IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Can we protect RACDCERT MAP?

    Posted 16 days ago

    In the IBM-MAIN forum, there was discussion about started task userids, and how NOPASSWORD was good.
    There was a comment made that administrators should not be able to set the password for a protected userid (so they cannot then log on with the privileged ID using the password).
    First question. How is this set up?

    Second question, following on from the first question.
    I can use RACDCERT MAP to map a logon by certificate to become a userid.  If I am a naughty administrator, I can set my certificate to become an all-powerful userid, even if the userid is protected (has no password).

    How can I stop this, i.e. I am allowed to map certificates to normal (a subset of) userids, but not to privileged ones?



    ------------------------------
    Colin Paice
    Retired
    Stromness
    ------------------------------


  • 2.  RE: Can we protect RACDCERT MAP?

    Posted 14 days ago
    Edited by Rob van Hoboken 14 days ago

    Hi Colin

    Using zSecure Command Verifier you can control the PROTECTED status of user IDs.  If an ALTUSER command would change the PROTECTED status of an ID, the following policy profile is checked:

    XFACILIT C4R.USER.ATTR.PROTECTED.owner.userid

    The administrator who wants to assign PROTECTED status (to a normal user ID) needs READ on the applicable policy.
    If the administrator wants to remove the PROTECTED status from a PROTECTED ID, by setting a password/phrase using PASSWORD or ALTUSER, he needs UPDATE on the policy profile.  (There is an exception, read the manual to find out).

    You can use asterisks in the last 2 qualifiers to make the policy all-encompassing.

    This policy is also applied if the administrator has system special.

    Regarding certificate mapping, you have a very valid point.  Someone should open an Idea with RACF development, asking for control similar to the limitations afforded to IRR.PWRESET.

    ------------------------------
    Rob van Hoboken
    ------------------------------
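As an added illustration of the setup Rob describes (this is not code from the thread, from IBM, or from the zSecure documentation), the following TSO command list shows how a started-task ID is made PROTECTED and how the Command Verifier policy profile `C4R.USER.ATTR.PROTECTED.owner.userid` can be defined with READ for administrators who may assign PROTECTED and UPDATE for the few who may remove it. The user ID `MQSTC`, the groups `STCADM` and `SECADM`, and the use of a `**` generic (which assumes SETROPTS GENERIC is active for XFACILIT and that the class is RACLISTed) are assumptions for the example; the comments are in CLIST `/* */` style. It deliberately covers only the first question: as the reply notes, there is no comparable policy today for limiting which user IDs an administrator may target with RACDCERT MAP.

```tso
/* Added example, not from the thread: RACF commands for a PROTECTED   */
/* started-task ID plus the zSecure Command Verifier policy profile.   */
/* MQSTC, STCADM and SECADM are constructed names; adjust to your site. */

/* 1. Define the started-task ID as PROTECTED. NOPASSWORD NOPHRASE     */
/*    means no password or phrase can ever be used to log on with it,  */
/*    and it cannot be revoked by failed password attempts.            */
ADDUSER MQSTC NAME('MQ STARTED TASK') OWNER(STCADM) DFLTGRP(STCADM) +
        NOPASSWORD NOPHRASE

/*    An existing ID is made PROTECTED the same way.                   */
ALTUSER MQSTC NOPASSWORD NOPHRASE

/* 2. Command Verifier policy C4R.USER.ATTR.PROTECTED.owner.userid.    */
/*    The last two qualifiers are generic (assumes SETROPTS GENERIC    */
/*    for XFACILIT) so one profile covers every owner and user ID.     */
/*    UACC(NONE): with no access, nobody, system SPECIAL included,     */
/*    may change the PROTECTED status.                                 */
RDEFINE XFACILIT C4R.USER.ATTR.PROTECTED.** UACC(NONE)

/*    READ   = may assign PROTECTED (ALTUSER ... NOPASSWORD NOPHRASE). */
PERMIT C4R.USER.ATTR.PROTECTED.** CLASS(XFACILIT) ID(STCADM) ACCESS(READ)

/*    UPDATE = may also remove PROTECTED by giving the ID a password   */
/*    or phrase (PASSWORD or ALTUSER ... PASSWORD/PHRASE). Keep this   */
/*    to a small, audited group; this is the path a rogue admin would  */
/*    need to log on with the privileged ID.                           */
PERMIT C4R.USER.ATTR.PROTECTED.** CLASS(XFACILIT) ID(SECADM) ACCESS(UPDATE)

/* 3. Activate the change (assumes XFACILIT is RACLISTed).             */
SETROPTS RACLIST(XFACILIT) REFRESH

/* 4. Verify: who holds which access on the policy, and that the ID    */
/*    shows ATTRIBUTES=PROTECTED.                                      */
RLIST XFACILIT C4R.USER.ATTR.PROTECTED.** AUTHUSER
LISTUSER MQSTC
```

With this in place an ALTUSER or PASSWORD command that would flip the PROTECTED status of any ID is checked against the policy profile before RACF sees it, regardless of the issuer's SPECIAL attribute; the reply's caveat about an exception documented in the zSecure manual still applies.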