Protected user IDs

The user IDs that you assign to started procedures should have the PROTECTED attribute. Protected user IDs are user IDs that have the NOPASSWORD, NOPHRASE, and NOOIDCARD attributes. They are defined or modified using the ADDUSER and ALTUSER commands. See Defining protected user IDs for more information.

Protected user IDs cannot be used to logon to the system, and are protected from being revoked through incorrect system access attempts. The following example shows a protected user ID being defined for a CICS® region, and an existing user ID used by JES being given the PROTECTED attribute:

ADDUSER CICS03 DFLTGRP(STCGROUP) OWNER(STCADMIN) NOPASSWORD
ALTUSER JES    DFLTGRP(STCGROUP) OWNER(STCADMIN) NOPASSWORD NOPHRASE

If you do not specify NOPASSWORD for a user ID assigned to a started procedure, you should specify a password and change the password periodically. If you do not specify a password and do not specify NOPASSWORD, RACF® uses the default group name as the password. Anyone who knows this user ID and password combination can gain access to any resource that the started procedure can access.

See Using protected user IDs for batch jobs for more information.

Note: If the associated user ID is revoked for any reason, the started procedure might have problems allocating new SMS-managed data sets, submitting batch jobs, and obtaining printed output.