On Thu, 17 Feb 2011 10:26:51 -0600, Eric Bielefeld <eric-ibmm...@wi.rr.com> wrote:

>I have two questions about security.
>
>What is the difference between R-INACT and REVOKED?  I know what 
>revoked is, but I'm not sure what R-INACT is exactly.  I have searched the 
>Security Server bookshelf, and R-INACT is not listed there.  At least it's not 
>on the z/OS R9 bookshelf that I have on CD.
>
>Another related question I have.  If RACF is set up to revoke userids after 45 
>days of inactivity, will the user show up as revoked after that 45 days?  I had 
>heard that it only showed up as revoked if the user tried to log on after the 
>period of inactivity.  So even if the user didn't try to log on for 60 days in 
>my example, he would still show up as "REVOKE DATE=NONE" after 50 days.  Is 
>that correct?
>
>Thanks,
>--
>Eric Bielefeld
>Systems Programmer

Eric - Can't help you with the R-INACT but here is the revoked information 
from the 1.11 RACF Security Administrators Guide:

.2.5 Revoking Unused User IDs (INACTIVE Option)


The INACTIVE operand of the SETROPTS command causes RACF to revoke the 
user's right to use the system if the user ID has remained unused beyond a 
specified number of days. RACF revokes the user the next time the user 
attempts to enter the system. 

The following example specifies that RACF revoke a user ID if it is unused for 
over 30 days: 

     SETROPTS INACTIVE(30)

If you issue the SETROPTS INACTIVE(30) command and a user has not done 
any of the following in 31 days: 

  - Logged on 
  - Submitted a job 
  - Changed their password or password phrase by any method 
  - Attempted an unsuccessful logon 
  - Received a directed command or output from RACF 

that user is considered revoked. However, the user is not actually revoked 
and the output of the LISTUSER command does not show that the user is 
revoked until the user next attempts to log on or submit a job. When you 
allow the user to start using the system again (using the RESUME operand on 
the ALTUSER command), RACF resets the effective date with which the period 
of inactivity starts. 

When you define a new user ID, the user's last access date is set to the user 
ID's creation date. If the user ID is not used within the number of days 
specified by SETROPTS INACTIVE, the user ID will be revoked. When you issue 
the LISTUSER for a new user ID that has never been used, the last access 
date will be listed as UNKNOWN. 

If NOINACTIVE is in effect, RACF does not check the user ID against an 
unused user ID interval. 

If NOINITSTATS is in effect, the INACTIVE, REVOKE, HISTORY, and WARNING 
options cannot be used. 


HTH

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
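
An added example, not part of the original post or of IBM's documentation: because LISTUSER does not show the revoke until the next logon or job, an audit has to compute inactivity itself. This sketch flags such IDs from captured LISTUSER text; the sample listing is constructed, and the field layout, the yy.ddd century window and the function names are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample in the usual LISTUSER layout (not real output).
SAMPLE = """\
USER=ALICE  NAME=A SMITH  OWNER=SYSADM  CREATED=09.120
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=10.350/08:15:02
USER=BOB  NAME=B JONES  OWNER=SYSADM  CREATED=10.200
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=11.040/17:44:10
USER=CAROL  NAME=C WU  OWNER=SYSADM  CREATED=10.300
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
USER=DAVE  NAME=D ROSS  OWNER=SYSADM  CREATED=08.010
 ATTRIBUTES=REVOKED
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=10.100/09:00:00
"""

def julian(yyddd):
    """Convert a yy.ddd date; the century window (yy < 71 means 20yy) is an assumption."""
    yy, ddd = (int(p) for p in yyddd.split("."))
    return date((2000 if yy < 71 else 1900) + yy, 1, 1) + timedelta(days=ddd - 1)

def pending_revokes(listing, inactive_days, today):
    """Return [(userid, idle_days)] for IDs past the interval but not yet shown as revoked."""
    found = []
    # Split into one block per user; element 0 is whatever precedes the first USER= line.
    for block in re.split(r"(?m)^(?=USER=)", listing)[1:]:
        user = re.match(r"USER=(\S+)", block).group(1)
        attrs = re.findall(r"ATTRIBUTES=(.*)", block)
        if any("REVOKED" in a.split() for a in attrs):
            continue  # already marked revoked, so LISTUSER shows it
        last = re.search(r"LAST-ACCESS=(\d\d\.\d{3})", block)
        # LAST-ACCESS=UNKNOWN: never used, so the interval runs from CREATED.
        stamp = last or re.search(r"CREATED=(\d\d\.\d{3})", block)
        if not stamp:
            continue
        idle = (today - julian(stamp.group(1))).days
        if idle > inactive_days:
            found.append((user, idle))
    return found

if __name__ == "__main__":
    for userid, idle in pending_revokes(SAMPLE, 45, date(2011, 2, 17)):
        print(f"{userid}: idle {idle} days, revoke pending at next logon or job")
```

The interval passed in should match the value in effect from SETROPTS INACTIVE on the system being audited.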
