The R-INACT status tells the RACF Admin that the user with this status has 
exceeded the inactive period defined in the RACF database but has not yet 
attempted to sign on.  RACF will not actually revoke the user until the 
user actually attempts to sign on, at which time the user would be revoked.  As 
far as RACF is concerned the user is in a limbo state. In my opinion this user 
should be eligible for clean-up since the userid is not in use. 

Regards
Otto Schumacher
 
HP Enterprise Services
Infrastructure Specialist
Ahold Account
CICS & Capacity Technical Support
P.O. Box 6462
2000 Wade Hampton Blvd.
LC1-302
Greenville,  South Carolina, 29606
Cell: 864 569--5338
Tel: 864 987-1417
Fax: 864 987-4500
E-mail: otto.schumac...@hp.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Eric Bielefeld
Sent: Thursday, February 17, 2011 1:07 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Difference Between R-INACT and REVOKED

Patrick,

Thanks for the information.  That was very helpful.  Now I know that what I 
thought happens actually does happen.

I believe the R-INACT actually comes from a Vanguard report, if that jogs 
anyone's memory.  I think that term is also used in VTAM, but I don't care 
about that.  I'm sure someone will know what R-INACT means.

--
Eric Bielefeld
Systems Programmer


---- Patrick Lyon <ptl...@midamerican.com> wrote: 
> On Thu, 17 Feb 2011 10:26:51 -0600, Eric Bielefeld
> <eric-ibmm...@wi.rr.com> wrote:
> 
> >I have two questions about security.
> >
> >What is the difference between R-INACT and REVOKED?  I know what revoked
> >is, but I'm not sure what R-INACT is exactly.  I have searched the
> >Security Server bookshelf, and R-INACT is not listed there.  At least it's
> >not on the z/OS R9 bookshelf that I have on CD.
> >
> >Another related question I have.  If RACF is set up to revoke userids
> >after 45 days of inactivity, will the user show up as revoked after that
> >45 days?  I had heard that it only showed up as revoked if the user tried
> >to log on after the period of inactivity.  So even if the user didn't try
> >to log on for 60 days in my example, he would still show up as
> >"REVOKE DATE=NONE" after 50 days.  Is that correct?
> >
> >Thanks,
> >--
> >Eric Bielefeld
> >Systems Programmer
> 
> Eric - Can't help you with the R-INACT but here is the revoked information 
> from the 1.11 RACF Security Administrators Guide:
> 
> .2.5 Revoking Unused User IDs (INACTIVE Option)
> 
> 
> The INACTIVE operand of the SETROPTS command causes RACF to revoke the 
> user's right to use the system if the user ID has remained unused beyond a 
> specified number of days. RACF revokes the user the next time the user 
> attempts to enter the system. 
> 
> The following example specifies that RACF revoke a user ID if it is unused
> for over 30 days:
> 
>      SETROPTS INACTIVE(30)
> 
> 
> If you issue the SETROPTS INACTIVE(30) command and a user has not done 
> any of the following in 31 days: 
> 
> Logged on 
> 
> Submitted a job 
> 
> Changed their password or password phrase by any method 
> 
> Attempted an unsuccessful logon 
> 
> Received a directed command or output from RACF 
> 
> that user is considered revoked. However, the user is not actually revoked 
> and the output of the LISTUSER command does not show that the user is 
> revoked until the user next attempts to log on or submit a job. When you 
> allow the user to start using the system again (using the RESUME operand on 
> the ALTUSER command), RACF resets the effective date with which the period 
> of inactivity starts. 
> 
> When you define a new user ID, the user's last access date is set to the user 
> ID's creation date. If the user ID is not used within the number of days 
> specified by SETROPTS INACTIVE, the user ID will be revoked. When you issue 
> the LISTUSER for a new user ID that has never been used, the last access 
> date will be listed as UNKNOWN. 
> 
> If NOINACTIVE is in effect, RACF does not check the user ID against an 
> unused user ID interval. 
> 
> If NOINITSTATS is in effect, the INACTIVE, REVOKE, HISTORY, and WARNING 
> options cannot be used. 
> 
> 
> HTH
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
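
The limbo state discussed in this thread (inactive beyond the SETROPTS INACTIVE interval, but not yet shown as revoked by LISTUSER) can be computed from the listing instead of waiting for the next logon attempt. This is an added example, not part of any poster's message and not RACF or Vanguard code: it assumes the LISTUSER field layout shown in the constructed sample, and `classify`, `julian` and the user IDs are hypothetical names.

```python
import re
from datetime import date, datetime

# Constructed sample, trimmed to the LISTUSER fields used here (layout assumed).
SAMPLE = """\
USER=ALICE  NAME=ALICE A  OWNER=SECADM  CREATED=09.120
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=11.040/08:15:02
USER=BOB  NAME=BOB B  OWNER=SECADM  CREATED=08.200
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=10.300/17:40:11
USER=CAROL  NAME=CAROL C  OWNER=SECADM  CREATED=07.010
 ATTRIBUTES=REVOKED
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=10.200/09:00:00
USER=DAVE  NAME=DAVE D  OWNER=SECADM  CREATED=10.330
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
"""

def julian(text):
    """Convert a yy.ddd date (CREATED= / LAST-ACCESS=) to a datetime.date."""
    return datetime.strptime(text, "%y.%j").date()

def classify(listing, interval, today):
    """Map each user ID to (status, idle_days) for a SETROPTS INACTIVE(interval)."""
    result = {}
    for m in re.finditer(r"(?ms)^USER=(\S+).*?(?=^USER=|\Z)", listing):
        user, block = m.group(1), m.group(0)
        attrs = " ".join(re.findall(r"ATTRIBUTES=(.*)", block)).split()
        created = julian(re.search(r"CREATED=(\d\d\.\d{3})", block).group(1))
        last = re.search(r"LAST-ACCESS=(\d\d\.\d{3})", block)
        # LAST-ACCESS=UNKNOWN: never used, so the clock starts at the creation date.
        idle = (today - (julian(last.group(1)) if last else created)).days
        if "REVOKED" in attrs:
            status = "REVOKED"      # already flagged in the profile
        elif idle > interval:
            status = "R-INACT"      # over the limit, revoked only at next logon
        else:
            status = "ACTIVE"
        result[user] = (status, idle)
    return result

if __name__ == "__main__":
    for user, (status, idle) in classify(SAMPLE, 45, date(2011, 2, 17)).items():
        print(f"{user:8} {status:8} idle={idle}d")
```

With the 45-day interval from the question, BOB and DAVE come out as R-INACT even though both would still list `REVOKE DATE=NONE`, which makes them the clean-up candidates the first reply refers to.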
