Defining protected user IDs
You can define a protected user ID by assigning the NOPASSWORD, NOPHRASE, and NOOIDCARD attributes through the ADDUSER or ALTUSER command. Protected user IDs are protected from being used to logon to the system and from being revoked through inactivity or unsuccessful attempts to access the system using incorrect passwords and password phrases. However, they can be revoked using the ALTUSER (userid) REVOKE command. If revoked, protected user IDs can be activated using the ALTUSER (userid) RESUME command.
A protected user ID cannot be used to enter the system by any method
that uses, a supplied password, such as TSO logon, CICS® signon, PassTicket
authentication, z/OS UNIX rlogin,
batch job submission when a password is specified using the PASSWORD
parameter of the JOB statement, or by supplying a password phrase.
Before assigning the PROTECTED attribute to a user ID, you should
ensure that the user ID will not be used in any situation where specification
of a password, PassTicket, or password phrase is required.
You might want to assign protected user IDs to z/OS UNIX, and to the UNIX daemons, started procedures, applications, servers or subsystems associated with z/OS UNIX, to minimize their exposure to inadvertent or malicious misuse or revocation. Surrogate-submitted batch jobs can use protected user IDs. See Using protected user IDs for batch jobs for more information. Protected users can be associated with started procedures defined in the STARTED class (preferred method) or in the started procedures table (ICHRIN03). For more information, see Assigning RACF user IDs to started procedures.
ALTUSER SERVER8 NOPASSWORD NOPHRASEALTUSER SERVER8 PASSWORD(password)