Password max age based on user ID

Article ID: 264213

Products

VM:Secure for z/VM

Issue/Introduction

Our security department is making rules for how often passwords must be changed, and for years we've had a one size fits all, but now they want to allow longer periods for some and shorter periods for others, based on some criteria.

 

Can VM:Secure support that?  In Linux, for example, the password max age is associated with each user ID, and of course there's a system default that's applied when the ID is created.  Afterward it can be changed to any value or even non-expiring. 

Do you have any plans to support a (new) "magic comment" like *PWMAXAGE: n?

If needed, we could write our own code to go through the directory files looking for *PW= and do our own elapsed time calc and forcibly EXPIRE IDs based on whatever rules they give us. VM:Secure would be configured with the longest period allowed, then our special code would cut that short as needed.

 

Environment

Release : 3.2

Resolution

Try using the VMSECURE QUERY PASSWORD nn command (where nn is the number of days since the user last updated their password) to list the users that meet that criterion, and then use the EXPIRE command to expire their passwords.
 
This may not be the optimal solution, but other than looking at each user's entry, it is at least a VMSECURE command that helps with the handling. GETPWEXP also gives password expiration information for a user, if that output helps with any automation.
 
 

Additional Information

The VMSECURE QUERY command is documented at:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-with-security/3-2/reference/command-reference/query-command.html