On Mon, 8 Mar 2010 11:49:55 -0500, Tim Brown <[email protected]> wrote:

>I have seen in the past references to the ability to change the
>TSO/E logon panel. I attempted this quite some time ago but
>put it off. I can't recall what the TSO/E module is. I saw that
>someone had disabled the new password field. We have a 3rd
>party software that changes the password for TSO users. I would
>like to revisit changing this screen but can't recall where to start.
>

I'm sure the TSO/E Customization book covers that, but have you considered
that this approach only restricts one way for the user to change his own
password, and only works for TSO users during logon?

Don't you have CICS, IMS, or some other application(s) you need to worry
about, too?  What about TSO users who submit batch jobs and change the
password via the JOB statement?  Or users who login to a UNIX shell and
change the password there, or via login to FTP, or using the RACF PASSWORD
command or the UNIX __passwd callable service?

It seems to me that if you want to prevent a user changing his own password
you should (a) restrict usage of the PASSWORD command (via the PROGRAM class
in RACF) and (b) prevent the user from changing his own password via a
RACROUTE REQUEST=VERIFY exit.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
