SECVFYFREQ

The SECVFYFREQ system initialization parameter specifies whether or not CICS makes a full verification request at least once a day for each user ID that is used to log on to the CICS region.

SECVFYFREQ={NEVER|USRDELAY}

When a user logs on to CICS by a method that uses password verification, such as the EXEC CICS VERIFY PASSWORD or EXEC CICS VERIFY PHRASE command, instead of a full verification request such as the EXEC CICS SIGNON command, RACF normally does not record the login, and does not write audit information for the user ID. You can use SECVFYFREQ to require that CICS makes a full verification request for each user at least once a day. The full verification request makes RACF record the date and time of last access for the user ID, and write user statistics.

The following login processes in CICS use password verification:
  • HTTP basic authentication with CICS web support
  • Web services authentication
  • IP interconnectivity (IPIC) authentication
You might also have your own login processes that use the EXEC CICS VERIFY PASSWORD or EXEC CICS VERIFY PHRASE command.
NEVER
When the login process uses password verification, CICS makes a full verification request only if an attempt at password verification fails. User IDs that are used only with login processes involving password verification can appear to be unused.
USRDELAY
CICS makes a full verification request at least once a day for each user ID that is used to log on to the CICS region. The USRDELAY system initialization parameter for the CICS region controls the interval between full verification requests for the user IDs.
  • When the user ID is unused for more than the USRDELAY limit and is removed from the system, CICS makes a full verification request when the user next logs in. If USRDELAY is set to 1440 minutes (1 day) or higher, CICS enforces a full verification request at user login for each user ID once a day.
  • If USRDELAY is set to 0, CICS always makes a full verification request when a user logs in, unless the user is currently signed on and running a task in the CICS region.
Additional full verification requests can take place for other reasons, such as a user sign-on using the EXEC CICS SIGNON command.

The full verification request uses the RACROUTE REQUEST=VERIFYX macro, instead of the RACROUTE REQUEST=EXTRACT macro that is used for password verification. The RACROUTE REQUEST=VERIFYX macro has a higher processor cost and response time, so you might notice a slight performance impact when you implement this function. If your USRDELAY parameter is set to less than 1440 minutes, the performance impact is greater, because the full verification request takes place at user login more frequently than once a day.

Restriction: You can specify the SECVFYFREQ system initialization parameter in the SIT, PARM, or SYSIN only.