On Thursday, 04/09/2009 at 06:24 EDT, Kris Buelens <[email protected]> wrote: > I'm 100% sure about this: with a profile in class SURROGAT, the user > becomes LOGON BY only, it has been that way since RACF 1.9 or (arrived > later in VM/SP R6 or VM/ESA 1.0). > Maybe your installation has a generic profile, or things have changed > since the NOPASSWORD attribute was added (z/VM 5.3 or 5.4).
Once a SURROGAT definition is made for a user, it is "lbyonly" by default. To allow the ID to logon *without* LOGON BY, you must also PERMIT LOGONBY.userid CLASS(SURROGAT) ACCESS(READ) ID(userid) This idiom should be used only when you want to give someone else access to a *personal* id. That is, it isn't a peer relationship - rather, one person acting on behalf of another. As of z/VM 5.3 it is recommended that lbyonly-style shared IDs have their passwords removed with ALTUSER NOPASSWORD NOPHRASE to prevent automatic revocation due to too many invalid passwords. (If there's no password, then there is nothing you can enter to let you login, so who cares how many times you try!) Alan Altmark z/VM Development IBM Endicott
