Reports for ACF2


From the navigation bar at the top of the window, you can select and display different types of information in BMC AMI Security Policy Manager:

Related topic

For details about the Tools menu, see Administering.

Tip

If your browser window is too narrow to see all the values in the report, click the + icon at the beginning of the row. The column headings and values are then shown below the row. Click the - icon to collapse the row.

Data sets

Click Data sets and select one of the following reports to display information about sensitive data sets:

Non-Fully Qualified Generic > APF

The APF Data Sets without Fully Qualified Generic profile report lists sensitive data sets that are specified as Authorized Program Facility (APF) libraries and are protected by a generic security profile (for example, SYS1.**) or have no security profile defined (*Unprotected*). Executable code within these data sets can perform sensitive system functions and has access to sensitive data.

Assign unprotected data sets a security profile to make sure that only authorized users have access. Review generic profiles to make sure they grant appropriate access to the data sets.

System | Dataset Name | Volser | Create Date | Refer Date
--- | --- | --- | --- | ---
TSOP | TCPIP.SEZALOAD | RSM44A | 2019-07-08 | 2021-06-30

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
VOLSER | Volume serial number
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced

Non-Fully Qualified Generic > Other

The Other Data Sets with Non-Fully Qualified Generic profiles report lists system data sets that are protected by a generic security profile (for example, SYS1.**) or have no security profile defined (*Unprotected*). These data sets might contain sensitive system parameters that could affect system integrity. They might also include executable modules that provide sensitive system services, reporting or monitoring.

Assign unprotected data sets a security profile to make sure that only authorized users have access. Review generic profiles to make sure that they grant appropriate access to the data sets.

System | Dataset Name | Volser | Create Date | Refer Date | Type
--- | --- | --- | --- | --- | ---
TSOP | SYS1.RSM4.PPLIB | RSM4W1 | 2020-09-10 | 2021-06-30 | LINK

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
VOLSER | Volume serial number
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced
TYPE | Type of authorization table, such as UCAT or LINK

Sensitive Data Sets > Other datasets with ID(*) Access > None

The All sensitive datasets with ID(*) ACCESS > None report lists all sensitive data sets with default user ID access—that is, ID(*) access—greater than none:

System | Dataset Name | Volser | Create Date | Refer Date | Read | Write | Alloc | Exec
--- | --- | --- | --- | --- | --- | --- | --- | ---
TSOP | CBC.SCLBDLL | RSM44A | 2019-07-08 | 2021-06-30 | A | | | A

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
VOLSER | Volume serial number
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)

Sensitive Data Sets > Uncatalogued

The Uncatalogued Sensitive Data Sets report lists sensitive data sets that are not cataloged. Use this information to make sure that all sensitive data sets are properly cataloged, allowing for centralized monitoring and access management. We recommend that you catalog these data sets or remove them from the system.

System | Dataset Name | Volume | Dataset Type | Create Date | Refer Date | Type | Cat
--- | --- | --- | --- | --- | --- | --- | ---
TSOP | SYS1.IPLPARM | | IPL | | | IPL | N
TSOP | SYS1.CLOCK.PARMLIB | HCD002 | PARM | 2014-10-29 | 2021-06-30 | PARM | N

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
VOLUME | Volume serial number
DATASET TYPE | Type of sensitive data set being reported on, such as APF, IPL, or User
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced
TYPE | Type of sensitive data set being reported on, such as APF, IPL, or User
CAT | Confirmation that the data set is not cataloged

APF Data Sets > APF datasets with ID(*) Access > None

The APF libraries with id(*) access > None report lists all APF data sets with default user ID access—that is, ID(*) access—greater than none:

System | Dataset | UID | Read | Write | Alloc | Exec
--- | --- | --- | --- | --- | --- | ---
TSOP | TCPIP.SEZALOAD | * | A | | | A

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
UID | User ID
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)

APF Data Sets > APF libraries with inappropriate logging

The APF libraries with Inappropriate Logging - should be WRITE(L) and ALLOC(L) report lists all APF libraries whose logging settings do not comply with the recommended best practices—that is, data sets that should be WRITE(L) and ALLOC(L):

System | Dataset | UID | Read | Write | Alloc | Exec
--- | --- | --- | --- | --- | --- | ---
TSOP | TSGDM.RSSV21.LOADLIB | STC | A | A | A | A

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
UID | User ID
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)

APF Data Sets > APF libraries with no */NOACCESS entry

The APF libraries with no */NOACCESS entry report lists all APF libraries with no * or NOACCESS entry:

System | Dataset | UID | Read | Write | Alloc | Exec
--- | --- | --- | --- | --- | --- | ---
TSOP | ASM.SASMMOD1 | | A | L | L | A

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET NAME | Name of the data set
UID | User ID
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)
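As an added example (not SPM's or BMC's own code), the following Python applies the three APF data set checks above (ID(*) access > None, inappropriate logging, and no */NOACCESS entry) to constructed rows shaped like the report columns. The RuleEntry type, the sample rows, and the two simplifications noted in the comments (only an "A" WRITE or ALLOC is treated as unlogged; any UID(*) entry counts as the default entry) are assumptions of the example, not SPM's definitions.

```python
"""Added example (not SPM's or BMC's code): the three APF data set checks
described above, run over constructed rows shaped like the report columns."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RuleEntry:
    """One entry of an ACF2 data set rule as the APF reports present it.
    Access values: "A" = allowed, "L" = allowed and logged, "" = no access."""
    system: str
    dataset: str
    uid: str      # UID mask; "*" is the default ID(*) entry
    read: str
    write: str
    alloc: str
    exec_: str

    def grants_any(self) -> bool:
        return any(v in ("A", "L") for v in (self.read, self.write, self.alloc, self.exec_))


# Constructed sample; the first three rows mirror the rows shown in the reports above.
SAMPLE_ENTRIES: List[RuleEntry] = [
    RuleEntry("TSOP", "TCPIP.SEZALOAD", "*", "A", "", "", "A"),
    RuleEntry("TSOP", "TSGDM.RSSV21.LOADLIB", "STC", "A", "A", "A", "A"),
    RuleEntry("TSOP", "ASM.SASMMOD1", "SYSPROG", "A", "L", "L", "A"),
    RuleEntry("TSOP", "SYS1.LINKLIB", "*", "", "", "", ""),          # default entry granting nothing
    RuleEntry("TSOP", "SYS1.LINKLIB", "SYSPROG", "A", "L", "L", "A"),
]


def id_star_access_gt_none(entries: Iterable[RuleEntry]) -> List[str]:
    """APF datasets with ID(*) Access > None: the default entry grants some access."""
    return sorted({e.dataset for e in entries if e.uid == "*" and e.grants_any()})


def inappropriate_logging(entries: Iterable[RuleEntry]) -> List[Tuple[str, str]]:
    """APF libraries with inappropriate logging: WRITE or ALLOC allowed without logging.
    Assumption: an entry that grants neither WRITE nor ALLOC has nothing to log, so only
    "A" (allow without log) is flagged."""
    return sorted({(e.dataset, e.uid) for e in entries if e.write == "A" or e.alloc == "A"})


def no_default_entry(entries: Iterable[RuleEntry]) -> List[str]:
    """APF libraries with no */NOACCESS entry.
    Assumption: any UID(*) entry, even one granting nothing, counts as the default entry."""
    entries = list(entries)
    all_datasets = {e.dataset for e in entries}
    with_default = {e.dataset for e in entries if e.uid == "*"}
    return sorted(all_datasets - with_default)


if __name__ == "__main__":
    print("ID(*) access > None:", id_star_access_gt_none(SAMPLE_ENTRIES))
    print("Inappropriate logging:", inappropriate_logging(SAMPLE_ENTRIES))
    print("No */NOACCESS entry:", no_default_entry(SAMPLE_ENTRIES))
```

Each check returns the data sets (or data set and UID pairs) a reviewer would expect the corresponding report to list for the same rows; the SYS1.LINKLIB rows show a rule that passes all three checks.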

Sensitive Commands

Click Sensitive Commands and select one of the following reports to display information about sensitive commands:

z/OS.SETPROG

The z/OS.SETPROG Commands report lists all z/OS.SETPROG commands issued in the system, who issued the command, and related information. Use this information to review the impact of the SETPROG commands on critical system configuration, security, stability, and performance. A decline in these factors can occur because of unauthorized changes to the APF list, incorrect LPA modifications, enabling or disabling of protection of REFR programs, incorrect tracking settings of directed load modules, and so on.

As a security administrator, you can rely on this report to monitor authorized changes and prevent unauthorized modifications.

System | Date | Time | Userid | Name | From | Event | Command | Details
--- | --- | --- | --- | --- | --- | --- | --- | ---
TSOP | 12/02/2019 | 13:37:46 | CPWREXIT | COMPUWARE EXITS | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3998 | System Command

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATE | Date the command was executed
TIME | Time the command was executed
USERID | User ID that issued the command
NAME | Name of the user, if available
FROM | Where the command was entered
EVENT | Internal event type or SMF Event and Event Qualifier. Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console.
COMMAND | Command that was entered
DETAILS | Internal event type

All z/OS Commands

The All z/OS Commands report lists all z/OS commands issued in the system, who issued the command, and related information. Use this information to perform a security audit and report anomalies. This helps you monitor commands, detect unauthorized or suspicious activities, assess compliance with security policies, and identify potential vulnerabilities.

As a security administrator, you can investigate any unexpected or high-impact commands, and take corrective actions as needed to assert system integrity and security.

System | Date | Time | Userid | User Name | Port Of Entry | Event | Description | Command
--- | --- | --- | --- | --- | --- | --- | --- | ---
TSOP | 2021-06-29 | 11:14:03 | MVSPPS | BERT WILLIAMS | CONSOLE | CONS | System Command | F BASPMSM,LRS

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATE | Date the command was executed
TIME | Time the command was executed
USERID | User ID that issued the command
USER NAME | Name of the user, if available
PORT OF ENTRY | Where the command was entered
EVENT | Internal event type or SMF Event and Event Qualifier. Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console.
DESCRIPTION | Command that was entered
COMMAND | Internal event types
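The z/OS.SETPROG and All z/OS Commands reports are most useful when the high-impact commands can be pulled out of the full command stream. The following Python is an added example, not code from SPM or BMC: it parses SETPROG commands from rows shaped like the report columns and lists the APF list additions and deletions with the library and volume named. The row dictionaries, the sample commands other than the two taken from the page's own sample rows, and the DSN/VOL to DSNAME/VOLUME aliasing are assumptions of the example.

```python
"""Added example (not SPM's or BMC's code): pull APF list changes out of
command-report rows by parsing SETPROG operands."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed command-report rows shaped like the report columns above;
# the first and last rows mirror the sample rows shown on the page.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"system": "TSOP", "date": "12/02/2019", "time": "13:37:46", "userid": "CPWREXIT",
     "from": "CONSOLE", "event": "CONS",
     "command": "SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3998"},
    {"system": "TSOP", "date": "12/02/2019", "time": "13:40:02", "userid": "SYSPROG1",
     "from": "TSO", "event": "CONS",
     "command": "SETPROG APF,DELETE,DSNAME=OLD.APF.LOADLIB,VOLUME=WRK001"},
    {"system": "TSOP", "date": "12/02/2019", "time": "13:41:10", "userid": "SYSPROG1",
     "from": "TSO", "event": "CONS",
     "command": "SETPROG LPA,ADD,MODNAME=(IEFUSI),DSNAME=SYS1.EXITLIB"},
    {"system": "TSOP", "date": "2021-06-29", "time": "11:14:03", "userid": "MVSPPS",
     "from": "CONSOLE", "event": "CONS", "command": "F BASPMSM,LRS"},
]

# SETPROG accepts abbreviated keyword operands; map them to the long form (assumed aliases).
KEY_ALIASES = {"DSN": "DSNAME", "VOL": "VOLUME"}


def parse_setprog(command: str) -> Optional[Dict[str, str]]:
    """Split a SETPROG command into its function (APF, LPA, ...), action (ADD, DELETE, ...)
    and keyword operands. Returns None for any command that is not SETPROG."""
    m = re.match(r"^\s*SETPROG\s+(.*)$", command, re.IGNORECASE)
    if not m:
        return None
    # Operands are comma separated, but a parenthesised value may itself contain commas.
    operands = [op.strip() for op in re.findall(r"[^,()]+(?:\([^)]*\))?", m.group(1))]
    parsed = {"function": operands[0].upper() if operands else "",
              "action": operands[1].upper() if len(operands) > 1 else ""}
    for op in operands[2:]:
        if "=" in op:
            key, value = op.split("=", 1)
            key = KEY_ALIASES.get(key.upper(), key.upper())
            parsed[key] = value.strip("()")
        else:
            parsed[op.upper()] = "YES"   # flag operand such as SMS
    return parsed


def apf_list_changes(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Rows that add a library to, or delete one from, the APF list:
    (userid, action, data set, volume)."""
    changes = []
    for row in rows:
        p = parse_setprog(row["command"])
        if p and p["function"] == "APF" and p["action"] in ("ADD", "DELETE"):
            changes.append((row["userid"], p["action"], p.get("DSNAME", ""), p.get("VOLUME", "")))
    return changes


if __name__ == "__main__":
    for change in apf_list_changes(SAMPLE_ROWS):
        print("APF list change: user=%s action=%s dsn=%s vol=%s" % change)
```

The parsed operands can be joined against the APF data set reports above (is the added library protected, logged, and free of ID(*) access?) or against an allowlist of user IDs permitted to change the APF list.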

Resources

Click Resources and select one of the following reports to display information about ACF2 general resources:

Missing Profiles > OPERCMD

The Missing OPERCMD Profiles report identifies profiles associated with the OPERCMD resource class that are missing or not properly defined. Use this information to identify and review inadequately configured OPERCMD profiles, define and configure the required profiles, and assign appropriate access and permissions to only users authorized for each action.

As a security administrator, you can address security concerns arising out of unauthorized access to critical system commands.

System | Class | Profile | Purpose | Recommended
--- | --- | --- | --- | ---
TSOP | OPERCMDS | MVS.SET.PROG.** | Modify APF Libraries | Access must be limited to authorized personnel only. Preferably only accessible via PAM ids. Should have UACC(NONE) and AUDIT(SUC(READ) FAIL(READ))

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
CLASS | ACF2 class
PROFILE | OPERCMDS profile
PURPOSE | Purpose of the ACF2 profile
RECOMMENDED | BMC recommendations

Missing Profiles > STGADMIN

The Missing STGADMIN Profiles report lists storage administration profiles in the FACILITY and XFACILIT classes related to the STGADMIN resource class that are absent or incorrectly set up. Use this information to verify that STGADMIN profiles are properly defined and that storage administration tasks are restricted to authorized personnel only. Defining and configuring these profiles reduces the need for superuser authority and minimizes security risks.

As a security administrator, you can ensure that storage management functions, such as compression, ACL overrides, and changing permissions, are protected and secure.

System | Class | Profile | Purpose | Recommended
--- | --- | --- | --- | ---
TSOP | FACILITY | STGADMIN.ADR.CONVERTV | Convert VTOC to SMS | Require READ access to use. Restrict access to this
TSOP | FACILITY | STGADMIN.ADR.COPY.BYPASSACS | Copy data sets bypassing ACS routines | Require READ access to use. Restrict access to this
TSOP | FACILITY | STGADMIN.ADR.COPY.INCAT | INCAT processing | Require READ access to use. Restrict access to this
TSOP | FACILITY | STGADMIN.ADR.COPY.PROCESS.SYS | Copy SYS1 data sets | Require READ access to use. Restrict access to this

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
CLASS | ACF2 class
PROFILE | STGADMIN profile
PURPOSE | Purpose of the ACF2 profile
RECOMMENDED | BMC recommendations

Missing Profiles > UNIXPRIV

The Missing UNIXPRIV Profiles report lists profiles with z/OS UNIX privileges related to the UNIXPRIV resource class that are missing or misconfigured. Use this information to validate that UNIXPRIV profiles are correctly set up. 

This ensures proper access control for UNIX-related resources. You can create user profiles without superuser authority and grant them specific privileges using these UNIXPRIV profiles with fine granularity. This enhances security of your mainframe environment by ensuring user privileges are granted only where necessary.

As a security administrator, you can ensure controlled access to superuser-level actions, such as changing ownership or managing ACLs. You can activate and inactivate the UNIXPRIV class and define profiles with the necessary permissions to authorized UNIX administrators.

System | Class | Profile | Purpose | Recommended
--- | --- | --- | --- | ---
TSOP | UNIXPRIV | SUPERUSER.IPC.RMID | Release IPC resources (ipcrm) | Require READ access to use. Limit to UNIX processes/debuggers
TSOP | UNIXPRIV | SUPERUSER.PROCESS.KILL | Issue kill to processes | Require READ access to use. Limit to UNIX processes/debuggers
TSOP | UNIXPRIV | SUPERUSER.PROCESS.PTRACE | Use ptrace through dbx debugger | Require READ access to use. Limit to UNIX processes/debuggers
TSOP | UNIXPRIV | SUPERUSER.SETPRIORITY | Increase own priority | Require READ access to use. Limit to Storage Admin Group

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
CLASS | ACF2 class
PROFILE | UNIXPRIV profile
PURPOSE | Purpose of the ACF2 profile
RECOMMENDED | BMC recommendations

Missing Profiles > Certificate

The Missing Certificate Profiles report lists RACF certificate management-related profiles in the FACILITY class, which are not defined. It includes all the recommended general resource profiles related to digital certificates that are not defined to RACF. Use this information to ensure that only authorized personnel have access to commands used to store and maintain digital certificate information in RACF.

As a security administrator, you can ensure that digital certificate information is stored securely without any unauthorized access or change attempts.

System | Class | Profile | Recommended Setting
--- | --- | --- | ---
TSOP | FACILITY | IRR.DIGTCERT.** | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates
TSOP | FACILITY | IRR.DIGTCERT.CHECKCERT | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
CLASS | ACF2 class
PROFILE | Missing ACF2 profile
RECOMMENDED SETTING | BMC recommended profile

Certificates > Expiring

The Expiring Certificates report lists all digital certificates defined to ACF2 that are expiring in 365 days or less:

System | Label | Owner | Start Date | End Date | Days to Expiry | Profile
--- | --- | --- | --- | --- | --- | ---
TSOP | DefaultzOSMFCert.IZUDFLT.QAP5 | AVUSTR | 2018/03/11 | 2023/05/17 | 5 | 12.CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT
TSOP | DefaultzOSMFCert.IZUDFLT.QAP2 | AVUSTR | 2018/03/16 | 2023/05/17 | 5 | 13.CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT
TSOP | DefaultzOSMFCert.IZUDFLT.QAP3 | AVUSTR | 2018/03/16 | 2023/05/17 | 5 | 14.CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
LABEL | Digital certificate label
OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate)
START DATE | Certificate start date, if available
END DATE | Certificate expiration date
DAYS TO EXPIRY | Number of days until the certificate expires
PROFILE | ACF2 key of the certificate

Certificates > Expired

The Expired Certificates report lists all digital certificates defined to ACF2 that have expired and not been deleted:

System | Label | Owner | Start Date | End Date | Days After Expiry | Profile
--- | --- | --- | --- | --- | --- | ---
TSOP | ZBASIL_TEST.NEW | AVUSTR | 2022/05/04 | 2023/05/04 | 7 | 01.CN=ZBASIL.CA.OU=ZBASIL CA.O=EC TEST.L=ALTON.SP=HANTS.C=GB

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
LABEL | Digital certificate label
OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate)
START DATE | Certificate start date, if available
END DATE | Certificate expiration date
DAYS AFTER EXPIRY | Number of days after the certificate expired
PROFILE | ACF2 key of the certificate
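The Expiring and Expired Certificates reports both reduce to a date comparison against a window. As an added example (not SPM's or BMC's code), the Python below computes days to expiry and days after expiry from constructed rows that use the same YYYY/MM/DD date form as the reports. The "as of" date, the SAMPLE_CERTS rows other than the two mirrored from the sample rows above, and the 365-day default window are assumptions of the example.

```python
"""Added example (not SPM's or BMC's code): the expiring / expired certificate
checks as a date comparison over constructed rows."""
from datetime import date
from typing import List, Optional, Tuple


def parse_report_date(text: str) -> Optional[date]:
    """Dates in the certificate reports appear as YYYY/MM/DD; blank means 'not available'."""
    if not text.strip():
        return None
    y, m, d = (int(part) for part in text.strip().split("/"))
    return date(y, m, d)


# Constructed rows (label, owner, start, end); the first and third mirror rows shown above.
SAMPLE_CERTS = [
    ("DefaultzOSMFCert.IZUDFLT.QAP5", "AVUSTR", "2018/03/11", "2023/05/17"),
    ("RSSWEB.SERVER", "RSS", "2022/11/01", "2025/01/01"),
    ("ZBASIL_TEST.NEW", "AVUSTR", "2022/05/04", "2023/05/04"),
    ("LEGACY.CA", "CERTAUTH", "", "2020/12/31"),   # start date not available
]


def expiring(certs, as_of: date, window_days: int = 365) -> List[Tuple[str, int]]:
    """Expiring Certificates: still valid, but ending within window_days (default 365).
    Returns (label, days to expiry), soonest first."""
    out = []
    for label, _owner, _start, end in certs:
        days = (parse_report_date(end) - as_of).days
        if 0 <= days <= window_days:
            out.append((label, days))
    return sorted(out, key=lambda item: item[1])


def expired(certs, as_of: date) -> List[Tuple[str, int]]:
    """Expired Certificates: end date already passed.
    Returns (label, days after expiry), longest expired first."""
    out = []
    for label, _owner, _start, end in certs:
        days_after = (as_of - parse_report_date(end)).days
        if days_after > 0:
            out.append((label, days_after))
    return sorted(out, key=lambda item: -item[1])


if __name__ == "__main__":
    today = date(2023, 5, 12)   # constructed "as of" date for the sample
    print("Expiring:", expiring(SAMPLE_CERTS, today))
    print("Expired:", expired(SAMPLE_CERTS, today))
```

Only the end date drives either report; the start date is carried for the same reason the reports show it (it may be blank), and a certificate that expires today counts as expiring (0 days), not expired.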

Certificates > All

The All Certificates report lists all digital certificates defined to ACF2:

System | Label | Owner | Start Date | End Date | Profile
--- | --- | --- | --- | --- | ---
TSOP | ZBASIL_TEST.NEW | AVUSTR | 2022/05/04 | 2023/05/04 | 01.CN=ZBASIL.CA.OU=ZBASIL CA.O=EC TEST.L=ALTON.SP=HANTS.C=GB

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
LABEL | Digital certificate label
OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate)
START DATE | Certificate start date, if available
END DATE | Certificate expiration date
PROFILE | ACF2 key of the certificate

Misconfigured Settings > CICS SIT

The Misconfigured CICS SIT Settings report lists the security settings defined in the CICS system initialization table (SIT) that conflict with BMC recommendations:

System | Region | Setting | Current | Recommended | Purpose | Notes
--- | --- | --- | --- | --- | --- | ---
TSOP | CICSTS55 | CONFDATA | Show | HIDETC | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is SHOW. This may have SOX implications
TSOP | CICSTS55 | CONFTXT | No | Yes | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is NO. VTAM can trace user data.
TSOP | CICSTS55 | GMTRAN | CESN | CSGM | Specifies the initial transaction that will be executed. | Default is CSGM. Specify an ATI transaction that will be run.
TSOP | CICSTS55 | SECPRFX | No | Yes | This parameter allows for segregation of access to separate regions. CICS will prefix all resource names with the CICS user ID when talking to the ESM | YES is generally recommended if multiple CICS systems are running.

Column | Description
--- | ---
System | Name of the LPAR on which the report is generated
Region | CICS region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the BMC recommendation

Misconfigured Settings > IMS

The Misconfigured IMS Settings report lists the security settings defined in the IMS system initialization table (SIT) that conflict with BMC recommendations:

System | Region | Setting | Current | Recommended | Purpose | Notes
--- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
System | Name of the LPAR on which the report is generated
Region | IMS region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the recommendation

Misconfigured Settings > DB2

The Misconfigured DB2 Settings report lists the security settings defined in the DB2 SIT that conflict with BMC recommendations:

System | Region | Setting | Current | Recommended | Purpose | Notes
--- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
System | Name of the LPAR on which the report is generated
Region | Db2 region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the recommendation

Misconfigured Settings > MQ

The Misconfigured MQ Settings report lists the security settings defined in the MQ SIT that conflict with BMC recommendations:

System | Region | Setting | Current | Recommended | Purpose | Notes
--- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
System | Name of the LPAR on which the report is generated
Region | MQ region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the recommendation

Software Security Settings > CICS SIT

The CICS SIT Settings report lists the security settings defined in the CICS system initialization table (SIT) of each active CICS region:

System | Region | Parameter | Current setting
--- | --- | --- | ---
TSOP | CICSTS51 | AIEXIT | DFHZATDX
TSOP | CICSTS51 | APPLIDG | A05CICS1
TSOP | CICSTS55 | APPLIDG | A

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
REGION | CICS region name
PARAMETER | SIT initialization parameter
CURRENT SETTING | Current setting

Software Security Settings > IMS

The IMS Settings report lists the security settings defined in the IMS SIT of each active IMS region:

System | Region | Parameter | Current setting
--- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
REGION | IMS region name
PARAMETER | SIT initialization parameter
CURRENT SETTING | Current setting

Software Security Settings > DB2

The DB2 Settings report lists the security settings defined in the DB2 SIT of each active DB2 region:

System | Region | Parameter | Current setting
--- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
REGION | IMS region name
PARAMETER | SIT initialization parameter
CURRENT SETTING | Current setting

Software Security Settings > MQ

The MQ Settings report lists the security settings defined in the MQ SIT of each active MQ region:

System | Region | Parameter | Current setting
--- | --- | --- | ---
TSOP | QCBAMSTR | ACTIVE | Yes
TSOP | QCBAMSTR | ACTIVE | No
TSOP | QCBAMSTR | ACTIVE | No
TSOP | QCBAMSTR | ACTIVE | No

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
REGION | MQ region name
PARAMETER | Parameter name
CURRENT SETTING | Current setting

System Settings

Click System Settings and select one of the following reports to display information about your ACF2 and z/OS environment:

PPT > Entries Specifying NOPASS

The PPT Entries Specifying NOPASS in Parmlib report lists all Program Properties Table (PPT) entries that have NOPASS specified in z/OS PARMLIB member SCHEDxx:

System | Program
--- | ---
TSOP | EPWINIT

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
PROGRAM | Program that has NOPASS in the PPT

PPT > Entries Defined as NOSWAP

The PPT Entries Specifying NOSWAP in Parmlib report lists all Program Properties Table (PPT) entries that have NOSWAP defined in z/OS PARMLIB member SCHEDxx:

System | Program | Key
--- | --- | ---
TSOP | AZFSTCMN | 2
TSOP | BNJLINTX | 8
TSOP | BPEINI00 | 7
TSOP | BPXBATA2 | 2

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
PROGRAM | Program name in the PPT
KEY | MVS storage protect key that the program runs under and has been defined in the MVS PPT
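Both PPT reports above are selections over the PPT statements in the SCHEDxx parmlib member. As an added example (not SPM's or BMC's code), the Python below reads statements in the SCHEDxx PPT form (PPT PGMNAME(name) KEY(n) NOPASS NOSWAP ...) and produces the two lists. The SAMPLE_SCHEDXX text is constructed (the program names are taken from the sample rows above, the attributes are invented), and the parser assumes one PPT statement per line with /* */ comments, which is a simplification of the real SCHEDxx syntax.

```python
"""Added example (not SPM's or BMC's code): list NOPASS and NOSWAP PPT entries
from a constructed SCHEDxx fragment."""
import re
from typing import Dict, List, Tuple

# Constructed SCHEDxx fragment in PPT statement form (one statement per line).
# Program names match the sample rows above; the attributes are illustrative only.
SAMPLE_SCHEDXX = """\
/* constructed PPT entries for illustration */
PPT PGMNAME(EPWINIT)  KEY(8) NOPASS
PPT PGMNAME(AZFSTCMN) KEY(2) NOSWAP
PPT PGMNAME(BNJLINTX) KEY(8) NOSWAP
PPT PGMNAME(BPXBATA2) KEY(2) NOSWAP NOPASS
PPT PGMNAME(MYBATCH)  KEY(8) SWAP PASS
"""


def parse_ppt(text: str) -> List[Dict[str, str]]:
    """Return one dict per PPT statement: program name, KEY value, and each flag
    attribute present (NOPASS, NOSWAP, ...) mapped to "YES"."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line).strip()     # drop /* comments */
        if not line.upper().startswith("PPT"):
            continue
        entry = {"program": "", "key": ""}
        for token in line.split()[1:]:
            m = re.match(r"^(\w+)\((\w+)\)$", token)
            if m:
                name, value = m.group(1).upper(), m.group(2)
                if name == "PGMNAME":
                    entry["program"] = value
                elif name == "KEY":
                    entry["key"] = value
                else:
                    entry[name] = value
            else:
                entry[token.upper()] = "YES"     # flag attribute such as NOPASS or NOSWAP
        entries.append(entry)
    return entries


def nopass_entries(text: str) -> List[str]:
    """PPT Entries Specifying NOPASS: programs allowed to bypass data set password protection."""
    return sorted(e["program"] for e in parse_ppt(text) if "NOPASS" in e)


def noswap_entries(text: str) -> List[Tuple[str, str]]:
    """PPT Entries Defined as NOSWAP, with the storage protect key each runs under."""
    return sorted((e["program"], e["key"]) for e in parse_ppt(text) if "NOSWAP" in e)


if __name__ == "__main__":
    print("NOPASS:", nopass_entries(SAMPLE_SCHEDXX))
    print("NOSWAP:", noswap_entries(SAMPLE_SCHEDXX))
```

Because the report reads the live PPT rather than the member, a difference between this parse of SCHEDxx and the report's rows would itself be worth investigating: it means the in-storage PPT no longer matches the IPL-time parmlib.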

All Settings

The All Settings report lists all ACF2 and z/OS settings:

System | Type | Setting | Current Value
--- | --- | --- | ---
TSOP | PASSWORD | HISTORY | 6
TSOP | PASSWORD | INTERVAL | 30
TSOP | PASSWORD | MINCHANGE | 0
TSOP | PASSWORD | MIXEDCASE | MIXEDCASE

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
TYPE | Setting type
SETTING | Setting name
CURRENT VALUE | Current value of the setting from storage

Inactive Monitored Jobs

The Inactive Monitored Jobs report lists all jobs marked for monitoring in SPM that are not currently running:

System | Job not running
--- | ---
TSOP | RSSTAM
TSOP | CICSTS42

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
JOB NOT RUNNING | Name of the monitored job that appears not to be running

Users

Click Users and select one of the following reports to display information about ACF2 users:

Specific User Activity

Select Users > Specific User Activity to fetch information about a specific user. Enter the user ID you want to query, and click Submit.

The Detailed User Activity report for that user is then displayed.

ACF2 Privileges

The Users with ACF2 Privileges report lists users with ACF2 privileges:

System | Logonid | Uid | Name | Access Count | Last Access | ACCOUNT | NON-CNCL | SECURITY | LEADER | CONSULT
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
TSOP | ACFSTCID | ACFSTCID | ACFSTCID STC | 88 | 05/22/21 04:23 | | NON-CNCL | | |

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
LOGONID | ACF2 user ID
UID | ACF2 UID string
NAME | User name, if available
ACCESS COUNT | Number of accesses
LAST ACCESS | Last time the privileged user used the system
ACCOUNT | User has the account privilege
NON-CNCL | User has the non-cncl privilege
SECURITY | User has the security privilege
LEADER | User has the leader privilege
CONSULT | User has the consult privilege

UID(0)

The Users with UID(0) report lists all ACF2 users that have UID(0) defined, that is, the superuser attribute in Unix System Services (USS):

System | Userid | Name | Uid
--- | --- | --- | ---
TSOP | ADCDMST | ADCD MASTER | 0
TSOP | BATCH01 | BATCH PROCESSING | 0
TSOP | BPXOINIT | BPXOINIT | 0
TSOP | AUSER | Brian Small | 0

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
USERID | User ID
NAME | Associated name, if available
UID | ACF2 UID string

Password interval<30

The Users with password interval<30 report lists all ACF2 users who have a password interval of less than 30:

System | Userid | Name | UID | Maxdays
--- | --- | --- | --- | ---
TSOP | ACFTCID | ACFTCID STC | ACFTCID | 0

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
USERID | User ID
NAME | Associated name, if available
UID | ACF2 UID string
MAXDAYS | Number of days of the password interval

Sharing non-zero uid

The Users sharing non-zero uid report lists all ACF2 users that share a non-zero OMVS user ID:

System | Userid | Name | UID
--- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
USERID | ACF2 log-on ID
NAME | Associated user name, if available
UID | Number of the OMVS UID that is being shared
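The UID(0), Password interval<30 and Sharing non-zero uid reports are all filters over logonid attributes. As an added example (not SPM's or BMC's code), the Python below implements the three filters over a constructed list of users. The Logonid dataclass, its field names, and the sample users other than those mirrored from the sample rows above are assumptions of the example, not ACF2's logonid record layout.

```python
"""Added example (not SPM's or BMC's code): the UID(0), shared non-zero UID and
short password interval checks over constructed logonid records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Logonid:
    """The user fields the reports above draw on (constructed shape, not ACF2's record layout)."""
    userid: str
    name: str
    omvs_uid: Optional[int]   # None when the logonid has no OMVS segment
    maxdays: Optional[int]    # password interval in days; None if not set


# Constructed sample; the first three rows mirror sample rows shown above.
SAMPLE_USERS: List[Logonid] = [
    Logonid("ADCDMST", "ADCD MASTER", 0, 30),
    Logonid("BPXOINIT", "BPXOINIT", 0, 90),
    Logonid("ACFTCID", "ACFTCID STC", 1001, 0),
    Logonid("AUSER", "Brian Small", 0, 45),
    Logonid("BUSER", "Helen Tran", 1001, 30),
    Logonid("CUSER", "Contractor", None, 29),
]


def users_with_uid0(users: List[Logonid]) -> List[str]:
    """Users with UID(0): superuser in USS."""
    return sorted(u.userid for u in users if u.omvs_uid == 0)


def users_sharing_nonzero_uid(users: List[Logonid]) -> Dict[int, List[str]]:
    """Users sharing non-zero uid: each non-zero OMVS UID held by more than one logonid.
    UID 0 is excluded here because the UID(0) report already covers it."""
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for u in users:
        if u.omvs_uid not in (None, 0):
            by_uid[u.omvs_uid].append(u.userid)
    return {uid: sorted(ids) for uid, ids in by_uid.items() if len(ids) > 1}


def users_password_interval_under(users: List[Logonid], limit: int = 30) -> List[Tuple[str, int]]:
    """Users with password interval < limit. An interval of 0 is reported too,
    as in the sample row above."""
    return sorted((u.userid, u.maxdays) for u in users
                  if u.maxdays is not None and u.maxdays < limit)


if __name__ == "__main__":
    print("UID(0):", users_with_uid0(SAMPLE_USERS))
    print("Sharing non-zero uid:", users_sharing_nonzero_uid(SAMPLE_USERS))
    print("Password interval < 30:", users_password_interval_under(SAMPLE_USERS))
```

A shared non-zero UID matters for the same reason UID(0) does: USS file ownership and permissions are evaluated by UID, so two logonids with the same UID are indistinguishable to the file system even though ACF2 audits them separately.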

USER attribute

The Users with USER attribute report lists all ACF2 users that have the USER attribute:

System | Userid | Name | UID
--- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
USERID | ACF2 log-on ID
NAME | Associated user name, if available
UID | Uid string

File Transfers

The User File Transfers report lists the following:

System | Date | Time | System | User | Action | Program | Dataset | Jobname
--- | --- | --- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATE | Date the file transfer was run
TIME | Time the file transfer was run
SYSTEM | System the file transfer was run from
USER | User ID performing the file transfer
ACTION | PUT (Send) or GET (Receive)
PROGRAM | Name of the program used to transfer the file
DATASET | Name of the data set that was transferred
JOBNAME | Name of the job that ran the file transfer

Compliance

Click Compliance and select one of the following reports to display information about security violations detected in the z/OS environment:

Access Violations

The Access Violations report lists all security access violations detected in your ACF2 z/OS environment:

System | Date | Time | Userid | Name | Class | Resource | Event | Volser | DD | Program | Library
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
TSOP | 2019-02-19 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | | | | |
TSOP | 2019-02-19 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBB.DISPLAY.SECURITY | | | | |
TSOP | 2019-02-19 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | | | | |
TSOP | 2019-02-19 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.ARCHIVE | | | | |

Column | Description
--- | ---
SYSTEM | Name of the LPAR where the violation was detected
DATE | Event date
TIME | Event time
USERID | User ID who caused the violation
NAME | User ID's name
CLASS | Class of the resource that generated the violation
RESOURCE | Resource that generated the violation
EVENT |
VOLSER | Volume serial number if appropriate
DD |
PROGRAM |
LIBRARY |
Allowlists

Many of the SPM queries can exclude results by using allowlists. Allowlists are defined in the index member of the rules data set and consist of exceptions that can be used to prevent specific users or resources from being reported on as non-compliant.

For example, if only one user ID is allowed to update APF libraries, then an allowlist containing that one user ID can be defined, and the compliance query can specify a clause such as:
AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')

The allowlist defined would be:

* TSO allowlists
Allowlist APF
TSGAPF     Userid allowed to update APF data sets.

For an example of the allowlist, see Sample-index-member.
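As an added example (not SPM's or BMC's code), the Python below parses an allowlist in the shape of the index-member fragment above into a table and runs the NOT IN clause shown against a constructed table of APF updates in SQLite. The handling of the allowlist text (lines starting with "*" are comments, "Allowlist TYPE" opens a block, each following line is a user ID followed by a free-text reason), the apf_updates table and its rows are assumptions of the example, not SPM's actual schema or query.

```python
"""Added example (not SPM's or BMC's code): load an allowlist into a table and
exclude its user IDs from a compliance query with the NOT IN clause shown above."""
import sqlite3
from typing import List, Tuple

# Constructed allowlist text in the shape of the index-member fragment above.
SAMPLE_ALLOWLIST_TEXT = """\
* TSO allowlists
Allowlist APF
TSGAPF     Userid allowed to update APF data sets.
Allowlist LINKLIST
TSGLNK     Userid allowed to update LINKLIST data sets.
"""

# Constructed APF update events (userid, dataset) standing in for the query's input.
SAMPLE_APF_UPDATES: List[Tuple[str, str]] = [
    ("TSGAPF", "SYS1.LINKLIB"),
    ("TSGLNK", "SYS1.LINKLIB"),
    ("AUSER", "TCPIP.SEZALOAD"),
]


def parse_allowlist(text: str) -> List[Tuple[str, str, str]]:
    """Turn the allowlist text into (type, userid, reason) rows."""
    rows: List[Tuple[str, str, str]] = []
    current_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank or comment line
            continue
        parts = line.split(None, 1)
        if parts[0].upper() == "ALLOWLIST" and len(parts) == 2:
            current_type = parts[1].strip().upper()   # "Allowlist APF" opens the APF block
        elif current_type is not None:
            reason = parts[1].strip() if len(parts) > 1 else ""
            rows.append((current_type, parts[0].upper(), reason))
    return rows


def non_allowlisted_apf_updates(allowlist_text: str,
                                updates: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run the page's NOT IN clause against in-memory copies of both tables and
    return the (userid, dataset) pairs that are not excused by the APF allowlist."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowlist (type TEXT, userid TEXT, reason TEXT)")
    conn.execute("CREATE TABLE apf_updates (userid TEXT, dataset TEXT)")
    conn.executemany("INSERT INTO allowlist VALUES (?, ?, ?)", parse_allowlist(allowlist_text))
    conn.executemany("INSERT INTO apf_updates VALUES (?, ?)", updates)
    rows = conn.execute(
        "SELECT userid, dataset FROM apf_updates "
        "WHERE userid NOT IN (SELECT userid FROM allowlist WHERE type='APF') "
        "ORDER BY userid"
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for userid, dataset in non_allowlisted_apf_updates(SAMPLE_ALLOWLIST_TEXT, SAMPLE_APF_UPDATES):
        print("Non-compliant APF update: user=%s dataset=%s" % (userid, dataset))
```

Note that the allowlist is scoped by type: TSGLNK is allowlisted for LINKLIST, not APF, so its APF update is still reported, which is the behaviour the WHERE type='APF' predicate in the clause above is there to enforce.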

Compliance Reports

Select Overview to see the Compliance Overview dashboard that is described in Logging-on-and-viewing-compliance-summaries.

Select All to see all the compliance reports defined on the system, including all policies contained in the index member, their last run time, next run time, and result of the run. For more information, see "Examining all compliance reports" and "To run individual reports" in Logging-on-and-viewing-compliance-summaries.

Select one of the following report categories:

  • DISA STIG
  • z/OS
  • DB2
  • RACF (RACF users, only)
  • TSS (TSS users, only)
  • USS
  • TCP/IP
  • CICS
  • REXX
  • (SPE2410) CIS RACF (RACF users, only)
  • (SPE2501) PCI DSS RACF (RACF users, only)

The list of categories might change, depending on your system configuration.

If you add a custom category to the HLQ.RULES(INDEX) member and update the rules with the /f stc, loadrules command (or restart the product), the custom category is displayed in the Compliance menu and the All Compliance Reports table. For an example of the index member, see Sample-index-member.


ACF2

Click ACF2 and select one of the following reports to display information about issues in your ACF2 environment:

Access Rules

The Access Rules report lists all ACF2 data set access rules:

System | Key | Prefix | Mode | User data | Last Update By | Last Update Date | Last Update Time | Roleset | Length | % Used
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
KEY | ACF2 key
PREFIX | ACF2 prefix
MODE | ACF2 mode for this rule, Abort, Log or blank
USER DATA | ACF2 user data
LAST UPDATE BY | ID of the user who last updated the access rule
LAST UPDATE DATE | Last date that the access rule was updated
LAST UPDATE TIME | Last time that the access rule was updated
ROLESET | ACF2 roleset rule
LENGTH | Rule length
% USED | Percentage of space used in the rule definition

Resource Rules

The Resource Rules report lists all ACF2 data set resource rules:

System | Key | Type | Prefix | Mode | User data | Last Update By | Last Update Date | Last Update Time | Roleset | Length | % Used
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
KEY | ACF2 key
TYPE |
PREFIX | ACF2 prefix
MODE | ACF2 mode for this rule, Abort, Log or blank
USER DATA | ACF2 user data
LAST UPDATE BY | ID of the user who last updated the rule
LAST UPDATE DATE | Last date that the rule was updated
LAST UPDATE TIME | Last time that the rule was updated
ROLESET | ACF2 roleset rule
LENGTH | Rule length
% USED | Percentage of space used in the rule definition

GSO/Password/Phrase Settings

The GSO/Password/Phrase Settings report lists the Global System Options (GSO), password, and passphrase settings:

System | Type | Setting | Current value
--- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
TYPE | GSO
SETTING | Value from the ACF2 configuration
CURRENT VALUE | Current value of the setting

Profiles with * access > None

The Profiles with * access > None report lists ACF2 profiles in which * access is greater than NONE:

System | Dataset | UID | Read | Write | Alloc | Exec
--- | --- | --- | --- | --- | --- | ---

Column | Description
--- | ---
SYSTEM | Name of the LPAR on which the report is generated
DATASET | Name of the data set
UID | ACF2 UID string
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)


 
