HP3000-L Archives

January 2000, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Patrick Santucci <[log in to unmask]>
Date: Fri, 28 Jan 2000 13:01:59 -0600

We do something similar, but rather than setting and resetting UDC's on
the affected account(s) (which can get cumbersome depending on what other
UDC's you may already have defined at the account level, and the number of
accounts you need to lock out), we have the following little bit near the
beginning of our system-wide logon UDC:

<snip>
IF FINFO('LOCKOUT.XEQ.SYS','EXISTS')
  LOCKOUT.XEQ.SYS
ENDIF
<snip>

The file LOCKOUT, which is normally stored somewhere else so the account
names can be edited and then the file copied into XEQ.SYS, looks like
this:

IF (HPACCOUNT='ABCWORK' OR HPACCOUNT='XYZPROD') AND HPUSER <> 'MGR'
  ECHO
  ECHO ===================================================
  ECHO Access to this account is currently restricted.
  ECHO - - - - - - - - - - - - - - - - - - - - - - - - - -
  ECHO Tech Services is performing account maintenance.
  ECHO - - - - - - - - - - - - - - - - - - - - - - - - - -
  ECHO No access is allowed.  You will be logged off now.
  ECHO ===================================================
  ECHO
  IF HPINTERACTIVE
     BYE
  ELSE
     ABORT
  ENDIF
ENDIF

This locks all users out of the account(s) in question (assuming your
users don't normally log on as MGR) but still lets you get into the
account, if necessary, in order to do your work. And it doesn't affect
anyone else.

Once the work is complete, all you do is purge LOCKOUT.XEQ.SYS and you're
done! The other nice thing about this method is that it's extremely
flexible, in that you can use whatever selection criteria you want in your
IF statement. For instance, you might want to allow a user other than MGR,
or you might *not* want MGR logging in either, unless they (or you) log in
with a particular session name. The possibilities are almost endless...

HTH,
Patrick
--
Patrick Santucci
Technical Services Analyst
Seabury & Smith, Inc.

-------------------- Lotus "Knots" Reply Separator --------------------



Please respond to Connie Samuel <[log in to unmask]>
To:     [log in to unmask]
cc:      (bcc: Patrick Santucci/DSM/Seabury)

Subject:        Re: [HP3000-L] Restricting user logon by account rather than
system wide.



Frank Girard writes:
>> We are looking for a way to restrict user access by account, rather than
>> globally using limit 1,1.  Telling the users about hipri is not an option
>> as this defeats the purpose, as well as being a security issue.  I am
>> looking to restrict all users except 1, the manager of the account.
>>

There are times that I have to exclude the users on my system from logging
on to the ADMIN account.  When that happens, I have a logon UDC that I use
which is shown below.  I take the normal logon UDC off and put this one in
its place for each of the users on the ADMIN account.

>LOGON
>OPTION LOGON
>echo
>echo System is down for file maintenance.
>echo You will be called when the system is operational.
>echo Please call Computer Services, Ext.2416 if you have questions
>echo
>BYE

Then when I have completed my work, I take this logon UDC off and put the
regular one back on.

Connie Samuel
Clatsop Community College
503/338-2320
[log in to unmask]
