The use of protected IDs is not restricted to STCs. A protected ID has no 
password and cannot be logged on to.
Generally they also do not expire (as in good until...).
I concur w/Seymour.

Many shops run all production under a single protected ID for convenience, 
others may use multiple protected IDs depending on their business model.
This makes it very easy to segregate (e.g.) TSO access from production access.

You do not want production to fail because someone forgot to update a password.

My USD $0.02

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Colin Paice
Sent: Thursday, June 12, 2025 10:48 AM
To: [email protected]
Subject: Re: STC Userids

Seymour,

You said
*I would go further and say that most production jobs should run under 
PROTECTED userids. But then, I'm paranoid and don't even trust myself.* Are you 
saying most production jobs should be run as started tasks, or there is a 
clever way of submitting a job which runs under a protected userid, perhaps 
with a surrogate userid?

Colin

On Thu, 12 Jun 2025 at 12:50, Seymour J Metz <[email protected]> wrote:

> I would go further and say that most production jobs should run under
> PROTECTED userids. But then, I'm paranoid and don't even trust myself.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
>
>
>
> ________________________________________
> From: IBM Mainframe Discussion List <[email protected]> on
> behalf of Robert S. Hansel <[email protected]>
> Sent: Thursday, June 12, 2025 6:39 AM
> To: [email protected] <[email protected]>
> Subject: Re: STC Userids
>
> Roberto,
>
> As others have pointed out, Started Task IDs with passwords could
> become revoked due to bad password entry or inactivity. Note that even
> if its ID is revoked or the password is expired, a Started Task will
> still start. This is a safety feature to prevent accidental or
> intentional denial of service. However, if a Started Task with a
> revoked ID submits a job, the job will fail due to the ID being revoked.
>
> Also of concern is that Help Desk staff could reset the password of a
> Started Task ID and then log on with the ID to use whatever authority
> it has, which is often considerable. RACF authorities that enable Help
> Desk staff to reset passwords block them from resetting passwords on
> PROTECTED IDs.
>
> Making Started Task IDs PROTECTED is considered to be a 'best practice'
> and is probably a STIG and CIS requirement. The same is generally true
> for production batch IDs.
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> http://www.linkedin.com/in/roberthansel
>
> http://www.rshconsulting.com
>
> -----Original Message-----
> Date:    Wed, 11 Jun 2025 09:05:33 -0400
> From:    Roberto Halais <[email protected]>
> Subject: STC Userids
>
> I would like some feedback on what would happen if we assign passwords
> to the stcs in our z/OS environment.
> At this moment the stcs have no passwords assigned to them.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN

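An added example, not part of the thread and not any poster's code: a small audit that reads a user listing and flags started-task and production batch IDs that are not PROTECTED or are REVOKED, the two conditions discussed above. The listing layout is modeled on RACF LISTUSER output, and the sample records, user IDs and function names are constructed for illustration.

```python
import re

# Constructed sample laid out like RACF LISTUSER output; IDs and dates are invented.
SAMPLE_LISTUSER = """\
USER=STCJES   NAME=JES2 STARTED TASK   OWNER=SYS1   CREATED=19.045
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
USER=STCMQ    NAME=MQ STARTED TASK     OWNER=SYS1   CREATED=20.112
 DEFAULT-GROUP=STCGRP   PASSDATE=24.301 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=PRODBAT  NAME=PRODUCTION BATCH    OWNER=SYS1   CREATED=18.200
 DEFAULT-GROUP=PRODGRP  PASSDATE=23.010 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=REVOKED
"""

USER_RE = re.compile(r"^\s*USER=(\S+)")
ATTR_RE = re.compile(r"^\s*ATTRIBUTES=(.+)")


def parse_listuser(text):
    """Map each user ID in the listing to the set of attributes shown for it."""
    users, current = {}, None
    for line in text.splitlines():
        if (m := USER_RE.match(line)):
            current = m.group(1)
            users[current] = set()
        elif (m := ATTR_RE.match(line)) and current:
            users[current].update(m.group(1).split())
    return users


def audit(text, service_ids):
    """Return (userid, finding) pairs for started-task and production batch IDs."""
    users, findings = parse_listuser(text), []
    for uid in sorted(service_ids):
        attrs = users.get(uid)
        if attrs is None:
            findings.append((uid, "not in listing"))
            continue
        if "PROTECTED" not in attrs:
            # Not PROTECTED: a password can be set or reset and the ID logged on to.
            findings.append((uid, "not PROTECTED"))
        if "REVOKED" in attrs:
            # Per the thread: a job submitted under a revoked ID fails.
            findings.append((uid, "REVOKED"))
    return findings


if __name__ == "__main__":
    for uid, finding in audit(SAMPLE_LISTUSER, {"STCJES", "STCMQ", "PRODBAT"}):
        print(f"{uid}: {finding}")
```
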