User Management

This chapter describes user attributes, user statuses, and details of user information.

1. Overview

Users must be registered in TACF to access the system. User information is registered and saved in the 'User Profile'.

There are three different types of TACF user accounts.

  • Root users

    The root user account (or the TACF Super User account) is automatically created when TACF is installed. Since the root user is a privileged user with unrestricted access to all resources, you must be cautious when assigning root user status. It is recommended to assign root user status only to a security manager. The root user account cannot be deleted from the TACF system and some of the associated attributes cannot even be changed.

  • NOPASSWORD users

    Users with NOPASSWORD status (protected users) have no password to authenticate, so they are never prompted for one and account lockout cannot occur for them. The CICS DEFAULT USER is an example of this type of user.

  • General users

    General users must log in to the system using a password, which they can set themselves. The root user can change the status of general users or delete them from the TACF system.

2. User Attributes

User attributes indicate a specific feature or a restriction given to a user.

If a user attribute is associated with a specific group, it is called a 'group-related attribute'.

The types of attributes that can be assigned to users include no attribute, the special attribute, the auditor attribute, the operations attribute, the restricted attribute, the privileged attribute, the automatic data set protection, and the group access flag. Only 'special attribute' and 'auditor attribute' are available in the current version of TACF.

As with root users in Unix systems, users with the special attribute can access all resources registered in TACF. Therefore, it is recommended to assign the special attribute status only to a security administrator.

Users with the 'auditor attribute' have auditor authority, which allows inquiry of all the users, groups, resources, and access lists in the system.

3. User Statuses

The FLAGS field of the user profile specifies the status of the user. Other than the normal status, the available user statuses include:

  • REVOKE

    The user is registered in TACF but cannot access the system. A user with the 'special attribute' or the 'special group attribute' can change another user's status to 'REVOKE' with the ALTUSER command, and can return a revoked user to normal status with the RESUME option of the ALTUSER command.

  • NOPASSWORD

    Users with NOPASSWORD status are called 'protected users': they have no password that TACF authenticates, so they cannot sign on to the system with one and cannot be locked out by failed attempts. A user with the 'special attribute' or the 'special group attribute' can grant NOPASSWORD status with the ADDUSER or ALTUSER command.

  • EXPIRED

    User passwords must be changed within the interval specified in the PASSINTV field of the profile. If a user's password is not changed within that interval, the user's status is changed to 'EXPIRED'. Users with EXPIRED status must change their password to log into the system.

  • ACCOUNTLOCK

    Users with ACCOUNTLOCK status are suspended from accessing the system after entering a wrong password more than the number of times permitted by RETCNT. In terms of system access restrictions this status is similar to REVOKE; unlike REVOKE, however, an account with ACCOUNTLOCK status is automatically unlocked after the period specified in ALOCKDT.

For more information about the ADDUSER and ALTUSER commands, refer to TACF Commands.

4. User Information

This section describes components of user information such as user profiles, the CICS segment, and user profile owners.

4.1. User Profiles

A user profile is created when a new user is registered. A user profile contains a user’s information in each field of the profile. User ID is a required field. The other fields are automatically set to default values if no information is given.

The following table describes the parameter fields of a user profile.

Field Description

USERID

Identifies the user to TACF.

OWNER

Most profiles in TACF have specific owners. A user or group in TACF can be the owner. The owner of the profile is authorized to modify or delete the profile. If OWNER is not specified, the owner of the profile is set by default to the user ID.

NAME

Specifies the user's name as it will be displayed.

PASSWORD

The password is used to verify a user's authority to sign on to the system. If PASSWORD is not specified, the password is set by default to the name of the user's default group. Because that default is predictable to anyone who knows the group name, supply an explicit initial password when registering a user; in either case, the first time the user logs into the system, the system requires that the password be changed.

DFLTGRP

Specifies the default group of the user. The default group must be registered in TACF. If DFLTGRP is not specified, the default group is set to the group that the user registering the USER profile belongs to. For more information, refer to User and Group CONNECT.

CLAUTH

Specifies the class authority of the user, that is, the class in which the user is authorized to define profiles. The two classes are 'USER' and 'General Resource'. Currently, only 'USER' can be specified.

WDAY (Day of Week)

Specifies the days of the week on which the user can access the system. The user is not allowed to access the system on any other day. If WDAY is not specified, the user can access the system on any day.

WTIME

Specifies the hours of the day during which the user can access the system. The user is not allowed to access the system except during the specified hours. If WTIME is not specified, the user can access the system any time.

ATTR

Specifies user attribute (special attribute, auditor attribute) information.

  • special attribute

  • auditor attribute

For more information, refer to User Attributes.

PASSDATE

Specifies the date the password was last updated.

PASSINTV

Specifies the password change interval. Users who authenticate with a password must change it within the period specified in PASSINTV. If the password is not changed within that period, the user's status is automatically changed to EXPIRED.

FLAGS

Specifies the user’s status information.

  • REVOKE

  • NOPASSWORD

  • EXPIRED

  • ACCOUNTLOCK

For more information about user status, refer to User Statuses.

RETCNT

Specifies the maximum number of failed authentication attempts permitted. The user's status is changed to ACCOUNTLOCK if the number of failed authentication attempts exceeds this count. The count of failed attempts is reset to 0 once the period specified in RESETDT has elapsed.

RESETDT

Specifies the time period after which the number of user authentication attempts is reset to 0.

ALOCKDT

Specifies the time period for which a user account is to be locked if the user exceeds the maximum number of failed login attempts.

LTACCDT

Specifies the last time a user logged in. LTACCDT for users with NOPASSWORD status is not updated as they cannot access the system.

The CATEGORY, SECLEVEL, SECLABEL, MODEL, DATA, UACC, and CREATION fields are accepted as parameters, but their functions are not yet implemented. To prevent errors, only internal default values are used for these fields.
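The statuses in section 3 and the profile fields above interact at logon time: REVOKE and NOPASSWORD block the attempt outright, RETCNT/RESETDT/ALOCKDT drive the temporary ACCOUNTLOCK, PASSDATE/PASSINTV drive EXPIRED, and WDAY/WTIME bound when a logon may happen. The following Python model is an added example written for this page, not TACF's own code. It assumes the fields behave exactly as documented here; the bookkeeping counters (fail_count, last_fail, locked_at), the boundary "more than RETCNT failures locks the account", and the order in which the checks run are assumptions of the model, since the page does not describe TACF's internals.

```python
"""Logon decision model for the TACF user statuses and profile fields (added example)."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REVOKE, NOPASSWORD, EXPIRED, ACCOUNTLOCK = "REVOKE", "NOPASSWORD", "EXPIRED", "ACCOUNTLOCK"


@dataclass
class UserProfile:
    userid: str
    password: str | None                            # None models a NOPASSWORD (protected) user
    flags: set[str] = field(default_factory=set)    # FLAGS: the status values listed above
    passdate: datetime | None = None                # PASSDATE; None = never set, so the first logon forces a change
    passintv: timedelta = timedelta(days=90)        # PASSINTV
    retcnt: int = 3                                 # RETCNT: failed attempts permitted before ACCOUNTLOCK
    resetdt: timedelta = timedelta(minutes=30)      # RESETDT: time after which the failure count resets to 0
    alockdt: timedelta = timedelta(hours=1)         # ALOCKDT: how long an ACCOUNTLOCK lasts
    wday: set[int] | None = None                    # WDAY: allowed weekdays, 0=Monday .. 6=Sunday; None = any day
    wtime: tuple[int, int] | None = None            # WTIME: allowed hours [start, end); None = any time
    ltaccdt: datetime | None = None                 # LTACCDT: last successful logon
    # Hypothetical bookkeeping for the model; these names do not appear on the page.
    fail_count: int = 0
    last_fail: datetime | None = None
    locked_at: datetime | None = None


def _password_matches(profile: UserProfile, candidate: str) -> bool:
    # Constant-time comparison; a real system compares password hashes, not plaintext.
    return hmac.compare_digest(profile.password.encode(), candidate.encode())


def logon(profile: UserProfile, password: str, now: datetime) -> str:
    """Evaluate one logon attempt at time `now` and return a result string."""
    # A protected user has no password to verify and cannot sign on this way;
    # no counter is touched, so such a user can never reach ACCOUNTLOCK.
    if NOPASSWORD in profile.flags or profile.password is None:
        return "DENIED: NOPASSWORD"
    if REVOKE in profile.flags:
        return "DENIED: REVOKE"
    # ACCOUNTLOCK is temporary: it clears by itself once ALOCKDT has elapsed.
    if ACCOUNTLOCK in profile.flags:
        if now - profile.locked_at < profile.alockdt:
            return "DENIED: ACCOUNTLOCK"
        profile.flags.discard(ACCOUNTLOCK)
        profile.fail_count, profile.last_fail, profile.locked_at = 0, None, None
    # The failed-attempt counter resets to 0 after RESETDT without a further failure.
    if profile.last_fail is not None and now - profile.last_fail >= profile.resetdt:
        profile.fail_count, profile.last_fail = 0, None
    # WDAY / WTIME access windows (checked before the password so that attempts
    # outside the window do not count against RETCNT; an assumption of the model).
    if profile.wday is not None and now.weekday() not in profile.wday:
        return "DENIED: outside WDAY"
    if profile.wtime is not None and not (profile.wtime[0] <= now.hour < profile.wtime[1]):
        return "DENIED: outside WTIME"
    if not _password_matches(profile, password):
        profile.fail_count += 1
        profile.last_fail = now
        if profile.fail_count > profile.retcnt:      # exceeded RETCNT: lock the account
            profile.flags.add(ACCOUNTLOCK)
            profile.locked_at = now
            return "DENIED: ACCOUNTLOCK"
        return "DENIED: bad password"
    profile.fail_count, profile.last_fail = 0, None
    # A correct but stale password authenticates the user only far enough to change it.
    if (EXPIRED in profile.flags or profile.passdate is None
            or now - profile.passdate > profile.passintv):
        profile.flags.add(EXPIRED)
        return "PASSWORD CHANGE REQUIRED"
    profile.ltaccdt = now
    return "OK"


def change_password(profile: UserProfile, old: str, new: str, now: datetime) -> bool:
    """Change the password, restamp PASSDATE and clear EXPIRED; False if `old` is wrong."""
    if profile.password is None or not _password_matches(profile, old):
        return False
    profile.password = new
    profile.passdate = now
    profile.flags.discard(EXPIRED)
    return True


if __name__ == "__main__":
    monday_10 = datetime(2024, 1, 8, 10, 0)   # constructed sample time: a Monday at 10:00
    alice = UserProfile("ALICE", "s3cret", passdate=monday_10 - timedelta(days=10),
                        wday={0, 1, 2, 3, 4}, wtime=(8, 18))
    print(logon(alice, "s3cret", monday_10))                        # OK
    for m in range(4):                                              # 3 failures tolerated, the 4th locks
        print(logon(alice, "wrong", monday_10 + timedelta(minutes=m)))
    print(logon(alice, "s3cret", monday_10 + timedelta(hours=2)))   # lock has expired: OK
```

Two points the model makes concrete: a correct password entered while the account is locked is still refused until ALOCKDT has passed, and a protected (NOPASSWORD) user is refused without ever touching the failure counter or LTACCDT, which is why lockout cannot apply to such users.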

4.2. CICS Segment

A CICS segment is a set of information for CICS terminal operators in user profiles. This information is used when CICS terminal users log in to CICS.

The following table describes the parameter fields of a CICS segment.

Field Description

OPCLASS

Specifies the operator classes to which Basic Mapping Support (BMS) routes output for this terminal user.

OPIDENT

Specifies the operator identification used by BMS for message routing.

OPPRTY

Sets the priority of CICS terminal users.

RSLKEY

Specifies Resource Security Level (RSL) for a CICS terminal user.

TIMEOUT

Specifies the timeout period for a CICS terminal user: how long a signed-on terminal user may remain inactive before being signed off.

TSLKEY

Specifies Transaction Security Level (TSL) for a CICS terminal user.

XRFSOFF

Specifies whether to terminate a CICS terminal user’s access if the extended recovery facility (XRF) is used with CICS.

5. User Profile Owners

A user profile's owner is the user or group profile specified in the OWNER field of the user profile. The owner is allowed to search, modify, or delete the profile; when the owner is a group, every user connected to that group has this authority.

Each resource profile is likewise assigned an owner when it is created. The owner of a resource profile controls that profile, including its access list, and therefore controls who may access the resource.
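The following Python model brings together the rules of sections 2 and 5: a special user (like the root user) may act on any profile, an auditor may only inquire, and the owner named in a profile's OWNER field, whether a user or a group, may search, modify or delete it. This is an added example written for this page, not TACF's own code; the `groups` set (the groups a user is connected to) and the three action names are assumptions of the model.

```python
"""Profile-authority model for TACF user attributes and profile owners (added example)."""
from __future__ import annotations

from dataclasses import dataclass

INQUIRE, MODIFY, DELETE = "INQUIRE", "MODIFY", "DELETE"   # assumed action names


@dataclass(frozen=True)
class Principal:
    userid: str
    groups: frozenset[str] = frozenset()   # groups this user is connected to (assumed representation)
    special: bool = False                  # ATTR: special attribute
    auditor: bool = False                  # ATTR: auditor attribute


@dataclass(frozen=True)
class Profile:
    name: str
    owner: str   # OWNER field: a user ID or a group name


def owns(requester: Principal, profile: Profile) -> bool:
    """Owner rule: OWNER names the requester, or a group the requester is connected to."""
    return profile.owner == requester.userid or profile.owner in requester.groups


def authorized(requester: Principal, profile: Profile, action: str) -> bool:
    """Decide whether `requester` may perform `action` on `profile`."""
    if requester.special:            # special attribute: unrestricted, like the root user
        return True
    if owns(requester, profile):     # owner: may search, modify or delete
        return action in (INQUIRE, MODIFY, DELETE)
    if requester.auditor:            # auditor attribute: inquiry only
        return action == INQUIRE
    return False


def permitted_actions(requester: Principal, profile: Profile) -> set[str]:
    """Every action the requester may perform on the profile."""
    return {a for a in (INQUIRE, MODIFY, DELETE) if authorized(requester, profile, a)}


if __name__ == "__main__":
    # Constructed sample principals and profiles
    lead = Principal("LEAD", groups=frozenset({"PAYROLL"}))
    auditor = Principal("AUDIT1", auditor=True)
    print(permitted_actions(lead, Profile("BOB", owner="PAYROLL")))   # owner is a group LEAD belongs to
    print(permitted_actions(auditor, Profile("BOB", owner="PAYROLL")))  # {'INQUIRE'}
```

The group case is the one worth noticing: setting OWNER to a group delegates full control of the profile to everyone connected to that group, so group ownership should be limited to administrative groups.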