On 31 August 2016 at 17:12, R.S. <[email protected]> wrote:
> I installed an exit from the RACF downloads page.
> I'm trying to use rule override.
> The user TEST1 has READ access to CL(FACILITY) IRR.ICHPWX01.OVERRIDE
> Changes were refreshed.
>
> However during TSO logon the new password is rejected.
> The password is compliant with the SETR rules.

The documentation for the RACF REXX ICHPWXn1 package says this:

"The ICHPWX01 sample is written so that by default, any AXREXX failure
results in an exit failure, because we can’t be sure your password
policy has been met, and the password change is rejected.

To address such a situation, if an AXREXX error is encountered when
trying to invoke the REXX exec, an override mechanism is checked."

I have not used this facility, but it sounds as though
IRR.ICHPWX01.OVERRIDE is checked only if there was a failure in
invoking the REXX component. If there is no failure, but the REXX
rejects the password, then you are out of luck.

In any case, I think it is a mistake to call this "rule override".
Regardless of the programming language(s), there is no way for an
ICHPWX01 exit to accept a password that the RACF rules have failed. In
the case of rule failure the exit will not even be called. There are
ways for a program that accepts logon-with-password-change (e.g. TSO,
CICS, UNIX, your own authorized app) to avoid rule checking, but there
is no straightforward way for you to externally force an existing
program to do this.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN