

Logonid Record Fields

This section contains all the CA ACF2 for VM‑defined logonid fields that a user can have. The fields below are arranged according to group number. For an alphabetized list of all the CA ACF2 for VM logonid fields and their descriptions (including z/OS‑defined fields), see the Logonid Record Field Descriptions section.

Logonid Record Field Groups

Fields

Identification (Group 0)

LOGONID
NAME
PASSWORD
PHONE
UID

Cancel/Suspend (Group 1)

CANCEL
CSDATE
CSWHO
SUSPEND
TRACE

Privileges (Group 2)

ACCOUNT
AUDIT
AUTOALL
AUTONOPW
AUTOONLY
CONSULT
DG84DIR
DIALBYP
DUMPAUTH
EXPIRE
GRPLOGON
GRP‑OPT
LEADER
LDEV
LIDSCOPE
LOGSHIFT
NOSPOOL
NO‑STORE
NON‑CNCL
PGM
PSWD-UPP
READALL
RESTRICT
RULEVLD
VMD4FSEC
SCPLIST
SECURITY
SRF
STC
SYNERR
TDISKVLD
USER
VLDVMACT
VM
VMD4AUTH
VMD4FSEC
VMD4RSET
VMD4TARG
VMESM
VMSAF
VMSFS
VMXA
VSESRF

Access (Group 3)

ACC‑CNT
ACC‑DATE
ACC‑SRCE
ACC‑TIME
GRP‑USER

Password (Group 4)

LIDTEMP
LIDZMAX
LIDZMIN
MAXDAYS
MINDAYS
PSWD‑DAT
PSWD‑EXP
PSWD-MIX
PSWD‑TOD
PSWD‑VIO
PSWDCVIO

TSO (Group 5)

MODE

Statistics (Group 6)

CRE-TOD
SEC‑VIO
UPD‑TOD

CICS (Group 7)

All the fields in this group are only active for z/OS sites. If you need additional information on these fields, refer to the CA ACF2 for VM for z/OS CICS Support Guide.

CICSCL
CICSID
CICSPRI
CICSRSL
IDLE

IMS (Group 8)

This group contains any fields developed for the CA ACF2 for VM IMS security subsystem.

IDMS (Group 9)

All the fields in this group are active only for z/OS sites. For more information on these fields, see the CA ACF2 for VM for z/OS Administrator Guide.

MUSASS (Group 10)

The fields in this group are active only for OS/390 sites. See the Administrator Guide for information on these fields.

MUSDLID
MUSID
MUSUPDT

Restrictions (Group 11)

PREFIX
SHIFT
SOURCE
VMACCT
VMIDLEMN
VMIDLEOP
ZONE

DFP (Group 12)

The fields in this group are active only for OS/390 sites. See the Administrator Guide for information on these fields.

DATACLAS
MGMTCLAS
STORCLAS

Logonid Record Field Descriptions

The logonid record fields listed below are arranged in alphabetical order. For a list of the logonid record fields according to group number, see the Logonid Record Fields section.

ACF2CICS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

ACC‑CNT

Indicates the number of system accesses this logonid made since it was created. The maximum number is 999,999. This is a binary field.

ACC‑DATE

Indicates the date of this user's last system access. The date is specified in the dd/mm/yy, mm/dd/yy, or yy/mm/dd format, depending on the DATE parameter in the OPTS VMO record. This is a date field.

ACC‑SRCE

Indicates the address of the input device used to enter the system. This is a character field.

ACC‑TIME

Indicates the time that this user last accessed the system. The format is hh.mm.ss. This is a binary field.

ACCOUNT

Indicates that this user is an account manager. With this privilege, an account manager can insert, delete, and change logonids as limited by the SCPLIST privilege. A user with the ACCOUNT only or SECURITY only privilege cannot list or change a logonid record for a user who has both ACCOUNT and SECURITY. This is a bit field.

ACCTPRIV

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

ACTIVE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

ALLCMDS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

ATTR2

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUDIT

Indicates that this user is an auditor. An auditor can inspect (but not modify) the parameters of CA ACF2 for VM. The SCPLIST privilege limits this privilege. This is a bit field.

AUTHSUP1

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP2

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP3

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP4

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP5

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP6

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP7

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTHSUP8

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTOALL

Indicates that this user can autolog any machine without entering a password. No autolog resource rules are required, but CA ACF2 for VM generates a logging record if no rules exist. This is a bit field.

AUTODUMP

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

AUTONOPW

Indicates that this logonid can be autologged without requiring a password. Autolog resource rules must exist. This is a bit field.

AUTOONLY

Indicates that this logonid can be autologged, but no one can log onto this ID. This is a bit field.

BDT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CANCEL

Indicates that this logonid has been canceled. This user cannot access the system. This is a bit field.

CHAR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CICS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CICSCL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CICSID

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CICSPRI

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CICSRSL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CMD‑LONG

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CMD-PROP

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CONSOLE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

CONSULT

Indicates that this user can display other logonid records. The SCPLIST privilege limits this privilege. This is a bit field.

CRE-TOD(date-time)

Indicates the date and time that a logonid record was created. CA ACF2 for VM displays the date in the format mm/dd/yy, dd/mm/yy, or yy/mm/dd, depending on the DATE field of the VMO OPTS record. Year designations of 70-99 assume a date in the 20th century (1970-1999); year designations of 00-42 assume a date in the 21st century (2000-2042). You can change the date, but you cannot change the time. You cannot specify a date past the current day's date. You must have the SECURITY or ACCOUNT privilege to alter this field. (Eight-byte binary field)

CSDATE

Indicates the date that the CANCEL or SUSPEND field has been set for this user. The format is in mm/dd/yy, dd/mm/yy, or yy/mm/dd, depending on the OPTS VMO record. This is a date field.

CSWHO

Indicates the logonid of the user who set the CANCEL or SUSPEND for this user.

DFT‑DEST

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

DFT‑PFX

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

DFT‑SOUT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

DFT‑SUBC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

DFT‑SUBH

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

DFT‑SUBM

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

DG84DIR

Indicates that this virtual machine has diagnose 84 passwords validated against the VM directory. If the virtual machine does not have this attribute, diagnose 84 passwords are validated against the Logonid database. This attribute is usually assigned to VM class B users that do directory management or system backup functions.

DIALBYP

Indicates that this logonid bypasses DIAL command validation for dials to this ID. When a user dials to a secured target machine with this privilege, standard DIAL validation and logging does not occur. If this privilege is not granted, the dialer is prompted for a logonid and password and standard DIAL validation occurs.

DSNSCOPE(logonid mask)

Specifies a logonid mask limiting the scope of SECURITY access. (Eight-byte character field)

Important! This is an old field left over from a pre-3.1 release of CA ACF2 for VM. Do not use this field. To limit a user's administrative authority over the CA ACF2 for VM logonid, rule, and Infostorage databases, use the SCPLIST field in the logonid record together with scope records. For more information on how to create scope records, see the chapter "Processing Scope Records."

DUMPAUTH

Indicates that this user can use the CP DISPLAY, DUMP, PER, TRACE, and VMDUMP commands to display storage and trace programs, EXEC files, and XEDIT macros, even when an execute‑only EXEC or MODULE is in storage. It also allows EXEC tracing when an execute‑only EXEC or MODULE is in storage.

EXPIRE

Indicates the date that this logonid expires. On this date, the user cannot log on or submit jobs. This date must be in the format mm/dd/yy, dd/mm/yy, or yy/mm/dd, depending on how your site defined the format in the OPTS VMO record. You can remove this EXPIRE restriction with the ACF CHANGE subcommand. For example, change the user's logonid record to specify EXPIRE(0).

GROUP

Defines the user's primary group for the POSIX environment. Refer to the chapter “OpenExtensions VM Support” for more information.

GRP‑OPT

Designates an ID as an optional group ID. A logonid with this attribute can be logged onto as the primary ID, or a group ID. To access a virtual machine with this attribute as a group ID, this privilege must be present and a group resource rule must exist. If the GRP‑OPT and the GRPLOGON field are present, then the GRPLOGON attribute takes precedence. GRP‑OPT requires using LOGON BY when logging on as a group user.

GRP‑USER

Indicates the last user (logonid) to use the group virtual machine. If this machine is not a group machine, CA ACF2 for VM does not display this field.

GRPLOGON

Indicates that this logonid is a group virtual machine. This attribute is typically assigned to shared user IDs, such as MAINT. When a user accesses a virtual machine with the GRPLOGON attribute, he is prompted for his own logonid and password. Group logon resource rules control access to a group ID. This is a special access privilege. (For more information about the GRPLOGON privilege, see the “Logging onto CA‑ACF2 Group Machines” chapter.)

HOMENODE

This field is not active for VM sites. For additional information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

IDLE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

IDMS

This field is not active for VM sites. For more information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

IMS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

INTERCOM

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

JCL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

JOB

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

JOBFROM

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

KERB-CUR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

KERB-CURV

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

KERB-PRE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

KERB-VIO

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

KERB-PREV

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LDS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LDEV

Indicates that this user can create logical devices when using the IBM Passthru Virtual Machine (PVM) product. This privilege applies only when the optional CA ACF2 for VM intercept is in place.

LEADER

Indicates that this user can display and alter certain fields of other logonids. The SCPLIST privilege limits this privilege.

LGN‑ACCT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑DEST

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑MSG

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑PERF

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑PROC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑RCVR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑SIZE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑TIME

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LGN‑UNIT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LID

Indicates the key to the logonid record. In VM, this is usually also the user ID.

LIDSCOPE(logonid mask)

Specifies a logonid mask limiting the scope of SECURITY/ACCOUNT/LEADER access. (Eight-byte character field)

Important! This is an old field left over from a pre-3.1 release of CA ACF2 for VM. Do not use this field. To limit a user's administrative authority over the CA ACF2 for VM logonid, rule, and Infostorage databases, use the SCPLIST field in the logonid record together with scope records. For more information on how to create scope records, see the chapter "Processing Scope Records."

LIDTEMP

Specifies that the current password is a temporary password. This bit will be set if the current password was set by a non-owner of the LOGONID (security administrator or account manager), and the password was immediately expired. This bit cannot be modified using the ACF command, and is not displayed by default. It is used for internal processing.

LIDZMAX

Specifies that a zero value for the MAXDAYS field in the LIDREC will override the global PSWDMAX value in the PSWD VMO record.

LIDZMIN

Specifies that a zero value for the MINDAYS field in the LIDREC will override the global PSWDMIN value in the VMO PSWD record.

LINE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

LOGSHIFT

Indicates that this user can access the system outside of the time period specified in the SHIFT field of his logonid record. All such system accesses are logged in SMF records and are listed in the ACFRPTPW report.

MAIL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MAINT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MAXDAYS

Indicates the number of days (up to 255) that will elapse before this user is forced to change his password. If you set this field to zero, no limit is enforced.

MINDAYS

Indicates the number of days (up to 255) that must elapse before this user can change his password. This field prevents a user from immediately changing his password back to the previous password.

MODE

Indicates that the ACF command prompts the user with the current ACF command setting instead of the default ?. This is a bit field.

MULTSIGN

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MON‑LOG

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MONITOR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MOUNT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MSGID

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MUSASS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MUSDLID

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MUSID

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MUSIDINF

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

MUSUPDT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

NAME

Indicates the user's name.

NO‑INH

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

NO‑OMVS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

NO‑SMC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

NO-STATS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

NO‑STORE

Indicates that this logonid cannot store rule sets (cannot make rule changes active) regardless of ownership (PREFIX values), SECURITY attribute, or delegation through %CHANGE.

NOMAXVIO

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

NON‑CNCL

Indicates that this logonid has access to all data, but the PREFIX field or access rules would log all accesses that would not normally be allowed. The ACFRPTDS report shows the request was allowed because the user had the NON‑CNCL attribute. CA ACF2 for VM never cancels a user with this privilege for security violations. The NON‑CNCL privilege overrides RULEVLD.

NOSPOOL

Indicates how CA ACF2 for VM responds when a user with this privilege enters a command that results in the SPOOL FILE NOT FOUND condition.

Values for this field are PREVENT (CA ACF2 for VM rejects the command), PREVENT‑LOG (CA ACF2 for VM rejects and logs the command), LOG (CA ACF2 for VM passes the command to CP for normal syntax checking and generates a logging record), or ALLOW (CA ACF2 for VM passes the command to CP for normal syntax checking). If this field is null (or blank), NOSPOOL processing is passed to the command model COMMAND clause, then to the CMDLIM VMO record. The default value is a null.

NOTICES

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

OPERATOR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PASSWORD

Specifies a 1‑ to 8‑character password that is not displayed and is stored in encrypted format.

PAUSE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PGM

This field is not active for VM sites. For more information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

PHONE

Specifies the user's telephone number or extension.

PMT‑ACCT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PMT‑PROC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PP-TRC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PP-TRCV

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PPGM

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PREFIX

Indicates the ID associated with the user's minidisks. The user's access to CMS files on a minidisk whose ID matches the PREFIX is always allowed. The PREFIX also identifies the access rule sets that the user can decompile and store. By default, PREFIX is the same as the user's logonid. You can mask this eight character field with asterisks (*), but not with dashes (-).

PRIV-CTL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PROGRAM

This field is not active for VM sites. For more information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

PROMPT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PRVPSWD1 through PRVPSWD4

These fields are not active for VM sites. For more information on these fields, see the CA ACF2 for VM for z/OS Administrator Guide.

PRV‑TOD1 through PRV‑TOD4

These fields are not active for VM sites. For more information on these fields, see the CA ACF2 for VM for z/OS Administrator Guide.

PSWD‑DAT

Indicates the date of this user's last invalid password attempt.

PSWD‑EXP

Indicates that the user's password has manually expired. This forces users to change their passwords. This is a bit field.

PSWD‑INV

This field is not active for VM sites. For more information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

PSWD-MIX

Indicates the current password is case sensitive. This means the PSWDMIXD setting in the PSWD VMO record was in effect when the current password was created or changed. This field is display only and cannot be changed.

PSWD‑SRC

This field is not active for VM sites. For more information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

PSWD‑TIM

This field is not active for VM sites. For more information on this field, see the CA ACF2 for VM for z/OS Administrator Guide.

PSWD‑TOD

Indicates the date and time the password was last changed. This is a display‑only field. You cannot change it.

PSWD-UPP|NOPSWD-UPP

Specifies that the new password is to be upper-case. PSWD-UPP does not affect the current password in any way. This field can be used in conjunction with the VMO PSWD record field PSWDMIXD. PSWDMIXD is the global specification that says passwords are case-sensitive. When PSWDMIXD is on, PSWD-UPP can be turned on to specify for this user that their new passwords will not be case-sensitive. PSWD-UPP should only be used as a means to exclude some users from having case-sensitive passwords. The default is NOPSWD-UPP. (Bit field)

PSWD‑VIO

Indicates the number of password violations that occurred on PSWD‑DAT. This is a binary field.

PSWD‑XTR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PSWD‑XTV

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PSWDCVIO(nn)

Indicates the number of cumulative invalid password attempts for a user that occurred since the logonid record was created. The only time this field is physically set to zero (0) is when the CA ACF2 for VM security administrator resets the field. (Two-byte binary field)

PTICKET

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

PWP-DATE(date)

Specifies the date the user made the last invalid password phrase attempt. The date is displayed in the format mm/dd/yy, dd/mm/yy, or yy/mm/dd, depending on the DATE field of the VMO OPTS record. Year designations of 70-99 assume a date in the 20th century (1970‑1999); year designations of 00‑69 assume a date in the 21st century (2000‑2069). (Four byte packed field)

PWP-VIO(count)

Specifies the number of password phrase violations that occurred on PWP-DATE. The PWP-VIO field is incremented by one for every password phrase violation incurred within the same date. Any password phrase violations incurred after the current value in PWP-DATE will cause the PWP-VIO count to be reset to 1 and the PWP-DATE field will be updated to reflect the current date. The only time the PWP-VIO field is physically set to zero (0) is when the CA ACF2 for VM security administrator resets the field. (2-byte binary).

PWPALLOW|NOPWPALLOW

Specifies whether a user can be authenticated using a password phrase even when the VMO PWPHRASE record does not specify ALLOW to enable all users to use password phrases. The default is NOPWPALLOW: the user can only use a password phrase if the VMO PWPHRASE record specifies ALLOW.

READALL

Indicates that this logonid has read access to all data. This is similar to NON‑CNCL, but grants read access only and enforces any existing rules for other types of accesses. This attribute is usually assigned to system backup products. The READALL privilege overrides RULEVLD.

RECOVER

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

REFRESH

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

RESTRICT

Indicates that a password cannot be supplied for logging onto a user ID with this privilege. This is compatible with the OS/390 setting. In VM, we suggest that you use the AUTOONLY setting.

Although you can use RESTRICT, you should consider the following:

RSRCVLD

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

RSTDACC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

RULEVLD

Indicates that access rules must exist for all of this user's data accesses, even if the access is in a security administrator's SCPLIST or a user's SCPLIST. However, if this user defined a temporary disk, CA ACF2 for VM does not check temporary disks against rules unless TDISKVLD is in effect. NON‑CNCL and READALL override RULEVLD. This is a bit field.

SCPLIST

Indicates the name of a scopelist record that limits this user from displaying or modifying CA ACF2 for VM records and rules. You must predefine scopelist records in the Infostorage database under the type code SCP. This field, in part, determines the user's limitations when displaying or modifying CA ACF2 for VM records and rules. If this field is null, no scoping is done. A user without a SCPLIST field is unscoped.

SEC‑VIO

Indicates the total number of security violations that this user has. This is a binary field.

SECURITY

Indicates that this user is a security administrator. A security administrator can create and inspect access rules and update certain fields in logonid records. He can also access all data in the limits of his SCPLIST field. CA ACF2 for VM logs all accesses that his PREFIX field or access rules would not normally allow. He can also create and inspect records on the Infostorage database in the limits of his SCPLIST. This is a bit field.

SHIFT

Indicates the name of the shift record used for system entry validation. Shift records indicate time, days, or dates when a user can log on. If this field is null (or blank), CA ACF2 for VM does not validate the shift. You must predefine valid shift records in the Infostorage database. You cannot mask this field.

SOURCE

Indicates the name of the source or group record that limits the location where this user must log on. You must predefine valid source records to CA ACF2 for VM entry lists under the type code SRC. If this field is null (or blank), CA ACF2 for VM does not check the source. You cannot mask this field.

SMSINFO(recid)

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

SRF

Indicates that this user can issue System Request Facility (SRF) requests to the CA ACF2 for VM service machine. These SRF requests can validate the accesses of other users and perform direct maintenance of the CA ACF2 for VM databases. To fully utilize SRF, the user must also have an @SRF definition in the ACFFDR. This is a bit field.

STC

A logonid with this attribute cannot log onto the VM system, but can be autologged if the AUTOONLY attribute is turned on for the logonid.

SUBAUTH

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

SUSPEND

Indicates that this logonid is suspended. This user cannot access the system. This is a bit field.

SYNCNODE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

SYNERR

Indicates how CA ACF2 for VM responds when a user with this field enters a command that results in a command syntax error. Values for this field are PREVENT (CA ACF2 for VM rejects the command), PREVENT‑LOG (CA ACF2 for VM rejects and logs the command), LOG (CA ACF2 for VM passes the command to CP for normal syntax checking and generates a logging record), ALLOW (CA ACF2 for VM passes the command to CP for normal syntax checking). If this field is null, error processing is passed to the command model COMMAND clause, then to the CMDLIM VMO record. The default value is a null.

SYSPEXCL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TAPE‑BLP

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TAPE‑LBL

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TDISKVLD

Indicates that access rules must exist for all data on temporary disks that this user accesses. This is a bit field. TDISKVLD is a method that lets you control which files a user can write to or read from his own T‑disks to create a "padded cell" environment. For TDISKVLD to be effective, a user cannot change his own access rule. A special access rule syntax is required for files on T‑disks. See the chapter “About access Rules” in this guide for more information.

TRACE

Traces and logs all data and resources this user references through access and resource validations. This is a bit field.

TSO

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSO‑TRC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOACCT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOCMDS

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOFSCRN

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOPERF

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOPROC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSORBA

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSORGN

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOSIZE

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOTIME

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

TSOUNIT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

UID

A pseudo‑field concatenating selected information from the logonid record, including information from user‑defined fields, such as company code, department, job function, and the logonid field. You cannot modify this field.

UIDSCOPE(UID mask)

Specifies a UID mask limiting logonid access. (24-byte character field)

Important! This is an old field left over from releases of CA ACF2 for VM before 3.1. This field should not be used. To limit a user's administrative authority over the CA ACF2 for VM logonid, rule, and Infostorage databases, use the SCPLIST field in the logonid record together with scope records. For more information on how to create scope records, see the chapter "Processing Scope Records."

UNICNTR

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

UPD‑TOD

Indicates the date and time that this logonid record was last updated.

USER

Indicates that this logonid belongs to a regular user. All logonids defined to CA ACF2 for VM are automatically users. This field is never displayed and no one should alter it. This is a bit field.

VLD‑ACCT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

VLD‑PROC

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

VLDRSTCT

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

VLDVMACT

Indicates that CA ACF2 for VM performs VM account validation under the LID account mode setting.

VM

Indicates that this user can log onto VM. A user must have this attribute to log on if the VMCHK field in the OPTS VMO record is set to VM. This field controls which systems a user can access in a multi‑CPU environment when sharing databases. This is a bit field.

VMACCT

Indicates the default account number for a virtual machine.

VMD4AUTH

A user with this attribute can issue diagnose d4 to surrogate virtual machines with the VMD4TARG attribute. Use extreme caution when you assign this privilege. The VMD4TARG and VMD4AUTH privileges are very powerful. A typical class B user with both of these attributes could potentially surrogate itself to any user ID on the system and have access to anything on the system. In previous releases, this privilege was the VMBATMON privilege.

VMD4FSEC

This is the Diagnose D4 CMS File Level Security attribute. It indicates that CA ACF2 for VM should keep track of the surrogated id that is in use when minidisks are linked. This saved information is then used to validate CMS file accesses using the surrogated ID, even if the CMS file accesses are done after the surrogation is no longer in place. This only applies to CMS file accesses through standard CMS interfaces, not through services such as the *BLOCKIO System Service.

For example, FTPSERVE uses Diagnose D4 to link minidisks under the authority of the user requesting FTP services, but resets surrogation before actually transferring the CMS files. With the VMD4FSEC attribute on in the FTPSERVE logonid, CA ACF2 for VM will validate access to the CMS files on the minidisk using the authority of the user that was surrogated when the minidisk was linked.

VMD4RSET

Indicates that this user can be the target of the diagnose d4 reset after the logonid was surrogated to another ID. Use extreme caution when assigning this privilege. Never give this logonid attribute to a batch worker machine.

The combination of VMD4RSET, VMD4AUTH, and VMD4TARG lets products like TCP/IP and VMBACKUP function properly. To track the use of the diagnose d4, you can write a diagnose limiting rule to log each time the diagnose d4 is issued. In previous releases of CA ACF2 for VM (releases 3.2 and below), this attribute was called VMRESET.

VMD4TARG

A user ID with this attribute can be the target of diagnose d4 (the alternate user diagnose). Use extreme caution when you assign this attribute. In previous releases, this privilege was the VMBATCH privilege.
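The following audit check is an added example, not part of the original guide and not CA code. It flags the Diagnose D4 assignments the descriptions above warn about: VMD4AUTH together with VMD4TARG on one logonid, and VMD4RSET on a batch worker machine. The input format, the `batch_workers` and `reviewed` lists, and all sample logonids are assumptions constructed for illustration.

```python
# Earlier-release names the field descriptions give for the Diagnose D4 privileges.
LEGACY_NAMES = {"VMBATMON": "VMD4AUTH", "VMBATCH": "VMD4TARG", "VMRESET": "VMD4RSET"}

# Constructed sample: logonid followed by the bit fields that are on.
# Assumed format, NOT CA ACF2 LIST output; build it from your own reporting.
SAMPLE_EXPORT = """\
* logonid  attributes
FTPSERVE VM VMD4AUTH VMD4FSEC VMD4RSET
OPER01   VM VMBATMON VMBATCH
BATCH01  VM VMD4TARG VMRESET
TCPIP    VM VMD4AUTH VMD4TARG VMD4RSET
USER42   VM TRACE
"""


def parse_export(text):
    """Return {logonid: set(attributes)} with legacy names normalized."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("*"):   # blank or comment line
            continue
        lid = parts[0].upper()
        attrs = {LEGACY_NAMES.get(a.upper(), a.upper()) for a in parts[1:]}
        records.setdefault(lid, set()).update(attrs)
    return records


def audit_d4(records, batch_workers=(), reviewed=()):
    """Return sorted (logonid, finding) pairs for risky D4 assignments."""
    findings = []
    for lid, attrs in records.items():
        # Both attributes on one ID: the combination the guide warns about.
        if {"VMD4AUTH", "VMD4TARG"} <= attrs and lid not in reviewed:
            findings.append((lid, "VMD4AUTH+VMD4TARG"))
        # The guide says never to give VMD4RSET to a batch worker machine.
        if "VMD4RSET" in attrs and lid in batch_workers:
            findings.append((lid, "VMD4RSET-ON-BATCH-WORKER"))
    return sorted(findings)


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for lid, finding in audit_d4(recs, batch_workers={"BATCH01"}, reviewed={"TCPIP"}):
        print(f"{lid:8} {finding}")
```

Logonids in `reviewed` are service machines (such as TCP/IP or VMBACKUP) whose combined D4 privileges a site has already approved, so the check reports only unexpected holders.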

VMESM

Indicates that this server can use the CA ACF2 for VM security interface.

VMIDLEMN

Specifies the number of minutes (from 1 to 240) that this user can be idle on the system before idle terminal processing begins. This value overrides the system‑wide IDLEMN value defined in the OPTS VMO record.

VMIDLEOP

Specifies the type of idle terminal processing to perform when this user exceeds the idle time limit. This value overrides the system‑wide IDLEOP value defined in the OPTS VMO record. Values for this field are:

OFF

Disables idle terminal processing for this user

DISC

Forces disconnection from the system when this user exceeds the idle terminal limit

LOGOFF

Forces this user off the system when he exceeds the idle terminal limit

NOLOGOFF

Prompts the user for his password when he exceeds the idle terminal limit. Incorrect passwords are counted as password violations. The user can also disconnect from the system at this prompt. This is similar to REPROMPT, but the user is not allowed to log off.

REPROMPT

Prompts the user for his password when he exceeds the idle terminal limit. Incorrect passwords are counted as password violations. The user can also log off or disconnect from the system at this prompt.

VMSAF

Indicates that this logonid can use VM interfaces to validate CA ACF2 for VM passwords. Supported interfaces are diagnose code x'A0' subfunction 4 and an APPC connect with password. This is a bit field.

Diagnose A0 subfunction 4 lets users validate passwords from their own unique applications.

APPC connect with password allows APPC/VM VTAM support (AVS) service machines to validate CA ACF2 for VM passwords.

VMSFS

Indicates that this SFS server can use the CA ACF2 for VM security interface.

VMXA

Indicates that this user can access the system if VMCHK (VMXA) is defined in the OPTS VMO record. During DIAL and GRPLOGON processing, CA ACF2 for VM bypasses the VMCHK authorization. See the VM attribute above for more information.

VSESRF

Indicates that this logonid (for a CA ACF2 for VM VSE controlled system) can issue System Request Facility (SRF) requests to the service machine. SRF requests validate the accesses of users and perform direct maintenance of the CA ACF2 for VM databases. This field works with the ACFFDR @SRF definition.

WTP

This field is not active for VM sites. For more information, see the CA ACF2 for VM for z/OS Administrator Guide.

ZONE

Indicates the time zone where this user normally accesses the system. You must have predefined time zones of three characters in the Infostorage database. If this field is null or blank, CA ACF2 for VM does not check the zone.