Policy profiles for user password and phrase management
This section summarizes all the keywords and controlling profiles that are related to a user's password and password phrase. Although the PROTECTED attribute is also controlled by the (NO)PASSWORD and (NO)PHRASE keywords, it is described in User attributes and access level descriptions, together with other attributes.
zSecure Command Verifier also provides two policy profiles to control who can use the PWCONVERT and PWCLEAN keywords on the ALTUSER command. Because these two options are not used for regular password administration, the policy profiles are described in the general section about other user-related policy profiles. See Other user-related policy profiles.
The following table lists the policy profiles available to manage RACF® user passwords and phrases. Although the policy profiles for interval and expiration suggest that they apply only to passwords, they apply to passwords and phrases. There are no separate policies to control the password interval and the phrase interval. Detailed descriptions for each profile in the table are provided following the table.
Command | Keyword | Profile |
---|---|---|
ADDUSER, ALTUSER | PASSWORD | C4R.USER.PASSWORD.owner.userid |
ADDUSER, ALTUSER | PASSWORD | C4R.USER./PASSWORD.owner.userid |
PASSWORD | PASSWORD | C4R.USER.PASSWORD.=RACUID |
ADDUSER, ALTUSER | PHRASE | C4R.USER.PHRASE.owner.userid |
PASSWORD | PHRASE | C4R.USER.PHRASE.=RACUID |
ADDUSER, ALTUSER | PASSWORD | C4R.USER.PASSWORD.=DFLTGRP |
PASSWORD | USER(userid) | C4R.USER.PASSWORD.=DFLTGRP |
ADDUSER, ALTUSER | PASSWORD | C4R.USER.PASSWORD.=USERID |
PASSWORD, PHRASE | (NO)INTERVAL | C4R.USER.=PWINT.owner.userid |
PASSWORD, PHRASE | (NO)INTERVAL | C4R.USER.PWINT.owner.userid |
ALTUSER | (NO)EXPIRED | C4R.USER.PWEXP.owner.userid |
- C4R.USER.PASSWORD.owner.userid
This policy profile controls the setting of the password by an administrator through the ADDUSER or ALTUSER command. Setting your own password through the PASSWORD command is controlled by the =RACUID profile. Some levels of RACF allow setting the password of another user through the PASSWORD command. This is controlled by the password quality profile for the value =DFLTGRP.
If the use of the (NO)PASSWORD keyword does not change the protected status, the current profile is used. If these keywords make the user protected, or remove the protected status, the C4R.USER.ATTR.PROTECTED profile is used instead. For more information, see User attributes and access level descriptions. The profile described here controls the authorization to manage passwords for normal (non-protected) users.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PASSWORD operand. When using the ADDUSER command, and depending on the level of RACF, this access level can result in users with a RACF default password (=DFLTGRP) or in PROTECTED users. Both can be prevented by defining adequate policies for password quality or the protected status.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PASSWORD operand on the ALTUSER command to reset the password for an existing user. However, if the target user currently has the PROTECTED attribute, the PASSWORD operand is not authorized. This access level allows for normal password maintenance, but prevents PROTECTED userids from becoming NON-PROTECTED.
- CONTROL
- The control is not implemented for the terminal user. The terminal user is authorized to specify the PASSWORD keyword, unless the target userid currently has the PROTECTED attribute.
- C4R.USER./PASSWORD.owner.userid
This policy profile is used when the ADDUSER or ALTUSER command is used with the PASSWORD keyword, but without a value for the password. In this case, the DFLTGRP of the target user would be used as the password. Depending on the level of RACF, such an ADDUSER command could also result in the definition of a PROTECTED user. For the ADDUSER command, it is possible to force the current policy to apply by using the PASSWORD keyword without a value for the password. It is also possible to automatically insert the PASSWORD keyword using the mandatory attribute policy as described in Mandatory value profiles for user attributes.
If the current policy applies, it is possible to automatically assign a value for the password. Using the value RANDOM for the APPLDATA instructs Command Verifier to insert a random value for the password. The generated password is always eight characters long and each character is selected from all available types:
- By default, the password characters are selected from the set consisting of the uppercase alphabetic characters, numerics, and the three national characters (@, #, and $).
- If mixed case passwords are enabled (SETROPTS PASSWORD(MIXEDCASE)), lowercase alphabetic characters can also be used.
- If special characters are enabled (SETROPTS PASSWORD(SPECIALCHARS)), the special characters as documented in the RACF Security Administrator's Guide can also be used.
Password rules defined with the SETROPTS command are mainly intended to force users to choose characters from each set or to prevent the use of common words. Command Verifier-generated passwords are truly random. Therefore, they are not guaranteed to adhere to password rules that limit the length or the choice of characters. If the installation has defined password rules, or uses a new password exit, RACF might not accept the generated random password if used in combination with the NOEXPIRE option. An example random password that violates the mixedall password rule is $%QyaFXi, because it lacks a numeric character. Forcing a numeric character would reduce the time that is needed for a brute force attack of the password by approximately a factor eight.
If the ADDUSER or ALTUSER command specifies a value for the PASSWORD, the /PASSWORD policy profile is not used.
The qualifier /PASSWORD in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- No default value is supplied.
- READ
- The generated value for the password is inserted in the command. The password is not disclosed to the terminal user.
- UPDATE
- The generated value for the password is inserted in the command. A message is issued to the terminal user that shows the new password.
- CONTROL
- The control is not implemented for the terminal user. No default value for the password is supplied. RACF uses the DFLTGRP of the target user as the new value of the password.
The following values for APPLDATA are supported.
- BLANK
- This value is used to indicate that RACF default processing must be used. This can trigger other policies, like those for password quality or creation of protected users.
- RANDOM
- zSecure Command Verifier generates a random value for the password. The generated password is always eight characters long and selects characters from all available types.
- Other
- Although this value must be considered an error, processing continues as if no value for the APPLDATA was specified. This can trigger other policies, like those for password quality or creation of protected users.
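The interaction between the generated-password character pool and an installation's content rules is easier to see with a small model. The following Python example is added here and is not Command Verifier code: it builds the pool the text describes for the given SETROPTS PASSWORD options, draws eight characters uniformly from it, and checks the result against a "one character of each enabled type" rule of the kind the mixedall example illustrates. The rule model and the SPECIAL character subset are assumptions made for the example; the authoritative special-character list is the one in the RACF Security Administrator's Guide.

```python
import random
import secrets
import string

# Character types described in the text. The national characters are @, # and $.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
NATIONAL = "@#$"
# Constructed stand-in for the RACF special characters (the real list is in the
# RACF Security Administrator's Guide); an assumption for this example only.
SPECIAL = "%&*-.:=?!_|"


def password_pool(mixedcase=False, specialchars=False):
    """Union of the character types available under the given SETROPTS options."""
    pool = UPPER + DIGITS + NATIONAL
    if mixedcase:        # SETROPTS PASSWORD(MIXEDCASE)
        pool += LOWER
    if specialchars:     # SETROPTS PASSWORD(SPECIALCHARS)
        pool += SPECIAL
    return pool


def generate_password(mixedcase=False, specialchars=False, rng=secrets):
    """Eight characters, each drawn independently from the whole pool.

    Nothing forces a character from every type, which is exactly why such a
    password can violate a content rule that demands one of each.
    """
    pool = password_pool(mixedcase, specialchars)
    return "".join(rng.choice(pool) for _ in range(8))


def missing_types(password, mixedcase=False, specialchars=False):
    """Types that a 'one of each enabled type' rule (assumed model) finds absent."""
    required = {"uppercase": UPPER, "numeric": DIGITS}
    if mixedcase:
        required["lowercase"] = LOWER
    # National and special characters are counted as one non-alphanumeric type.
    required["non-alphanumeric"] = NATIONAL + (SPECIAL if specialchars else "")
    return [name for name, chars in required.items()
            if not any(c in chars for c in password)]


def rule_violation_rate(samples, mixedcase=True, specialchars=True, seed=0):
    """Share of generated passwords the rule would reject (seeded for repeatability)."""
    rng = random.Random(seed)
    rejected = sum(
        1 for _ in range(samples)
        if missing_types(generate_password(mixedcase, specialchars, rng),
                         mixedcase, specialchars)
    )
    return rejected / samples


if __name__ == "__main__":
    print(missing_types("$%QyaFXi", mixedcase=True, specialchars=True))  # ['numeric']
    print(generate_password(mixedcase=True, specialchars=True))
    print(f"{rule_violation_rate(5000):.1%} of random passwords fail the rule")
```

The violation rate is the operational point: with a uniformly drawn eight-character value, a noticeable fraction of generated passwords will be refused by a rule that requires every type, so an installation that combines RANDOM with NOEXPIRE should expect occasional rejections rather than treat them as a defect.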
- C4R.USER.PASSWORD.=RACUID
This profile describes the authority of a user to change its own password by using the PASSWORD command. You cannot use generic characters to cover the =RACUID qualifier in the policy profile; it must be present in the exact form shown.
Use care when you define a generic value for the PASSWORD qualifier because the resulting policy profile might also match the authority to change your own non-base segments. For more information about the policy profiles for non-base segments, see Profiles for controlling management of non-base segments.
The following access rules apply:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PASSWORD operand. This setting means that the user can change its password only during logon.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PASSWORD operand on the PASSWORD command to change its password.
- CONTROL
- The control is not implemented for the terminal user.
- C4R.USER.PHRASE.owner.userid
This policy profile controls the setting of the password phrase through the ADDUSER or ALTUSER command. Setting your own password phrase through the PASSWORD or PHRASE command is controlled by the =RACUID profile.
If the usage of the PHRASE keyword in the command does not affect the PROTECTED status, the current profile is used. If the use of the PHRASE keyword makes the user protected or removes the protected status, the C4R.USER.ATTR.PROTECTED profile is used instead. For more information, see User attributes and access level descriptions. The profile described here controls the authorization to manage password phrases for normal (non-protected) users.
The following access levels apply to changing the protected status:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PHRASE operand.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PHRASE operand on the ADDUSER or ALTUSER command to set the password phrase.
- CONTROL
- The control is not implemented for the terminal user. The terminal user is authorized to specify the PHRASE keyword.
- C4R.USER.PHRASE.=RACUID
This profile describes the authority of a user to change its own password phrase by using the PASSWORD or PHRASE command. RACF does not allow adding a password phrase through the PASSWORD or PHRASE command. You can change only the value of existing password phrases. You cannot use generic characters to cover the =RACUID qualifier in the policy profile; it must be present in the exact form shown.
Use care when you define a generic value for the PHRASE qualifier because the resulting policy profile might also match the authority to change your own non-base segments. For more information about the policy profiles for non-base segments, see Profiles for controlling management of non-base segments.
The following access rules apply:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to specify the PHRASE operand. This setting means that the user can change only its password phrase during logon, if and when this setting is supported by the application.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to specify the PHRASE operand on the PASSWORD or PHRASE command to change its password phrase.
- CONTROL
- The control is not implemented for the terminal user.
- C4R.USER.PASSWORD.=DFLTGRP
This profile is used to control the authorization to leave the password value blank on the ADDUSER and ALTUSER command. Leaving the password value blank results in RACF using the DFLTGRP of the user for the new password. Explicitly setting the PASSWORD to the DFLTGRP is also controlled by this policy.
Depending on the level of RACF, the PASSWORD command, when issued for another user without the INTERVAL keyword, resets the password to the default group of that user. This policy profile also applies to that form of the PASSWORD command.
The qualifier =DFLTGRP in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
Activation of the preceding /PASSWORD policy preempts this policy. Implementation of the default value policy can result in setting a value for the password. In that case, the password value no longer matches the DFLTGRP, and the current policy profile does not apply.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to use the ADDUSER command without explicitly specifying a value for the password. If you use the PASSWORD keyword on the ALTUSER command without specifying a value, the command is rejected as well.
- READ
- The terminal user is authorized to leave the password value blank or explicitly specify the DFLTGRP on the ADDUSER command. On the ALTUSER command, use of the PASSWORD keyword without an explicit value is not allowed.
- UPDATE
- The terminal user is authorized to leave the password value blank or explicitly specify the DFLTGRP on both the ADDUSER and the ALTUSER command.
- CONTROL
- The control is not implemented for the terminal user. A password equal to the DFLTGRP is acceptable.
- C4R.USER.PASSWORD.=USERID
This profile is used to control the authorization to specify the userid as part of the new password on the ADDUSER, ALTUSER, and PASSWORD commands.
The qualifier =USERID in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to use the userid as part of the value for the new password. The command is rejected.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to use the user ID as part of the new value for the password.
- CONTROL
- The control is not implemented for the terminal user. A password equal to the user ID is acceptable.
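The =DFLTGRP and =USERID profiles both judge a proposed password value against the target user's attributes, so they can be modelled together. The following Python example is added here and is not Command Verifier code: access levels are passed as strings, None stands for "no profile found", and a password of None represents the PASSWORD keyword given without a value. Treating an explicit DFLTGRP value on ALTUSER at READ the same way as the blank form is an assumption drawn from the UPDATE description, which is the level that permits both commands.

```python
def dfltgrp_policy(command, access, password, dfltgrp):
    """Apply C4R.USER.PASSWORD.=DFLTGRP to an ADDUSER or ALTUSER command.

    `password` is None when the PASSWORD keyword carries no value (RACF then
    substitutes the user's default group). Returns (accepted, reason).
    """
    blank = password is None
    # Only a blank value, or a value equal to the default group, is in scope.
    if not blank and password.upper() != dfltgrp.upper():
        return True, "=DFLTGRP policy not applicable"
    if access is None or access == "CONTROL":
        return True, "control not implemented"
    if access == "NONE":
        return False, f"{command} with a default-group password is not authorized"
    if access == "READ":
        if command == "ADDUSER":
            return True, "READ permits the default group on ADDUSER"
        # The text names the blank ALTUSER form; an explicit DFLTGRP value is
        # treated the same here (assumption), since UPDATE is the level that
        # allows the default group on both commands.
        return False, "READ does not permit the default group on ALTUSER"
    if access == "UPDATE":
        return True, "UPDATE permits the default group on ADDUSER and ALTUSER"
    raise ValueError(f"unknown access level {access!r}")


def userid_policy(access, password, userid):
    """Apply C4R.USER.PASSWORD.=USERID: is the user ID part of the new password?"""
    if password is None or userid.upper() not in password.upper():
        return True, "=USERID policy not applicable"
    if access is None or access in ("UPDATE", "CONTROL"):
        return True, "user ID in password accepted"
    if access in ("NONE", "READ"):
        return False, "user ID must not be part of the new password"
    raise ValueError(f"unknown access level {access!r}")


def evaluate(command, password, userid, dfltgrp, dfltgrp_access, userid_access):
    """Combine both checks; the command is rejected if either policy rejects it."""
    results = [
        dfltgrp_policy(command, dfltgrp_access, password, dfltgrp),
        userid_policy(userid_access, password, userid),
    ]
    accepted = all(ok for ok, _ in results)
    return accepted, [reason for ok, reason in results if not ok]


if __name__ == "__main__":
    # Constructed sample: administrator at READ on =DFLTGRP and NONE on =USERID.
    print(evaluate("ADDUSER", None, "JSMITH", "SYS1", "READ", "NONE"))
    print(evaluate("ALTUSER", None, "JSMITH", "SYS1", "READ", "NONE"))
    print(evaluate("ALTUSER", "JSMITH01", "JSMITH", "SYS1", "READ", "NONE"))
```

Note that both checks compare case-insensitively, which matters once SETROPTS PASSWORD(MIXEDCASE) is active: a password that differs from the default group only in case is still the default group for the purpose of this policy.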
- C4R.USER.=PWINT.owner.userid
This policy profile can be used to enforce a particular value for the password and phrase interval for a user. The interval that is defined by this policy profile is used to override any value that is specified by the terminal user. If the PASSWORD or PHRASE command is used without the INTERVAL keyword, the interval is not changed. Although the qualifier =PWINT suggests that this policy profile applies only for the password interval, RACF uses the same interval for the password and phrase. Therefore, this policy profile also applies to both.
The qualifier =PWINT in the policy profile cannot be covered by generic characters. It must be present in the exact form shown.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- No action. No mandatory value is enforced.
- READ
- The APPLDATA field is retrieved and used for the new interval for the user.
- UPDATE
- Same as READ.
- CONTROL
- The control is not implemented for the terminal user. No mandatory value is enforced.
The values possible for the APPLDATA field are given as follows.
- BLANK
- This value is used to indicate that the RACF SETROPTS value must be used as a default.
- interval
- The interval must be specified by 3 digits that include leading zeros. Ensure that this value is less than or equal to the RACF SETROPTS value. Otherwise, the resulting command might fail.
- NEVER
- The password interval is set to never. This setting results in a password and phrase that never expire. RACF requires extra authorization to specify this value. If the terminal user lacks this authorization, the command is rejected by RACF.
- other
- This value is an error. The RACF SETROPTS value is used as maximum.
- C4R.USER.PWINT.owner.userid
This profile can be used to control the maximum value of the password and phrase interval. In the best fitting profile, the maximum value for the interval must be specified by the APPLDATA. The interval must be specified by 3 digits that include leading zeros. The value specified by the terminal user is compared against the value that is defined in the APPLDATA. If the value in the command is higher than the value in the profile, the command is rejected. If the terminal user has CONTROL access, the defined maximum value is ignored. Although the qualifier PWINT suggests that this policy profile applies only for the password interval, RACF uses the same interval for the password and phrase. Therefore, this policy profile also applies to both.
- No profile found
- This control is not implemented. No action is performed.
- NONE
- Changing the interval is not allowed. Any value that is specified by the terminal user is rejected.
- READ
- Same as NONE.
- UPDATE
- The value from the APPLDATA is used as a maximum value for the interval. If the terminal user specified value is less than or equal to the defined value, the command is accepted. The interval cannot be set higher than the system-wide default.
- CONTROL
- The control is not implemented for the terminal user. Any terminal user specified value is accepted.
The values possible for the APPLDATA field are given as follows.
- BLANK
- This value is used to indicate that the RACF SETROPTS value must be used as a maximum.
- interval
- The interval must be specified by 3 digits that include leading zeros.
- NEVER
- The interval can be set to NEVER. This setting results in a password and phrase that never expire. RACF requires extra authorization for this value. It is also possible to specify an interval that is less than or equal to the SETROPTS value.
- other
- This value is an error. The RACF SETROPTS value is used as maximum.
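The two interval profiles, C4R.USER.=PWINT.owner.userid (which overrides the requested interval with the APPLDATA value) and C4R.USER.PWINT.owner.userid (which caps it), share the same APPLDATA conventions, so one model covers both. The following Python example is added here and is not Command Verifier code: access levels are strings with None for "no profile found", a requested interval of None means the command has no INTERVAL keyword, and the `can_set_never` flag stands in for the extra RACF authorization the text mentions without modelling what that authorization is.

```python
import re

NEVER = "NEVER"


def parse_appldata(appldata):
    """Classify an APPLDATA value as the text describes.

    Returns ("BLANK", None), ("INTERVAL", days), ("NEVER", None) or ("ERROR", None).
    Only exactly three digits, leading zeros included, count as an interval.
    """
    value = (appldata or "").strip().upper()
    if value == "":
        return "BLANK", None
    if re.fullmatch(r"\d{3}", value):
        return "INTERVAL", int(value)
    if value == NEVER:
        return NEVER, None
    return "ERROR", None


def mandatory_interval(access, appldata, requested, setropts_interval, can_set_never=False):
    """C4R.USER.=PWINT.owner.userid: replace the requested interval with the policy value.

    Returns ("NO_CHANGE", None), ("SET", value) or ("REJECTED", reason).
    """
    if requested is None:
        return "NO_CHANGE", None            # no INTERVAL keyword: interval untouched
    if access in (None, "NONE", "CONTROL"):
        return "SET", requested             # no mandatory value enforced
    # READ and UPDATE: the APPLDATA value wins over whatever the user asked for.
    kind, days = parse_appldata(appldata)
    if kind == "INTERVAL":
        return "SET", days
    if kind == NEVER:
        if not can_set_never:
            return "REJECTED", "RACF requires extra authorization for INTERVAL(NEVER)"
        return "SET", NEVER
    # BLANK, or an APPLDATA value in error: fall back to the SETROPTS value.
    return "SET", setropts_interval


def check_maximum_interval(access, appldata, requested, setropts_interval):
    """C4R.USER.PWINT.owner.userid: reject an interval above the defined maximum.

    Returns (accepted, reason). The SETROPTS value is always an upper bound.
    """
    if requested is None:
        return True, "no INTERVAL keyword; interval unchanged"
    if access is None or access == "CONTROL":
        return True, "control not implemented; value accepted"
    if access in ("NONE", "READ"):
        return False, "changing the interval is not allowed"
    kind, days = parse_appldata(appldata)
    if requested == NEVER:
        if kind == NEVER:
            return True, "NEVER permitted by policy (RACF authorization still required)"
        return False, "NEVER is not permitted by the policy maximum"
    maximum = setropts_interval if kind != "INTERVAL" else min(days, setropts_interval)
    if requested <= maximum:
        return True, f"{requested} is within the maximum of {maximum}"
    return False, f"{requested} exceeds the maximum of {maximum}"


if __name__ == "__main__":
    # Constructed sample: SETROPTS PASSWORD(INTERVAL(180)), policy maximum 060 at UPDATE.
    print(check_maximum_interval("UPDATE", "060", 90, 180))
    print(check_maximum_interval("UPDATE", "060", 60, 180))
    print(mandatory_interval("READ", "045", 90, 180))
```

A two-digit APPLDATA such as "90" deliberately parses as an error rather than as 90 days, because the text requires three digits with leading zeros; in both profiles an error falls back to the SETROPTS value, which is the safe direction for a cap but may surprise an administrator who expected the override to apply.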
- C4R.USER.PWEXP.owner.userid
This policy profile can be used to control usage of the EXPIRED and NOEXPIRED options on the ALTUSER command. RACF already restricts the NOEXPIRED option to terminal users with the system special attribute and users with UPDATE access to the IRR.PASSWORD.RESET profile. The current policy profile allows further restriction on the target user. It also controls the authority to expire a password or phrase without setting a new value for the password or phrase. Although the qualifier PWEXP suggests that this policy profile applies only for expiration of passwords, it also applies to phrases.
The following access rules apply:
- No profile found
- This control is not implemented. No action is performed.
- NONE
- The terminal user is not authorized to expire the current password and phrase through use of the EXPIRED keyword on the ALTUSER command. If a new value for the password or phrase is specified, the default value of EXPIRED is allowed. When specifying a new value for the password or phrase, the terminal user is not authorized to specify NOEXPIRED.
- READ
- Same as NONE.
- UPDATE
- The terminal user is authorized to expire the current password and phrase through use of the EXPIRED keyword without specifying a new value for the password or phrase. When specifying a new value for the password or phrase, the terminal user is authorized to specify EXPIRED as well as NOEXPIRED. This access level allows regular maintenance of passwords and phrases.
- CONTROL
- The policy is not implemented for the terminal user. This access level allows regular maintenance of passwords and phrases.