Activate and deactivate users for multiple instance factors

You use the ALTUSER or ALU command to activate users for multiple instance factors. You can configure a user for more than one active instance of a factor. However, if you do so, the user must use IBM® MFA Out-of-Band authentication, where the policy determines which instance of the factor applies.

Before you begin

When you activate a user for IBM MFA, that user is no longer able to use the z/OS® password to log in. Therefore, the user must first have valid credentials.

To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply the NOACTIVE keyword to deactivate the authenticator for the user ID.

Procedure

  1. For example, enter the following command to activate a user for a generic RADIUS multiple instance factor:
    ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>)
        ACTIVE TAGS(RADUSERID:[User ID]))    
    Where:
    • [Login ID] is the z/OS user name.
    • FACTOR(<FACTOR_NAME><suffix>) is the specific factor instance.
    • ACTIVE activates the AZFRADP1 authenticator for the user ID.
    • [User ID] is the associated RADIUS user ID.
  2. If needed, enter the following command to defer activating a user. The example uses AZFRADP1.
    ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>)
        TAGS(RADUSERID:[User ID]))
    Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the AZFRADP1 authenticator for the user ID. The example uses AZFRADP1.
    ALU <USERID> MFA(FACTOR(AZFRADP1<suffix>) ACTIVE)
  3. Enter the following command to display IBM MFA information for a user profile:
    LISTUSER [Login ID] MFA

    MULTIFACTOR AUTHENTICATION INFORMATION:
    ---------------------------------------
      PASSWORD FALLBACK IS NOT ALLOWED
      FACTOR = <FACTOR_NAME><suffix>
        STATUS = ACTIVE
        FACTOR TAGS =
          RADUSERID:user
  4. If needed, enter the following command to deactivate a user. The example uses AZFRADP1.
    ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>)
        NOACTIVE TAGS(RADUSERID:[User ID]))
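
To confirm the result of the steps above from captured LISTUSER output, the following added example (not IBM code) parses the MFA section and reports which factor instances are active. The function names, the factor suffixes X1 and X2, the tag values, and the STATUS = INACTIVE line are assumptions made for the example.

```python
import re

# Constructed sample in the LISTUSER ... MFA layout shown above. The suffixes
# (X1, X2), tag values and the INACTIVE status are assumptions for this example.
SAMPLE = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
  PASSWORD FALLBACK IS NOT ALLOWED
  FACTOR = AZFRADP1X1
    STATUS = ACTIVE
    FACTOR TAGS =
      RADUSERID:jdoe
  FACTOR = AZFRADP1X2
    STATUS = INACTIVE
    FACTOR TAGS =
      RADUSERID:jdoe-admin
"""

def parse_listuser_mfa(text):
    """Return {'password_fallback': bool or None, 'factors': [dict, ...]}."""
    result = {"password_fallback": None, "factors": []}
    current, in_tags = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PASSWORD FALLBACK IS"):
            result["password_fallback"] = "NOT ALLOWED" not in line
        elif m := re.match(r"FACTOR\s*=\s*(\S+)$", line):
            current = {"name": m.group(1), "status": None, "tags": {}}
            result["factors"].append(current)
            in_tags = False  # tags that follow belong to this new instance
        elif current and (m := re.match(r"STATUS\s*=\s*(\S+)$", line)):
            current["status"] = m.group(1)
        elif current and line.startswith("FACTOR TAGS"):
            in_tags = True
        elif current and in_tags and ":" in line:
            key, _, value = line.partition(":")
            current["tags"][key.strip()] = value.strip()
    return result

def audit(parsed):
    """Return (findings, active factor names) for review after ALU changes."""
    findings = []
    if parsed["password_fallback"] is not False:
        findings.append("password fallback is allowed or not reported")
    active = [f["name"] for f in parsed["factors"] if f["status"] == "ACTIVE"]
    if not active:
        findings.append("no ACTIVE factor instance")
    elif len(active) > 1:
        findings.append("more than one ACTIVE instance: out-of-band required")
    return findings, active
```

Calling audit(parse_listuser_mfa(SAMPLE)) returns an empty findings list and the single active instance; two active instances produce the out-of-band finding, matching the requirement stated at the top of this page.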