z/OS Security Server RACF Security Administrator's Guide


Extending password and user ID processing (PASSWORD option)

SA23-2289-00

If you have the SPECIAL attribute, you can specify the WARNING/NOWARNING, HISTORY/NOHISTORY, and REVOKE/NOREVOKE options.

Use the PASSWORD option on the SETROPTS command to provide the following functions:
  • WARNING: The WARNING suboperand enables you to specify that RACF® should issue warnings about expiring passwords and password phrases.
    When you specify WARNING, RACF issues a message each time a user logs on to TSO or submits a batch job with an expiring password or password phrase, beginning the specified number of days before expiration. The following example specifies that RACF issue a warning message 5 days before a password or password phrase expires:
    SETROPTS PASSWORD(WARNING(5))
    If NOWARNING is in effect, RACF does not issue a warning message before a password or password phrase expires.
  • HISTORY: The HISTORY suboperand enables you to specify the number of previous passwords and password phrases (1 - 32) that RACF saves for each user and compares with an intended new value. When RACF finds a match with a previous value, or with the current password or password phrase, RACF rejects the new intended value.

    For passwords, RACF stores only previous passwords in each user's history. For password phrases, RACF saves the user's current password phrase in addition to the user's previous password phrases. Therefore, for password phrases, RACF saves one fewer previous value than the number you specify for history.

    Example: If you specify 12 for your HISTORY number, RACF saves up to 12 previous passwords and up to 11 previous password phrases for each user.

    SETROPTS PASSWORD(HISTORY(12))

    If you increase the HISTORY number, RACF saves and compares that number of passwords and password phrases to the new intended value. If you subsequently reduce the HISTORY number, any previous passwords and password phrases stored in the user profile in excess of the newly specified HISTORY number are not deleted and continue to be used for comparison. For example, if you specify 12 for your HISTORY number and subsequently reduce it to 8, RACF compares the old passwords and password phrases 9 - 12 with the new intended value.

    NOHISTORY specifies that new passwords and password phrases are compared only to the current password or password phrase. Any prior history information in the user profile is neither deleted nor changed.

  • REVOKE: The REVOKE suboperand enables you to specify how many consecutive attempts to use incorrect passwords and password phrases RACF permits before it revokes the user ID on the next attempt.
    Example: If you specify 4 for your REVOKE number, RACF allows four consecutive attempts to use incorrect passwords or password phrases to access the system. For example, three incorrect passwords followed by one incorrect password phrase is allowed. But a fifth attempt, with either an incorrect password or incorrect password phrase, revokes the user ID.
    SETROPTS PASSWORD(REVOKE(4))

    After RACF revokes the user ID, you can activate the user ID with the RESUME operand of the ALTUSER command if you have the SPECIAL or group-SPECIAL attribute or are the owner of the profile. If SETROPTS NOREVOKE is in effect, consecutive incorrect passwords and password phrases are ignored.

    Protected user IDs are not revoked based on consecutive incorrect passwords and password phrases. See Defining protected user IDs for more information.
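To make the HISTORY and REVOKE counting described above explicit, here is a small added model of those rules (example code written for this page, not RACF code); the User and PasswordPolicy names are chosen here, and how excess history entries age out after HISTORY is reduced is an assumption the page does not specify.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """The profile fields RACF consults for the checks described above."""
    password: str
    phrase: str
    old_passwords: list = field(default_factory=list)   # previous passwords only
    phrase_history: list = field(default_factory=list)  # current phrase + previous ones
    failures: int = 0       # consecutive incorrect passwords/phrases
    revoked: bool = False

    def __post_init__(self):
        if not self.phrase_history:
            self.phrase_history.append(self.phrase)


class PasswordPolicy:
    def __init__(self, history=None, revoke=None):
        self.history = history  # PASSWORD(HISTORY(n)); None models NOHISTORY
        self.revoke = revoke    # PASSWORD(REVOKE(n)); None models NOREVOKE

    def change(self, user, kind, new):
        """kind is 'password' or 'phrase'; True when RACF would accept the new value."""
        current = getattr(user, kind)
        if new == current:                  # always compared with the current value
            return False
        if self.history is not None:
            stored = user.old_passwords if kind == "password" else user.phrase_history
            if new in stored:
                return False
            prev = len(stored)
            # Phrase history also holds the current phrase, so HISTORY(n) keeps n-1 previous phrases.
            stored.insert(0, current if kind == "password" else new)
            # Keep HISTORY entries; entries left over from a larger earlier setting stay (assumption).
            del stored[max(self.history, prev):]
        setattr(user, kind, new)
        return True

    def logon(self, user, secret):
        if user.revoked:
            return False
        if secret in (user.password, user.phrase):
            user.failures = 0               # only consecutive failures are counted
            return True
        user.failures += 1                  # passwords and phrases share one counter
        if self.revoke is not None and user.failures > self.revoke:
            user.revoked = True             # the (REVOKE+1)th consecutive failure revokes
        return False
```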

Copyright IBM Corporation 1990, 2014