Hi Jim
Blocking specific RACF command keywords is the purview of zSecure Command Verifier. There is
a whole section in the Command Verifier user guide for password controls, but I'll quote just one option:
C4R.USER.PASSWORD.owner.userid
This policy profile controls the setting of the password by an administrator through the ADDUSER or
ALTUSER command. Setting your own password through the PASSWORD command is controlled by the
=RACUID profile. Some levels of RACF allow setting the password of another user through the
PASSWORD command. This is controlled by the password quality profile for value =DFLTGRP.
If the use of the (NO)PASSWORD keyword does not change the protected status, the current profile is
used. If these keywords make the user protected, or remove the protected status, the
C4R.USER.ATTR.PROTECTED profile is used instead. For more information, see "User attributes and
access level descriptions" on page 90. The profile described here controls the authorization to manage
passwords for normal (non-protected) users.
No profile found
This control is not implemented. No action is performed.
NONE
The terminal user is not authorized to specify the PASSWORD operand. When using the ADDUSER
command, and depending on the level of RACF, this access level can result in users with a RACF
default password (=DFLTGRP) or in PROTECTED users. Both can be prevented by defining adequate
policies for password quality or the protected status.
READ
Same as NONE.
UPDATE
The terminal user is authorized to specify the PASSWORD operand on the ALTUSER command to
reset the password for an existing user. However, if the target user currently has the PROTECTED
attribute, the PASSWORD operand is not authorized. This access level allows for normal password
maintenance, but prevents PROTECTED userids from becoming NON-PROTECTED.
CONTROL
The control is not implemented for the terminal user. The terminal user is authorized to specify the
PASSWORD keyword, unless the target userid currently has the PROTECTED attribute.
That means: add an XFACILIT profile C4R.USER.PASSWORD.**, give it UACC(NONE), and permit ACCESS(CONTROL) only to those few administrators who have to manage technical user IDs where 8-character passwords are architecturally required, for example IDs used in FTP connections.
------------------------------
Rob van Hoboken
------------------------------
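As an added illustration (not part of Rob's reply and not IBM or zSecure sample code), the batch TSO job below defines the XFACILIT profile he describes, gives it UACC(NONE), permits CONTROL to one administrator group, refreshes the in-storage copy of the class and lists the result for verification. The job name, accounting data and the group name RACFADMG are assumptions to be replaced with installation values; it also assumes the XFACILIT class is already active, generic profile checking is enabled for it, and the class is RACLISTed (otherwise drop the REFRESH command). All commands used (RDEFINE, PERMIT, SETROPTS, RLIST) are standard RACF commands; zSecure Command Verifier reads the resulting profile when it checks the PASSWORD keyword on ADDUSER and ALTUSER.

```jcl
//C4RPSWD  JOB (ACCT),'C4R PASSWORD PROFILE',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the original post or from IBM/zSecure.
//* Creates the policy profile C4R.USER.PASSWORD.** with UACC(NONE):
//* with no other access, users cannot specify PASSWORD on ADDUSER
//* or ALTUSER at all (access level NONE in the user guide).
//* RACFADMG is an assumed group of the few administrators who manage
//* technical user IDs; CONTROL lets them specify PASSWORD unless the
//* target user already has the PROTECTED attribute.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE XFACILIT C4R.USER.PASSWORD.** UACC(NONE) -
    DATA('zSecure CV: PASSWORD keyword on ADDUSER/ALTUSER')
  PERMIT C4R.USER.PASSWORD.** CLASS(XFACILIT) -
    ID(RACFADMG) ACCESS(CONTROL)
  SETROPTS RACLIST(XFACILIT) REFRESH
  RLIST XFACILIT C4R.USER.PASSWORD.** AUTHUSER
/*
//
```

Check the RLIST output in SYSTSPRT: the access list should show only RACFADMG with CONTROL and a universal access of NONE. Because the profile is generic, it also covers any more specific C4R.USER.PASSWORD.owner.userid profile you have not defined; if you later want certain owners' users to be handled differently, define the more specific profile rather than changing this one.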