Valid on z/OS and z/VM.
Use the INACTIVE control option to prohibit the use of ACIDs that are connected to an expired password and have not been used for certain periods of time. You can specify a number of days. If no activity is detected for an ACID within this time period after password expiration, CA Top Secret suspends the ACID (to deny system access to any user or job that uses this ACID).
You can also specify LASTUSED to use additional criteria to determine whether to suspend the ACID.
Note: This control option has no function in a CPF target side. CPF command checking uses the XE23 of the administrator to perform authorizations.
All entry methods are accepted.
This control option has the following format:
TSS MODIFY INACTIVE((0|nnn) [,LASTUSED])
0
Deactivates the INACTIVE option. This value is the default value.
nnn
Specifies a number of days, after which the product prohibits signon for an unused ACID that is connected to an expired password. For example, specifying 5 means that five days after the ACID's password expires, CA Top Secret suspends the ACID if no activity is detected for the ACID. Suspending the ACID denies system access to any user or job that uses this ACID.
Range: 1 to 999
LASTUSED
Specifies to suspend the ACID if both of the following values are greater than the nnn setting:
With this specification in place, CA Top Secret also suspends an ACID that has never signed on for a number of days exceeding the nnn setting. For example, if you create ACID BOB on July 5, and INACTIVE(30,LASTUSED) is set, BOB must sign on between July 5 and August 4; otherwise, CA Top Secret suspends the ACID.
Note: If you specify LASTUSED, the nnn value must be greater than or equal to the password expiration (PWEXP) and password phrase expiration (PPEXP) values.
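The LASTUSED constraint and the BOB deadline above can be checked before a setting is changed. The following Python is an added example, not CA Top Secret code: it parses the option as written on this page, compares nnn with PWEXP and PPEXP, and computes the last sign-on date for a never-used ACID. The function names, the year, and the PWEXP/PPEXP values are assumptions.

```python
import re
from datetime import date, timedelta

# Matches the option as written on this page: INACTIVE(0|nnn[,LASTUSED])
_INACTIVE = re.compile(r"INACTIVE\(\s*(\d{1,3})\s*(?:,\s*(LASTUSED)\s*)?\)")

def parse_inactive(text):
    """Return (days, lastused) from a string such as 'TSS MODIFY INACTIVE(30,LASTUSED)'."""
    m = _INACTIVE.search(text.upper())
    if m is None:
        raise ValueError(f"no INACTIVE(nnn[,LASTUSED]) setting found in {text!r}")
    return int(m.group(1)), m.group(2) is not None

def review_inactive(days, lastused, pwexp, ppexp):
    """Return findings for an INACTIVE setting checked against PWEXP and PPEXP (days)."""
    findings = []
    if days == 0:
        findings.append("INACTIVE is deactivated (0, the default): inactivity suspension is off")
        return findings
    if lastused:
        # Page note: with LASTUSED, nnn must be >= PWEXP and >= PPEXP.
        for name, value in (("PWEXP", pwexp), ("PPEXP", ppexp)):
            if days < value:
                findings.append(f"INACTIVE({days},LASTUSED) is below {name}({value})")
    return findings

def never_used_deadline(created, days):
    """Last date a never-signed-on ACID can sign on before LASTUSED suspends it."""
    return created + timedelta(days=days)

if __name__ == "__main__":
    # Constructed sample values; the year and the PWEXP/PPEXP numbers are assumptions.
    days, lastused = parse_inactive("TSS MODIFY INACTIVE(30,LASTUSED)")
    print(days, lastused)
    print(review_inactive(days, lastused, pwexp=60, ppexp=30))
    print(never_used_deadline(date(2014, 7, 5), days))
```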
Example: Deny Access for an Unused ACID
This example denies access to any user or job that attempts to access the system by using an ACID that has not been used for five consecutive days after password expiration:
TSS MODIFY INACTIVE(5)
To avoid encountering this access denial, change your password before the password expiration date, or change your password within the five‑day threshold specified in the INACTIVE control option.
Example: Specify LASTUSED to Require a Combination of ACID-Related Events to Suspend an ACID
This example denies access to any user or job that attempts to access the system with an ACID that meets both of the following conditions:
TSS MODIFY INACTIVE(30,LASTUSED)
Example: Reactivate an Inactive ACID
This example reactivates an inactive ACID by removing SUSPEND from a user and replacing the password (while also specifying the expiration interval or expiration option). The following syntax removes the SUSPEND:
TSS REMOVE(acid) SUSPEND
Perform one of the following actions to replace the password:
TSS REPLACE(acid) PASSWORD(xxx,030)
xxx
Specifies the new password.
TSS REPLACE(acid) PASSWORD(xxx,,EXP)
xxx
Specifies the new password.
Copyright © 2014 CA Technologies.
All rights reserved.