Policy profiles for user password and phrase management
This section summarizes all the keywords and controlling profiles that are related to a user's password and password phrase.
Although the PROTECTED attribute is also controlled by the (NO)PASSWORD and (NO)PHRASE keywords, it is described in User attributes and access level descriptions, together with other attributes.
zSecure™ Command Verifier also provides two policy profiles to control who can use the PWCONVERT and PWCLEAN keywords on the ALTUSER command. Because these two options are not used for regular password administration, the policy profiles are described in the general section about other user-related policy profiles. See Other user-related policy profiles.
The following table lists the policy profiles available to manage RACF® user passwords and phrases. Although the policy profiles for interval and expiration suggest that they apply only to passwords, they apply to passwords and phrases. There are no separate policies to control the password interval and the phrase interval. Detailed descriptions for each profile in the table are provided following the table.
| Command | Keyword | Profile |
|---|---|---|
| ADDUSER ALTUSER | PASSWORD | C4R.USER.PASSWORD.owner.userid |
| ADDUSER ALTUSER | PASSWORD | C4R.USER./PASSWORD.owner.userid |
| PASSWORD | PASSWORD | C4R.USER.PASSWORD.=RACUID |
| ADDUSER ALTUSER | PHRASE | C4R.USER.PHRASE.owner.userid |
| PASSWORD | PHRASE | C4R.USER.PHRASE.=RACUID |
| ADDUSER ALTUSER | PASSWORD | C4R.USER.PASSWORD.=DFLTGRP |
| PASSWORD | USER(userid) | C4R.USER.PASSWORD.=DFLTGRP |
| ADDUSER ALTUSER | PASSWORD | C4R.USER.PASSWORD.=USERID |
| PASSWORD PHRASE | (NO)INTERVAL | C4R.USER.=PWINT.owner.userid |
| PASSWORD PHRASE | (NO)INTERVAL | C4R.USER.PWINT.owner.userid |
| ALTUSER | (NO)EXPIRED | C4R.USER.PWEXP.owner.userid |
- C4R.USER.PASSWORD.owner.userid
This policy profile controls the setting of the password by an administrator through the ADDUSER or ALTUSER command. Setting your own password through the PASSWORD command is controlled by the =RACUID profile. Some levels of RACF allow setting the password of another user through the PASSWORD command. This is controlled by the password quality profile for value =DFLTGRP.
If the use of the (NO)PASSWORD keyword does not change the protected status, the current profile is used. If these keywords make the user protected, or remove the protected status, the C4R.USER.ATTR.PROTECTED profile is used instead. For more information, see User attributes and access level descriptions. The profile described here controls the authorization to manage passwords for normal (non-protected) users.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PASSWORD operand. When using the ADDUSER command, and depending on the level of RACF, this access level can result in users with a RACF default password (=DFLTGRP) or in PROTECTED users. Both can be prevented by defining adequate policies for password quality or the protected status.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PASSWORD operand on the ALTUSER command to reset the password for an existing user. However, if the target user currently has the PROTECTED attribute, the PASSWORD operand is not authorized. This access level allows for normal password maintenance, but prevents PROTECTED userids from becoming NON-PROTECTED.
- CONTROL
- The control is not implemented for the terminal user. The terminal user is authorized to specify the PASSWORD keyword, unless the target userid currently has the PROTECTED attribute.
- C4R.USER./PASSWORD.owner.userid
This policy profile is used when the ADDUSER or ALTUSER command is used with the PASSWORD keyword, but without a value for the password. In this case, the DFLTGRP of the target user would be used as password. Depending on the level of RACF, such an ADDUSER command could also result in the definition of a PROTECTED user. For the ADDUSER command, it is possible to force the current policy to apply by using the PASSWORD keyword without a value for the password. It is also possible to automatically insert the PASSWORD keyword using the mandatory attribute policy as described in Mandatory value profiles for user attributes.
If the current policy applies, it is possible to automatically assign a value for the password. Using the value RANDOM for the APPLDATA instructs Command Verifier to insert a random value for the password. The generated password is always eight characters long and each character is selected from all available types:
- By default, the password characters are selected from the set consisting of the uppercase alphabetic characters, numerics, and the three national characters (@, #, and $).
- If mixed case passwords are enabled (SETROPTS PASSWORD(MIXEDCASE)), lowercase alphabetic characters can also be used.
- If special characters are enabled (SETROPTS PASSWORD(SPECIALCHARS)), the special characters as documented in the RACF Security Administrator's Guide can also be used.
If the ADDUSER or ALTUSER command specifies a value for the PASSWORD, the /PASSWORD policy profile is not used.
The qualifier /PASSWORD in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- No default value is supplied.
- READ
- The generated value for the password is inserted in the command. The password is not disclosed to the terminal user.
- UPDATE
- The generated value for the password is inserted in the command. A message is issued to the terminal user that shows the new password.
- CONTROL
- The control is not implemented for the terminal user. No default value for the password is supplied. RACF uses the DFLTGRP of the target user as the new value of the password.
The following values for APPLDATA are supported.
- BLANK
- This value is used to indicate that RACF default processing must be used. This can trigger other policies, like those for password quality or creation of protected users.
- RANDOM
- zSecure Command Verifier generates a random value for the password. The generated password is always eight characters long and selects characters from all available types.
- Other
- Although this value must be considered an error, processing continues as if no value for the APPLDATA was specified. This can trigger other policies, like those for password quality or creation of protected users.
- C4R.USER.PASSWORD.=RACUID
This profile describes the authority of a user to change its own password by using the PASSWORD command. You cannot use generic characters to cover the =RACUID qualifier in the policy profile; it must be present in the exact form shown.
Use care when you define a generic value for the PASSWORD qualifier because the resulting policy profile might also match the authority to change your own non-base segments. For more information about the policy profiles for non-base segments, see Profiles for controlling management of non-base segments.
The following access rules apply:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PASSWORD operand. This setting means that the user can change its password only during logon.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PASSWORD operand on the PASSWORD command to change its password.
- CONTROL
- The control is not implemented for the terminal user.
- C4R.USER.PHRASE.owner.userid
This policy profile controls the setting of the password phrase through the ADDUSER or ALTUSER command. Setting your own password phrase through the PASSWORD or PHRASE command is controlled by the =RACUID profile.
If the usage of the PHRASE keyword in the command does not affect the PROTECTED status, the current profile is used. If the use of the phrase keyword makes the user protected or removes the protected status, the C4R.USER.ATTR.PROTECTED profile is used instead. For more information, see User attributes and access level descriptions. The profile described here controls the authorization to manage password phrases for normal (non-protected) users.
The following access levels apply to changing the protected status:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PHRASE operand.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PHRASE operand on the ADDUSER or ALTUSER command to set the password phrase.
- CONTROL
- The control is not implemented for the terminal user. The terminal user is authorized to specify the PHRASE keyword.
- C4R.USER.PHRASE.=RACUID
This profile describes the authority of a user to change its own password phrase by using the PASSWORD or PHRASE command. RACF does not allow adding a password phrase through the PASSWORD or PHRASE command. You can change only the value of existing password phrases. You cannot use generic characters to cover the =RACUID qualifier in the policy profile; it must be present in the exact form shown.
Use care when you define a generic value for the PHRASE qualifier because the resulting policy profile might also match the authority to change your own non-base segments. For more information about the policy profiles for non-base segments, see Profiles for controlling management of non-base segments.
The following access rules apply:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PHRASE operand. This setting means that the user can change its password phrase only during logon, if and when this setting is supported by the application.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PHRASE operand on the PASSWORD or PHRASE command to change its password phrase.
- CONTROL
- The control is not implemented for the terminal user.
- C4R.USER.PASSWORD.=DFLTGRP
This profile is used to control the authorization to leave the password value blank on the ADDUSER and ALTUSER commands. Leaving the password value blank results in RACF using the DFLTGRP of the user for the new password. Explicitly setting the PASSWORD to the DFLTGRP is also controlled by this policy.
Depending on the level of RACF, the PASSWORD command, when issued for another user without the INTERVAL keyword, resets the password to the default group of that user. This policy profile also applies to that form of the PASSWORD command.
The qualifier =DFLTGRP in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
Activation of the preceding /PASSWORD policy preempts this policy. Implementation of the default value policy can result in setting a value for the password. In that case, the password value no longer matches the DFLTGRP, and the current policy profile does not apply.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to use the ADDUSER command without explicitly specifying a value for the password. If you use the PASSWORD keyword on the ALTUSER command without specifying a value, the command is rejected as well.
- READ
- The terminal user is authorized to leave the password value blank or explicitly specify the DFLTGRP on the ADDUSER command. On the ALTUSER command, use of the PASSWORD keyword without an explicit value is not allowed.
- UPDATE
- The terminal user is authorized to leave the password value blank or explicitly specify the DFLTGRP on both the ADDUSER and the ALTUSER command.
- CONTROL
- The control is not implemented for the terminal user. A password equal to the DFLTGRP is acceptable.
- C4R.USER.PASSWORD.=USERID
This profile is used to control the authorization to specify the userid as part of the new password on the ADDUSER, ALTUSER, and PASSWORD commands.
The qualifier =USERID in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to use the userid as part of the value for the new password. The command is rejected.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to use the user ID as part of the new value for the password.
- CONTROL
- The control is not implemented for the terminal user. A password equal to the user ID is acceptable.
- C4R.USER.=PWINT.owner.userid
This policy profile can be used to enforce a particular value for the password and phrase interval for a user. The interval that is defined by this policy profile is used to override any value that is specified by the terminal user. If the PASSWORD or PHRASE command is used without the INTERVAL keyword, the interval is not changed. Although the qualifier =PWINT suggests that this policy profile applies only for the password interval, RACF uses the same interval for the password and phrase. Therefore, this policy profile also applies to both.
The qualifier =PWINT in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- No action. No mandatory value is enforced.
- READ
- The APPLDATA field is retrieved and used for the new interval for the user.
- UPDATE
- Same as READ.
- CONTROL
- The control is not implemented for the terminal user. No mandatory value is enforced.
The values possible for the APPLDATA field are as follows.
- BLANK
- This value is used to indicate that the RACF SETROPTS value must be used as a default.
- interval
- The interval must be specified by 3 digits that include leading zeros. Ensure that this value is less than or equal to the RACF SETROPTS value. Otherwise, the resulting command might fail.
- NEVER
- The password interval is set to never. This setting results in a password and phrase that never expire. RACF requires extra authorization to specify this value. If the terminal user lacks this authorization, the command is rejected by RACF.
- other
- This value is an error. The RACF SETROPTS value is used as maximum.
- C4R.USER.PWINT.owner.userid
This profile can be used to control the maximum value of the password and phrase interval. In the best fitting profile, the maximum value for the interval must be specified by the APPLDATA. The interval must be specified by 3 digits that include leading zeros. The value specified by the terminal user is compared against the value that is defined in the APPLDATA. If the value in the command is higher than the value in the profile, the command is rejected. If the terminal user has CONTROL access, the defined maximum value is ignored. Although the qualifier PWINT suggests that this policy profile applies only for the password interval, RACF uses the same interval for the password and phrase. Therefore, this policy profile also applies to both.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- Changing the interval is not allowed. Any value that is specified by the terminal user is rejected.
- READ
- Same as NONE.
- UPDATE
- The value from the APPLDATA is used as a maximum value for the interval. If the value specified by the terminal user is less than or equal to the defined value, the command is accepted. The interval cannot be set higher than the system-wide default.
- CONTROL
- The control is not implemented for the terminal user. Any value specified by the terminal user is accepted.
The values possible for the APPLDATA field are as follows.
- BLANK
- This value is used to indicate that the RACF SETROPTS value must be used as a maximum.
- interval
- The interval must be specified by 3 digits that include leading zeros.
- NEVER
- The interval can be set to NEVER. This setting results in a password and phrase that never expire. RACF requires extra authorization for this value. It is also possible to specify an interval that is less than or equal to the SETROPTS value.
- other
- This value is an error. The RACF SETROPTS value is used as maximum.
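The two interval policies above, =PWINT (mandatory value) and PWINT (maximum value), can be modelled as a small decision function to check how a given access level and APPLDATA combination treats a requested INTERVAL. This is an added illustration written for this page, not Command Verifier's own code; it assumes intervals are either a number of days or the string "NEVER", and that the SETROPTS value is passed in as an integer.

```python
"""Model of the C4R.USER.=PWINT and C4R.USER.PWINT policies (added example)."""
from typing import Optional, Tuple, Union

Interval = Union[int, str]   # number of days, or the string "NEVER"


def parse_appldata(appldata: str, setropts_max: int) -> Interval:
    """Interpret the APPLDATA of a PWINT or =PWINT profile.

    BLANK -> SETROPTS value; NEVER -> "NEVER"; exactly three digits with
    leading zeros -> that many days; anything else is an error and the
    SETROPTS value is used, as the page specifies for 'other'.
    """
    value = appldata.strip().upper()
    if value == "":
        return setropts_max
    if value == "NEVER":
        return "NEVER"
    if len(value) == 3 and value.isdigit():
        return int(value)
    return setropts_max      # 'other': error, SETROPTS value applies


def mandatory_interval(access: Optional[str], appldata: str,
                       requested: Optional[Interval],
                       setropts_max: int) -> Optional[Interval]:
    """C4R.USER.=PWINT.owner.userid: return the interval that ends up in the
    command. access=None models 'no profile found'; requested=None models a
    command issued without the INTERVAL keyword (interval left unchanged)."""
    if requested is None:
        return None
    if access in ("READ", "UPDATE"):
        return parse_appldata(appldata, setropts_max)   # APPLDATA overrides
    return requested         # no profile, NONE or CONTROL: no override


def check_interval_max(access: Optional[str], appldata: str,
                       requested: Interval, setropts_max: int) -> Tuple[bool, str]:
    """C4R.USER.PWINT.owner.userid: accept or reject the requested interval."""
    if access is None or access == "CONTROL":
        return True, "policy not implemented for this terminal user"
    if access in ("NONE", "READ"):
        return False, "changing the interval is not allowed"
    # UPDATE: compare against the maximum taken from the APPLDATA.
    maximum = parse_appldata(appldata, setropts_max)
    if requested == "NEVER":
        # NEVER passes this policy only when the profile allows it; RACF
        # still requires its own extra authorization for NEVER.
        return maximum == "NEVER", "NEVER allowed only when APPLDATA is NEVER"
    if maximum == "NEVER":
        maximum = setropts_max   # a NEVER profile also admits any value <= SETROPTS
    cap = min(maximum, setropts_max)   # never above the system-wide default
    if requested > cap:
        return False, f"{requested} exceeds maximum {cap}"
    return True, "within maximum"
```
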
- C4R.USER.PWEXP.owner.userid
This policy profile can be used to control usage of the EXPIRED and NOEXPIRED options on the ALTUSER command. RACF already restricts the NOEXPIRED option to terminal users with the system special attribute and users with UPDATE access to the IRR.PASSWORD.RESET profile. The current policy profile allows further restriction on the target user. It also controls the authority to expire a password or phrase without setting a new value of a password or phrase. Although the qualifier PWEXP suggests that this policy profile applies only for expiration of passwords, it also applies to phrases.
The following access rules apply:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to expire the current password and phrase through use of the EXPIRED keyword on the ALTUSER command. If a new value for the password or phrase is specified, the default value of EXPIRED is allowed. When specifying a new value for the password or phrase, the terminal user is not authorized to specify NOEXPIRED.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to expire the current password and phrase through use of the EXPIRED keyword without specifying a new value for the password or phrase. When specifying a new value for the password or phrase, the terminal user is authorized to specify EXPIRED as well as NOEXPIRED. This access level allows regular maintenance of passwords and phrases.
- CONTROL
- The policy is not implemented for the terminal user. This access level allows regular maintenance of passwords and phrases.