You use the ALTUSER or ALU command to activate
users for multiple instance factors. You can configure a user for more than one active instance of
a factor. However, if you do so, the user must use IBM® MFA Out-of-Band
authentication, where the policy determines which instance of the factor applies.
Before you begin
When you activate a user for IBM MFA, that user is no
longer able to use the z/OS® password to log in. Therefore,
the user must first have valid credentials.
To defer activation to a later time, omit the ACTIVE keyword from the ALTUSER command, or supply
the NOACTIVE keyword to deactivate the authenticator for the user ID.
Procedure
- For example, enter the following command to activate a user for a generic RADIUS multiple instance factor:
ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>) ACTIVE TAGS(RADUSERID:[User ID]))
Where:
- [Login ID] is the z/OS user name.
- FACTOR(<FACTOR_NAME><suffix>) is the specific factor instance.
- ACTIVE activates the AZFRADP1 authenticator for the user ID.
- [User ID] is the associated RADIUS user ID.
- If needed, enter the following command to defer activating a user. The example uses AZFRADP1.
ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>) TAGS(RADUSERID:[User ID]))
Then, at a later time, enter an ALTUSER or ALU command of the following form to activate the
AZFRADP1 authenticator for the user ID. The example uses AZFRADP1.
ALU <USERID> MFA(FACTOR(AZFRADP1<suffix>) ACTIVE)
- Enter the following command to display IBM MFA information for a user profile:
MULTIFACTOR AUTHENTICATION INFORMATION:
---------------------------------------
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = <FACTOR_NAME><suffix>
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:user
- If needed, enter the following command to deactivate a user. The example uses AZFRADP1.
ALU [Login ID] MFA(FACTOR(AZFRADP1<suffix>) NOACTIVE TAGS(RADUSERID:[User ID]))
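An added example, not part of the IBM documentation: a Python audit helper that parses the MULTIFACTOR AUTHENTICATION INFORMATION display shown in the procedure above and flags users with more than one active factor instance (who must use Out-of-Band authentication), deferred activations, and instances without a RADUSERID tag. The sample text, factor suffixes, tag values and the INACTIVE status wording are constructed assumptions.

```python
import re

# Constructed sample in the layout of the display above. Factor suffixes, tag
# values and the INACTIVE status wording are assumptions, not values from IBM.
SAMPLE = """\
MULTIFACTOR AUTHENTICATION INFORMATION:
PASSWORD FALLBACK IS NOT ALLOWED
FACTOR = AZFRADP1SFXA
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:raduser1
FACTOR = AZFRADP1SFXB
STATUS = ACTIVE
FACTOR TAGS =
RADUSERID:raduser2
FACTOR = AZFRADP1SFXC
STATUS = INACTIVE
FACTOR TAGS =
"""

def parse_mfa_section(text):
    """Parse the MFA section into {'fallback': bool|None, 'factors': [...]}."""
    result, current, in_tags = {"fallback": None, "factors": []}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("PASSWORD FALLBACK IS"):
            result["fallback"] = "NOT ALLOWED" not in line
        elif m := re.fullmatch(r"FACTOR\s*=\s*(\S+)", line):
            current = {"name": m.group(1), "status": None, "tags": {}}
            result["factors"].append(current)
            in_tags = False
        elif current and (m := re.fullmatch(r"STATUS\s*=\s*(\S+)", line)):
            current["status"] = m.group(1)
        elif current and re.fullmatch(r"FACTOR TAGS\s*=", line):
            in_tags = True
        elif current and in_tags and ":" in line:
            key, _, value = line.partition(":")
            current["tags"][key.strip()] = value.strip()
    return result

def review(parsed):
    # More than one ACTIVE instance means the user must use Out-of-Band.
    active = [f["name"] for f in parsed["factors"] if f["status"] == "ACTIVE"]
    notes = ["out-of-band required: " + ", ".join(active)] if len(active) > 1 else []
    for f in parsed["factors"]:
        if f["status"] != "ACTIVE":  # defined without ACTIVE, or set NOACTIVE
            notes.append("activation deferred: " + f["name"])
        if "RADUSERID" not in f["tags"]:
            notes.append("no RADUSERID tag: " + f["name"])
    return notes
```

Call `review(parse_mfa_section(text))` on the captured display text for each user profile.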