How can one prevent signon to TPX if the userid has the ACF2 RESTRICT attribute?

Document ID : KB000095245
Last Modified Date : 16/05/2018
Introduction:
TPX does not authenticate a user if the userid in ACF2 has the RESTRICT flag.
Restrict is an attribute in the ACF2 logonid record that states the logonid does not have a password.
It is in the ACF2 defined logonid record at Offset x’10’ with a value of x’80’.
Question:
I discovered that it is possible to log on to TPX with an ACF2 Restricted userid. That is, one with no password.
Is there an option to prevent a userid with no password from logging on to TPX?

That would be my preferred approach. If not, how should I approach this?
I'd (obviously) prefer not to have to write an exit since that's just one more thing to maintain.

I assume I could set up the userids in question and give them no profile, which would allow a logon, but then no application access. But not allowing logon would be preferable and more in line with normal security practice.
Answer:
TPX uses the LOGON ID and USER NAME only to validate access.

Since the ACF2 user privilege flags such as RESTRICT are in the LIDREC, the TPXUSNSF exit needs to be customized to limit access to userids with the ACF2 RESTRICT flag.

The customer can reject a signon in the 'TPXUSNSF' exit at call point 12, since the customer can interrogate the LIDREC.

Here is some sample code. Please verify in your environment and make the necessary modifications.
_________________________________________
LIDREC   DSECT                    LOGONID RECORD
LIDLID   DC    CL8' '             LOGON ID
         DC    4X'00'
LIDNAME  DC    CL20' '            USER NAME
         DC    992X'00'
LIDLEN   EQU   *-LIDREC           LENGTH OF RECORD

----------------------------------------------------------------------------