Creating and Setting Up Users › Suspend ACIDs Automatically Based On Inactivity Thresholds

Suspend ACIDs Automatically Based On Inactivity Thresholds

You can suspend ACIDs that have not been used for a long time. Inactivity is measured from the day that an ACID’s password expired. If CA Top Secret does not detect any activity for an ACID before the threshold is reached, the ACID is suspended. Changing the password is considered activity.

To determine when to suspend ACIDs based on inactivity, enter the following command:

TSS MODIFY INACTIVE((0|nnn) [,LASTUSED])

0

Deactivates the INACTIVE option. This value is the default value.

nnn

Specifies a number of days, after which the product prohibits signon for an unused ACID that is connected to an expired password. For example, specifying 5 means that five days after the ACID's password expires, CA Top Secret suspends the ACID if no activity is detected for the ACID. Suspending the ACID denies system access to any user or job that uses this ACID.

Important! This suspension process does not apply to users with an administratively expired password. For example, an administrator can create a user with PASSWORD(password_text,,EXP). If the user never logged on to the system, the user would not be suspended during the first logon, regardless of the INACTIVE interval.

Range: 1 to 999

We recommend specifying a value between 14 and 30. When the value is too large, older unused identities that are still technically active might be at risk for unauthorized use (without administrator intervention). When the value is too small, ACIDs could be suspended unnecessarily (for example, when a regular employee returns from a scheduled vacation).

LASTUSED

Specifies to suspend the ACID if both of the following values are greater than the nnn setting:

• Number of days between the last date that an ACID was used and today's date
• Number of days between the last date that the ACID's password was changed and today's date

With this specification in place, CA Top Secret also suspends an ACID that has never signed on for a number of days exceeding the nnn setting. For example, if you create ACID BOB on July 5, and INACTIVE(30,LASTUSED) is set, BOB must sign on between July 5 and August 4; otherwise, CA Top Secret suspends the ACID.

Note: If you specify LASTUSED, the nnn value must be greater than or equal to the password expiration (PWEXP) and password phase expiration (PPEXP) values.