STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide, Version: 8, Release: 2, Benchmark Date: 23 Apr 2021

ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.

DISA Rule

SV-223483r533198_rule

Vulnerability Number

V-223483

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

ACF2-ES-000650

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following user attributes allow update of the ACF2 databases for administering users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record:

ACCOUNT
LEADER
SECURITY

NOTE: SCPLIST attributes are not required for Domain Level Security Admin logonids and BATCH logonids that administer and modify the entire ACF2 environment (including GSO records, data set and resource rules, etc.) or run audit reports.

Check Contents

From the ACF command screen enter:
SET LID
LIST IF(ACCOUNT)
LIST IF(LEADER)
LIST IF(SECURITY)

Review all logonids for specific groups with the attributes ACCOUNT, LEADER, or SECURITY.

If each has the SCPLIST attribute specified properly according to job function and areas of responsibility, this is not a finding.

NOTE: SCPLIST attributes are not required for Domain Level Security Admin logonids and BATCH logonids that administer and modify the entire ACF2 environment (including GSO records, data set and resource rules, etc.) or run audit reports.
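The review step above can be pre-filtered offline once the LIST output has been saved to a text file. The following Python is an added example, not part of the STIG or of ACF2: the record layout in SAMPLE is a constructed, simplified assumption, and the function names and the `exempt` parameter are hypothetical.

```python
import re

PRIVS = {"ACCOUNT", "LEADER", "SECURITY"}

# Constructed sample, NOT real output. Assumed layout: each logonid record
# starts in column 1 with the logonid; its attribute lines are indented.
SAMPLE = """\
SECADM1  SECADM1 DOMAIN SECURITY ADMIN
         PRIVILEGES       ACCOUNT AUDIT JOB SECURITY TSO
HELPDSK  OPSHELPDSK HELP DESK LEAD
         PRIVILEGES       ACCOUNT JOB LEADER TSO
         RESTRICTIONS     PREFIX(HELPDSK) SCPLIST(HDSCOPE)
APPADM1  APPADM1 APPLICATION ADMIN
         PRIVILEGES       JOB SECURITY TSO
         RESTRICTIONS     PREFIX(APPADM1)
USER001  USER001 ORDINARY USER
         PRIVILEGES       JOB TSO
"""

def parse_logonids(text):
    """Return {logonid: {"privs": set, "scplist": str or None}}."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # column-1 text starts a new record
            current = line.split()[0]
            records[current] = {"privs": set(), "scplist": None}
            continue                       # skip name field: may contain "SECURITY"
        if current is None:
            continue
        for tok in line.split():
            if tok in PRIVS:
                records[current]["privs"].add(tok)
            m = re.fullmatch(r"SCPLIST\((\S+)\)", tok)
            if m:
                records[current]["scplist"] = m.group(1)
    return records

def unscoped(text, exempt=()):
    """Logonids holding ACCOUNT/LEADER/SECURITY with no SCPLIST.
    `exempt` holds the documented domain-level admin and BATCH logonids."""
    return sorted(
        (lid, sorted(rec["privs"]))
        for lid, rec in parse_logonids(text).items()
        if rec["privs"] and rec["scplist"] is None and lid not in exempt
    )

if __name__ == "__main__":
    for lid, privs in unscoped(SAMPLE, exempt={"SECADM1"}):
        print(f"{lid}: {', '.join(privs)} without SCPLIST")
```

A logonid that passes this filter still needs the manual review: the presence of SCPLIST does not show that the scope matches the job function and areas of responsibility.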

Documentable

False

Check Content Reference

M

Target Key

4100

Comments