Under z/VM, SFS has the capability for a user to have the ability to grant/revoke access to files and directories that are owned by the user's id. Thus, users can grant and revoke access to/from their own SFS resources without the bother of involving a security staffer, addressing (1) above.
Perhaps there is a less known analogous feature in RACF or a requirement that needs to be written and/or supported.

On Mon, Dec 29, 2014 at 8:56 AM, Charles Mills <[email protected]> wrote:

> Why force your users to change passwords at all? I know "everyone does it"
> but what problems does it solve?
>
> 1. Bob needs access to some dataset that his userid does not grant. So Alice
> loans him her logon credentials. Forcing Alice to change her password
> prevents Bob from continuing to masquerade as Alice.
>
> 2. Bob hangs out in Alice's cubicle while she logs on. Every day he is able
> to glimpse a little of her password until he has the whole thing figured
> out. Forcing Alice to change her password periodically ameliorates this
> problem.
>
> But for (1.) a better solution is giving Bob the access his job requires and
> for both problems a better solution is training Alice.
>
> The big negatives of forced password change are that studies have shown that
> people forced to change passwords choose progressively weaker passwords, and
> are more compelled to write them down.
>
> http://cryptosmith.com/password-sanity/exp-harmful/
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Monday, December 29, 2014 6:29 AM
> To: [email protected]
> Subject: RACF password history was: AW: //STARTING JOB ...
>
> > Check out the SETROPTS HISTORY and MINCHANGE options if you haven't already.
>
> Thanks, Tom! I did that and set history accordingly. No need for an exit,
> then! I would set MINCHANGE only if I see that someone tries to change the
> many passwords that are now kept to get to the (n+1)th password.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
OREXXMan
