In any large enterprise, frequent requests for password resets are a burden on helpdesk and security administration. At the same time, a user needing to request then wait for a resolution can mean frustration and delays in essential work tasks. Self Service Password Reset (SSPR) is a fast, secure and reliable way for users to reset their own RACF password, removing the need to contact a central helpdesk or security administration team.
Self Service Password Reset (SSPR) is a packaged, documented and fully supported solution to a common IT problem.
How safe is SSPR?
SSPR is very safe. In order to reset their RACF password, users must be able to supply up to four unique words or phrases only known to them personally. The words or phrases can be up to 32 characters.
What software do users need to use SSPR?
SSPR only requires a standard web browser. It can therefore not only be used from normal workstations and laptops, but also from tablet devices and even smart phones.
Who can use SSPR?
A generic RACF resource protects SSPR access. Only user groups with READ access to this resource are permitted to reset their own passwords.
Where are the master password and memorable words saved?
The master password, memorable words and hints are saved in the RACF database.
Are the master password and memorable words encrypted?
Yes. The master password and memorable words are saved as SHA-256 encrypted strings.
Who else can read the master password and memorable words for a user?
No one. The master password and memorable words are saved encrypted and are never decrypted by the software. Therefore, not even diagnostic materials such as dumps or traces will contain the passwords in clear.
Are the questions for memorable words fixed?
No. Users can define their own questions to remind them of their memorable words. This makes it far more secure than fixed questions such as mother’s maiden name which may become known to others over time.
Can a user define their own hints for their memorable words?
Yes. Users can define their own questions or hints to remind them of their memorable words. This makes it far more secure than fixed questions such as mother’s maiden name which may become known to others over time.
Can a user be given hints to remind them of their memorable words?
Yes. The hint can be displayed by hovering the cursor over the hint icon.
Can SSPR use be restricted to certain user groups?
Yes. A generic RACF resource protects SSPR access. Only user groups with READ access to this resource are permitted to reset their own passwords. Setting a UACC of READ to this resource effectively enables SSPR for all users.
Can a user change their password on multiple systems?
This is configurable. Where a user has the same userid in multiple RACF databases, their password change can optionally be replicated across all databases, subject to the necessary security permissions for that user being in place.
Can a user change their password on multiple systems if their userid is different on those systems?
This is not currently supported.
How is SSPR access and password changes audited?
All SSPR activity is recorded in an Audit log that can be viewed online by authorized personnel or downloaded to a CSV file. Audit log records can also be written to SMF.
Where is the audit log stored?
The audit log is stored in a VSAM KSDS.
Does SSPR write SMF records?
Yes. All details of SSPR requests, assignments and releases can optionally be written to SMF.
Does SSPR work with TSS or ACF2?
Not today. SSPR currently supports RACF only.
Can SSPR co-exist with RRSF?
Yes. The replication capabilities of SSPR can co-exist with RRSF, with SSPR providing the replication to any RACF databases outside the range of RRSF.
What happens if a user forgets their master password or memorable words?
The user will be given the hints they defined to remind them of their master password and memorable words, but if they still cannot remember, they must revert to whatever helpdesk based process is available to reset their RACF password. Once this has been done, they can redefine their master password and memorable words.
My company has already invested in an enterprise solution. Is this still relevant?
SSPR is still relevant as many enterprise wide solutions do not support the mainframe and RACF.
Does this not conflict with my company's investment in an enterprise solution for this functionality?
The only reason RSM decided to develop SSPR is to address the significant problems we regularly encounter with these ’so called' enterprise solutions. In assisting our clients’ attempt to implement such solutions, we invariably encounter significant problems with the mainframe interface. From a mainframe perspective we find these solutions are not fully secure, not auditable and not truly self-service. SSPR is developed to provide an easily implementable solution for the mainframe that is secure, fully auditable and truly self-service.