If you have the SPECIAL attribute, you can specify the
WARNING/NOWARNING, HISTORY/NOHISTORY, and REVOKE/NOREVOKE options.
Use the PASSWORD option on the SETROPTS command to provide the
following functions:
- WARNING: The WARNING suboperand enables you to specify that RACF® should issue warnings about expiring passwords and password phrases.
  When you specify WARNING, RACF issues a message each time a user logs on to TSO or submits a batch job with an expiring password or password phrase, beginning the specified number of days before expiration. The following example specifies that RACF issue a warning message 5 days before a password or password phrase expires:
  SETROPTS PASSWORD(WARNING(5))
  If NOWARNING is in effect, RACF does not issue a warning message before a password or password phrase expires.
- HISTORY: The HISTORY suboperand enables you to specify the number of previous passwords and password phrases (1 - 32) that RACF saves for each user and compares with an intended new value. When RACF finds a match with a previous value, or with the current password or password phrase, RACF rejects the new intended value.
  For passwords, RACF stores only previous passwords in each user's history. For password phrases, RACF saves the user's current password phrase in addition to the user's previous password phrases. Therefore, for password phrases, RACF saves one fewer previous value than the number you specify for history.
  Example: If you specify 12 for your HISTORY number, RACF saves up to 12 previous passwords and up to 11 previous password phrases for each user.
  SETROPTS PASSWORD(HISTORY(12))
  If you increase the HISTORY number, RACF saves and compares that number of passwords and password phrases to the new intended value. If you subsequently reduce the HISTORY number, any previous passwords and password phrases stored in the user profile in excess of the newly specified HISTORY number are not deleted and continue to be used for comparison. For example, if you specify 12 for your HISTORY number and subsequently reduce it to 8, RACF compares the old passwords and password phrases 9 - 12 with the new intended value.
  NOHISTORY specifies that new passwords and password phrases are compared only to the current password or password phrase. Any prior history information in the user profile is neither deleted nor changed.
- REVOKE: The REVOKE suboperand enables you to specify how many consecutive attempts to use incorrect passwords and password phrases RACF permits before it revokes the user ID on the next attempt.
  Example: If you specify 4 for your REVOKE number, RACF allows four consecutive attempts to use incorrect passwords or password phrases to access the system. For example, three incorrect passwords followed by one incorrect password phrase is allowed. But a fifth attempt, with either an incorrect password or incorrect password phrase, revokes the user ID.
  SETROPTS PASSWORD(REVOKE(4))
  After RACF revokes the user ID, you can activate the user ID with the RESUME operand of the ALTUSER command if you have the SPECIAL or group-SPECIAL attribute or are the owner of the profile.
  If SETROPTS NOREVOKE is in effect, consecutive incorrect passwords and password phrases are ignored.
  Protected user IDs are not revoked based on consecutive incorrect passwords and password phrases. See Defining protected user IDs for more information.
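
The HISTORY and REVOKE rules above are easy to misread by one, so the following added example (not IBM or RACF code) models them in Python for checking a planned policy against the documented behavior. The class and method names are hypothetical; the model assumes that a correct logon ends a run of consecutive failures, that RESUME clears the failure count, and that a password change never shrinks the stored history.

```python
from dataclasses import dataclass, field

@dataclass
class Credential:
    """Hypothetical model of one user's password or password phrase history."""
    kind: str                                      # "password" or "phrase"
    current: str
    previous: list = field(default_factory=list)   # newest first

    def change(self, new, history):
        """Try a new value under HISTORY(history); history=0 models NOHISTORY."""
        # NOHISTORY compares with the current value only. Otherwise every stored
        # value is compared, including ones beyond a reduced HISTORY number.
        if new == self.current or (history and new in self.previous):
            return False
        if history:
            # The current phrase counts as one saved phrase; the current password does not.
            cap = history if self.kind == "password" else history - 1
            stored = len(self.previous)
            self.previous.insert(0, self.current)
            # Assumption: a change never shrinks the list (nothing is deleted).
            del self.previous[max(cap, stored):]
        self.current = new
        return True

@dataclass
class Account:
    """Hypothetical model of the REVOKE counter shared by passwords and phrases."""
    protected: bool = False
    failures: int = 0
    revoked: bool = False

    def attempt(self, correct, revoke):
        """One logon attempt; revoke=0 models NOREVOKE."""
        if self.revoked:
            return "revoked"
        if correct:
            self.failures = 0           # assumption: success ends the consecutive run
            return "ok"
        if revoke and not self.protected:
            self.failures += 1
            if self.failures > revoke:  # REVOKE(4): the fifth failure revokes
                self.revoked = True
                return "revoked"
        return "failed"

    def resume(self):
        """Models ALTUSER RESUME; assumption: the failure count is cleared."""
        self.revoked, self.failures = False, 0
```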