User table

Review user data, such as owner and status, in the User table.

The User table consists of a list of users and their properties. Use the Find dialog (see Using the Find dialog) to open the User table. Every icon in the list can be either red or green. When an icon is green, it means that the user is active; when it is red, the user is revoked or inactive.

User table showing list of users and corresponding properties — Figure 1. User table

To see the site-specific columns, scroll to the right:

The User table has these columns:

Attempts

Count of logon attempts with an invalid password. This count is only kept if the RACF user revoke setting has been activated with the RACF SETROPTS PASSWORD(REVOKE(nn)) command on the mainframe. After nn invalid password attempts, the user is revoked.

Auth Method

This field indicates the combination of authentication mechanisms to logon to RACF that are allowed for a user:

Pwd: User can use a password.
PPhr: User can use a passphrase.
MFA: User can use the IBM Z® Multi-Factor Authentication (MFA) mechanism.
Protected: User is a protected user.

Complex

The name of the zSecure node where the result was found. This column is displayed only if you are operating in multi-system mode.

Created

Date on which the user is defined.

DefaultGrp

The default group is the group that the user automatically connects at logon.

Eff_Phrint

The effective passphrase interval for a user ID shows the period in days after which the user must change the passphrase. It combines information from the system passphrase interval, the user's passphrase interval, and the user's password interval. If the system does not support a separate passphrase interval, the value is the same as the value of the effective password interval. Field value None indicates that the user has a passphrase that never expires. The value is missing for protected users; protected users do not have an effective password or passphrase interval.

Eff_PwdInt

The effective password interval for a user ID shows the period in days after which the user must change the password.

InstData

This field has a site-defined layout and purpose. Typically it contains organizational data on the user ID. The InstData field might be replaced by site-specific fields, depending on the configuration used by your organization.

LastConnect

This field contains the last RACINIT date for any group that the user is connected to.

Note: RACF uses a different date to calculate the inactivity interval of the user.

LastPhrChange

This field displays the user's last passphrase change date.

LastPwdChange

The most recent date the password was changed.

LegacyPwdCount

This field indicates how many passwords in the password history are encrypted using a legacy algorithm.

LegacyPwdUsed

This field indicates if the current user password is encrypted using a legacy algorithm. A legacy algorithm can either be DES or the algorithm as indicated by the ICHDEX01 password encryption exit (masking, DES, or installation-defined encryption method).

MappingsCount

The number of distributed identity filters that are associated with the user ID.

Name

Real name of the user, or any other description.

Owner

The owner can change the user definition.

Password Fallback

This field indicates whether the user can logon to RACF with a password or passphrase if the MFA server is unavailable.

PhrExpireDate

This field displays the passphrase expiration date of the user. For users whose passphrases have been explicitly expired, this field shows a date in the past. In such cases, it shows the last use date of the user. If the user ID has never been used, this field shows the creation date of the user ID.

PhrExpired

This field indicates whether the passphrase of the user has expired.

Phrint

The period in days after which the user must change the passphrase. The passphrase interval can take a valid value in the range 0-65534. The passphrase interval value of 0 is the default value and indicates that the user does not have a specific passphrase interval value. If the user has a never-expiring passphrase, the value None is shown. The value is missing for protected users; protected users do not have an effective password or passphrase interval.

PwdExpired

This field indicates whether the password has expired. When the password has expired, the user must change the password at the next logon. The field presented takes into account the current date, the password interval of the user, the system-wide password interval, and the most recent password change date.

PwdExpireDate

This field displays the password expiration date of the user. For users whose passwords have been explicitly expired, this field shows a date in the past. In such cases, it shows the last use date of the user. If the user ID has never been used, this field shows the creation date of the user ID.

PwdInt

The period in days after which the user must change the password. Valid interval values are 1 - 254. If the password interval field displays a blank value in the user table, the user has a password that never expires. The blank value is special and equals 255. The value is missing for protected users; protected users do not have an effective password or passphrase interval.

Revoked

A revoked user cannot log on, but the profile is still present. A user can be revoked for these reasons:

An administrator revokes the user.
The user makes too many unsuccessful password attempts and is revoked automatically.
An administrator schedules the revocation on a specified date.
The user does not log on in a specified timeframe and is revoked automatically.

The status is derived from the revoke status flag, the current date, the revoke date, the resume date, and the date the user last logged on.

Site-specific fields

Your organization's zSecure Visual Server might be configured to show site-specific fields with user information, such as Location, Building, Cost-center, zSecure user name, or other site-specific content. In that case, those fields are displayed between the PhrExpireDate and Attempts fields on the User table window.

Userid

The RACF user ID.

The Find dialog for users window shows extra fields for selecting users:

rwusfin — Figure 3. Find dialog for users

Attempts: Select users that have more or less than a certain number of password attempts. A blank field selects users independent of the number of password attempts.
AuthMethod: Select users based on the authentication methods; that is, Protected, Password, Password phrase (passphrase), and MFA. You can select either protected or a combination of password, passphrase, or MFA. If you select nothing, you have the complete list of users.
Default Group: Select users by default group. The field is used as a filter.
Installation data: A substring that must exist in the installation data.
Name: A substring that must exist in the name.
Owner: Select users by owner. The field is used as a filter.
Segment: Select the users that have the segment you specify. If this option is disabled, you cannot view segments or there are no segments. If you select Any, you have the complete user list, whether the profiles have segments or not.
Status: Select users that are revoked, not revoked, active, or inactive. If you select Any, you have the complete user list.

If your organization's zSecure Visual Server is configured to show site-specific fields with user information, those fields are displayed on the right side of the Find dialog for users window.