Force Users to Sign On with Password Phrases

ctsfz
Administrators can force users to sign on exclusively with password phrases. To enforce this restriction, the product offers control through any of the following methods:
  • Adding the PHRASEONLY attribute to users as needed.
  • Using the PHRASEONLY suboption of FACILITY to enforce control by facility.
  • Globally enforcing password phrase signons by activating the PHRASEONLY control option.
 
 
How the Product Inspects Signons to Determine Password Phrase Control
When processing a signon attempt, CA Top Secret performs the following checks:
  1. Checks the user ACID attributes (searching for PHRASEONLY).
  2. Checks the FACILITY attributes (searching for PHRASEONLY).
  3. Checks the availability of the PHRASEONLY global control option.
Force a User to Specify a Password Phrase at Signon
Forcing the use of password phrase at signon means that passwords are prohibited.
 After you implement forced passphrase signon, you can use the PSWDDATA keyword to remove any password data from the ACID; however, we recommend retaining this history of data.
For each user that you want to specify a password phrase at signon, add the password phrase restriction to the ACID: 
TSS ADDTO(
acid
) PHRASEONLY
Enforce Facility Control Over Password Phrase Signons
You can control signons by facility. To enforce facility control over passphrase signons, issue the following command:
TSS MODIFY(FACILITY(PHRASEONLY))
 
PHRASEONLY
 
Requires signons to this facility to specify a password phrase. Signons that specify a password will fail.
Force All Users to Specify a Password Phrase at Signon
Forcing the use of password phrase at signon means that passwords are prohibited.
 After you implement forced passphrase signon, you can use the PSWDDATA keyword to remove any password data from the ACID; however, we recommend retaining this history of data.
 
Follow these steps:
 
  1. Activate the ability for all users to specify a password phrase:
    TSS MODIFY PSWDPHRASE(ON)
  2. Enforce the global restriction that all users must specify a password phrase at signon:
    TSS MODIFY PHRASEONLY(ON)