Defining protected user IDs
You can define a protected user ID by assigning the NOPASSWORD, NOPHRASE, and NOOIDCARD attributes through the ADDUSER or ALTUSER command. Protected user IDs are protected from being used to log on to the system and from being revoked through inactivity or through unsuccessful attempts to access the system using incorrect passwords and password phrases. However, they can be revoked using the ALTUSER (userid) REVOKE command. If revoked, protected user IDs can be activated using the ALTUSER (userid) RESUME command.
A protected user ID cannot be used to enter the system by any method that uses a supplied password, such as TSO logon, CICS® signon, PassTicket authentication, z/OS UNIX rlogin, batch job submission when a password is specified using the PASSWORD parameter of the JOB statement, or by supplying a password phrase. Before assigning the PROTECTED attribute to a user ID, you should ensure that the user ID will not be used in any situation where specification of a password, PassTicket, or password phrase is required.
Applications can authenticate a protected user ID with an Identity Token (IDT) when the covering IDTDATA profile indicates PROTALLOWED(YES). See z/OS Security Server RACF Command Language Reference and z/OS Security Server RACROUTE Macro Reference for more details on the RACF IDT support.
You might want to assign protected user IDs to z/OS UNIX, and to the UNIX daemons, started procedures, applications, servers or subsystems associated with z/OS UNIX, to minimize their exposure to inadvertent or malicious misuse or revocation. Surrogate-submitted batch jobs can use protected user IDs. See Using protected user IDs for batch jobs for more information. Protected users can be associated with started procedures defined in the STARTED class (preferred method) or in the started procedures table (ICHRIN03). For more information, see Assigning RACF user IDs to started procedures.
ALTUSER SERVER8 NOPASSWORD NOPHRASE
A protected user ID will have the PROTECTED attribute displayed in the output of the LISTUSER command.
ALTUSER SERVER8 PASSWORD(password)
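The following audit check is an added example, not part of the original documentation: it reads saved LISTUSER output and reports service user IDs that lack the PROTECTED attribute or that are protected but revoked. The line layout (`USER=` and `ATTRIBUTES=` prefixes), the sample text, and every user ID other than SERVER8 are assumptions constructed for illustration.

```python
import re

# Constructed sample modeled on LISTUSER output; not captured from a real system.
SAMPLE_LISTUSER = """\
USER=SERVER8  NAME=WEB SERVER  OWNER=SYSADM  CREATED=24.101
 DEFAULT-GROUP=STCGRP  PASSDATE=N/A  PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
    CONNECT ATTRIBUTES=NONE
USER=FTPD  NAME=FTP DAEMON  OWNER=SYSADM  CREATED=24.101
 DEFAULT-GROUP=STCGRP  PASSDATE=24.130  PASS-INTERVAL=180  PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=BATCH01  NAME=SCHEDULER  OWNER=SYSADM  CREATED=24.101
 DEFAULT-GROUP=STCGRP  PASSDATE=N/A  PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 ATTRIBUTES=REVOKED
"""

def parse_attributes(listuser_text):
    """Map each user ID to the set of user attributes listed for it."""
    users, current = {}, None
    for line in listuser_text.splitlines():
        m = re.match(r"\s*USER=(\S+)", line)
        if m:
            current = m.group(1)
            users[current] = set()
            continue
        # Anchored match skips "CONNECT ATTRIBUTES=" lines in the group section.
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if m and current:
            users[current].update(a for a in m.group(1).split() if a != "NONE")
    return users

def audit_service_ids(listuser_text, service_ids):
    """Return a finding per service ID that is missing, unprotected or revoked."""
    attrs = parse_attributes(listuser_text)
    findings = {}
    for uid in service_ids:
        if uid not in attrs:
            findings[uid] = "not found in LISTUSER output"
        elif "PROTECTED" not in attrs[uid]:
            findings[uid] = f"not PROTECTED; command: ALTUSER {uid} NOPASSWORD NOPHRASE NOOIDCARD"
        elif "REVOKED" in attrs[uid]:
            findings[uid] = f"PROTECTED but revoked; command: ALTUSER {uid} RESUME"
    return findings

if __name__ == "__main__":
    expected = ["SERVER8", "FTPD", "BATCH01", "NFSD"]  # hypothetical service IDs
    for uid, finding in audit_service_ids(SAMPLE_LISTUSER, expected).items():
        print(f"{uid}: {finding}")
```

Before acting on a "not PROTECTED" finding, confirm that the ID is never used where a password, PassTicket, or password phrase must be supplied.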