On Thu, Jul 29, 2010 at 4:39 PM, Alan Altmark <alan_altm...@us.ibm.com> wrote:
> On Thursday, 07/29/2010 at 09:27 EDT, Rob van der Heij <rvdh...@gmail.com>
> wrote:
>> They might also be happy also with NOPASS (assuming it's the same as
>> NOPASSWORD in RACF).
>
> It isn't.  NOPASS in the directory means "no password required".
> 'NOPASSWORD NOPHRASE' on RACF means that the user ID does not have an
> authenticator and end users cannot access it.  No FTP.  No logon.  All you
> can do is XAUTOLOG it.

Right, we know it isn't. But it isn't obvious without reading the book
either...

.. cannot... except for LOGONBY ...

> ESMs can deny NOPASS logins if they want.  RACF doesn't.  (Though I am
> increasingly tempted to add a RACF SETROPTS to allow you to do so - and
> turn it on by default.)

We played with this before RACF/VM had the NOPASSWORD setting. For
NOPASS users, our local modification would skip the password check to
RACF (and thus avoid the risk of getting revoked). But we did not like
the idea that with RACF inactive, all these important service machines
would be wide open...

>> Such experiences should show the responsible VM Systems Programmer
>> he's on his own and should not expect any helpful guidance from the
>> auditors. And maybe not even try to explain why the user profiles were
>> "missing" for all NOLOG users...
>
> VM allows the ESM to override a NOLOG.  I.e. you have a user profile with
> a password and directory entry of NOLOG.  You can authenticate via FTP
> (for example) and access files, but you do not have a virtual machine to
> call your own.  This lets you keep USER DIRECT and the ESM in sync.

I think "override" is a bit strong here. So you can have a RACF user
profile to access resources, even though you don't have a virtual
machine with that name in the directory. And we have NOLOG virtual
machines defined that never run on VM, so they don't request access to
resources. There's a void space between them. Some special usage cases
might nicely fit in as long as you know what you do.

RACF and CP directory both have a partial view of the world for their
own purpose. Attempts to align them only to simplify administration
often lead to interesting experiences (like automated programs issuing
a DIRM PURGE for MNT540 because the RACF profile had not been touched
in 90 days).

| Rob