Review user data, such as owner and status, in the User table.
The User table consists of a list of users and their properties. Use the
Find dialog (see Using the Find dialog) to open the User table. Every icon
in the list can be either red or green. When an icon is green, it means
that the user is active; when it is red, the user is revoked or inactive.
Figure 1. User table
To see the site-specific columns, scroll to the right:
Figure 2. User table with site-specific columns
The User table has these columns:
Attempts
Count of logon attempts with an invalid password. This count is only kept if the RACF user revoke setting has been activated with the RACF SETROPTS PASSWORD(REVOKE(nn)) command on the mainframe.
After nn invalid password attempts, the user is revoked.
Auth Method
This field indicates the combination of authentication mechanisms that a user is allowed to use to log on to RACF:
Pwd
User can use a password.
PPhr
User can use a passphrase.
MFA
User can use the IBM Z® Multi-Factor Authentication (MFA)
mechanism.
Protected
User is a protected user.
Complex
The name of the zSecure node
where the result was found. This column is displayed only if you are operating in multi-system
mode.
Created
Date on which the user is defined.
DefaultGrp
The default group is the group that the user automatically connects to at logon.
Eff_Phrint
The effective passphrase interval for a user ID shows the period in days after which the user
must change the passphrase. It combines information from the system passphrase interval, the user's
passphrase interval, and the user's password interval. If the system does not support a separate
passphrase interval, the value is the same as the value of the effective password interval. Field value None indicates that the user has a passphrase
that never expires. The value is missing for protected users; protected users do not have an
effective password or passphrase interval.
Eff_PwdInt
The effective password interval for a user ID shows the period in days after which the user must
change the password.
InstData
This field has a site-defined layout and purpose. Typically it contains
organizational data on the user ID. The InstData field might be replaced by
site-specific fields, depending on the configuration used by your organization.
LastConnect
This field contains the last RACINIT date for any group that the user is connected to.
Note:
RACF uses a different date to calculate the inactivity
interval of the user.
LastPhrChange
This field displays the user's last passphrase change date.
LastPwdChange
The most recent date the password was changed.
LegacyPwdCount
This field indicates how many passwords in the password history are encrypted using a legacy
algorithm.
LegacyPwdUsed
This field indicates if the current user password is encrypted using a legacy algorithm. A
legacy algorithm can either be DES or the algorithm as indicated by the ICHDEX01 password encryption
exit (masking, DES, or installation-defined encryption method).
MappingsCount
The number of distributed identity filters that are associated with the user ID.
Name
Real name of the user, or any other description.
Owner
The owner can change the user definition.
Password Fallback
This field indicates whether the user can log on to RACF
with a password or passphrase if the MFA server is unavailable.
PhrExpireDate
This field displays the passphrase expiration date of the user. For users whose passphrases have
been explicitly expired, this field shows a date in the past. In such cases, it shows the last use
date of the user. If the user ID has never been used, this field shows the creation date of the user
ID.
PhrExpired
This field indicates whether the passphrase of the user has expired.
Phrint
The period in days after which the user must change the passphrase. The passphrase interval can
take a valid value in the range 0-65534. The passphrase interval value of 0 is the default value and
indicates that the user does not have a specific passphrase interval value. If the user has a
never-expiring passphrase, the value None is shown. The value is
missing for protected users; protected users do not have an effective password or passphrase
interval.
PwdExpired
This field indicates whether the password has expired. When the password has expired, the user
must change the password at the next logon. The field presented takes into account the current date,
the password interval of the user, the system-wide password interval, and the most recent password
change date.
PwdExpireDate
This field displays the password expiration date of the user. For users whose passwords have
been explicitly expired, this field shows a date in the past. In such cases, it shows the last use
date of the user. If the user ID has never been used, this field shows the creation date of the user
ID.
PwdInt
The period in days after which the user must change the password. Valid interval values are 1 -
254. If the password interval field displays a blank value in the user table, the user has a
password that never expires. The blank value is special and equals 255. The value is missing for
protected users; protected users do not have an effective password or passphrase interval.
Revoked
A revoked user cannot log on, but the profile is still present. A user can be revoked for these
reasons:
An administrator revokes the user.
The user makes too many unsuccessful password attempts and is revoked automatically.
An administrator schedules the revocation on a specified date.
The user does not log on in a specified timeframe and is revoked automatically.
The status is derived from the revoke status flag, the current date, the revoke date, the
resume date, and the date the user last logged on.
Site-specific fields
Your organization's zSecure Visual Server might be configured to show site-specific
fields with user information, such as Location, Building, Cost-center, zSecure user name, or other
site-specific content. In that case, those fields are displayed between the
PhrExpireDate and Attempts fields on the User table
window.
Userid
The RACF user ID.
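As an added example (not part of the product documentation and not zSecure code), the following Python applies the column encodings described above to flag rows that merit review: never-expiring passwords and passphrases, legacy-algorithm passwords, and MFA users with password fallback. The row layout, the space-separated Auth Method value, the Yes/No flag values, and all function names are assumptions made for the example.

```python
# Constructed rows keyed by the column names on this page. The dict layout, the
# space-separated "Auth Method" value and the Yes/No flag values are assumptions.
SAMPLE_ROWS = [
    {"Userid": "USERA", "Auth Method": "Pwd", "PwdInt": "30", "Phrint": "0",
     "LegacyPwdUsed": "No", "LegacyPwdCount": "0", "Password Fallback": "No"},
    {"Userid": "USERB", "Auth Method": "Pwd PPhr", "PwdInt": "", "Phrint": "None",
     "LegacyPwdUsed": "Yes", "LegacyPwdCount": "3", "Password Fallback": "No"},
    {"Userid": "USERC", "Auth Method": "Pwd MFA", "PwdInt": "90", "Phrint": "0",
     "LegacyPwdUsed": "No", "LegacyPwdCount": "2", "Password Fallback": "Yes"},
    {"Userid": "STCUSR", "Auth Method": "Protected", "PwdInt": "", "Phrint": "",
     "LegacyPwdUsed": "No", "LegacyPwdCount": "0", "Password Fallback": "No"},
]
def pwd_interval(value):
    """PwdInt: blank (equal to 255) means never expires; otherwise 1-254 days."""
    text = value.strip()
    if text in ("", "255"):
        return "never"
    days = int(text)
    if not 1 <= days <= 254:
        raise ValueError(f"PwdInt out of range: {days}")
    return days

def phr_interval(value):
    """Phrint: None means never expires; 0 means no user-specific interval."""
    text = value.strip()
    if text == "None":
        return "never"
    days = int(text)
    if not 0 <= days <= 65534:
        raise ValueError(f"Phrint out of range: {days}")
    return "default" if days == 0 else days

def review(row):
    """Intervals are read only for allowed methods, so a protected user's
    missing PwdInt is not mistaken for the blank never-expires value."""
    methods = row["Auth Method"].split()
    findings = []
    if "Pwd" in methods and pwd_interval(row["PwdInt"]) == "never":
        findings.append("password never expires")
    if "PPhr" in methods and phr_interval(row["Phrint"]) == "never":
        findings.append("passphrase never expires")
    if row["LegacyPwdUsed"] == "Yes":
        findings.append("current password uses a legacy algorithm")
    if int(row["LegacyPwdCount"]) > 0:
        findings.append("password history holds legacy-algorithm entries")
    if "MFA" in methods and row["Password Fallback"] == "Yes":
        findings.append("password fallback allowed when MFA server is unavailable")
    return findings
def review_all(rows):
    return {row["Userid"]: review(row) for row in rows}
```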
The Find dialog for users window shows extra fields for selecting users:
Figure 3. Find dialog for users
Attempts
Select users that have more or less than a certain number of password attempts. A blank field
selects users independent of the number of password attempts.
AuthMethod
Select users based on the authentication methods; that is, Protected, Password, Password phrase
(passphrase), and MFA. You can select either protected or a combination of password, passphrase, or
MFA. If you select nothing, you have the complete list of users.
Default Group
Select users by default group. The field is used as a filter.
Installation data
A substring that must exist in the installation data.
Name
A substring that must exist in the name.
Owner
Select users by owner. The field is used as a filter.
Segment
Select the users that have the segment you specify. If this option is disabled, you cannot view segments or there are no segments. If you select Any, you have the
complete user list, whether the profiles have segments or not.
Status
Select users that are revoked, not revoked, active, or inactive. If you select
Any, you have the complete user list.
If your organization's zSecure Visual Server is configured to show site-specific fields with user
information, those fields are displayed on the right side of the Find dialog for users window.