IBM Z Hardware and Operating Systems Ideas Portal

Status Future consideration
Workspace z/OS
Categories RACF
Created by Guest
Created on Jun 4, 2024

Ability to remove or decrease the Passphrase Complexity for RACF

This would give the ability for Single Sign On which could utilize the Active Directory (Windows) as the PRA (Password Rules Authority) and create policies to control password complexity from AD. Currently RACF requires that we utilize a minimum of 2 non-alpha and 2 alpha characters which is controlled at the global level for protection for the passphrase rules. This is currently a non-changeable field for RACF. This prevents AD from using an all alpha or all numeric password due to RACF requirements. If a company uses 2FA and a long passphrase (15 plus characters) combined with a product that also validates a password on a block list, the company should be able to modify the complexity rules so AD can become the Rules Authority based on different policies.

We would like the ability to override those fields using the IRRPHREX and ICHPWX11. We have those 2 exits installed and were unable to override the allowable characters using the Phr_req_types = 2 values hoping that it would only use those categories for the allowable characters, but that is not how it actually works since the 2 non-alpha/2 alpha are internal code.
We would like an enhancement that selecting a lower value for Phr_req_types would require a value from any of those allowable character categories. If you changed the value = 1, then you would be allowed a passphrase of 'passwordallowed' or '123456789012345' or a mixed passphrase of 'PAssWord12345@@' using any of the categories with the value of 1 being the only requirement. For more complexity, an option value = 4 would require at least 1 character from each category defined in the IRRPHREX code.

In addition to our change, another request was posted back on March 29, 2022 which stated:

NIST Password Policy Guidelines no longer recommend that password complexity be imposed, since studies have shown they can encourage the creation of bad passwords/passphrases. The manual indicates that RACF enforces a basic set of syntax rules which cannot be altered or avoided, with one of the rules requiring at least 2 non-alphabetic characters. We would like the non-alphabetic character requirement to be optional when creating passphrases.

Also, researching the Broadcom TSS software, they have currently modified their NEWPHRASE control option to specify the controls for password phrases.

 

Idea priority Urgent