Account Attributes
The Account schema contains the following attributes, which describe accounts in the ACF2 application.

ACF2 ID of the user

List of groups this user belongs to

Max address space size

Max CPU time for a dubbed process

Max files per process

Home directory, that is, the pathname of the initial directory used when a user enters the OMVS command or the ISPF shell

Maximum number of bytes of non-shared memory space that can be allocated by the user

Maximum number of bytes of shared memory space that can be allocated by the user

Max data space pages for HFS mappings - OMVS user profile

OMVS shell program started when the OMVS command is entered or when an OMVS batch job is started using the BPXBATCH program - OMVS user profile

Max number of processes - OMVS user profile

Max number of pthread-created threads - OMVS user profile

User identification - OMVS user profile

Operator ID - CICS user profile

Operator priority - CICS user profile

Idle time value - CICS user profile

Indicates whether the user is signed off (FORCE) or not signed off (NOFORCE) when an XRF takeover occurs - CICS user profile

Operator class values - CICS user profile

User should be automatically signed on to OMVS DCE - DCE user profile

UUID 36 characters - DCE user profile

Home cell UUID - DCE user profile

Home cell name - DCE user profile

Principal name of the user - DCE user profile

Kerberos-principal-name - KERB user profile

Maximum ticket life in seconds - KERB user profile

Number of Kerberos key violations for user

DES encryption type is set for this logonid - KERB user profile

DES3 encryption type is set for this logonid - KERB user profile

DESD encryption type is set for this logonid - KERB user profile

Three-character language code for the primary language of user - LANGUAGE user profile

Three-character language code for the secondary language of user - LANGUAGE user profile

Application-user-id - LNOTES user profile

Application-user-id - NDS user profile

Amount of storage in MB to be used for message queuing - OPERPARM user profile

Authority level to issue console commands (MASTER,ALL,SYSTEM,IO,CONSOLE,INFO) - OPERPARM user profile

Indicates whether to receive unsolicited messages - OPERPARM user profile

Message-format (TIME,SYSID,JOBNAME,MESSAGE,EXEMPT) - OPERPARM user profile

Options when monitoring jobs, TSO users or data set status (JOBNAMES,TSOSESS,TSOTIME,STATUS) - OPERPARM user profile

Routing codes or ranges associated with this console session - OPERPARM user profile

Whether command responses are to be logged in the hard copy log - OPERPARM user profile

Whether a one-byte migration ID is to be assigned to this console - OPERPARM user profile

Delete-operator-message (NORMAL,ALL,NONE) - OPERPARM user profile

Whether undelivered messages are to be received - OPERPARM user profile

Console key - OPERPARM user profile

System name to which commands issued from this console are to be sent - OPERPARM user profile

Console group to be used in recovery - OPERPARM user profile

A list of system names from which this console can receive messages that are not directed to a specific console - OPERPARM user profile

Messages to be received by this console (OPER REPLY, IMMEDIATE, CRITICAL EVENTUAL, EVENTUAL, INFO, NO BROADCAST, ALL) - OPERPARM user profile

User name - WORKATTR user profile

Building name - WORKATTR user profile

Department name - WORKATTR user profile

Room name - WORKATTR user profile

Address line 1 - WORKATTR user profile

Address line 2 - WORKATTR user profile

Address line 3 - WORKATTR user profile

Address line 4 - WORKATTR user profile

Account number - WORKATTR user profile

The initial command to be executed when the user signs on - NETVIEW user profile

Default z/OS console identifier - NETVIEW user profile

Security check indicator - NETVIEW user profile

Indicates whether the user can receive unsolicited messages - NETVIEW user profile

Indicates whether the user has administrative authority to the Graphic Monitor Facility - NETVIEW user profile

A list of scope classes - NETVIEW user profile

A list of program identifiers in another domain to which the user has authority - NETVIEW user profile

Default TSO region size in kilobytes

Maximum TSO region size

Revoke type (SUSPEND, CANCEL, Both) of the user

Name of the user

Telephone number of a user

UID pseudo field, concatenation of selected logon ID fields

Multiple values UID

Default group name for a logon ID

Number of cumulative security violations for a user

Date and time that this logon ID record was last updated (read only)

Node name where this logon ID record is stored in a logon ID database in a distributed database network (read only)

Whether a message is sent to the security console and to a designated person each time this user enters the system

Whether CA ACF2 creates SMF loggings for all data set and resource access attempts made by this user

Whether an SMF record is written (for the Invalid Password - Authority Log, ACFRPTPW) each time this user enters the system

Whether CA ACF2 traces all TSO commands issued by this user for the Command Statistics Report (ACFRPTCR)

Activates the logon ID one minute after midnight on the date contained in this field

When the privileges for this logon ID will expire

Date that the CANCEL, SUSPEND, MON-LOG, or MONITOR field was set for this user

Logon ID of the user who set the CANCEL, SUSPEND, MON-LOG, or MONITOR field for this user (read only)

User is a security administrator

User can insert, list, change, and delete logon ID records

User can display and alter certain fields of logon ID records for other users

User can display the records and parameters of the CA ACF2 system

User can display other logon ID records

User can issue the /F ACF2,REFRESH operator command to update GSO

User has read and execute access to all data sets at the site

Program (name or mask) must be used to submit jobs for this logon ID

Scope record that restricts accesses for this privileged user

User can log on to TSO

Batch or background jobs can use this logon ID

Logon ID is for use by started tasks only

User can sign on to CICS

User can sign on to IMS

Address space for this logonid belongs to the Bulk Data Transfer (BDT) product

User can use full bypass label processing (BLP) when accessing tape data sets

User has limited bypass label processing authority when using tapes

Jobs that specify this logon ID can be submitted only through APF-authorized programs

User can use //*JOBFROM control statements

User can access the system outside of the time period specified in the SHIFT field of the logon ID record

CA ACF2 takes an SVC dump whenever a data set or resource violation occurs

User can generate a dump, even in an execute-only environment

Logon ID is for production use only. A restricted logon ID does not require a password for user verification

Access rule must authorize any data set accesses that a user makes

User cannot store or delete rule sets

Network job cannot inherit this logon ID from its submitter

User can bypass step-must-complete (SMC) controls

A logon ID can access data sets without CA ACF2 rule validation or loggings by means of a specified program executed from a specified library

A user with the NON-CNCL privilege defined in their logonid record has full access to any data set or resource despite any security violations that can occur during the access attempt

User can execute the protected programs specified in the GSO PPGM record

Name of the node where the synchronized logonid for a user resides. This node name is the logical node name as defined by a NETNODE record.

User can use the SET TARGET command or the TARGET parameter on the INSERT, CHANGE, LIST, and DELETE commands to override the global CPF target list

Count of system accesses made by this logonid since it was created (read only)

The date of the last system access by this user (read only)

Logical or physical input source name or source group name from which this user last accessed the system (read only)

Time of the last system access by this user (read only)

Password has been manually expired

Date and time when a password was last changed

Date of the last invalid password or password phrase attempt (read only)

Last time a user entered an invalid password (read only)

Logical or physical input source name or source group name from which a user last entered an invalid password (read only)

Number of password violations that occurred since the last successful logon (read only)

Number of password violations that occurred on PSWD-DAT

Maximum number of days permitted between password changes before the password expires

Minimum number of days that must elapse before a user can change their password

Default remote destination for TSO-spun SYSOUT data sets

Default TSO prefix that is set in the user profile at logon time

Default TSO SYSOUT class

Default TSO submit class

Default TSO submit hold class

Default TSO submit message class

Permission to specify an account number at logon time

CA ACF2 requires a user to specify an account number at logon time

Permission to specify the TSO procedure name at logon time

CA ACF2 requires a user to specify a TSO procedure name at logon time

Permission to use the recover option of TSO

User is authorized to specify any region size at logon time (overriding TSOSIZE)

Permission to specify the TSO session time limit at logon time

Permission to specify the TSO unit name at logon time

Permission to specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field

User has permission to specify a message class at logon time

Permission to specify a performance group at logon time

User wants to receive modal messages from TSO

User has TSO operator privileges

Permits user to access the TSO CONSOLE facility

User wants a program to pause when a multilevel message is issued by a command executed in a CLIST

CA ACF2 prompts a user for missing or incorrect parameters

Permission to issue mounts for devices

User can specify the recover option of TSO

Default TSO logon account

TSO command list module name that contains the list of commands that this user is authorized to use

User can use the full-screen logon display

Default TSO performance group

Default TSO procedure name

Mail Index Record Pointer (MIRP) for this user

Default TSO time parameter, which is the CPU time limit (in minutes) associated with the TSO session

Default TSO unit name

CA ACF2 displays write-to-programmer messages

User is willing to accept messages from other users through the TSO SEND command

Indicates the ability to submit batch jobs from TSO and to use SUBMIT, STATUS, CANCEL, and OUTPUT commands

User can receive mail messages from TSO at logon time

User can receive TSO notices at logon time

TSO line-delete character

TSO character-delete character for this user

Enables a site to do TSO command limiting when SYS1.UADS is used instead of the Logonid database

CA ACF2 should bypass the TSO command list feature for this user

CA ACF2 validates the TSO account number of a user

CA ACF2 validates the TSO procedure name of a user

User wants TSO messages to have message IDs prefixed

User has TSO accounting privileges

Indicates the ability to bypass the CA ACF2 restricted command lists by entering a special prefix character

CA ACF2 CICS security is to be initialized in any CICS region running with this address space logon ID

CICS operator class

CICS operator ID

CICS operator priority

CICS resource access key

Maximum time permitted (in minutes) between terminal transactions for this user

Default logon ID for a multiple-user single address space system (MUSASS) address space

Multiple-user single address space ID (MUSASS)

A MUSASS logonid with this privilege has the authority to make calls on behalf of users who are updating the databases

Logical or physical input source name or source group name from which a user must access the system

Shift record name that defines the period during which a user can log on to the system

Zone record name that defines the timezone from which this logonid normally accesses the system

Prefix key of the rule used to validate access to a dataset

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

Extended user authentication (EUA) routine for a user

CONTROL(SMS) record name that contains the default storage management class values for a user

Resource rule must authorize any resource accesses that a user makes

Logon ID is valid for dynamic logon ID privileges

New password is to be upper-case

Current password is case-sensitive

Whether logon ID administrative changes for this user were propagated to all active Lightweight Directory Access Protocol (LDAP) servers in the network

Logon ID is for a multiple-user single address space system, such as CICS or IMS

MUSID field should be used to restrict access to a MUSASS region for CA ACF2 Info type system entry calls

Prevents the user violation counter from incrementing and MAXVIO processing from occurring

User cannot use any z/OS UNIX System Services

Last access statistics on a successful full validation (ACVAMVAL) MUSASS signon request are bypassed

Whether CA ACF2 creates SMF logs that contain the Active Library List for all data set access attempts made by this logon ID in a batch job

Whether CA ACF2 creates SMF logs that contain the Active Library List for all data set access violations made by this logonid in a batch job

Password for the logonid is halfway encrypted and can be extracted by an APF-authorized program

Passticket can be used with a user ID that has the RESTRICT attribute

When the system is active in a sysplex environment, this logon ID record should not be written to the structure

Access rules must exist for all data on temporary disks that this user accesses

User also resides on the CA Common Services (CCS) platform

PROGRAM and SUBAUTH are to be validated even when this RESTRICTed logon ID is inherited

Distinguished name (DN) that is used together with the BIND password when the LDAP Server needs to supply an administrator or user identity to BIND with another LDAP server - PROXY user profile

Date and time the BINDPW field was last changed - PROXY user profile

Password for the DN defined in the BINDDN parameter - PROXY user profile

URL of the LDAP server that the z/OS LDAP Server contacts when acting as a proxy on behalf of a requester - PROXY user profile

Automatically assigns a LINUXUID value when there is an active GSO AUTOIDLX record that specifies ASSIGNU - LINUX user profile

Name of the LINUX group profile record - LINUX user profile

Pathname of the initial directory when a user enters a Linux command or the ISPF shell - LINUX user profile

LINUX Application User Identity - LINUX user profile

LINUX Service Shell Program when Linux command is first entered - LINUX user profile

LINUX uid - LINUX user profile

Record key of a CERTDATA certificate record that is to be used as the default certificate for this key ring

Key ring name

Date when the profile record associating the user to the certificate becomes active - CERTDATA user profile

Serial number and certification authority's distinguished name as extracted from the certificate - CERTDATA user profile

Key pair has been generated using the Digital Signature Algorithm instead of the RSA algorithm - CERTDATA user profile

z/OS data set that contains the digital certificate that is inserted into a CERTDATA profile record - CERTDATA user profile

Date, set by the security administrator, on which the profile record associating the user to the certificate expires - CERTDATA user profile

Certificate is both highly trusted and trusted - CERTDATA user profile

Private key for the certificate is placed in ICSF - CERTDATA user profile

Label to be associated with the certificate - CERTDATA user profile

PCICC was specified on the GENCERT or INSERT command - CERTDATA user profile

Subject distinguished name as extracted from the certificate - CERTDATA user profile

Certificate is trusted - CERTDATA user profile

Current Kerberos key

Current Kerberos key version

Previous Kerberos key

Previous Kerberos key version

Userid that is to be associated with the foreign principal - KERBLINK user profile

Number of previous passwords stored in the record for extended password history - PASSWORD user profile

Date and time of the user's current password - PASSWORD user profile

Date and time that a logonid record was created (read only)

Number of Kerberos key violations

Number of password phrase violations that occurred on PSWD-DAT

Password phrase has been manually expired

Date and time when a password phrase was last changed

List of Roles to which this user belongs

List of Role groups to which this user belongs

The direct permissions for the account obtained from ROLESET rules

The indirect permissions for the account obtained through role membership

Obtained object data is incomplete