z/OS TSO/E Customization


Possible uses

SA32-0976-00

Some possible uses of the logon pre-prompt exits are described below. Additional uses for IKJEFLD1 only are described in Possible uses for IKJEFLD1 only.
  • Supply or change values that users specify on the LOGON command.

    When users issue the LOGON command, they specify information such as user ID, password, account number, procedure name, region size, and performance group. When the exit receives control, it is passed an input buffer that contains the information that the user entered when logging on. The exit can change the logon information users specify and return the information to the logon processor in either an input buffer or a parameter. The exit can change the information in the input buffer, update the current length of the input buffer, and return control to the logon processor. The values that the exit can provide in the input buffer correspond to the operands of the LOGON command. For more information about the LOGON command, see .

    The exit can also return the following logon information to the logon processor in a parameter:
    • User ID
    • Password
    • Account number
    • Procedure name
    • Region size
    • New password (users defined to RACF® only)
    • Performance group
    • Group (users defined to RACF only)
    If the exit returns the above logon information in the parameter, it must:
    • Supply the value in the parameter
    • Update the current length of the parameter
    • Set the Don't Prompt control switch bit on

    If the exit uses the parameters to supply this information, it must at least return the user ID, password, procedure name, and account number (if your installation uses account numbers) to the logon processor. These are required when the exit sets the Don't Prompt bit on.

    You must decide if the exit uses the input buffer or the specific parameters to return logon information. Your decision depends on whether you want the logon processor to prompt the user for information and validate the information in the UADS or the RACF data base (depending on where the user information is defined), and other processing the exit performs.

    As an example, suppose you want to use the same accounting number for a specific group of user IDs. The exit checks the input buffer for the user ID and corresponding account number, if any, that the user entered. If the user did not specify an account number or it is incorrect, the exit can return the account number to the logon processor using either the:
    • Account Number parameter. The exit:
      • Provides the accounting string in the Account Number parameter
      • Updates the current length of the parameter
      • Sets the Don't Prompt bit on
      • Returns control to the logon processor

      The logon processor does not prompt the user for any information. The exit can prompt the user and return logon information to the logon processor. The exit must return at least the user ID, password, and procedure name to the logon processor because it set the Don't Prompt bit on.

    • Input buffer. The exit:
      • Updates the input buffer with the ACCOUNT operand
      • Updates the current length of the input buffer
      • Returns control to the logon processor
  • Supply system attributes and user attributes for the protected step control block (PSCB), the generic unit name, UPT, and default SYSOUT destination. The user attributes can include authorization for the ACCOUNT, CONSOLE, and OPERATOR commands.
    The exit can supply one or more of these values in the appropriate parameters. If the exit supplies the default SYSOUT destination, it must set the Destination bit on. If it returns the system attributes, user attributes, generic unit, or the UPT, it must:
    • Set both the Don't Prompt and No UADS bits on, or
    • Set the individual bits on and supply the following information:
      • System Attributes
      • User Attributes
      • Generic Unit
      • UPT
    Note: If the exit sets the Don't Prompt and No UADS bits on, then it must supply the system attributes, user attributes (if your installation uses user attributes), generic unit, and the UPT. These parameters are required whenever the exit sets the No UADS bit on. The system attribute bit for RECOVER/NORECOVER should be set to:
    • 0 to indicate RECOVER authority
    • 1 to indicate NORECOVER authority
  • Provide your own JCL statements.

    The logon processor builds standard JOB and EXEC statements with logon information that the user provides, such as user ID and procedure name. You may want to provide your own JCL to add job parameters or supply DD statements. The exit provides the JCL in the JCL parameter and sets the JCL bit on. The logon processor then uses this JCL instead of the standard JOB and EXEC statements that it builds. For information about JCL statements, see .

    The logon processor constructs a standard JOB statement. If your installation uses System Management Facilities (SMF) audit exits, the JOB statement is passed to SMF. If you want to include installation-dependent information, use the logon pre-prompt exit to provide your own JCL.

  • Validate the logon information that users enter.

    The logon processor validates logon information with either the user information stored in the UADS or in the RACF data base, depending on where the user information is defined. The exit can check the information itself, for example, in your own data set, rather than using the UADS or the RACF data base. The exit can also verify logon information with information in the UADS or the RACF data base.

    If the exit validates the logon information, it must set both the No UADS bit and the Don't Prompt bit on. In this case, the exit must also provide at least the following information:
    • User ID
    • Password
    • Procedure name
    • Account number (if your installation uses account numbers)
    • System attributes
    • User attributes (if your installation uses user attributes)
    • Generic unit
    • UPT

    If the exit does not set the Don't Prompt bit on, the logon processor ignores the No UADS bit. The logon processor prompts the user and then validates the logon information with information in either the UADS or the RACF data base.

  • Display your own logon panel.

    If your installation uses full-screen logon processing, the exit can display your own full-screen logon panel instead of the panel that TSO/E provides. After the exit displays your panel and verifies the input, it must set the No Full-Screen Panel bit on to prevent the logon processor from displaying the default full-screen panel. The exit must return the logon values it obtains from the user to the logon processor.

  • Prevent a user from logging on to TSO/E.

    You can use the exit to prevent a user from logging on to TSO/E. The exit can perform various types of checking and, based on your own criteria, cancel logon processing by setting the Disconnect bit on. When the exit sets the Disconnect bit on, the logon processor terminates the logon session and sends no further messages to the user. Before the exit returns control to the logon processor, it can issue an explanation to the user, for example, using PUTLINE.

    Some reasons you may want to prevent a user from logging on are described below:
    • You may want to limit the number of logons according to groups of users. One way of doing this is to categorize your users into groups and define different naming conventions for user IDs for each group. Then the logon pre-prompt exit can check the user ID, determine how many users in that group are logged on, and then either cancel the logon session or allow the session to continue.
    • You may want to allow certain users or groups of users to log on only at certain times of the day.
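
The switch-bit rules in the list above can be checked mechanically when reviewing an exit. The following is an added example, not IBM code and not part of the original page: a C model that takes the switches an exit set and the parameters it returned, and reports violations of the Don't Prompt, No UADS, Destination and JCL rules. The enum values and the function name are assumptions of this model, not the real control-switch bit positions, and the individual attribute bits are not modelled.

```c
#include <stdio.h>

/* Model flags for this example only; these are NOT the real control-switch
   bit positions or parameter-list offsets of the logon pre-prompt exits. */
enum sw_bit  { DONT_PROMPT = 1, NO_UADS = 2, DEST_BIT = 4, JCL_BIT = 8 };
enum parm    { USERID = 1, PASSWORD = 2, PROC = 4, ACCOUNT = 8, SYSATTR = 16,
               USERATTR = 32, UNIT = 64, UPT = 128, DEST = 256, JCL = 512 };
enum finding { MISSING_LOGON_PARMS = 1, MISSING_ATTR_PARMS = 2,
               NO_UADS_IGNORED = 4, DEST_BIT_OFF = 8, JCL_BIT_OFF = 16,
               EXIT_VALIDATES = 32 };

/* switches: bits the exit set on; parms: parameters it returned with a
   nonzero current length; uses_acct / uses_uattr: installation choices. */
unsigned check_exit_output(unsigned switches, unsigned parms,
                           int uses_acct, int uses_uattr)
{
    unsigned f = 0;
    unsigned need_logon = USERID | PASSWORD | PROC | (uses_acct ? ACCOUNT : 0);
    unsigned need_attr  = SYSATTR | UNIT | UPT | (uses_uattr ? USERATTR : 0);

    /* Don't Prompt on: the user is never asked, so nothing may be missing. */
    if ((switches & DONT_PROMPT) && (parms & need_logon) != need_logon)
        f |= MISSING_LOGON_PARMS;
    /* No UADS without Don't Prompt is ignored by the logon processor. */
    if ((switches & NO_UADS) && !(switches & DONT_PROMPT))
        f |= NO_UADS_IGNORED;
    if ((switches & NO_UADS) && (switches & DONT_PROMPT)) {
        /* Combination used when the exit validates the logon itself:
           flag it so the exit's own checking gets reviewed. */
        f |= EXIT_VALIDATES;
        if ((parms & need_attr) != need_attr)
            f |= MISSING_ATTR_PARMS;
    }
    if ((parms & DEST) && !(switches & DEST_BIT)) f |= DEST_BIT_OFF;
    if ((parms & JCL)  && !(switches & JCL_BIT))  f |= JCL_BIT_OFF;
    return f;
}

int main(void)
{
    /* Constructed case: the account-number scenario with the password omitted. */
    unsigned f = check_exit_output(DONT_PROMPT, USERID | PROC | ACCOUNT, 1, 0);
    printf("findings=0x%x\n", f);
    return f == MISSING_LOGON_PARMS ? 0 : 1;
}
```
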





Copyright IBM Corporation 1990, 2014