z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF

Defining protected user IDs

z/OS Security Server RACF Security Administrator's Guide

You can define a protected user ID by assigning the NOPASSWORD, NOPHRASE, and NOOIDCARD attributes through the ADDUSER or ALTUSER command. Protected user IDs are protected from being used to logon to the system and from being revoked through inactivity or unsuccessful attempts to access the system using incorrect passwords and password phrases. However, they can be revoked using the ALTUSER (userid) REVOKE command. If revoked, protected user IDs can be activated using the ALTUSER (userid) RESUME command.

A protected user ID cannot be used to enter the system by any method that uses a supplied password, such as TSO logon, CICS® signon, z/OS UNIX rlogin, batch job submission when a password is specified using the PASSWORD parameter of the JOB statement, or by supplying a password phrase. Before assigning the PROTECTED attribute to a user ID, you should ensure that the user ID will not be used in any situation where specification of a password or password phrase is required.

You might want to assign protected user IDs to z/OS UNIX, and to the UNIX daemons, started procedures, applications, servers or subsystems associated with z/OS UNIX, to minimize their exposure to inadvertent or malicious misuse or revocation. Surrogate-submitted batch jobs can use protected user IDs. See Using protected user IDs for batch jobs for more information. Protected users can be associated with started procedures defined in the STARTED class (preferred method) or in the started procedures table (ICHRIN03). For more information, see Assigning RACF user IDs to started procedures.

The following example shows the ALTUSER command used to assign the PROTECTED attribute to an existing user ID.
A protected user ID will have the PROTECTED attribute displayed in the output of the LISTUSER command.
To remove the PROTECTED attribute from an existing user ID, use the ALTUSER command to assign a password:

Go to the previous page Go to the next page

Copyright IBM Corporation 1990, 2014