You sound like you know what you're talking about, so please interpret the
following expostulations more as questions than as outright contradictions:

TS> First of all, user authentication isn't necessarily required.

Me> Sure, as for example in CICS.  In that case CICS supplied a default
userID, and the security guys (should) make sure that that ID can run only a
few harmless transactions - time of day, current bid on the company's common
stock, that sort of thing.  But in that case the ID, even if the user is
unaware of it, is still a max of eight bytes long.  Or you could say that in
that case the user isn't ~using~ an ID (true in a way), in which case it's
meaningless to say that it can be longer than eight bytes.

TS> The IBM Directory Server for z/OS supports more than 8 upper case
character user IDs....MQ for z/OS and CICS Transaction Server for z/OS can
authenticate users via LDAP.

Me> I'm about to expose my ignorance here:  IDS and LDAP, aren't they just
IBM's attempt to let z/OS talk to non-z/OS systems?  The same for MQ; the
only purpose of MQ allowing IDs longer than eight characters is so MQ can do
its thing across systems.  The OP's question is about z/OS; if z/OS provides
a mechanism for tracking IDs that I may use on other operating systems, that
doesn't really count as allowing longer than 8-byte IDs internally.

Or put it this way:  If you say I can be authenticated via LPAR using a
longer ID, and then perform tasks on the mainframe using that ID, how does
RACF-or-whatever determine permissions?  The OS asks whether <userID> has
access to datasets or other resources - and that question allows 8 bytes for
<userID>.  Even if I've logged on from some other OS using a longer ID,
inside z/OS the system is still using an 8-byte ID.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* If everyone is thinking alike, then someone isn't thinking.  -George S
Patton */


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Timothy Sipples
Sent: Friday, May 1, 2020 01:42

--- Frank Swarbrick wrote:
>Is z/OS still limited in all cases to 8 upper case characters?

No. The IBM Directory Server for z/OS supports more than 8 upper case 
character user IDs. That's a standard, included, IBM supported feature in 
the base z/OS operating system.

--- Bob Bridges wrote:
>MQ, TSO, CICS, IMS - whatever the environment, the ID has to be
>authenticated by RACF (or ACF2, or TSS).

Not as you've written it, no, that's not correct. First of all, user 
authentication isn't necessarily required. However, I and many others 
argue that these systems should at least be authorizing user requests.

TSO/E, yes, that subsystem supports user IDs up to a maximum of 8 
characters. Otherwise, I know that MQ for z/OS and CICS Transaction Server 
for z/OS can authenticate users via LDAP (ideally the IBM Directory Server 
for z/OS) at least in certain contexts. See here for example:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q127976_.htm

I would have to dig a little deeper with respect to IMS if anyone is 
interested.

Interestingly even the "classic" 3270 z/VSE sign on screen supports "long" 
user ID authentication via LDAP-based sign on, although it requires 
"mapping" to a short user ID under the covers:

https://www.ibm.com/support/knowledgecenter/SSB27H_6.2.0/fa2ad_ovw_ldap_sign-on_process.html

Users don't really have to know all that, though. They just sign on with 
LDAP user ID "AliceCooper1990" (or whatever). Maybe somebody would like to 
submit a Request for Enhancement (RFE) for something similar with TSO/E? I 
don't think IBM provides a "stock" sign on screen with z/OS that'll do 
this.
