I would go further and say that most production jobs should run uunder PROTECTED userids. But then, I'm paranoid and don't even trust myself.
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 עַם יִשְׂרָאֵל חַי נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Robert S. Hansel <[email protected]> Sent: Thursday, June 12, 2025 6:39 AM To: [email protected] <[email protected]> Subject: Re: STC Userids External Message: Use Caution Roberto, As others have pointed out, Started Task IDs with passwords could be become revoked due to bad password entry or inactivity. Note that even if its ID is revoked or the password is expired, a Started Task will still start. This is a safety feature to prevent accidental or intentional denial of service. However, if a Started Task with a revoked ID submits a job, the job will fail due to the ID being revoked. Also of concern is that Help Desk staff could reset the password of a Started Task ID and then log on with the ID to use whatever authority it has, which is often considerable. RACF authorities that enable Help Desk staff to reset passwords block them from resetting passwords on PROTECTED IDs. Making Started Task IDs PROTECTED is considered to be a 'best practice" and is probably a STIG and CIS requirement. The same is generally true for production batch IDs. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 http://www.linkedin.com/in/roberthansel http://secure-web.cisco.com/1TVsUsRHSYX_FAuea9tsiCtW8lkSEapoTxD8_TierM3zE6QeP_g6e-r2d8MQG-swoJj9n7qKWCjDDolqxmvppjEIUdK0Sj_fZ4SkmqV8-p7gCIt4qjoNl87t9wrOBd-xbS1GHAEv9oCaCdTikcV8rxoqR04VCiEHyGv_ZTUX85fg769NlQqTmKEmvva-PXfqCKLEqR62LYIIX7ohzvwB3vP6isW2fq9BYpQGQkxKilpIg5moxFe3jCI76wvwtXUU6GbCnxS-Brc4-Xc6BNbp4moQgONaGgy1ADbNIfcUJKtYQDaFtg4t4f0C_mogSf6_cGJFAF-UfO2YSYmuW6jEdbs3qKpt_PUO4xdcPly5wgvNRtw4ppFcxFG__PEhAFaUkaKnHFaVdYE_vAvQttiadUCJ1t7Skx4zjs8PWsmIbPCI/http%3A%2F%2Fwww.rshconsulting.com -----Original Message----- Date: Wed, 11 Jun 2025 09:05:33 -0400 From: Roberto Halais <[email protected]> Subject: STC Userids I would like some feedback on what would happen if we assign passwords to the stcs in our z/OS environment. At this moment the stcs have no passwords assigned to them. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
