I am working with Macro4 to enhance the security exit we use to validate passwords. When the password has already been changed today it returns a 'denied' return code.

Can this be enhanced to an additional return code or subcode to give better reasons?

It confuses the user since we do not know why the password was denied. When a password change request fails, VM:Secure sets a return code to indicate why and TUBVMX translates that into a message which it appends to 'NEW PASSWORD REJECTED -'.

There are a number of possible return codes and you can see their meanings at label NPEXPTAB in TUBVMX ASSEMBLE. Return code X'24' equates to 'Request denied by the password security exit', but VM:Secure is no more specific about it than that. If the only reason you'd get return code X'24' is an attempt to change a password more than once in a day, then maybe we should simply change the text.

Alternatively (and preferably), if there's some way of getting VM:Secure to set a different return code specifically for this reason, we could easily modify TUBVMX to handle it.

Release: all
Component: VM:Secure 

We suggest you take advantage of changes made to our Diagnose X'A0' subcode 60 that now allow the password user exit to put a message back to the diagnose caller so you can tell the user exactly why the password change failed. The diagnose also captures and returns any message up to 255 bytes in length that the PASSWORD exit stacks. At the completion of the diagnose, the first byte of the parameter list contains the length of the message, which immediately follows. If the length is 0, no message was returned. Hopefully, you can code the diagnose to gather the stacked message and display the details to the user. 

You'll find more information about this and Diagnose X'A0'  in the VM:Secure Rules Facility guide.