Resource User Attribute
|
Data Type
|
Description
|
NAME
|
string
|
The user name displayed on logging and security violation reports
|
PHONE
|
string
|
The user’s telephone number
|
ACCESS.ACC-CNT
|
string
|
The number of system accesses made by this logonid since it was created
|
ACCESS.ACC-DATE
|
string
|
The date of this user’s last system access
|
ACCESS.ACC-SRCE
|
string
|
The logical or physical input source name or source group name where this logonid last accessed the system
|
ACCESS.ACC-TIME
|
string
|
The time of this user’s last system access
|
CANCEL/SUSPEND.CANCEL
|
boolean
|
The logonid is canceled and denied access to the system
|
CANCEL/SUSPEND.CSDATE
|
string
|
The date when the CANCEL or SUSPEND field was set
|
CANCEL/SUSPEND.CSWHO
|
string
|
The logonid that set the CANCEL, SUSPEND, or MONITOR field
|
CANCEL/SUSPEND.MON-LOG
|
boolean
|
ACF2 writes an SMF record each time this user enters the system
|
CANCEL/SUSPEND.MONITOR
|
boolean
|
CA-ACF2 sends a message to the security console and to a designated person (CSWHO) each time this user enters the system
|
CANCEL/SUSPEND.SUSPEND
|
boolean
|
The logonid is suspended and denied access to the system
|
CANCEL/SUSPEND.TRACE
|
boolean
|
All data references by this user are traced and logged
|
CICS.ACF2CICS
|
boolean
|
Indicates that CA-ACF2 CICS security is to be initialized in any CICS/ESA 4.1 or later region running with this address space logonid
|
CICS.CICSCL
|
string
|
CICS operator class
|
CICS.CICSID
|
string
|
CICS operator ID
|
CICS.CICSKEY
|
string
|
The first three bytes of transaction security key values to support CICS Release 1.6 and later
|
CICS.CICSKEYX
|
string
|
The last five bytes of transaction security key values to support CICS Release 1.6 and later
|
CICS.CICSPRI
|
string
|
CICS operator priority
|
CICS.CICSRSL
|
string
|
CICS resource access key
|
CICS.IDLE
|
string
|
The maximum number of minutes permitted between terminal transactions for this user
|
IMS.MUSDLID
|
string
|
The default logonid for a MUSASS address space.
|
IDMS.IDMSPROF
|
string
|
The name of the sign-on profile CLIST executed when the user signs on to CA-IDMS
|
IDMS.IDMSPRVS
|
string
|
The version of the sign-on profile CLIST executed when the user sign on to CA-IDMS
|
MUSASS.MUSID
|
string
|
Groups IMS records in the Infostorage database to ensure that IMS records are associated with the proper control region
|
MUSASS.MUSIDINF
|
boolean
|
The MUSID field should be used to restrict access to a MUSASS region for CA-ACF2 Info type system entry calls.
|
MUSASS.MUSOPT
|
string
|
The name of the CA-ACF2 CA-IDMS options module that controls the CAIDMS address space
|
MUSASS.MUSPGM
|
string
|
The name of the CA-IDMS start up program
|
MUSASS.MUSUPDT
|
boolean
|
Allows the user to update the CA-ACF2 databases
|
PRIVILEGES.ACCOUNT
|
boolean
|
The user can insert, delete, and change logonids, as limited by a scope
|
PRIVILEGES.ACTIVE
|
string
|
The logonid is automatically activated one minute after midnight on the date contained in this field
|
PRIVILEGES.AUDIT
|
boolean
|
With this privilege, a user can inspect, but not modify, the parameters of the CAACF2 system.
|
PRIVILEGES.AUTODUMP
|
boolean
|
Dump created when a data set or resource violation occurs
|
PRIVILEGES.AUTONOPW
|
boolean
|
This virtual machine can be autologged without specifying a password.
|
PRIVILEGES.BDT
|
boolean
|
This logonid’s address space belongs to the Bulk Data Transfer (BDT) product.
|
PRIVILEGES.CICS
|
boolean
|
The logonid has the authority to sign on to CICS.
|
PRIVILEGES.CMD-PROP
|
boolean
|
This indicates that the user can override the global CPF target list by using the SET TARGET command or the TARGET parameter.
|
PRIVILEGES.CONSULT
|
boolean
|
The user can display other logonids.
|
PRIVILEGES.DUMPAUTH
|
boolean
|
This user can generate a dump even when the address space is in an execute-only or path control environment.
|
PRIVILEGES.EXPIRE
|
string
|
The date when .temporary. logonids expire.
|
PRIVILEGES.IDMS
|
boolean
|
The logonid has the authority to sign on to CA-IDMS.
|
PRIVILEGES.JOB
|
boolean
|
The user can enter batch and background Terminal Monitor Program (TMP) jobs.
|
PRIVILEGES.JOBFROM
|
boolean
|
The user can use the //*JOBFROM control statement.
|
PRIVILEGES.LEADER
|
boolean
|
The user can display and alter certain fields of other logonids for other users.
|
PRIVILEGES.LOGSHIFT
|
boolean
|
A user can access the system outside the time period specified in the SHIFT field of the logonid record.
|
PRIVILEGES.MAINT
|
boolean
|
A user can use a specified program executed from a specified library to access resources without loggings or validation.
|
PRIVILEGES.MUSASS
|
boolean
|
This logonid is a multiple user single address space system (MUSASS).
|
PRIVILEGES.NO-INH
|
boolean
|
A network job cannot inherit this logonid from its submitter.
|
PRIVILEGES.NO-SMC
|
boolean
|
Step-must-complete (SMC) controls are bypassed; a job is considered noncancelable for the duration of the sensitive VSAM update operation.
|
PRIVILEGES.NO-STORE
|
boolean
|
This user is unauthorized to store or delete rule sets.
|
PRIVILEGES.NON-CNCL
|
boolean
|
A user can access all data, even if a rule prohibits this access.
|
PRIVILEGES.PGM
|
string
|
The specified APF-authorized program to submit jobs for this logonid.
|
PRIVILEGES.PPGM
|
boolean
|
The user can execute those protected programs specified in the GSO PPGM record.
|
PRIVILEGES.PRIV-CTL
|
boolean
|
Checks privilege control resource rules when the user accesses the system to see what additional privileges and authorities the user has.
|
PRIVILEGES.PROGRAM
|
string
|
The specified APF-authorized program to submit jobs for this logonid.
|
PRIVILEGES.READALL
|
boolean
|
The logonid has only read access to all data at the site.
|
PRIVILEGES.REFRESH
|
boolean
|
This user is authorized to issue the F ACF2,REFRESH operator command from the operator.s console.
|
PRIVILEGES.RESTRICT
|
boolean
|
This restricted logonid is for production use and does not require a password for user verification.
|
PRIVILEGES.RSRCVLD
|
boolean
|
Specifies that a resource rule must authorize any accesses that a user makes.
|
PRIVILEGES.RULEVLD
|
boolean
|
An access rule must exist for all data this user accesses.
|
PRIVILEGES.SCPLIST
|
string
|
The infostorage scope record that restricts accesses for this privileged user.
|
PRIVILEGES.SECURITY
|
boolean
|
This user is a security administrator who, in the limits of his scope, can create, maintain, and delete access rules, resource rules, and infostorage records.
|
PRIVILEGES.STC
|
boolean
|
Only started tasks use this logonid.
|
PRIVILEGES.SUBAUTH
|
boolean
|
Only an APF-authorized program can submit jobs specifying this logonid.
|
PRIVILEGES.SYNCNODE
|
string
|
The node where the synchronized logonid for this logonid is found in the Logonid database
|
PRIVILEGES.TAPE-BLP
|
boolean
|
This user can use full bypass label processing (BLP) when accessing tape data sets
|
PRIVILEGES.TAPE-LBL
|
boolean
|
This user has limited BLP when accessing tape data sets.
|
PRIVILEGES.TSO
|
boolean
|
This user is authorized to sign on to TSO.
|
PRIVILEGES.VAX
|
boolean
|
This logonid has associated VAX (UAF) infostorage records.
|
PRIVILEGES.VLDRSTCT
|
boolean
|
Turning on this field for a RESTRICT logonid indicates that PROGRAM and SUBAUTH are to be validated even when the logonid is inherited.
|
PASSWORD.MAXDAYS
|
string
|
The maximum number of days permitted between password changes before the password expires. If the value is zero, no limit is enforced.
|
PASSWORD.MINDAYS
|
string
|
The minimum number of days that must elapse before the user can change the password
|
PASSWORD.PSWD-DAT
|
string
|
The date of the last invalid password attempt
|
PASSWORD.PSWD-EXP
|
boolean
|
The user’s password was manually expired (forced to expire).
|
PASSWORD.PSWD-INV
|
string
|
The number of password violations that occurred since the last successful logon
|
PASSWORD.PSWD-SRCE
|
string
|
The logical or physical input source name or source group name where the last invalid password for this logonid was received
|
PASSWORD.PSWD-TIM
|
string
|
The time when the last invalid password for this logonid was received
|
PASSWORD.PSWD-TOD
|
string
|
The date and time the password was last changed
|
PASSWORD.PSWD-VIO
|
string
|
The number of password violations occurring on PSWD-DAT
|
PASSWORD.PSWD-XTR
|
boolean
|
The password for this logonid is halfway-encrypted and can be extracted by an APF-authorized program.
|
RESTRICTIONS.AUTHSUP1 through AUTHSUP8
|
boolean
|
These fields can activate extended user authentication (EUA) for each designated system user.
|
RESTRICTIONS.GROUP
|
string
|
The group or project name associated with this user
|
RESTRICTIONS.PREFIX
|
string
|
The high-level index of the data sets that this user owns and can access
|
RESTRICTIONS.SHIFT
|
string
|
The shift record that defines when a user is permitted to log on to the system
|
RESTRICTIONS.SOURCE
|
string
|
The logical or physical input source name or source group name where this logonid must access the system
|
RESTRICTIONS.VMACCT
|
string
|
A loginid field that holds the default account number for a virtual machine
|
RESTRICTIONS.VMIDLEMN
|
string
|
The number of minutes that this user can be idle on the system before idle terminal processing begins
|
RESTRICTIONS.VMIDLEOP
|
string
|
The type of idle terminal processing to perform when the user exceeds the idle time limit
|
RESTRICTIONS.ZONE
|
string
|
The name of the Infostorage Database zone record defining the time zone where this logonid normally accesses the system (that is, the user’s local time zone)
|
STATISTICS.SEC-VIO
|
string
|
The total number of security violations for this user
|
STATISTICS.UPD-TOD
|
string
|
The date and time that this logonid record was last updated
|
TSO.ACCTPRIV
|
boolean
|
Indicates whether the user has TSO accounting privileges
|
TSO.ALLCMDS
|
boolean
|
The user can enter a special prefix character to bypass the CA-ACF2 restricted command lists
|
TSO.ATTR2
|
string
|
The IBM program control facility (PCF) uses the PSCBATR2 field for command limiting and data set protection.
|
TSO.CHAR
|
string
|
The TSO character-delete character for this user
|
TSO.CMD-LONG
|
boolean
|
Indicates that only the listed command and aliases are accepted when using TSO command lists.
|
TSO.DFT-DEST
|
string
|
The default remote destination for TSO spun SYSOUT data sets
|
TSO.DFT-PFX
|
string
|
The default TSO prefix that is set in the user’s profile at logon time.
|
TSO.DFT-SOUT
|
string
|
The default TSO SYSOUT class
|
TSO.DFT-SUBC
|
string
|
The default TSO submit class
|
TSO.DFT-SUBH
|
string
|
The default TSO submit hold class
|
TSO.DFT-SUBM
|
string
|
The default TSO submit message class
|
TSO.INTERCOM
|
boolean
|
This user is willing to accept messages from other users through the TSO SEND command.
|
TSO.JCL
|
boolean
|
This user can submit batch jobs from TSO and use the SUBMIT, STATUS, CANCEL, and OUTPUT commands
|
TSO.LGN-ACCT
|
boolean
|
This user can specify an account number at logon time.
|
TSO.LGN-DEST
|
boolean
|
The user can specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field.
|
TSO.LGN-MSG
|
boolean
|
This user can specify message class at logon time.
|
TSO.LGN-PERF
|
boolean
|
This user can specify a performance group at logon time.
|
TSO.LGN-PROC
|
boolean
|
This user can specify the TSO procedure name at logon time.
|
TSO.LGN-RCVR
|
boolean
|
This user can use the recover option of the TSO or TSO/E command package.
|
TSO.LGN-SIZE
|
boolean
|
This user is authorized to specify any region size at logon time.
|
TSO.LGN-TIME
|
boolean
|
This user can specify the TSO session time limit at logon time.
|
TSO.LGN-UNIT
|
boolean
|
This user can specify the TSO unit name at logon time.
|
TSO.LINE
|
string
|
The TSO line-delete character
|
TSO.MAIL
|
boolean
|
Receive mail messages from TSO at logon time
|
TSO.MODE
|
boolean
|
Receive modal messages from TSO
|
TSO.MOUNT
|
boolean
|
This user can issue mounts for devices.
|
TSO.MSGID
|
boolean
|
Prefix TSO message IDs
|
TSO.NOTICES
|
boolean
|
Receive TSO notices at logon time
|
TSO.OPERATOR
|
boolean
|
This user has TSO operator privileges
|
TSO.PAUSE
|
boolean
|
Causes a program to pause when a command executed in a CLIST issues a multilevel message
|
TSO.PMT-ACCT
|
boolean
|
Forces this user to specify an account number at logon time
|
TSO.PMT-PROC
|
boolean
|
Forces this user to specify a TSO procedure name at logon time
|
TSO.PROMPT
|
boolean
|
Prompt for missing or incorrect parameters
|
TSO.RECOVER
|
boolean
|
Use the recover option of the TSO or TSO/E command package
|
TSO.TSOACCT
|
string
|
The user’s default TSO logon account
|
TSO.TSOCMDS
|
string
|
The name of the TSO command list module that contains the list of the commands that this user is authorized to use.
|
TSO.TSOFSCRN
|
boolean
|
This user has the full-screen logon display.
|
TSO.TSOPERF
|
string
|
The user’s default TSO performance group
|
TSO.TSOPROC
|
string
|
The user’s default TSO procedure name
|
TSO.TSORBA
|
string
|
The mail index record pointer (MIRP) for this user
|
TSO.TSORGN
|
string
|
The user’s default TSO region size (in K bytes) if the user does not specify a size at logon time
|
TSO.TSOSIZE
|
string
|
The user’s maximum TSO region size (in K bytes) unless the user has the LGS-SZE field specified
|
TSO.TSOTIME
|
string
|
The user’s default TSO time parameter
|
TSO.TSOUNIT
|
string
|
The user’s default TSO unit name
|
TSO.VLD-ACCT
|
boolean
|
Indicates CA-ACF2 is to validate the TSO account number
|
TSO.VLD-PROC
|
boolean
|
Indicates CA-ACF2 is to validate the TSO procedure name
|
TSO.WTP
|
boolean
|
Displays write-to-programmer (WTP) messages
|