the F ACF2,REFRESH operator command from the operator’s console. |
PRIVILEGES.RESTRICT | Boolean | This restricted logonid is for production use and does not require a password for user verification. |
PRIVILEGES.RSRCVLD | Boolean | Specifies that a resource rule must authorize any accesses that a user makes. |
PRIVILEGES.RULEVLD | Boolean | An access rule must exist for all data this user accesses. |
PRIVILEGES.SCPLIST | String | The infostorage scope record that restricts accesses for this privileged user. |
PRIVILEGES.SECURITY | Boolean | This user is a security administrator who, in the limits of his scope, can create, maintain, and delete access rules, resource rules, and infostorage records. |
PRIVILEGES.STC | Boolean | Only started tasks use this logonid. |
PRIVILEGES.SUBAUTH | Boolean | Only an APF-authorized program can submit jobs specifying this logonid. |
PRIVILEGES.SYNCNODE | String | The node where the synchronized logonid for this logonid is found in the Logonid database |
PRIVILEGES.TAPE-BLP | Boolean | This user can use full bypass label processing (BLP) when accessing tape data sets |
PRIVILEGES.TAPE-LBL | Boolean | This user has limited BLP when accessing tape data sets. |
PRIVILEGES.TSO | Boolean | This user is authorized to sign on to TSO. |
PRIVILEGES.VAX | Boolean | This logonid has associated VAX (UAF) infostorage records. |
PRIVILEGES.VLDRSTCT | Boolean | Turning on this field for a RESTRICT logonid indicates that PROGRAM and SUBAUTH are to be validated even when the logonid is inherited. |
PASSWORD.MAXDAYS | String | The maximum number of days permitted between password changes before the password expires. If the value is zero, no limit is enforced. |
PASSWORD.MINDAYS | String | The minimum number of days that must elapse before the user can change the password |
PASSWORD.PSWD-DAT | String | The date of the last invalid password attempt |
PASSWORD.PSWD-EXP | Boolean | The user’s password was manually expired (forced to expire). |
PASSWORD.PSWD-INV | String | The number of password violations that occurred since the last successful logon |
PASSWORD.PSWD-SRCE | String | The logical or physical input source name or source group name where the last invalid password for this logonid was received |
PASSWORD.PSWD-TIM | String | The time when the last invalid password for this logonid was received |
PASSWORD.PSWD-TOD | String | The date and time the password was last changed |
PASSWORD.PSWD-VIO | String | The number of password violations occurring on PSWD-DAT |
PASSWORD.PSWD-XTR | Boolean | The password for this logonid is halfway-encrypted and can be extracted by an APF-authorized program. |
RESTRICTIONS.AUTHSUP1 through AUTHSUP8 | Boolean | These fields can activate extended user authentication (EUA) for each designated system user. |
RESTRICTIONS.GROUP | String | The group or project name associated with this user |
RESTRICTIONS.PREFIX | String | The high-level index of the data sets that this user owns and can access |
RESTRICTIONS.SHIFT | String | The shift record that defines when a user is permitted to log on to the system |
RESTRICTIONS.SOURCE | String | The logical or physical input source name or source group name where this logonid must access the system |
RESTRICTIONS.VMACCT | String | A logonid field that holds the default account number for a virtual machine |
RESTRICTIONS.VMIDLEMN | String | The number of minutes that this user can be idle on the system before idle terminal processing begins |
RESTRICTIONS.VMIDLEOP | String | The type of idle terminal processing to perform when the user exceeds the idle time limit |
RESTRICTIONS.ZONE | String | The name of the Infostorage Database zone record defining the time zone where this logonid normally accesses the system (that is, the user’s local time zone) |
STATISTICS.SEC-VIO | String | The total number of security violations for this user |
STATISTICS.UPD-TOD | String | The date and time that this logonid record was last updated |
TSO.ACCTPRIV | Boolean | Indicates whether the user has TSO accounting privileges |
TSO.ALLCMDS | Boolean | The user can enter a special prefix character to bypass the CA-ACF2 restricted command lists |
TSO.ATTR2 | String | The IBM program control facility (PCF) uses the PSCBATR2 field for command limiting and data set protection. |
TSO.CHAR | String | The TSO character-delete character for this user |
TSO.CMD-LONG | Boolean | Indicates that only the listed command and aliases are accepted when using TSO command lists. |
TSO.DFT-DEST | String | The default remote destination for TSO spun SYSOUT data sets |
TSO.DFT-PFX | String | The default TSO prefix that is set in the user’s profile at logon time. |
TSO.DFT-SOUT | String | The default TSO SYSOUT class |
TSO.DFT-SUBC | String | The default TSO submit class |
TSO.DFT-SUBH | String | The default TSO submit hold class |
TSO.DFT-SUBM | String | The default TSO submit message class |
TSO.INTERCOM | Boolean | This user is willing to accept messages from other users through the TSO SEND command. |
TSO.JCL | Boolean | This user can submit batch jobs from TSO and use the SUBMIT, STATUS, CANCEL, and OUTPUT commands |
TSO.LGN-ACCT | Boolean | This user can specify an account number at logon time. |
TSO.LGN-DEST | Boolean | The user can specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field. |
TSO.LGN-MSG | Boolean | This user can specify message class at logon time. |
TSO.LGN-PERF | Boolean | This user can specify a performance group at logon time. |
TSO.LGN-PROC | Boolean | This user can specify the TSO procedure name at logon time. |
TSO.LGN-RCVR | Boolean | This user can use the recover option of the TSO or TSO/E command package. |
TSO.LGN-SIZE | Boolean | This user is authorized to specify any region size at logon time. |
TSO.LGN-TIME | Boolean | This user can specify the TSO session time limit at logon time. |
TSO.LGN-UNIT | Boolean | This user can specify the TSO unit name at logon time. |
TSO.LINE | String | The TSO line-delete character |
TSO.MAIL | Boolean | Receive mail messages from TSO at logon time |
TSO.MODE | Boolean | Receive modal messages from TSO |
TSO.MOUNT | Boolean | This user can issue mounts for devices. |
TSO.MSGID | Boolean | Prefix TSO message IDs |
TSO.NOTICES | Boolean | Receive TSO notices at logon time |
TSO.OPERATOR | Boolean | This user has TSO operator privileges |
TSO.PAUSE | Boolean | Causes a program to pause when a command executed in a CLIST issues a multilevel message |
TSO.PMT-ACCT | Boolean | Forces this user to specify an account number at logon time |
TSO.PMT-PROC | Boolean | Forces this user to specify a TSO procedure name at logon time |
TSO.PROMPT | Boolean | Prompt for missing or incorrect parameters |
TSO.RECOVER | Boolean | Use the recover option of the TSO or TSO/E command package |
TSO.TSOACCT | String | The user’s default TSO logon account |
TSO.TSOCMDS | String | The name of the TSO command list module that contains the list of the commands that this user is authorized to use. |
TSO.TSOFSCRN | Boolean | This user has the full-screen logon display. |
TSO.TSOPERF | String | The user’s default TSO performance group |
TSO.TSOPROC | String | The user’s default TSO procedure name |
TSO.TSORBA | String | The mail index record pointer (MIRP) for this user |
TSO.TSORGN | String | The user’s default TSO region size (in K bytes) if the user does not specify a size at logon time |
TSO.TSOSIZE | String | The user’s maximum TSO region size (in K bytes) unless the user has the LGN-SIZE field specified |
TSO.TSOTIME | String | The user’s default TSO time parameter |
TSO.TSOUNIT | String | The user’s default TSO unit name |
TSO.VLD-ACCT | Boolean | Indicates CA-ACF2 is to validate the TSO account number |
TSO.VLD-PROC | Boolean | Indicates CA-ACF2 is to validate the TSO procedure name |
TSO.WTP | Boolean | Displays write-to-programmer (WTP) messages |