IBM OS/390 Server User Manual


 
Chapter 7. Administration Considerations
This chapter summarizes the changes to administration procedures that the security
administrator should be aware of. For more information, see OS/390 Security
Server (RACF) Security Administrator's Guide.
The TMEADMIN Class
The new TMEADMIN class is used to associate a TME administrator with a RACF
MVS identity on any MVS system that is part of a Tivoli management region (TMR).
The TMEADMIN class contains a profile for each TME administrator who is able to
perform RACF user management tasks. The name of this profile is the TME
administrator string name. For example:
admin-login-name@TME-region-name
The hex code for @ is x'7C'. You need to use the key on your keyboard that
provides that hex value. Sharing of a single RACF user ID by multiple TME
administrators is not recommended. It is preferable that each TME administrator ID
map to a unique RACF user ID.
In the following example, the TME administrator root in the Tivoli TMR region of
pok01 would have a RACF user ID of CSMITH. The APPLDATA field of this profile
contains the RACF MVS user ID. Only a RACF administrator with SPECIAL authority
can issue this command:
RDEFINE TMEADMIN root@pok1 APPLDATA('CSMITH')
For more information on the TMEADMIN class, see “Tivoli Management
Environment (TME) 10 Global Enterprise Management User Administration Service”
on page 8.
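The mapping rules above (a profile named admin-login-name@TME-region-name, APPLDATA holding the RACF user ID, and no RACF user ID shared between TME administrators) can be checked over a script of RDEFINE commands before it is run. The following Python check is an added example, not part of the IBM manual; the name audit_tmeadmin, the 1 to 8 character user ID length test, the case-insensitive comparison of user IDs, and every sample line except the first are assumptions made here.

```python
import re
from collections import defaultdict

# Command form shown in this chapter:
#   RDEFINE TMEADMIN admin-login-name@TME-region-name APPLDATA('USERID')
RDEFINE_RE = re.compile(
    r"^\s*RDEFINE\s+TMEADMIN\s+(\S+)\s+APPLDATA\('([^']*)'\)\s*$", re.IGNORECASE)

# Constructed sample input; only the first line appears in the manual.
SAMPLE = """\
RDEFINE TMEADMIN root@pok1 APPLDATA('CSMITH')
RDEFINE TMEADMIN jdoe@pok1 APPLDATA('JDOE')
RDEFINE TMEADMIN ops@pok1 APPLDATA('CSMITH')
RDEFINE TMEADMIN backup APPLDATA('BKUP01')
"""

def audit_tmeadmin(script):
    """Return (mappings, findings) for a script of RDEFINE TMEADMIN commands."""
    mappings = {}                   # TME administrator string name -> RACF user ID
    by_userid = defaultdict(list)   # RACF user ID -> TME administrators mapped to it
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not line.strip():
            continue
        m = RDEFINE_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: not an RDEFINE TMEADMIN command with APPLDATA")
            continue
        profile = m.group(1)
        userid = m.group(2).upper()  # assumption: compare user IDs case-insensitively
        login, sep, region = profile.partition("@")
        if not (login and sep and region):
            findings.append(f"line {lineno}: '{profile}' is not admin-login-name@TME-region-name")
            continue
        if not 1 <= len(userid) <= 8:  # assumption: RACF user IDs are 1 to 8 characters
            findings.append(f"line {lineno}: APPLDATA '{userid}' is not a valid RACF user ID length")
            continue
        if profile in mappings:
            findings.append(f"line {lineno}: profile '{profile}' is defined more than once")
            continue
        mappings[profile] = userid
        by_userid[userid].append(profile)
    # The manual recommends that each TME administrator map to a unique RACF user ID.
    for userid, admins in sorted(by_userid.items()):
        if len(admins) > 1:
            findings.append(f"RACF user ID {userid} is shared by: {', '.join(admins)}")
    return mappings, findings

if __name__ == "__main__":
    for finding in audit_tmeadmin(SAMPLE)[1]:
        print(finding)
```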
Password History Changes
When an administrator resets a user's password with one of the following
commands, the old password is saved in the password history list:
ALTUSER (userid ...) PASSWORD
ALTUSER (userid ...) PASSWORD(password)
PASSWORD USER(userid ...)
For more information, see “Password History Enhancements” on page 7.
Program Control by System ID
Program control by system ID limits a user's access to a particular program to a
specified system. It improves system management and usability of program
products in the sysplex environment. In addition, it eliminates error-prone manual
procedures, eliminates the need to keep DASD that is not shared, and eliminates
the possibility of license exposures.
Copyright IBM Corp. 1994, 1997