Previous Topic: Password Statistics Tab

Next Topic: MVS Privileges 2 Tab

MVS Privileges 1 Tab

Use this tab to display and specify logonID record MVS privileges for administration, validation, job submission, and tape processing.

The fields in this tab are listed below:


Lets the user create, change, and delete any asset groups. The user can also update certain fields of logonID records. You can also limit the records that this user can affect with a scope record. A user with this privilege is known as a security administrator.


Lets the user view logonID records. Use a scope record to limit the records that this user can view. A user with this privilege is known as a consultant.


Specifies that a user can issue the CA-ACF2 operator command from the operator console of the server.

Store Rule

Specifies that this user can store or delete asset groups regardless of ownership, SECURITY privilege, or authority delegated through the CA-CHANGE or CA-RCHANGE asset types.


Lets the user view and update certain fields of logonID records for other users. Use a scope record to limit the records that this user can affect.


Lets the user view all parameters, including logonID records and asset groups. The user cannot update or delete the parameters. This privilege can be limited with a scope record. A user with this privilege is known as an auditor.


Lets the user add, update, and delete logonID records. If a user has only the ACCOUNT privilege, however, he or she cannot add or update a logonID record that has the SECURITY privilege. You can also limit the records that this user can affect with a scope list. A user with this privilege is known as an account manager.


Specifies that CA-ACF2 takes an SVC dump whenever this user causes an asset violation to occur. Use this field for debugging only.


Lets the user generate a dump even when the address space of the user is in an execute-only or path-control environment.

Log Shift

Lets the user access the system outside of the time period specified in the calendar field of the logonID record. All accesses that occur outside of this time period are logged.


Specifies the selected logonID is for a Multiple-User Single Address Space, such as CICS, IMS, or IDMS. You must also specify the Bypass SMC field for a MUSASS.

Protect Pgm

Lets this user execute protected programs. In CA-ACF2, this is the same as the PPGM logonID record field. The protected programs are specified in the GSO PPGM record.


Specifies that a user can access assets only if a permission exists allowing the access. This applies even if the user owns the assets or has the SECURITY privilege.

CMD Prop

Specifies that the user can use the SET TARGET command or the TARGET parameter on the INSERT, CHANGE, LIST, and DELETE commands to override the global CPF target list.

Priv Cntl

Specifies that the user is eligible for dynamic logonID privileges. When the user accesses the system (system entry), a special set of logonID privilege resource rules are checked to determine if the logonID should be assigned dynamic privileges or authorities.

Bypass SMC

Lets this logonID bypass Set-Must-Complete (SMC) controls. You cannot cancel a job for the duration of the sensitive VSAM update operation. This field should be specified for a MUSASS.

In CA-ACF2, this is the same as the NO-SMC logonID record field.


Specifies that a network job cannot inherit this logonID from its submitter. For example, if this user submits a job from one node in a network to another node where the logonID is also defined, the logonID is not inherited, the job is canceled, and the user receives an error message.

In CA-ACF2, this is the same as the NO-INH logonID record field.


Lets the user access asset groups without CA-ACF2 validation or loggings. The user must execute a specific program from a specific library. The program and library are defined in the GSO MAINT record.


Specifies that CA-ACF2 cannot cancel this user for security violations. The event log records the access and shows that CA-ACF2 allowed the access, because the user had this privilege.

Use this field with care.


Grants the user READ and EXECUTE access to all asset groups.

Use this field with care.


Specifies that a resource rule must authorize any accesses that this user makes. This field applies even if a user has the SECURITY privilege.

In CA-ACF2, this is the same as the RSRCVLD logonID record field.

Valid Restrict

Specifies that PROGRAM and SUBAUTH are to be validated even when this RESTRICTED logonID is inherited.

In CA-ACF2, this is the same as the VLDRSTCT logonID record field.


Specifies that this is a restricted logonID for production use. The logonID does not need a password for verification. Jobs submitted under the logonID are logged. This field applies to batch logonIDs only.

Submit Authorization

Forces jobs that use this logonID to submit only through APF-authorized programs. Any APF-authorized program can submit these jobs unless you specify certain programs in the SUBAUTH pgm field. For this privilege to be effective, the logonID record must also have the RESTRICT privilege.

In CA-ACF2, this is the same as the SUBAUTH logonID record field.

Submission Authorization Program

Specifies the program name that must be used to submit jobs for this logonID. The logonID should also be defined with the Restrict privilege.

Size/Type: 1-8 alphanumeric characters

In CA-ACF2, this is the same as the PROGRAM logonID record field.

Job From

Lets the user include the //*JOBFROM control statement in jobs. This statement allows a MUSASS to transmit the logonID and source with any jobs submitted by that MUSASS.

Exclude from Sysplex Caching

Check this box to exclude from Sysplex caching.

Bypass Label Processing

Specifies a user can use full bypass label processing (BLP) when accessing tape files. If a user has this privilege and tries to access a tape through BLP, CA-ACF2 allows the access. CA-ACF2 normally performs rule validation on the file name as coded in the JCL. You should tightly control this privilege.

In CA-ACF2, this is the same as the TAPE-BLP logonID record field

Limited Bypass Label Processing

Specifies that this user has limited bypass label processing (LBLP) authority to access tape files. When this user requests tape access through bypass label processing (BLP), CA-ACF2 validates the volume serial number on the tape label, checks for a volume rule, and validates any file names specified in the JCL.

In CA-ACF2, this is the same as the TAPE-LBL logonID record field. Validation depends on the TAPEDSN field of the GSO OPTS record and whether the volser is specified in the GSO SECVOLS record.