
IBM z/OS ACF2 Security Technical Implementation Guide


Overview

Date: 2021-03-29
Finding Count (225): CAT I (High): 24, CAT II (Med): 199, CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-223505 High ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
V-223422 High CA-ACF2 OPTS GSO record must be set to ABORT mode.
V-223589 High IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-223588 High IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
V-223538 High IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-223439 High IBM z/OS must protect dynamic lists in accordance with proper security requirements.
V-223450 High CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.
V-223493 High IBM z/OS UID(0) must be properly assigned.
V-223442 High CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users.
V-223443 High CA-ACF2 access to the System Master Catalog must be properly protected.
V-223464 High CA-ACF2 must be installed, functional, and properly configured.
V-223463 High IBM z/OS SYS1.PARMLIB must be properly protected.
V-223448 High CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
V-223449 High CA-ACF2 must limit Update and Allocate access to all APF-authorized libraries to system programmers only.
V-223440 High IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.
V-223441 High CA-ACF2 must limit Write or greater access to SYS1.UADS to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
V-223446 High CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.
V-223447 High CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.
V-223445 High CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
V-223561 High Unsupported IBM z/OS system software must not be installed and/or active on the system.
V-223456 High CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-223453 High CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.
V-223514 High ACF2 security data sets and/or databases must be properly protected.
V-223616 High IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
V-223485 Medium ACF2 LOGONIDs assigned for started tasks must have the STC attribute specified in the associated LOGONID record.
V-223509 Medium ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices.
V-223508 Medium ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more.
V-223507 Medium ACF2 PSWD GSO record value must be set to require 24 hours/1 day as the minimum password lifetime.
V-223506 Medium ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction.
V-223504 Medium ACF2 PSWD GSO record value must be set to require the change of at least 50% of the total number of characters when passwords are changed.
V-223503 Medium ACF2 PSWD GSO record value must be set to require at least one lower-case character be used.
V-223502 Medium ACF2 PSWD GSO record value must be set to require at least one numeric character be used.
V-223501 Medium ACF2 PSWD GSO record value must be set to require at least one upper-case character be used.
V-223500 Medium CA-ACF2 must enforce password complexity by requiring that at least one special character be used.
V-223420 Medium IBM z/OS must not use Expired Digital Certificates.
V-223421 Medium All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority.
V-223423 Medium The number of ACF2 users granted the special privilege PPGM must be justified.
V-223424 Medium The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum.
V-223425 Medium The number of ACF2 users granted the special privilege CONSOLE must be justified.
V-223426 Medium The number of ACF2 users granted the special privilege ALLCMDS must be justified.
V-223427 Medium IBM z/OS system commands must be properly protected.
V-223428 Medium IBM z/OS Sensitive Utility Controls must be properly defined and protected.
V-223429 Medium CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
V-223620 Medium IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined.
V-223621 Medium IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
V-223626 Medium IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
V-223627 Medium IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
V-223624 Medium IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
V-223625 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
V-223587 Medium IBM z/OS SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-223586 Medium IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-223585 Medium IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
V-223584 Medium ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-223583 Medium IBM z/OS must employ a session manager configured for users to directly initiate a session lock for all connection types.
V-223582 Medium IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-223581 Medium IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.
V-223580 Medium IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-223438 Medium CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
V-223532 Medium IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
V-223533 Medium IBM z/OS JES2 output devices must be properly controlled for Classified Systems.
V-223530 Medium IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
V-223531 Medium IBM z/OS JES2 system commands must be protected in accordance with security requirements.
V-223536 Medium IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.
V-223537 Medium The IBM z/OS BPX.SMF resource must be properly configured.
V-223534 Medium IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
V-223535 Medium IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
V-223539 Medium IBM z/OS Inapplicable PPT entries must be invalidated.
V-223433 Medium CA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users.
V-223432 Medium CA-ACF2 must limit update and allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.
V-223431 Medium CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
V-223430 Medium CA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements.
V-223437 Medium Access to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified.
V-223436 Medium ACF2 Classes required to properly secure the z/OS UNIX environment must be ACTIVE.
V-223435 Medium CA-ACF2 allocate access to system user catalogs must be properly protected.
V-223434 Medium CA-ACF2 must limit access to SYS(x).TRACE to system programmers only.
V-223635 Medium IBM z/OS UNIX user accounts must be properly defined.
V-223634 Medium IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
V-223636 Medium IBM z/OS UNIX groups must be defined with a unique GID.
V-223631 Medium IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-223630 Medium IBM z/OS UNIX HFS MapName files security parameters must be properly specified.
V-223633 Medium IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
V-223632 Medium IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation.
V-223596 Medium IBM z/OS DFSMS resource class(es) must be defined to the GSO SAFDEF record in accordance with security requirements.
V-223628 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected or specified.
V-223629 Medium IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
V-223597 Medium IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
V-223525 Medium IBM z/OS FTP Server daemon must be defined with proper security parameters.
V-223524 Medium The IBM z/OS TFTP Server program must be properly protected.
V-223527 Medium IBM z/OS FTP.DATA configuration for the FTP Server must have INACTIVE statement properly set.
V-223526 Medium IBM z/OS startup parameters for the FTP Server must be defined in the SYSTCPD and SYSFTPD DD statements for configuration files.
V-223521 Medium IBM z/OS warning banner for the FTP Server must be properly specified.
V-223520 Medium IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner.
V-223523 Medium IBM z/OS FTP Control cards must be properly stored in a secure PDS file.
V-223522 Medium IBM z/OS FTP.DATA configuration statements for the FTP Server must specify the BANNER statement.
V-223529 Medium IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
V-223528 Medium IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
V-223622 Medium IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
V-223623 Medium IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
V-223451 Medium CA-ACF2 must limit Update and Allocate access to LINKLIST libraries to system programmers only.
V-223489 Medium ACF2 MAINT GSO record value if specified must be restricted to production storage management user.
V-223486 Medium ACF2 emergency LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified.
V-223487 Medium ACF2 BACKUP GSO record must be defined with a TIME value specified greater than 00 unless the database is shared and backed up on another system.
V-223484 Medium ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required.
V-223643 Medium IBM z/OS UNIX Telnet Server Startup parameters must be properly specified to display the banner.
V-223482 Medium ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.
V-223645 Medium IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
V-223480 Medium ACF2 REFRESH attribute must be restricted to security administrators only.
V-223481 Medium ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records.
V-223637 Medium IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
V-223591 Medium IBM z/OS Syslog daemon must be started at z/OS initialization.
V-223419 Medium IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation.
V-223459 Medium ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.
V-223595 Medium IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
V-223458 Medium CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.
V-223550 Medium IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG).
V-223551 Medium IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
V-223552 Medium IBM z/OS SNTP daemon (SNTPD) must be active.
V-223553 Medium IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly.
V-223554 Medium IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
V-223555 Medium IBM z/OS system administrator must develop a process to notify ISSOs of account enabling actions.
V-223556 Medium IBM z/OS PASSWORD data set and OS passwords must not be used.
V-223557 Medium IBM z/OS must configure system waittimes to protect resource availability based on site priorities.
V-223558 Medium IBM z/OS Emergency LOGONIDs must be properly defined.
V-223559 Medium IBM z/OS DFSMS control data sets must reside on separate storage volumes.
V-223491 Medium IBM z/OS must properly protect MCS console userid(s).
V-223490 Medium ACF2 LINKLST GSO record if specified must only contain trusted system data sets.
V-223492 Medium ACF2 BLPPGM GSO record must not be defined.
V-223495 Medium IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
V-223494 Medium IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
V-223497 Medium CA-ACF2 defined user accounts must uniquely identify system users.
V-223496 Medium ACF2 LOGONIDs must be defined with the required fields completed.
V-223499 Medium CA-ACF2 PWPHRASE GSO record must be properly defined.
V-223498 Medium CA-ACF2 userids found inactive for more than 35 days must be suspended.
V-223593 Medium IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements.
V-223468 Medium The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization.
V-223469 Medium IBM z/OS TSO GSO record values must be set to the values specified.
V-223465 Medium CA-ACF2 must limit update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
V-223467 Medium The EXITS GSO record value must specify the module names of site written ACF2 exit routines.
V-223462 Medium The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.
V-223543 Medium IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are created.
V-223542 Medium IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are deleted.
V-223541 Medium IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are modified.
V-223540 Medium IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are removed.
V-223547 Medium IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data.
V-223546 Medium IBM z/OS must specify SMF data options to assure appropriate activation.
V-223545 Medium IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
V-223544 Medium IBM z/OS Required SMF data record types must be collected.
V-223549 Medium IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.
V-223548 Medium IBM z/OS system administrators must develop an automated process to collect and retain SMF data.
V-223594 Medium IBM z/OS DFSMS Program Resources must be properly defined and protected.
V-223479 Medium CA-ACF2 database must be backed up on a scheduled basis.
V-223478 Medium CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets.
V-223477 Medium CA-ACF2 must prevent the use of dictionary words for passwords.
V-223476 Medium The CA-ACF2 GSO OPTS record value must be properly specified.
V-223475 Medium CA-ACF2 RULEOPTS GSO record values must be set to the values specified.
V-223474 Medium IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
V-223473 Medium IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO.
V-223472 Medium IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.
V-223471 Medium IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute.
V-223470 Medium IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users.
V-223576 Medium IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity.
V-223483 Medium ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.
V-223574 Medium IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-223575 Medium IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.
V-223572 Medium IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-223573 Medium IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures.
V-223570 Medium IBM z/OS sensitive and critical system data sets must not exist on shared DASD.
V-223571 Medium IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-223590 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly.
V-223578 Medium IBM z/OS system administrator must develop a procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-223579 Medium IBM z/OS system administrator must develop a procedure to notify system administrators and ISSOs of account enabling actions.
V-223592 Medium IBM z/OS Syslog daemon must be properly defined and secured.
V-223610 Medium IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-223569 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption.
V-223568 Medium IBM z/OS must use SAF Key Rings for key management.
V-223444 Medium IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-223560 Medium IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-223563 Medium IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries.
V-223562 Medium IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries.
V-223565 Medium IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-223564 Medium IBM z/OS must not have inaccessible APF libraries defined.
V-223567 Medium IBM z/OS must properly configure CONSOLxx members.
V-223566 Medium Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.
V-223604 Medium IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
V-223605 Medium IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-223606 Medium IBM z/OS PROFILE.TCPIP configuration statement must include SMFPARMS and/or SMFCONFIG statement for each TCP/IP stack.
V-223644 Medium IBM z/OS System data sets used to support the VTAM network must be properly secured.
V-223600 Medium IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-223601 Medium IBM z/OS TCP/IP resources must be properly protected.
V-223602 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-223603 Medium IBM z/OS data sets for the Base TCP/IP component must be properly protected.
V-223608 Medium IBM z/OS PROFILE.TCPIP configuration INACTIVITY statement must be configured to 900 seconds.
V-223609 Medium IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.
V-223455 Medium CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
V-223454 Medium CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
V-223457 Medium IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
V-223518 Medium IBM z/OS data sets for the FTP Server must be properly protected.
V-223519 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured.
V-223452 Medium CA-ACF2 must limit update and allocate access to all system-level product installation libraries to system programmers only.
V-223515 Medium ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets.
V-223516 Medium The operating system must enforce a minimum 8-character password length.
V-223517 Medium IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-223510 Medium ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices.
V-223511 Medium ACF2 TSO2741 GSO record values must be set to obliterate the logon password on 2741 devices.
V-223512 Medium ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO.
V-223513 Medium ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change.
V-223607 Medium IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
V-223617 Medium IBM z/OS UNIX security parameters in etc/profile must be properly specified.
V-223615 Medium IBM z/OS TSOAUTH resources must be restricted to authorized users.
V-223614 Medium IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet Server must have INACTIVE statement properly specified.
V-223613 Medium IBM z/OS VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
V-223612 Medium IBM z/OS warning banner for the TN3270 Telnet Server must be properly specified.
V-223611 Medium IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner.
V-223577 Medium IBM z/OS System Administrator must develop a procedure to automatically remove or disable temporary user accounts after 72 hours.
V-223598 Medium IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
V-223599 Medium IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly.
V-223619 Medium IBM z/OS UNIX resources must be protected in accordance with security requirements.
V-223618 Medium IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
V-223640 Medium IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
V-223641 Medium IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.
V-223639 Medium IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly.
V-223642 Medium IBM z/OS UNIX Telnet Server warning banner must be properly specified.
V-223638 Medium IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-223488 Low ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used.
V-223466 Low CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.