z/OS Security Server RACF Security Administrator's Guide


Interaction among password synchronization, automatic direction of commands, and automatic password direction

SA23-2289-00

Password synchronization, automatic direction of commands, and automatic password direction can be active at the same time. These functions interact as follows:
  • When a password or password phrase change is made at logon:
    • Password synchronization sends the change to users with approved PEER PWSYNC associations, if the user changing the password or password phrase is authorized to the appropriate password synchronization resource.
    • If automatic password direction is enabled on the system, and the user who changed the password or password phrase is authorized to one or more profiles, the change is automatically directed to the same user IDs on the nodes defined by the RRSFDATA profiles that protect automatic password direction.
  • A password or password phrase changed by the PASSWORD command is not directed by automatic password direction. It is directed by automatic direction of commands based on RRSFDATA profile setup. Also, if the user is authorized to the appropriate password synchronization resource, password and password phrase changes are sent to users with approved PEER PWSYNC associations with the user whose password or password phrase was changed.
  • Password synchronization and automatic password direction do not handle updates initiated by the ADDUSER command. Users who participate in password synchronization must be initially defined to RACF® before automatic direction can occur. The ADDUSER command can be directed by automatic direction of commands based on RRSFDATA profile setup.
  • The ALTUSER and PASSWORD commands must be automatically directed to maintain the synchronization of user passwords and password phrases for the same user IDs across RRSF nodes. This automatic direction is controlled by the RRSFDATA profiles for automatic direction of commands that protect AUTODIRECT.node.USER.ALTUSER and AUTODIRECT.node.USER.PASSWORD. The RRSFDATA profiles that protect automatic password direction are not checked for the automatic direction of the ALTUSER and PASSWORD commands.
  • A password or password phrase change by other methods, such as at logon or by an installation-written application, is not directed by automatic direction of commands. These changes are sent to users with the same name if automatic password direction is in effect. Also, if the user is authorized to the appropriate profile in the RRSFDATA class, the changes are sent to users with approved PEER PWSYNC associations with the user whose password or password phrase was changed.
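The rules above can be modeled as a small decision function to check which function forwards a change for a given setup, and which change methods are left unsynchronized for the same user ID on other nodes. This is an added example, not IBM code; the `Setup` fields, function names and labels are assumptions made for illustration, and the model covers only what this section states.

```python
from dataclasses import dataclass

# Change methods this section distinguishes.
LOGON, APPLICATION = "logon", "application"
PASSWORD_CMD, ALTUSER_CMD, ADDUSER_CMD = "PASSWORD", "ALTUSER", "ADDUSER"

PWSYNC = "password synchronization"
APD = "automatic password direction"
ADC = "automatic direction of commands"

@dataclass(frozen=True)
class Setup:
    """Constructed view of one user on one node (field names are assumptions)."""
    pwsync_authorized: bool       # authorized to the password synchronization resource
    apd_authorized: bool          # automatic password direction enabled and user authorized
    directed_commands: frozenset  # commands covered by AUTODIRECT.node.USER.<command> profiles

def propagation(method, s):
    """Return the set of functions that forward a change made by `method`."""
    out = set()
    if method in (LOGON, APPLICATION):
        # Not a command, so automatic direction of commands never applies.
        if s.apd_authorized:
            out.add(APD)
        if s.pwsync_authorized:
            out.add(PWSYNC)
    else:
        # Commands: the automatic password direction profiles are not checked.
        # ADDUSER is never handled by PWSYNC or APD, only by command direction.
        if method in s.directed_commands:
            out.add(ADC)
        # The section states the PWSYNC rule for the PASSWORD command only;
        # ALTUSER is modeled here for command direction alone.
        if method == PASSWORD_CMD and s.pwsync_authorized:
            out.add(PWSYNC)
    return out

def same_id_gaps(s):
    """Password-changing methods NOT forwarded to the same user ID on other nodes."""
    same_id = {APD, ADC}
    methods = (LOGON, APPLICATION, PASSWORD_CMD, ALTUSER_CMD)
    return [m for m in methods if not (propagation(m, s) & same_id)]

if __name__ == "__main__":
    # Constructed case: password direction set up, command direction forgotten.
    s = Setup(True, True, frozenset())
    for m in (LOGON, APPLICATION, PASSWORD_CMD, ALTUSER_CMD, ADDUSER_CMD):
        print(f"{m:12} -> {sorted(propagation(m, s)) or 'not forwarded'}")
    print("same-ID gaps:", same_id_gaps(s))
```

With automatic password direction in place but no command direction profiles, the model reports the PASSWORD and ALTUSER commands as gaps, which is the case the AUTODIRECT.node.USER.ALTUSER and AUTODIRECT.node.USER.PASSWORD profiles exist to close.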





Copyright IBM Corporation 1990, 2014