HP3000-L Archives

November 1996, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Tracy Johnson <[log in to unmask]>
Reply To: Tracy Johnson <[log in to unmask]>
Date: Thu, 28 Nov 1996 11:47:06 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (460 lines)

I've learned many times that reading the MPEX manual helps.  Since VESoft
probably has the day off here's a cut and paste from the appropriate HELP
command...

(Beware, large message follows, looks better if small font used.)


%CHGROUP


Syntax:   %CHGROUP [groupname [/grouppass]]
          [;KEEPCAPS]
          [;KEEPALLOW]
          [;KEEPUDCS]

Examples: %CHGROUP DATA
          %CHGROUP PUB; KEEPCAPS
          %CHGROUP

The %CHGROUP command (as you can probably guess) allows you to switch to a
different group.  If you don't specify which group to change to, you will be
changed to your home group.  If the new group has a group password (and you
don't include it in the %CHGROUP command), you will be prompted for it unless
you have SM or AM capability, or you are changing to your home group.

MPEX has a function called ISCHGROUPED() that returns TRUE if the user has
issued an MPEX %CHGROUP command and is currently in a different group to the
logon group.  After the %CHGROUP command is used to return to the original
logon group, ISCHGROUPED() returns FALSE.  This is more specific than the
ISCHLOGONED() function, which returns TRUE if the user has changed logons
directly (using %CHLOGON) or indirectly (using %CHGROUP).  In fact, using
%CHLOGON to change only the group will cause ISCHGROUPED() to return TRUE
(which is actually what %CHGROUP does internally).

One thing to be aware of with CHGROUP (and CHLOGON, for that matter) is that
the predefined variable HPGROUP will change to reflect the new group name.
What this means is that if you have:

   SETVAR MPEXPROMPT "!HPGROUP.!HPACCOUNT: "

or anything similar in your MPEXMGR start-up file, you should change it to:

   SETVAR MPEXPROMPT "!!HPGROUP.!!HPACCOUNT: "

so that when you issue the %CHGROUP command your prompt changes (otherwise
your MPEXPROMPT variable will remain set to the same value even though you
changed from one group to another -- see the discussion of "!"'s with regard
to variable substitution).

%CHGROUP is really just a subset of the more general %CHLOGON command,
documented later in this manual (please see the %CHLOGON command for an
explanation of the various parameters).  In particular, %CHGROUP is affected
by $CHLOGON-NOPASS, $CHLOGON-FORBID, and $CHLOGON-PERMIT in STREAMX.DATA and
any appropriate $LOGON-EXECUTE commands in SECURCON.DATA (just as if you had
entered a %CHLOGON command).

Also, just like with %CHLOGON, we must disable the [BREAK] key when you do a
%CHGROUP until you do a %CHLOGON with no parameters; simply entering a
%CHGROUP with no parameters will not re-enable break if you didn't originally
log on to your home group; %CHGROUP with no parameters switches you to your
home group (for compatibility with MPE/iX); %CHLOGON with no parameters
switches you back to your original logon.  Please read the "Important note
for MPE/iX users" in the %CHLOGON documentation.

Special note: although this feature is being described in the MPEX User
Manual, it is also available (to SECURITY users) within STREAMX jobs (via
::CHGROUP) and in SECURITY menus.


(CHG) %CHLOGON


Syntax:   %CHLOGON [[session,] user [/pass] .account [/pass] [,group [/pass]]]
          [;KEEPCAPS]
          [;KEEPALLOW]
          [;KEEPUDCS]
          [;SILENT]                                        (NEW)

          %CHLOGON abbreviated logon                       (NEW)

Examples: %CHLOGON DAVID,MANAGER.SYS
          %CHLOGON =,CLERK.PR;KEEPCAPS;KEEPALLOW;KEEPUDCS;SILENT
          %CHLOGON

Special note: although this feature is being described in the MPEX User
Manual, some of the features that can be used to control it (the $CHLOGON-xxx
commands in the STREAMX.DATA file), are only available to you if you are a
user of both MPEX and SECURITY.  This command is also available (to SECURITY
users) within STREAMX jobs (via ::CHLOGON) and in SECURITY menus.

The %CHLOGON command gives you the ability to switch to a different MPE
account, group, user, or session name without having to re-logon via the
:HELLO command! Why not just re-logon via :HELLO?

   * The :HELLO command creates an entirely new session.  You lose all of
     your file equations, variable settings, temporary files, REDO history,
     etc.  %CHLOGON preserves all of this (and more!) for you.

   * Because it doesn't have to actually create an entire new session,
     %CHLOGON is much faster than :HELLO.

   * %CHLOGON can be used in command files, SECURITY menus, and in STREAMX
     as "::CHLOGON"!

   * %CHLOGON lets you KEEP all of the CAPabilities (;KEEPCAPS), ALLOWs
     (;KEEPALLOW), and UDCs (;KEEPUDCS) from your original logon in your new
     logon; this includes extra capabilities and ALLOWs acquired via the GOD
     program or SECURITY's $ALLOW facility.

   * Like STREAMX, %CHLOGON can be configured to not prompt for MPE and
     SECURITY user profile passwords.  This means you can set up a command
     file or menu (with OPTION NOBREAK, and to which the user doesn't even
     need read access, only execute) that logs on to another account,
     performs some task, then switches the user back to his original logon.
     This is much more secure than giving him the passwords to an account he
     doesn't normally need to log on to.

As you can see, %CHLOGON (::CHLOGON in STREAMX, and CHLOGON in menus) uses
the same basic syntax as MPE's ":HELLO" command, but with a few special
keywords added and the "user.account" is optional -- if you don't specify a
"user.account", %CHLOGON simply switches you back to your original logon, the
one you entered at the ":HELLO" command.  This is especially useful in
command files, SECURITY logon menus, and STREAMX jobs: you can do a "CHLOGON
newuser.newacct", perform whatever task you want under the new logon, then do
a "CHLOGON" with no parameters to switch back to the original logon.

You may use an "=" in place of the session, user, account, and/or group names
to retain your current session, user, account, and/or group.

After you enter the %CHLOGON command, you will be prompted for the
appropriate MPE and SECURITY password(s) (unless you have SM, or AM and are
changing to another logon in the same account, or there is a $CHLOGON-NOPASS
-- documented below -- in effect for you), and then you will be switched to
the new logon.

One thing to be aware of with CHLOGON (and CHGROUP for that matter) is that
the predefined variables HPGROUP and HPACCOUNT will change to reflect the new
logon ID.  What this means is that if you have:

   SETVAR MPEXPROMPT "!HPGROUP.!HPACCOUNT: "

or anything similar in your MPEXMGR start-up file, you should change it to:

   SETVAR MPEXPROMPT "!!HPGROUP.!!HPACCOUNT: "

so that when you issue the %CHLOGON command your prompt changes (otherwise
your MPEXPROMPT variable will remain set to the same value even though you
changed from one logon ID to another -- see the discussion of "!"'s with
regard to variable substitution).

The following special keywords may be used in the %CHLOGON command:

   ;KEEPCAPS tells %CHLOGON to give you the same capabilities under your new
   logon that you had under your old one (this includes any capabilities
   acquired via the GOD program).  Note: in order to prevent AM users in one
   account from getting AM in another account (where they might not normally
   have it), ;KEEPCAPS only works if you have SM capability.

   ;KEEPALLOW tells %CHLOGON to ALLOW you the same console commands that you
   were ALLOWed under your old logon (this includes global ALLOWs, :ALLOWs
   issued by the console operator, ALLOWs acquired via the GOD program, and
   $ALLOWs in your SECURITY SECURCON.DATA file).

   ;KEEPUDCS tells %CHLOGON to give you the same UDCs under your new logon
   that you had under your old one.

   ;SILENT tells %CHLOGON to switch to the new logon without displaying the
   message "Welcome! You are now signed on".  This is useful when you want to
   use %CHLOGON within a command file or menu where the user does not need to
   know that you changed their logon-ID.

The function ISCHLOGONED() will return TRUE if the current session has
executed a %CHLOGON (and has not yet switched back).  This can be useful
within a command file or SECURITY menu to test the CHLOGON status.  In
addition, the ISCHGROUPED() function returns FALSE if the %CHLOGON command
changes the account or user, but TRUE if ONLY the group changed (which is
actually what %CHGROUP does internally).


ELIMINATING PASSWORD PROMPTS ($CHLOGON-NOPASS)

You can allow particular usersets, using particular MPEX command
files/SECURITY menus/STREAMX jobs, to switch to particular logons without
being prompted for passwords by adding entries of the form:

   $CHLOGON-NOPASS  currentuserset  fileset  targetuserset

to your STREAMX.DATA file (as you can see, this is quite similar to the
$NOPASS and $WITHCAPS-PERMIT/FORBID entries in STREAMX.DATA).  For example,

   $CHLOGON-NOPASS  @.DEV  TESTPROD.CMD.PROD  TEST.PROD

means anyone in the DEV account can %CHLOGON to TEST.PROD with ANY session
name by using the command file TESTPROD.CMD.PROD.

The "fileset" above can include $STDIN; this is how you keep from asking for
passwords when the user enters "%CHLOGON..." directly from the MPEX "%"
prompt.

RESTRICTING WHO MAY USE %CHLOGON ($CHLOGON-FORBID|PERMIT)

What if you don't want certain users to have access to %CHLOGON at all?
There are two keywords you can put in the STREAMX.DATA file to control who
can use %CHLOGON:

   $CHLOGON-FORBID  currentuserset  fileset  targetuserset
   $CHLOGON-PERMIT  currentuserset  fileset  targetuserset

By default, all users are allowed to use %CHLOGON to switch to any logon that
they know the passwords for.  $CHLOGON-FORBID lets you forbid a particular
userset from switching to a particular set of new logons via a particular
fileset of MPEX command files, SECURITY menus, and/or STREAMX jobs.  This
"fileset" can include (or exclude) $STDIN; this is how you control use of
"%CHLOGON..." in an interactive session.  $CHLOGON-PERMIT cancels the effect
of a previous $CHLOGON-FORBID.  This lets you say things like

   $CHLOGON-FORBID  @.PROD  @[log in to unmask]@  @.@
   $CHLOGON-PERMIT  BERT,@.PROD  @.MUPPET.PROD  ERNIE,@.PROD

which means no users in the PROD account may use %CHLOGON at all, except any
user in PROD with a session name of "BERT" can use any file in the group
MUPPET.PROD to %CHLOGON his session name to "ERNIE".  Another example would
be:

   $CHLOGON-FORBID  @.@          @[log in to unmask]@  @.@
   $CHLOGON-PERMIT  @.DEV   [log in to unmask]@  @.@

Which means that only the users who can use the %CHLOGON command are users in
the DEV account, and even then, they can only use it from a "%" prompt.

What if the new logon is protected by a SECURITY logon menu?

   * If you have SM capability (and use ;KEEPCAPS), you will be switched to
     the new logon and the menu will not be activated;

   * If you don't have SM capability, you will not be permitted to switch to
     the new logon at all.

If you want non-SM users to be able to switch to logons that are protected by
SECURITY logon menus (bypassing the logon menu), add the keyword

   $CHLOGON-OKMENU  currentuserset  fileset  targetuserset

to your STREAMX.DATA.VESOFT file.  This keyword only allows a user to bypass
the logon menu for the new logon if he knows the passwords (or if you also
have a $CHLOGON-NOPASS for him).

For example,

   $CHLOGON-OKMENU KENT,OPERATOR.SYS BOOTH.CMD.SYS BOSS,MANAGER.SYS

means "the user KENT,OPERATOR.SYS can use the command file BOOTH.CMD.SYS to
CHLOGON to BOSS,MANAGER.SYS, even if BOSS,MANAGER.SYS is protected by a logon
menu (the logon menu will be skipped)."

What if you want the user to be in the menu when he switches to the new
account? Easy! Using the same example as above, BOOTH.CMD.SYS could look
something like this:

   OPTION NOBREAK
   CHLOGON BOSS,MANAGER.SYS
   FILE MENUFILE=BOSS.MENU.SYS
   RUN MAIN.PUB.VESOFT,MENU
   CHLOGON

In addition to the STREAMX.DATA keywords of $CHLOGON-NOPASS, $CHLOGON-FORBID,
and $CHLOGON-PERMIT, %CHLOGON (and %CHGROUP) will also execute $LOGON-EXECUTE
commands from SECURCON.DATA as well.  Please refer to the SECURITY manual
discussion of $LOGON-EXECUTE for details on this keyword.


USING ABBREVIATED LOGONS WITH %CHLOGON

If you have configured abbreviated logons for the LOGON facility of our
SECURITY package, then %CHLOGON will automatically recognize and use these
abbreviated logons just as if you had typed the entire logon string manually.
Abbreviated logons are only available when the BACKG job is running and the
HELLO task is active.  See the Additional Benefits of the VESOFT HELLO trap
section of the SECURITY manual for details on abbreviated logons and the
HELLO trap.

IMPORTANT NOTES FOR MPE/iX USERS

Due to MPE/iX limitations we cannot change your logon ID for other processes
in your process tree, including your father process, other son processes of
your father (brother processes), and any of your son processes that existed
before you did the %CHLOGON (created, perhaps, by the %GOON or %SPOONFEEDing
facilities, or programs like QEDIT that suspend themselves, or by using MPEX
HOOKed programs).

Not changing your father process is only a problem if the father is still
active (VERY unusual).  Not changing your sons and "brothers" is a problem IF
they remain active, or you reactivate one of them to do something.  An
example of this would be if you were to, within MPEX, run QEDIT, suspend it,
%CHLOGON, re-activate QEDIT, and try and edit files.

For this reason, on MPE/iX systems, we do the following:

   * If you have any son processes MPEX will not allow you to do a %CHLOGON.
     You must first %KILL your son processes.

   * When you do a %CHLOGON, we disable the <BREAK> key until you switch
     back to your original logon.

   * If you exit MPEX (or STREAMX) without switching back to your original
     logon first, we switch you back automatically.

IMPORTANT NOTES FOR MPE/V USERS

On MPE/V systems, using the %CHLOGON command completely switches you to a new
logon, just as if you had entered an MPE :HELLO command, with one exception:
if you exit MPEX without changing back to your original logon, you will
remain in that "changed" logon but have the UDCs you had in your original
logon.

As long as you remain in MPEX (and assuming you didn't specify the ;KEEPUDCS
options), you will have the UDCs that are set for your current logon.

If you don't want to accidentally exit MPEX and have the "wrong" UDCs, you
can use the "%SET CHLOGONRETURN" command; this will make MPEX switch you back
to your original logon automatically when you exit (just like it does on
MPE/iX -- see above).  Please see the documentation for this command later in
this manual.
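
The $CHLOGON-FORBID / $CHLOGON-PERMIT entries quoted in the message above, modelled as an added Python example for auditing a rule set (this is not VESoft code and not part of the original post). Assumptions: only the "@" wildcard is handled, a userset without a session name matches any session, a later matching entry overrides an earlier one, $STDIN is not modelled, and the fileset "@.@.@" and file name SWITCH.MUPPET.PROD are constructed stand-ins.

```python
import re

def _wild(pattern, value):
    # Only the "@" wildcard (any run of characters) is modelled here.
    rx = ".*".join(re.escape(p) for p in pattern.split("@"))
    return re.fullmatch(rx, value) is not None

def _logon(text, no_session):
    # "session,user.account" -> [session, user, account]
    sess, _, ua = text.upper().rpartition(",")
    user, _, acct = ua.partition(".")
    return [sess or no_session, user, acct]

def _logon_match(userset, logon):
    # A userset without a session name matches any session (assumption).
    return all(_wild(p, v) for p, v in zip(_logon(userset, "@"), _logon(logon, "")))

def _file_match(fileset, name):
    pats, parts = fileset.upper().split("."), name.upper().split(".")
    return len(pats) == len(parts) and all(map(_wild, pats, parts))

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[0] in ("$CHLOGON-FORBID", "$CHLOGON-PERMIT"):
            rules.append((tok[0].endswith("PERMIT"), tok[1], tok[2], tok[3]))
    return rules

def chlogon_allowed(rules, current, via_file, target):
    allowed = True  # page: by default every user may use %CHLOGON
    for permit, cur, fileset, tgt in rules:  # later entries override (assumption)
        if (_logon_match(cur, current) and _file_match(fileset, via_file)
                and _logon_match(tgt, target)):
            allowed = permit
    return allowed

# Constructed sample; "@.@.@" stands in for the fileset the archive masks.
SAMPLE = """
$CHLOGON-FORBID  @.PROD       @.@.@          @.@
$CHLOGON-PERMIT  BERT,@.PROD  @.MUPPET.PROD  ERNIE,@.PROD
"""
RULES = parse_rules(SAMPLE)

if __name__ == "__main__":
    for who in ("BERT,JIM.PROD", "KERMIT,JIM.PROD", "JIM.DEV"):
        print(who, chlogon_allowed(RULES, who, "SWITCH.MUPPET.PROD", "ERNIE,JIM.PROD"))
```

Running the same check over every (current logon, command file, target) combination in use shows which switches a STREAMX.DATA rule set leaves open by default.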
