There's also a non-technical aspect to consider.  It's a good idea to keep
the IDs of the special users confidential from the general population.
Disgruntled employees can cause these situations.

:-(  Sadly, spoken from experience.



  

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Walt Farrell
Sent: Thursday, May 13, 2010 7:15 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF - ICH3031 & ICH304D Messages

On Wed, 12 May 2010 19:19:12 -0500, Lenz, Joseph <joseph.l...@ttiinc.com>
wrote:

>Is there a way to keep RACF from preventing signons to my z/OS 1.10
>system when RACF message ICH304D has been issued?  I would prefer the
>system just revoke the user without the need for operator intervention.
>A user who is not 'SPECIAL' simply gets revoked.  Users who are
>'SPECIAL' cause the messages below to be generated when they fail to
>enter the correct password within the permissible number of attempts.
>The user in this case is attempting to signon to a CICS region.
>

No, there is no way to stop RACF from issuing the WTOR, at least without
exits.

You could automate a response to that message.  However, this gives you only
two possibilities:
(1) Risk all your SPECIAL IDs becoming revoked if your automation responds
that RACF should not grant another chance; or
(2) Allow unlimited hacking against your SPECIAL IDs if your automation
responds that RACF should grant another chance.

Other options: 
(a) Tell your SPECIAL users not to logon to applications (such as CICS) that
single-thread their signons, especially when they've forgotten their
password.
(b) Give them non-SPECIAL IDs for using CICS.

Or, 
(c) perhaps they should remember their passwords better, or stop trying
before they get themselves revoked and seek help from another administrator.


Or, 
(d) (kind of a variant of (a)) at least stop trying to logon to CICS and
logon to TSO instead, where they won't tie up anyone else during the prompt.
Then, once they have their password right, they can try logging on to CICS.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
