Improved auditing of user IDs

You can now specify that a full verification request takes place at least once a day when users log in to the CICS region. This process ensures that user IDs record their most recent usage date for requests made over IP.

When a user logs in to CICS by a method that uses password verification, like the EXEC CICS VERIFY PASSWORD or EXEC CICS VERIFY PHRASE command, instead of a full verification request like the EXEC CICS SIGNON command, the login process is faster. However, with the faster login methods, RACF does not record the login as the last access for the user ID, and does not write audit information for the user ID. User IDs that are always used with the faster login methods can therefore appear to be unused, and could be revoked.

CICS uses password verification for improved performance in the following login processes:

You might also have your own login processes that use the EXEC CICS VERIFY PASSWORD or VERIFY PHRASE command.

If you have users who generally use login processes with password verification, you can now specify the system initialization parameter SECVFYFREQ=USRDELAY in the CICS region, to require that CICS makes a full verification request at least once a day for each user ID that is used to log in to the CICS region. The full verification request uses the RACROUTE REQUEST=VERIFYX macro, instead of the RACROUTE REQUEST=EXTRACT macro that is used for password verification. In RACF, the full verification request updates the user statistics for audit purposes, and updates the date and time of last access for the user ID so that it is recorded as being in use.



Last updated: Thursday, 27 June 2019