When running the ACFRPTXR report, what do "NC" and "U" next to LOGONID names indicate?

Document ID : KB000025880
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

ACFRPTXR - The Cross-Reference Report reports which users have access to a specified data set or resource, based on standard CA-ACF2 security controls. For each data set or resource specified, ACFRPTXR finds the associated rules and displays the LOGONIDs whose UID strings match the UID parameters in the rule.

 

Answer:

The ACFRPTXR-The Cross-Reference Report output displays the (rc) next to LOGONIDs listed in the report specifying why CA-ACF2 permits this LOGONID to have access to this data set or resource.

If a code does not appear on the report, the user has access because the rule allows access.
Possible codes are:

  • O-Owner ("owned data set" PREFIX matches or $LIDOWNER or $UIDOWNER control statement of eTrust CA-ACF2 for DB2 rules match).
  • NC-Non-Cancelable (NON-CNCL attribute).
  • RA-Read-Only Logonid (READALL attribute). This reason code applies only to data set access rules.
  • SC-Scoped Security Officer (SECURITY attribute and matching SCPLIST value).
  • SE-Unrestricted Security Officer (SECURITY attribute and no SCPLIST value).
  • U-UID match (user's UID matches rule UID parameter). This is not listed if it is the only condition met.

Details can be found in "Chapter 20: ACFRPTXR-The Cross-Reference Report" in the CA-ACF2 Security for z/OS Report and Utilities Guide.