We use VM:Secure to manage our user directory. We sweep our user directory every year or so to look for inactive userids. We keep "system" service machines under a special directory manager so they are not involved in the sweeps. There are other sensitive userids that are kept under other directory manager userids so they are not part of the sweep. Only normal everyday users are part of the sweep process.
The directory is swept looking for inactive userids. This is determined by the last logon date in the directory (a special VM:Secure commented entry *LL). Inactive userids are then placed on hold, then the combined list of held userids gets sent out to the managers notifying them that these held userids will be archived and deleted in 30 days. After 30 days, the held userids are archived to tape for a year and removed from the directory. In the past 10 years of this, we have had to recover only 3 userids.

We conform to as many of the company password requirements as possible. Actually the only one we don't is to allow for upper and lower case letters in the password.

-----------------
Judson West
Teradata, a division of NCR Corporation

________________________________________
From: VM/ESA and z/VM Discussions [mailto:[EMAIL PROTECTED] On Behalf Of Colin Allinson
Sent: Tuesday, January 03, 2006 5:19 AM
To: [email protected]
Subject: Re: Policies Regarding Old Userids

Looking at this from a slightly different angle for a moment :-

We have RACF as our ESM and it is set to automatically revoke a user after 180 days of inactivity. Without discussing if this is a good rule (or duration), it does raise an interesting issue.

If our system stays up for more than 180 days (as it often does) then, as far as RACF is concerned, there has been no activity on all the servers that have been quietly logged on and running all that time. So, without any other action, they would all be revoked at the next system IPL.

I have seen various solutions to this (including an automatic recycling of all servers at midnight to tidy up). For us the answer is to run a timed process daily to do a RACF RESUME on all userids listed in AUTOLOG2.

I know this is a bit obvious - but obvious things sometimes get missed.

Colin Allinson
Amadeus Data Processing
