[MVS] Trusted Context and Revoke RACF User

Michael Klaeschen

We have RACF defined users as DB2 Auth-IDs and set up Trusted Context for
DB2-Connect. This works fine so far. But we have a couple of RACF defined
users solely for this purpose. I mean those RACF defined users are used as
DB2-AuthIDs from Trusted Context only. They will never be used for TSO
logon or similar. In some cases the humans in question might not even know
about the password. I think we could define them as PROTECTED. However,
we do not know exactly whether the RACF defined user is only for Trusted
Context or other purpose as well (in addition this might change over the

Now I was reading on RACF option INACTIVE and found that a RACF defined
user is considered inactive if not logged on, submitted a job, changed
password, attempted unsuccessful logon or received directed command or
output from RACF within the specified number of days. All of these do
not seem to be valid for Trusted Context and the proceedings there used to
change identity -- I think it is similar to surrogate except that there is
no job submitted.

Now I wonder what happens to a RACF defined user which is (successfully)
daily used for Trusted Context after the number of days specified with
INACTIVE option (180 days in our installation). Maybe Trusted Context is
just another type of logon...?

I do not think I will manage to arrange a test environment. So I hope you
have experience on this.

Thank you, cheers
