How do you enable users to sign on with their existing password and replace their password with a passphrase? Is there a way to do this without getting the admin (SCA) involved? 

Release : 16.0

Component : Top Secret for z/OS

Currently the functionality to enable "users to sign on with their existing password and change it to a phrase" does not exist.

A Top Secret Administrator must assign the PHRASE to ACIDs. An SCA is recommended since an SCA has scope over everyone on the security file.  

However, it can be automated as follows:  
1) Create a dataset of the acids via: 
TSSCFILE TSS LIST(ACIDS) DATA(BASIC)

2) Create a TSSCFILE utility program to read the file and generate the TSS commands to:  
   A. Change/expire the PASSWORD, 
   B. Add the PHRASEONLY attribute: TSS ADD(acid) PHRASEONLY, and 
   C. Add/change a PHRASE keyword. Set it to expire to force users to change phrase: TSS ADD(acid) PHRASE("change this phrase",,EXP)

3) Set up the passphrase control options to site's standards:
NEWPHRASE(MIN=14,MAX=nnn,WARN=nn,MINDAYS=nn,etc)
PSWDPHRASE(ON ) - set to ON when ready to allow all users to use phrases. 
NPPTHRESH(nn)
PPEXP(nnn)
PPHIST(nn)