z/OS Security Server RACF Security Administrator's Guide


Excluding selected users

SA23-2289-00

You can exclude selected user profiles from the scope of IRR.PWRESET.OWNER.owner and IRR.PWRESET.TREE.owner processing so that users authorized by these IRR.PWRESET resources cannot resume user IDs and reset passwords and password phrases for the excluded user profiles. To exclude selected users, define a profile in the FACILITY class to protect the IRR.PWRESET.EXCLUDE.excluded-user resource, where excluded-user is the user ID you are excluding.

When you protect the IRR.PWRESET.EXCLUDE.excluded-user resource with UACC(NONE) and give no general users or groups access, the excluded user's user ID cannot be resumed and the password and password phrase cannot be reset, even when the command issuer has READ (or higher) access to the appropriate IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner resource in the FACILITY class.

In other words, when a general user, who has no access to the IRR.PWRESET.EXCLUDE.excluded-user resource, attempts to resume the user ID or reset the password or password phrase of an excluded user, the ALTUSER command fails.

Users and groups that you authorize with READ access to the IRR.PWRESET.EXCLUDE.excluded-user resource are allowed to resume the user ID and reset the password and password phrase of the excluded user when they also have READ access to the appropriate IRR.PWRESET resource.

See Levels of authority for restrictions and details about authority based on the access level to the IRR.PWRESET.EXCLUDE.excluded-user resource in the FACILITY class.

Tip: If you want to exclude a set of users with similar user IDs, use a generic name (such as GRPADM*) in place of the excluded user ID.

Restriction: Users who are authorized by the IRR.PASSWORD.RESET resource are not limited when you exclude user profiles with the IRR.PWRESET.EXCLUDE.excluded-user resource. Excluded users are excluded only when the general user or group has authority through the IRR.PWRESET.OWNER.owner or IRR.PWRESET.TREE.owner resource.

Protected users and users with the SPECIAL, AUDITOR, or OPERATIONS attribute cannot be resumed, or have their passwords or password phrases reset, by users with authority through the IRR.PWRESET resources. Therefore, you need not exclude users with these attributes using the IRR.PWRESET.EXCLUDE.excluded-user resource.
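The exclusion described above, written out as a REXX exec that issues the RACF commands. This is an added example, not part of the original page; the user ID PAYADM1, the generic name GRPADM*, the owner group SYSADMG and the administrator group SECADMS are assumed names.

```rexx
/* REXX - define IRR.PWRESET.EXCLUDE profiles in the FACILITY class  */
address tso

/* Exclude a single user. UACC(NONE) with no general access means  */
/* users whose only authority comes from IRR.PWRESET.OWNER.owner   */
/* or IRR.PWRESET.TREE.owner can no longer resume PAYADM1 or reset */
/* its password or password phrase (ALTUSER fails).                */
"RDEFINE FACILITY IRR.PWRESET.EXCLUDE.PAYADM1 UACC(NONE) OWNER(SYSADMG)"

/* Exclude a set of users with similar IDs through a generic name. */
/* Generic profile checking must be active for the FACILITY class. */
"SETROPTS GENERIC(FACILITY)"
"RDEFINE FACILITY IRR.PWRESET.EXCLUDE.GRPADM* UACC(NONE) OWNER(SYSADMG)"

/* Allow one trusted group to override the exclusion for PAYADM1.  */
/* READ here takes effect only when the issuer also holds READ on  */
/* the appropriate IRR.PWRESET resource.                           */
"PERMIT IRR.PWRESET.EXCLUDE.PAYADM1 CLASS(FACILITY) ID(SECADMS) ACCESS(READ)"

/* Make the new profiles effective when FACILITY is RACLISTed.     */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Verify: UACC should show NONE and the access list should hold   */
/* only the groups you intend to exempt.                           */
"RLIST FACILITY IRR.PWRESET.EXCLUDE.PAYADM1 AUTHUSER"
"RLIST FACILITY IRR.PWRESET.EXCLUDE.GRPADM* AUTHUSER"

/* Note: this does not restrict users authorized through           */
/* IRR.PASSWORD.RESET, and SPECIAL, AUDITOR, OPERATIONS and        */
/* protected users need no exclusion profile at all.               */
exit 0
```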

Copyright IBM Corporation 1990, 2014