
Allow selective LOGIN when interactive is set to 0

ChaimBu
Frequent Advisor

Allow selective LOGIN when interactive is set to 0

We have circumstances where we only wish to allow a selective group of programmers to be able to LOGIN to the system. This group can change from circumstance to circumstance.

Currently the operators set the login interactive count to 0, and then open/reclose upon specific request. The problem with this method is that during the short period during which the interactive count is set to more than 0 other users could by coincidence also login. Giving ALL the programmers the minimum privilege to allow them the ability to LOGIN even when the interactive count is set to 0 is NOT an option.

Does anyone have a suggestion how to "resolve" this issue in an elegant manner?

BTW, what is the minimum privilege that a user requires to be able to LOGIN even when interactive logins is set to 0?

Thanks,

Chaim
9 REPLIES
Heinz W Genhart
Honored Contributor

Re: Allow selective LOGIN when interactive is set to 0

Hi Chaim

The minimum privilege to login under this circumstance is OPER privilege.

Another possibility would be not to control login with SET LOGIN/INTERACTIVE, but to control access with a procedure, which restricts login to specified users, controlled by the system manager.

Regards

Heinz
Wim Van den Wyngaert
Honored Contributor

Re: Allow selective LOGIN when interactive is set to 0

You will have to do some programming in sylogin and leave the limit at a high value.

Wim
ChaimBu
Frequent Advisor

Re: Allow selective LOGIN when interactive is set to 0

Thanks for your replies!

Based on these replies, I take it that there is no elegant solution to this problem.

I think I will suggest writing a simple command procedure that will accept a file containing a list of user names and give an option to either grant or revoke the OPER privilege from the users contained in the list. This would then give the desired users the OPER for the duration of the task and then the system manager could rerun the CP to revoke said priv after the task has been completed.

Thanks,

Chaim
Ian Miller.
Honored Contributor

Re: Allow selective LOGIN when interactive is set to 0

I would check for the presence of an identifier in SYLOGIN which allows logins during the restricted period. Then grant/revoke the identifier as needed.
____________________
Purely Personal Opinion
Wim Van den Wyngaert
Honored Contributor
Solution

Re: Allow selective LOGIN when interactive is set to 0

Use enclosure in sylogin.com and leave the interactive limit high.

Then create a file sys$common:[sysexe]restrict_logins.closed with all users allowed to login surrounded by |.

When you need to close the system (except for these men), rename it to .dat. When you want to close the system for all users, use the interactive limit. To open the system again, rename to .closed.

Wim
Robert Gezelter
Honored Contributor

Re: Allow selective LOGIN when interactive is set to 0

Chaim,

The SET LOGIN/INTERACTIVE=n mechanism will not achieve what you want. There is, however, a way to accomplish this in a reasonably elegant fashion.

Create a collection of Identifiers associated with each of the groups of programmers (if the programmers are broken into different groups, then the Group name can be used as part of the Identifier name).

In SYS$MANAGER:SYLOGIN.COM, check the identifiers against a logical name (in Executive Mode, and in a System Owned Logical name table). If the logical name is set correctly, then allow the login. If not, logout the process.

To be certain, ensure that the SYLOGIN.COM file executes with Control-C and Control-Y disabled.

Alternatively, you can accomplish this using an Executive mode logical name in the group logical name table (LNM$GROUP). This table is different for every UIC group.

I hope that the above is helpful.

- Bob Gezelter, http://www.rlgsc.com
Jim_McKinney
Honored Contributor

Re: Allow selective LOGIN when interactive is set to 0

>>> in an elegant manner?


You may want to investigate the SYSGEN parameter LGI_CALLOUTS and the associated LOGINOUT API (callout_chkrestrict is the vector of interest) to customize the login process. I once used it for just this purpose - to recognize and permit interactive access to a system for select users when IJOBLIM was set to 0.
Jess Goodman
Esteemed Contributor

Re: Allow selective LOGIN when interactive is set to 0

There is a safe way to use the OPER privilege to control this. First in the sylogin that these users execute add the line:

$ SET PROCESS/PRIVILEGES=NOOPER

I'm assuming these users' accounts are set RESTRICTED (must execute their login .com) and that they don't have access to edit it.

Then when you wish to allow a user to login modify their SYSUAF account to add OPER to their default privilege list, but do NOT add it to their authorized privilege list.

They will have OPER priv only while their login takes place and will not be able to enable it again.

$ SET PROCESS/PRIV=OPER
%SYSTEM-W-NOTALLPRIV, not all requested privileges authorized
$ WRITE SYS$OUTPUT F$PRIV("OPER")
FALSE

Another possible approach is to use loginout callouts. You can write routines that LOGINOUT.EXE calls to turn OPER on before authentication and turn it back off after authentication based on a list of currently valid users it obtains from a file or system logical name.
I have one, but it's personal.
Jeroen Hartgers_3
Frequent Advisor

Re: Allow selective LOGIN when interactive is set to 0

If you authorize accounts with a special identifier (example: systemmanager) and you create a system logical like system_closed.
You check this logical for a value if the user has not the ident systemmanager. In this way you can show a message if the system is closed for normal use and disconnect the user.
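
The identifier-plus-logical-name check that Ian Miller, Robert Gezelter and Jeroen Hartgers describe in their replies could look like the SYLOGIN.COM fragment below. It is an added example, not code from any poster in this thread. The logical name SYSTEM_CLOSED follows Jeroen's reply; the identifier name LOGIN_WHEN_CLOSED is a hypothetical choice.

```dcl
$! --- Fragment for SYS$MANAGER:SYLOGIN.COM (added example) ---------------
$! Assumed setup, done once by the system manager in AUTHORIZE
$! (identifier name is hypothetical):
$!     UAF> ADD/IDENTIFIER LOGIN_WHEN_CLOSED
$! Per request, grant or revoke it (takes effect at the user's next login):
$!     UAF> GRANT/IDENTIFIER  LOGIN_WHEN_CLOSED username
$!     UAF> REVOKE/IDENTIFIER LOGIN_WHEN_CLOSED username
$! Close / reopen the system without touching the interactive limit:
$!     $ DEFINE/SYSTEM/EXECUTIVE_MODE SYSTEM_CLOSED "TRUE"
$!     $ DEASSIGN/SYSTEM/EXECUTIVE_MODE SYSTEM_CLOSED
$!
$! Keep the user from interrupting the check with Ctrl/Y or Ctrl/C.
$ SET NOCONTROL=Y
$!
$! Only interactive logins are gated; batch, network and detached
$! processes also run SYLOGIN and must pass through.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO LOGIN_OK
$!
$! Look only in the system table and only at executive mode (or inner),
$! so a user-defined logical of the same name cannot affect the result.
$ closed = F$TRNLNM("SYSTEM_CLOSED","LNM$SYSTEM_TABLE",,"EXECUTIVE")
$ IF closed .EQS. "" THEN GOTO LOGIN_OK
$!
$! System is closed: admit only holders of the identifier.
$! PROCESS_RIGHTS is a comma-separated list of identifier names; wrap
$! both sides in commas so only a whole-name match counts.
$ rights = "," + F$GETJPI("","PROCESS_RIGHTS") + ","
$ IF F$LOCATE(",LOGIN_WHEN_CLOSED,",rights) .LT. F$LENGTH(rights) -
     THEN GOTO LOGIN_OK
$!
$ WRITE SYS$OUTPUT "The system is closed for normal use."
$ LOGOUT
$!
$LOGIN_OK:
$ SET CONTROL=Y
$! --- rest of SYLOGIN.COM continues here ---------------------------------
```

Because the gate is a logical name rather than the interactive limit, there is no window in which the limit is raised and unrelated users can slip in, which was the problem described in the original question.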