What is CA ACF2 command limiting, how is it setup and how can I determine if CA ACF2 TSO command limiting is being used at my site?

Document ID : KB000054064
Last Modified Date : 14/02/2018
Show Technical Document Details


CA ACF2 TSO command limiting allows a site to implement TSO command restrictions for individual logonids or globally for a site. CA ACF2 logonid fields, C(GSO) TSO parameters and a command limiting module are used to implement CA ACF2 TSO command limiting. CA ACF2 commands can be used to determine if CA ACF2 command limiting is in effect.


The CA ACF2 TSO restricted commands lists contains the list of commands that a user is authorized to use. This command list lists the available TSO commands for an individual user or for your entire site. This command limiting applies to TSO commands entered under READY mode or under ISPF.

CA ACF2 TSO command lists can be specified for individual logonids or globally.

To activate this feature for an individual, use the TSOCMDS field of the logonid record; to activate it for your entire site, use the CMDLIST field of the C(GSO) record named TSO. If you do not specify a system-wide default and leave the TSOCMDS field blank, TSO operates without CA-ACF2 command limiting.

To check if CA ACF2 TSO command limiting is being used the following can be done.

  1. To check if any logonids have a command list specified in their TSOCMDS logonid field the following command can be issued from TSO:
  2. To determine if there is a global command list specified in the CA ACF2 C(GSO) TSO record the following command can be issued from TSO:
    Look for "TSO CMD LIST= " which will specifiy the command list module being used, or "NONE" if there is no global command list.

CA ACF2 will first check the logonid record for a TSO command list(TSOCMDS field), if no TSOCMDS is specified, then CA ACF2 will check the C(GSO) TSO record (CMDLIST parameter). If both TSOCMDS for users and the global C(GSO) TSO CMDLIST is blank, then users are not restricted or limited in their TSO commands.

In a LOGONID record the TSOCMDS and ALLCMDS parameters can be used with TSO command limiting:

Specifies the name of a TSO command list module that contains the list of commands that this user is authorized to use. You cannot mask this field. Command limiting is effective for all logonids including privileged ones. It takes place in all modes with the exception of QUIET. (Eight characters)

Indicates the ability to bypass the CA ACF2 restricted command lists by entering a special prefix character. The ALLCMDS works in conjunction with the C(GSO) TSO BYPASS character parameter.

In the C(GSO) TSO record there is the CMDLIST and BYPASS parameter:

Specifies the default TSO command limiting list. If you specify a module, no users, even privileged logonids, can run without the command list present in a link list library. This field is optional and has no default. It is effective in all modes with the exception of QUIET.

Defines the TSO command list bypass character. The default value is a pound sign (#).

The restricted commands list module is defined using the $TSOCST, $TSOCEND, and the $TSOCMD macros which can be found ACF2 CAI.CAIMAC library. The restricted commands lists are link edited with the RENT attribute into a library in the system link list. The module name of the restricted command list can be specified in the logonid TSOCMDS field for the CA ACF2 GSO TSO CMDLIST parameter.

For details regarding the TSOCMDS and ALLCMDS see the CA ACF2 Administrator Guide, Chapter 3: Maintaining Logonid Records, section "Logonid Record Fields".

For details regarding the GSO TSO CMDLIST and BYPASS parameter see the CA ACF2 Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Time-Sharing Options and Defaults (TSO)".

For details on creating a TSO command lists see the CAACF2 System Programmer Guide, section "eTrust CA-ACF2 TSO Facilities", sub-section "Restricting TSO Commands".