Additional specificity through ACL and UACC

For all three scenarios, you can further qualify which specific application users are allowed for IBM® MFA or bypassed by using an ACL or UACC.

You can bypass IBM MFA authentication for an application if the user being authenticated has a minimum of READ access to the profile in the MFADEF class for the application. If the user does not have a minimum of READ access to the profile in the MFADEF class for the application, IBM MFA is required.

RACF® considers ACLs first:

  • If the user is on the access list (either explicitly or using the group names in which the user is a member), return that access.
  • If the user is not on the access list, return the access defined by UACC.
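
The following Python sketch is an added illustration, not IBM or RACF code. It models the decision described above: the access list is consulted first, UACC applies only to users who are not on the list, and the bypass needs at least READ. The profile contents, user IDs and group names are constructed placeholders, and taking the highest access among several matching groups is an assumption of this model.

```python
from dataclasses import dataclass, field

# RACF access levels in ascending order of authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class Profile:
    """Simplified model of one MFADEF profile: UACC plus an access list."""
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # user ID or group name -> access level

def resolve_access(profile, user, groups=()):
    """Return the access for a user: ACL first, UACC only as the fallback."""
    if user in profile.acl:                  # explicit entry for the user
        return profile.acl[user]
    group_levels = [profile.acl[g] for g in groups if g in profile.acl]
    if group_levels:                         # on the list through a group
        # Assumption: with several matching groups, the highest access applies.
        return max(group_levels, key=LEVELS.index)
    return profile.uacc                      # not on the access list at all

def mfa_required(profile, user, groups=()):
    """IBM MFA is bypassed only with at least READ access to the profile."""
    access = resolve_access(profile, user, groups)
    return LEVELS.index(access) < LEVELS.index("READ")

# Constructed sample profiles (placeholders, not real profile definitions).
# UACC(READ): everyone bypasses except users listed with lower access.
open_bypass = Profile(uacc="READ", acl={"ADMIN1": "NONE"})
# UACC(NONE): MFA for everyone except users or groups listed with READ.
closed_bypass = Profile(uacc="NONE", acl={"BATCHGRP": "READ", "SVCUSR": "READ"})

if __name__ == "__main__":
    cases = [
        (open_bypass, "USER1", ()),              # not listed, UACC READ
        (open_bypass, "ADMIN1", ()),             # listed with NONE, UACC ignored
        (closed_bypass, "JOB1", ("BATCHGRP",)),  # listed through a group
        (closed_bypass, "USER1", ("STAFF",)),    # not listed, UACC NONE
    ]
    for prof, user, groups in cases:
        verdict = "MFA required" if mfa_required(prof, user, groups) else "MFA bypassed"
        print(f"{user:8} access={resolve_access(prof, user, groups):5} {verdict}")
```

The second case is the one to watch when reviewing profiles: an access list entry of NONE overrides a UACC of READ, so that user still authenticates with IBM MFA.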