Protecting Special Resources › Account Support through CA ACF2 for VM › Important Information

Important Information

You should keep in mind the following information about VM account support through CA ACF2 for VM when creating account resource rules:

• The ACCOUNT field of the RESCLASS VMO record defines the type code required for account resource rule validation. The default specification is ACT, implementing the typecode ACT. You can modify this value.
• By default, you can implement account number masking for ACCOUNT resource rules. Masking lets you use asterisks (*) as $KEY masking characters, but not the dash (-).

  The ACCOUNT field of the RESTYPE VMO record lets you mask the account numbers in the $KEY. This macro must contain the same value specified in the ACT operand of the TYPES field of the RESTYPE VMO record for masking to occur. The default TYPES field of the RESTYPE VMO record includes type code ACT.

• Specifying a resource rule's type code in the RESTYPE VMO record also makes the resource rule directory resident for the rule set's type code. This improves system performance.
• CA ACF2 for VM ignores the SERVICE and VERIFY keywords in ACCOUNT resource rules.
• Normal source and shift controls apply to the validation process for ACCOUNT resource rules.

  During system IPL, the system operator and any user ID specified in the AUTOLOG operand list of the VMXAOPTS macro (in HCPAC0) bypass CA ACF2 for VM account validation. However, when the ACF2 service machine startup completes, CA ACF2 for VM validates and initializes the account numbers of all users already on the system. Any user accessing the system with an unauthorized or invalid account number is automatically forced off.

  Any user ID with the VMD4TARG logonid privilege bypasses account validation when logging on.

  With CA ACF2 for VM, you can command limit the LOGON command. Preventing or logging the ACCOUNT operand of the LOGON command depends on the CA ACF2 for VM account mode setting:

• If account support is turned on (ACCTVLD=(FULL) or ACCTVLD=(LID)) in the OPTS VMO record, you cannot prevent or log the ACCOUNT operand of the LOGON command through command limiting.
• If account support is turned off (ACCTVLD=(NO)), you prevent or log the ACCOUNT operand of the LOGON command through command limiting.