

Initial Password Expiry Program
If a password expiry value is set for the profile (for example, if either an absolute password expiry date, or a relative expiry period in days is specified for the profile), the Toolkit initial program, YINLPGM, calls a separate program YINLPGMPWD to carry out the actual checking.
The YINLPGMPWD program will do the following:
- Retrieve the password last change date for the user profile (PWDCHGDAT on i OS user profile), and the current system date (i OS QDATE system value).
- Determine a base password expiry date, as follows:
  - If the profile has a password expiry date which is earlier than the current system date, it will be used as the base expiry date.
  - Otherwise, the password expiry period (if any) will be added to the password last change date to give the base password expiry date.
- Determine the grace password expiry date by adding the password expiry grace period for the user profile to the base expiry date computed previously.
- Compare the current system date with the calculated expiry dates.
  - If the current system date is earlier than the base password expiry date, the password is still current, so return without further checking.
  - If the current system date is later than the grace password expiry date, the password has expired, so send a diagnostic message (YUS0027) and sign off. Users must have their user profiles changed by a security officer before they may sign on again.
  - If the current system date is later than the base password expiry date but earlier than the grace password expiry date, the password is within the grace period.
    - If the password expiry option is *NOSIGNON, the user will not be allowed to specify a new password, so send a diagnostic message (YUS0027) and sign off.
    - If the password expiry option is *PMTCHG, send message (YUS0048) and prompt the user with the Toolkit display Change Password (YCHGPWD) (see the section Checking New Password Values) to change the password (that is, users are still allowed to sign on, but should change their passwords before the grace period expires). When the user exits from the display, whether the password has been changed or not, proceed with the sign-on process. Note that when the password is changed, if there is an absolute password expiry date and it is earlier than the grace period expiry date, then the password expiry date will be reset to zero.
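
The decision sequence above, written out as an added Python example for checking how a given profile would be treated; it is not the Toolkit's YINLPGMPWD code. The function, field and action names are hypothetical. It assumes that a date equal to either boundary counts as inside the grace period and that a profile with no expiry period and no past expiry date is current, since the page covers neither case.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional

class Result(NamedTuple):
    state: str                  # "current", "grace" or "expired"
    message: Optional[str]      # message ID named on the page, if any
    action: str                 # hypothetical label for what sign-on does next
    grace_end: Optional[date]

def check_password_expiry(today, last_changed, expiry_date, expiry_days,
                          grace_days, expiry_option):
    # Base expiry: an absolute date already in the past is used as is;
    # otherwise the relative period is added to the last-change date.
    if expiry_date is not None and expiry_date < today:
        base = expiry_date
    elif expiry_days is not None:
        base = last_changed + timedelta(days=expiry_days)
    else:
        # Assumption: nothing to measure against, so treat as current.
        return Result("current", None, "continue", None)
    grace_end = base + timedelta(days=grace_days)

    if today < base:
        return Result("current", None, "continue", grace_end)
    if today > grace_end:
        return Result("expired", "YUS0027", "signoff", grace_end)
    # Assumption: today equal to either boundary counts as the grace period.
    if expiry_option == "*NOSIGNON":
        return Result("grace", "YUS0027", "signoff", grace_end)
    if expiry_option == "*PMTCHG":
        return Result("grace", "YUS0048", "prompt_then_continue", grace_end)
    raise ValueError(f"unknown password expiry option: {expiry_option!r}")

def expiry_date_after_change(expiry_date, grace_end):
    # Note at the end of the list: an absolute date earlier than the grace
    # expiry date is reset once the password is changed (None stands for zero).
    if expiry_date is not None and grace_end is not None and expiry_date < grace_end:
        return None
    return expiry_date

if __name__ == "__main__":
    # Constructed profile: changed 2024-01-01, 90-day period, 10-day grace.
    for day in (date(2024, 3, 1), date(2024, 4, 5), date(2024, 4, 11)):
        print(day, check_password_expiry(day, date(2024, 1, 1), None, 90, 10, "*PMTCHG"))
```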
Copyright © 2014 CA.
All rights reserved.
 