Create and manage policies for multiple instance factors

To use IBM® MFA Out-of-Band you must use the RDEFINE command to define policies for multiple instance factors, and the ALU command to apply the policies to one or more users.

Before you begin

Important: If you apply a policy to a user, the user must have all the factors defined in the policy, and those factors must be active for the user. RACF® does not prevent you from applying a policy to a user who does not have all the required factors defined; verify the user's factors first, because a user who is missing any required factor cannot authenticate with IBM MFA Out-of-Band.

Procedure

  1. Enter the following command to create a multi-factor authentication policy:
    RDEF MFADEF POLICY.POLICY-NAME MFPOLICY(FACTOR(FACTOR-NAME<suffix>)
    TOKENTIMEOUT(num-of-seconds) REUSE(Y|N))
    Where:
    • POLICY-NAME is a name of your choice between 1 and 20 characters. The allowed characters are A-Z, 0-9. You might find it convenient to give the policy a descriptive name, such as CERTSIDPTOTP or CERTONLY.
    • FACTOR-NAME<suffix> is a space-separated list of factor names combined with your chosen suffix. The allowed factor names are as follows:
      • AZFRADP1
      • AZFSIDP1
      • AZFSIDP3
      • AZFSIDR1
      • AZFSFNP1
      • AZFLDAP1
      • AZFISAM1
      • AZFCKCTC
    • TOKENTIMEOUT sets the length of time (in seconds) that the IBM MFA Out-of-Band token is valid once generated. The value can be between 1 and 86,400 (the number of seconds in a day). The default is 300 seconds (5 minutes).
    • REUSE determines whether the IBM MFA Out-of-Band token can be reused by an application. Possible values are Y or N. The default is N.
  2. Repeat step 1 for each additional policy you need.
  3. Refresh the MFADEF class:
    SETROPTS RACLIST(MFADEF) REFRESH
  4. Enter the following command to display information about a specific policy:
    RLIST MFADEF POLICY.POLICY-NAME MFPOLICY
  5. Enter the following command to display information about all IBM MFA factors and policies:
    RLIST MFADEF *
  6. Enter the following command to apply the policy to a user:
    ALU <USERID> MFA(ADDPOLICY(POLICY-NAME))
  7. Repeat step 6 for each additional policy or user as needed. If you apply multiple policies to a user, instruct the user which policy to use.
  8. Enter the following command to display IBM MFA information for a user profile, including any applied policies:
    LU <USERID> MFA
    MULTIFACTOR AUTHENTICATION INFORMATION:
    ---------------------------------------
      PASSWORD FALLBACK IS NOT ALLOWED
      AUTHENTICATION POLICIES =
        TOTPONLY
      FACTOR = AZFSIDP1<suffix>
        STATUS = ACTIVE
        FACTOR TAGS =
          SIDUSERID:user
  9. If needed, enter the following command to remove a policy from a user:
    ALU <USERID> MFA(DELPOLICY(POLICY-NAME))
  10. If needed, enter the following commands to delete a policy and refresh the MFADEF class:
    RDEL MFADEF POLICY.POLICY-NAME
    SETROPTS RACLIST(MFADEF) REFRESH
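The following added Python example (not part of the IBM documentation) builds the RDEF and ALU commands from steps 1 and 6 after checking the limits this procedure states, and parses the LU MFA output from step 8 so that a policy is applied only to a user whose policy factors are all ACTIVE, the check that RACF itself does not perform. The factor suffix SFX, the user ID USER01 and the INACTIVE status in the sample output are constructed placeholders, not values from the page.

```python
import re

# Factor base names the page lists as allowed in an MFPOLICY FACTOR() list.
ALLOWED_FACTOR_BASES = ("AZFRADP1", "AZFSIDP1", "AZFSIDP3", "AZFSIDR1",
                        "AZFSFNP1", "AZFLDAP1", "AZFISAM1", "AZFCKCTC")

def validate_policy(name, factors, token_timeout=300, reuse="N"):
    """Enforce the limits the procedure states for each MFPOLICY field."""
    if not re.fullmatch(r"[A-Z0-9]{1,20}", name):
        raise ValueError(f"policy name {name!r}: 1-20 chars, A-Z and 0-9 only")
    if not factors or any(not f.startswith(ALLOWED_FACTOR_BASES) for f in factors):
        raise ValueError("every factor must be an allowed factor name plus suffix")
    if not 1 <= token_timeout <= 86400:
        raise ValueError("TOKENTIMEOUT must be 1..86400 seconds")
    if reuse not in ("Y", "N"):
        raise ValueError("REUSE must be Y or N")

def rdef_command(name, factors, token_timeout=300, reuse="N"):
    """Build the RDEF command from step 1 after validating its fields."""
    validate_policy(name, factors, token_timeout, reuse)
    return (f"RDEF MFADEF POLICY.{name} MFPOLICY(FACTOR({' '.join(factors)}) "
            f"TOKENTIMEOUT({token_timeout}) REUSE({reuse}))")

def active_factors(lu_output):
    """Collect factor names whose STATUS is ACTIVE from 'LU <userid> MFA' output."""
    active, current = set(), None
    for line in lu_output.splitlines():
        m = re.match(r"\s*FACTOR\s*=\s*(\S+)\s*$", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"\s*STATUS\s*=\s*ACTIVE\s*$", line):
            active.add(current)
    return active

def alu_addpolicy(userid, policy_name, factors, lu_output):
    """Step-6 ALU command, emitted only if every policy factor is ACTIVE for the user."""
    missing = sorted(set(factors) - active_factors(lu_output))
    if missing:
        raise ValueError(f"{userid} lacks active factor(s): {', '.join(missing)}")
    return f"ALU {userid} MFA(ADDPOLICY({policy_name}))"

# Constructed LU output modelled on step 8 (suffix SFX and INACTIVE are placeholders).
LU_SAMPLE = """\
  PASSWORD FALLBACK IS NOT ALLOWED
  FACTOR = AZFSIDP1SFX
    STATUS = ACTIVE
    FACTOR TAGS =
      SIDUSERID:user
  FACTOR = AZFCKCTCSFX
    STATUS = INACTIVE
"""
```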