|
Some possible uses of the logon pre-prompt exits are described
below. Additional uses for IKJEFLD1 only are described in Possible uses for IKJEFLD1 only. - Supply or change values that users specify on the LOGON command.
When
users issue the LOGON command, they specify information such as user
ID, password, account number, procedure name, region size, and performance
group. When the exit receives control, it is passed an input buffer
that contains the information that the user entered when logging on.
The exit can change the logon information users specify and return
the information to the logon processor in either an input buffer or
a parameter. The exit can change the information in the input buffer,
update the current length of the input buffer, and return control
to the logon processor. The values that the exit can provide in the
input buffer correspond to the operands of the LOGON command. For
more information about the LOGON command, see .
The
exit can also return the following logon information to the logon
processor in a parameter: - User ID
- Password
- Account number
- Procedure name
- Region size
- New password (users defined to RACF® only)
- Performance group
- Group (users defined to RACF only)
If the exit returns the above logon information in the
parameter, it must: - Supply the value in the parameter
- Update the current length of the parameter
- Set the Don't Prompt control switch bit on
If the exit uses the parameters to supply this information,
it must at least return the user ID, password, procedure name, and
account number (if your installation uses account numbers) to the
logon processor. These are required when the exit sets the Don't Prompt
bit on.
You must decide if the exit uses the input buffer or
the specific parameters to return logon information. Your decision
depends on whether you want the logon processor to prompt the user
for information and validate the information in the UADS or the RACF data base (depending on where
the user information is defined), and other processing the exit performs.
As
an example, suppose you want to use the same accounting number for
a specific group of user IDs. The exit checks the input buffer for
the user ID and corresponding account number, if any, that the user
entered. If the user did not specify an account number or it is incorrect,
the exit can return the account number to the logon processor using
either the: - Account Number parameter. The exit:
- Provides the accounting string in the Account Number parameter
- Updates the current length of the parameter
- Sets the Don't Prompt bit on
- Returns control to the logon processor
The logon processor does not prompt the user for any information.
The exit can prompt the user and return logon information to the logon
processor. The exit must return at least the user ID, password, and
procedure name to the logon processor because it set the Don't Prompt
bit on.
- Input buffer. The exit:
- Updates the input buffer with the ACCOUNT operand
- Updates the current length of the input buffer
- Returns control to the logon processor
- Supply system attributes and user attributes for the protected
step control block (PSCB), the generic unit name, UPT, and default
SYSOUT destination. The user attributes can include authorization
for the ACCOUNT, CONSOLE, and OPERATOR commands.
The exit can supply
one or more, or all of these values in the appropriate parameters.
If the exit supplies the default SYSOUT destination, it must set
the Destination bit on. If it returns the system attributes, user
attributes, generic unit, or the UPT it must: - Set both the Don't Prompt and No UADS bits on, or
- Set the individual bits on and supply the following information:
- System Attributes
- User Attributes
- Generic Unit
- UPT
Note: If the exit sets the Don't Prompt and No UADS bits
on, then it must supply the system attributes, user attributes (if
your installation uses user attributes), generic unit, and the UPT.
These parameters are required whenever the exit sets the No UADS
bit on. The system attribute bit for RECOVER/NORECOVER should be
set to: - 0 to indicate RECOVER authority
- 1 to indicate NORECOVER authority
- Provide your own JCL statements.
The logon processor
builds standard JOB and EXEC statements with logon information that
the user provides, such as user ID and procedure name. You may want
to provide your own JCL to add job parameters or supply DD statements.
The exit provides the JCL in the JCL parameter and sets the JCL bit
on. The logon processor then uses this JCL instead of the standard
JOB and EXEC statements that it builds. For information about JCL
statements, see .
The
logon processor constructs a standard JOB statement. If your installation
uses System Management Facilities (SMF)
audit exits, the JOB statement is passed to SMF. If you want to include
installation-dependent information, use the logon pre-prompt exit
to provide your own JCL.
- Validate the logon information that users enter.
The logon
processor validates logon information with either the user information
stored in the UADS or in the RACF data
base, depending on where the user information is defined. The exit
can check the information itself, for example, in your own data set,
rather than using the UADS or the RACF data
base. The exit can also verify logon information with information
in the UADS or the RACF data
base.
If the exit validates the logon information, it must set
both the No UADS bit and the Don't Prompt bit on. In this case, the
exit must also provide at least the following information: - User ID
- Password
- Procedure name
- Account number (if your installation uses account numbers)
- System attributes
- User attributes (if your installation uses user attributes)
- Generic unit
- UPT
If the exit does not set the Don't Prompt bit on, the
logon processor ignores the No UADS bit. The logon processor prompts
the user and then validates the logon information with information
in either the UADS or the RACF data
base.
- Display your own logon panel.
If your installation uses full-screen
logon processing, the exit can display your own full-screen logon
panel instead of the panel that TSO/E provides. After the exit displays
your panel and verifies the input, it must set the No Full-Screen
Panel bit on to prevent the logon processor from displaying the default
full-screen panel. The exit must return the logon values it obtains
from the user to the logon processor.
- Prevent a user from logging on to TSO/E.
You can use the exit
to prevent a user from logging on to TSO/E. The exit can perform various
types of checking and, based on your own criteria, cancel logon processing
by setting the Disconnect bit on. When the exit sets the Disconnect
bit on, the logon processor terminates the logon session and sends
no further messages to the user. Before the exit returns control to
the logon processor, it can issue an explanation to the user, for
example, using PUTLINE.
Some reasons you may want to prevent
a user from logging on are described below: - You may want to limit the number of logons according to groups
of users. One way of doing this is to categorize your users into
groups and define different naming conventions for user IDs for each
group. Then the logon pre-prompt exit can check the user ID, determine
how many users in that group are logged on, and then either cancel
the logon session or allow the session to continue.
- You may want to allow certain users or groups of users to log
on only at certain times of the day.
|