ACF2 Security Admins able to reset passwords despite PSWDMIN/MINDAYS settings

Article ID: 238494

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

The current PSWDMIN value in the ACF2 GSO PSWD record is 0:

PSWDMIN  = 0       MINIMUM NUMBER OF DAYS TO ELAPSE FOR A PSWD CHANGE

The LIDREC for each user is set to MINDAYS(3).

The ID admin team and helpdesk are able to change a user's password within a day. They should not be able to change the password before 3 days have elapsed. Why are they allowed to?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The ACF2 GSO PSWD and LIDREC PSWDMIN/MINDAYS fields apply only to users changing their own passwords. This helps prevent users from cycling through their password history. Security administrators can always change the password for other users regardless of this setting. Otherwise, for example, a user who forgets a new password would be unable to log on to the system until the PSWDMIN days had elapsed.

Security admins are likewise unable to change their own passwords before the minimum has elapsed. Attempting to do so results in this message:

ACF00136 NEW PASSWORD NOT SET - CURRENT PASSWORD MUST BE KEPT FOR X DAYS

The only way a password can be reset before the limit specified in PSWDMIN/MINDAYS is for another privileged user to reset it.
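
Because a reset by another privileged user is the one path around the minimum, those resets are worth reviewing. The following is an added example, not Broadcom or ACF2 code: it applies the rule above to constructed password-change events and lists the resets made inside the MINDAYS window. The event tuple layout, the logonids and the exact day-count boundary are assumptions for illustration.

```python
from datetime import date

# Constructed sample events (NOT an ACF2 report format). Each tuple is:
# (change date, changer logonid, target logonid,
#  date the target's password was last set, MINDAYS in effect for the target)
EVENTS = [
    (date(2024, 3, 4), "USER01",  "USER01", date(2024, 3, 3), 3),
    (date(2024, 3, 4), "HELPDSK", "USER01", date(2024, 3, 3), 3),
    (date(2024, 3, 8), "USER02",  "USER02", date(2024, 3, 1), 3),
    (date(2024, 3, 5), "SECADM",  "SECADM", date(2024, 3, 4), 3),
    (date(2024, 3, 9), "SECADM",  "USER03", date(2024, 3, 1), 3),
]

def classify(when, changer, target, last_set, min_days):
    """Apply the rule from the article to one password-change attempt."""
    # Assumption: the password must be at least min_days old before its
    # owner may change it; the exact boundary in ACF2 is not stated here.
    inside_window = (when - last_set).days < min_days
    if changer == target:
        # The minimum binds every user changing their own password,
        # security administrators included.
        return "self-change-denied (ACF00136)" if inside_window else "self-change-ok"
    # A privileged user changing someone else's password is never blocked
    # by PSWDMIN/MINDAYS; mark the ones that landed inside the window.
    return "admin-reset-inside-window" if inside_window else "admin-reset"

def resets_to_review(events):
    """Return (date, changer, target) for resets that bypassed the minimum."""
    return [(when, changer, target)
            for (when, changer, target, last_set, min_days) in events
            if classify(when, changer, target, last_set, min_days)
            == "admin-reset-inside-window"]

if __name__ == "__main__":
    for event in EVENTS:
        print(event[0], event[1], "->", event[2], ":", classify(*event))
    print("Review:", resets_to_review(EVENTS))
```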