IBM OS/390 Tivoli Management Environment (TME) 10 Global Enterprise Management User Administration Service

The ALTUSER command allows an administrator to reset a user's password to

a temporary password or a default value. This command is modified to save the

old password whenever the password is reset.

The PASSWORD USER (

) command provides users and administrators

with a password reset function. This command is modified to save the old

password whenever the password is reset.

Tivoli Management Environment (TME) 10 Global EnterpriseManagement User Administration Service

The Tivoli Management Environment (TME) 10 Global Enterprise Manager User

Administration Service provides the ability to manage UNIX, Windows NT,

NetWare, and RACF accounts from a single, common interface (either graphical or

command line). The RACF support for this, which was provided by APARs

OW23445 and OW23446, includes:

The TMEADMIN class, which is used to map a TME administrator to a RACF user

ID.

Callable services to:

Derive a session key from a previously generated RACF PassTicket. The Tivoli

Management Region (TMR) TCP/IP server uses such session keys to encrypt

and decrypt administrative data that flows between the TMR server and

OS/390.

Convey RACF administrative changes to RACF. The new R_Admin callable

service provides a function-code driven parameter list with data fields consisting

of name-value pairs. This name-value pair support is used by the TME user

administration service to add or update the following RACF user profile

information:

– BASE profile information

– OMVS segment

– NETVIEW segment

– TSO segment

– CICS segment

In addition to the above, the R_Admin callable service provides a run command

function in which most RACF TSO commands may be executed.

Changes to the RACF TSO command ALTUSER. The NOCLAUTH key will now

accept an asterisk ('*') to indicate removal of all of the user's CLAUTH authorities.

Program Control by System ID

RACF provides a means to restrict access to a program based on the system

identifier (SMFID). This additional program control by system ID improves system

management and usability of program products in a sysplex environment. It also

eliminates error-prone manual procedures, the need to keep DASD that is not

shared, and the potential savings on licensing fees by controlling which systems in

a sysplex the licensed software may execute on. Previously many customers

complied with licensing agreements by paying for ALL system that the software

COULD run on because there was no easy way to restrict access to a particular

8OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration