z/OS Security Server RACF Security Administrator's Guide


Controlling password synchronization

SA23-2289-00

To enable synchronization of passwords and password phrases, issue the SET PWSYNC command. (For syntax information, see z/OS Security Server RACF Command Language Reference.)

For users with RACLINK PEER PWSYNC associations on an RRSF node, you can use the following resources in the RRSFDATA class to further control synchronization:
  • The PWSYNC resource, to authorize users for password synchronization.
    Example:
    RDEFINE RRSFDATA PWSYNC UACC(NONE)
    PERMIT PWSYNC CLASS(RRSFDATA) ID(SYSGRP ADMGRP) ACCESS(READ) 
  • The PHRASESYNC resource, to authorize users for password phrase synchronization.
    Example:
    RDEFINE RRSFDATA PHRASESYNC UACC(NONE)
    PERMIT PHRASESYNC CLASS(RRSFDATA) ID(*) ACCESS(READ)
Important: Defining the PWSYNC or PHRASESYNC resource does not by itself initiate synchronization for authorized users. For synchronization to occur, each user must have an approved RACLINK PEER association with password synchronization (PWSYNC) enabled and have sufficient authority for the PWSYNC resource, the PHRASESYNC resource, or both resources. For more information, see Password synchronization.

To be authorized for synchronization, a user must be permitted with at least READ access to the appropriate RRSFDATA resource. This allows PWSYNC requests for the user to be processed successfully. Alternatively, you can define a UACC of READ for the PWSYNC resource or the PHRASESYNC resource, or both, to authorize synchronization for all users who have approved PEER associations with PWSYNC enabled.

Examples:
RALTER RRSFDATA PWSYNC UACC(READ)
RDEFINE RRSFDATA PHRASESYNC UACC(READ)
Important: If the RACF® RRSFDATA class is not active or the PWSYNC resource is not defined, password synchronization will not occur even for users with established associations. Similarly, if the RACF RRSFDATA class is not active or the PHRASESYNC resource is not defined, password phrase synchronization will not occur even for users with established associations.
To enable synchronization for users with RACLINK PEER PWSYNC associations and disable automatic password direction, issue:
SET PWSYNC NOAUTOPWD
To disable synchronization, issue:
SET NOPWSYNC
You can also use the RRSFDATA resources to control synchronization at a system level. For example, you can turn off synchronization without having to delete all of the existing user ID associations by deleting the PWSYNC or PHRASESYNC resource, or by changing the UACC to NONE with no users on the access list.
Examples:
RALTER RRSFDATA PWSYNC UACC(NONE)
RDELETE RRSFDATA PHRASESYNC
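The conditions scattered across this topic (SET PWSYNC in effect, RRSFDATA class active, resource defined, approved PEER association with PWSYNC enabled, at least READ access through a PERMIT, a group, ID(*) or UACC) must all hold before a change propagates, and a single missing one silently stops synchronization. The following added example, which is not IBM code, encodes those rules as a small audit model so an administrator can check, from values exported off the system (for instance from SET LIST, RLIST RRSFDATA ... AUTHUSER and RACLINK LIST output), whether a given user's password or phrase changes will actually synchronize. The data classes, the dictionary layout and the sample profiles and users are constructed for this example; the access-list precedence (explicit user entry, then group entries, then ID(*), then UACC) follows standard RACF authorization checking, and the group handling assumes list-of-groups checking is active.

```python
"""Audit model of the RACF prerequisites for password / password phrase
synchronization.  Added example, not IBM's code; data layout is an assumption."""
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class RrsfData:
    """State of the RRSFDATA class on one node (constructed representation)."""
    class_active: bool
    # resource name -> (UACC, {userid or group or "*" -> access level})
    profiles: dict = field(default_factory=dict)


@dataclass
class UserState:
    userid: str
    groups: frozenset
    peer_association_approved: bool  # RACLINK PEER association approved on both sides
    pwsync_enabled: bool             # association was defined with PWSYNC


def effective_access(rrsf: RrsfData, resource: str, user: UserState) -> str:
    """Access level RACF would grant to the RRSFDATA resource.
    An explicit entry for the user ID wins (PERMIT ... ACCESS(NONE) is a real
    exclusion even when UACC is READ), then the user's groups, then ID(*),
    and only then the UACC.  Undefined resource -> NONE."""
    if resource not in rrsf.profiles:
        return "NONE"
    uacc, acl = rrsf.profiles[resource]
    if user.userid in acl:
        return acl[user.userid]
    group_hits = [acl[g] for g in user.groups if g in acl]
    if group_hits:  # assumes SETROPTS GRPLIST: highest access among groups
        return max(group_hits, key=lambda a: ACCESS_RANK[a])
    if "*" in acl:
        return acl["*"]
    return uacc


def will_sync(set_pwsync_on: bool, rrsf: RrsfData, user: UserState, resource: str) -> bool:
    """resource is 'PWSYNC' (passwords) or 'PHRASESYNC' (password phrases).
    Every condition from the topic must hold; any one failing stops propagation."""
    return (
        set_pwsync_on
        and rrsf.class_active
        and resource in rrsf.profiles
        and user.peer_association_approved
        and user.pwsync_enabled
        and ACCESS_RANK[effective_access(rrsf, resource, user)] >= ACCESS_RANK["READ"]
    )


def audit(set_pwsync_on: bool, rrsf: RrsfData, users) -> dict:
    """Return {userid: (password_syncs, phrase_syncs)} for the given users."""
    return {
        u.userid: (will_sync(set_pwsync_on, rrsf, u, "PWSYNC"),
                   will_sync(set_pwsync_on, rrsf, u, "PHRASESYNC"))
        for u in users
    }


# Constructed sample: PWSYNC permitted to two groups with one user explicitly
# excluded, PHRASESYNC opened to all RACF-defined users via ID(*).
SAMPLE_RRSF = RrsfData(
    class_active=True,
    profiles={
        "PWSYNC": ("NONE", {"SYSGRP": "READ", "ADMGRP": "READ", "TEMP1": "NONE"}),
        "PHRASESYNC": ("NONE", {"*": "READ"}),
    },
)
SAMPLE_USERS = [
    UserState("ADMIN1", frozenset({"ADMGRP"}), True, True),   # both sync
    UserState("TEMP1", frozenset({"SYSGRP"}), True, True),    # explicit NONE blocks PWSYNC
    UserState("USER2", frozenset({"USERS"}), True, True),     # no PWSYNC access at all
    UserState("USER3", frozenset({"ADMGRP"}), False, True),   # association not approved
]


def example_audit() -> dict:
    """Run the audit over the constructed sample with SET PWSYNC in effect."""
    return audit(True, SAMPLE_RRSF, SAMPLE_USERS)


if __name__ == "__main__":
    for userid, (pw, phrase) in example_audit().items():
        print(f"{userid:8} password={'yes' if pw else 'no ':3} phrase={'yes' if phrase else 'no'}")
```

Running the audit with SET NOPWSYNC in effect, with the RRSFDATA class inactive, or after RDELETE of a resource returns all-false rows for every user, which is the system-level cutoff the last paragraph describes; the per-user rows show why a PERMIT with ACCESS(NONE) on a user ID is an effective exclusion even when the user's group is permitted.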

Copyright IBM Corporation 1990, 2014