

PASSWORD Keyword (for Administrators)—Assign a Password

Valid on z/OS, z/VSE, and z/VM.

An administrative ACID can use the PASSWORD keyword to assign a password, along with values that control its use, to a previously defined ACID.

Note: An administrative ACID can assign passwords that do not conform to NEWPW control option restrictions; however, passwords must not exceed the MAX length set for the system. For z/OS, the administrator may set control option PWADMIN(YES) to enforce NEWPW control option restrictions and expiration interval restrictions on administrators.

Passwords entered through the Administrative Panels are "invisible." Passwords entered through TSS commands are entered as text.

Some teleprocessing monitors automatically convert mixed case passwords into uppercase before processing by CA Top Secret. These monitors cannot match a mixed case password.

A password that is specified by the ADDTO command function replaces the ACID's previous password.

When used by an administrative ACID, this keyword has the following format:

TSS ADDTO(acid) PASSWORD(password[,[expiration_interval][,EXP]])
                [FACILITY(facility) MULTIPW]
TSS ADDTO(acid) PASSWORD(NOPW)
                [FACILITY(facility) MULTIPW]

password

Specifies one of the following values:

expiration_interval

(Optional) Specifies the interval, in days, before the current password expires (0 indicates a non-expiring password).

Range: 0 to 255

If not included in the PASSWORD keyword specification for ADD or CREATE, the expiration interval defaults to the PWEXP control option value. For example, the expiration interval is not specified in the following commands:

TSS ADDTO(acid) PASSWORD(pass1)
TSS ADDTO(acid) PASSWORD(pass1,,EXP)

If not specified in REPLACE (as shown in the following example), the current expiration interval is retained:

TSS REP(acid) PASSWORD(pass1)

EXP

(Optional) Indicates that the password string is issued as an expired password and must be immediately changed.

NOPW

Specifies that no password is required for this ACID.

Note: Setting this value requires UPDATE access to entity TSSCMD.USER.cmd.NOPW in the CASECAUT resource class. For complete information about CASECAUT, see the CA Top Secret User Guide.

FACILITY

Specifies that the password applies only to the specific facility (FACILITY must be supplied with the MULTIPW keyword). Specifying a MULTIPW facility password allows the administrator to account for variations in mixed-case and extended length passwords.

Separate password history is provided for each MULTIPW facility password.

MULTIPW

Confirms that the password applies only to the specific facility. This keyword is required when a new password is added by an administrative ACID for a designated facility.

When a non-administrative ACID assigns a new password in a facility where an administrator assigned a MULTIPW facility password, they must include the MULTIPW and FACILITY options to target the correct facility for the change.

This keyword is used with:

Other requirements are as follows:

Example: Replace a Password and Require Immediate Password Change

This example replaces USER56's previous password with WORK and prompts the user to change the password immediately during that user's first signon. USER56 is forced to change passwords every nine days.

TSS ADDTO(USER56) PASSWORD(WORK,9,EXP)

Example: Assign a Password

In this example, USER56 signs on with this password until it expires in 30 days (or the default set by the PWEXP control option) or until USER56 changes it. This example assumes that the NEWPW control option is not set to NU to prevent USER56 from changing his or her own password.

TSS ADDTO(USER56) PASSWORD(WORK)

Example: Replace a Password

This example shows a non-administrator (USER56) with the default NEWPW option set of MIN=4,MAX=8,MINDAY=1,WARN=3:

TSS REPLACE(USER56) PASSWORD(ALLEN11)

If the NEWPW option NR=1 is set, the above password change fails.

Example: Replace an Expiration Interval

This example replaces USER01's expiration interval without changing or knowing USER01's password:

TSS ADDTO(USER01) PASSWORD(*,10)
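
The following review aid is an added example, not part of the CA Top Secret documentation or product: it parses commands in the format described above and flags NOPW, a 0 (non-expiring) interval, an interval outside 0 to 255, and FACILITY supplied without MULTIPW. The finding names, the NO_EXP review rule (an administrator-assigned password not issued as expired), the made-up ACIDs USER02 to USER04, and the facility name FAC1 are assumptions of this example.

```python
import re

# Command forms shown on this page: TSS ADDTO|REPLACE|REP (acid) PASSWORD(...)
_CMD = re.compile(
    r"^\s*TSS\s+(ADDTO|REPLACE|REP)\((\w+)\)\s+PASSWORD\(([^)]*)\)(.*)$", re.I)

def audit_password_command(line):
    """Return (acid, findings) for one command; the password is never echoed."""
    m = _CMD.match(line)
    if not m:
        return None, ["UNPARSED"]
    _func, acid, operand, rest = m.groups()
    fields = [f.strip() for f in operand.split(",")]
    password = fields[0].upper()
    interval = fields[1] if len(fields) > 1 else ""   # empty = not specified
    exp = len(fields) > 2 and fields[2].upper() == "EXP"
    findings = []
    if password == "NOPW":
        findings.append("NOPW")              # no password required for the ACID
    elif password != "*" and not exp:
        findings.append("NO_EXP")            # assumed rule: not issued as expired
    if interval:
        if not interval.isdecimal() or int(interval) > 255:
            findings.append("BAD_INTERVAL")  # documented range is 0 to 255
        elif int(interval) == 0:
            findings.append("NON_EXPIRING")  # 0 indicates a non-expiring password
    # FACILITY must be supplied with the MULTIPW keyword.
    has_fac = re.search(r"\bFACILITY\(\w+\)", rest, re.I) is not None
    has_multi = re.search(r"\bMULTIPW\b", rest, re.I) is not None
    if has_fac != has_multi:
        findings.append("FACILITY_MULTIPW_MISMATCH")
    return acid.upper(), findings

# Constructed sample input: three commands from this page, three made up.
SAMPLE = [
    "TSS ADDTO(USER56) PASSWORD(WORK,9,EXP)",
    "TSS ADDTO(USER56) PASSWORD(WORK)",
    "TSS ADDTO(USER01) PASSWORD(*,10)",
    "TSS ADDTO(USER02) PASSWORD(NOPW)",
    "TSS ADDTO(USER03) PASSWORD(TEMP01,0) FACILITY(FAC1)",
    "TSS REP(USER04) PASSWORD(TEMP02,300,EXP)",
]

if __name__ == "__main__":
    for acid, findings in map(audit_password_command, SAMPLE):
        print(acid, findings or "ok")
```

Because passwords entered through TSS commands are plain text, the report carries only the ACID and the finding names.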