I've learned many times that reading the MPEX manual helps. Since VESoft probably has the day off here's a cut and paste from the appropriate HELP command... (Beware, large message follows, looks better if small font used.) %CHGROUP Syntax: %CHGROUP [groupname [/grouppass]] [;KEEPCAPS] [;KEEPALLOW] [;KEEPUDCS] Examples: %CHGROUP DATA %CHGROUP PUB; KEEPCAPS %CHGROUP The %CHGROUP command (as you can probably guess) allows you to switch to a different group. If you don't specify which group to change to, you will be changed to your home group. If the new group has a group password (and you don't include it in the %CHGROUP command), you will be prompted for it unless you have SM or AM capability, or you are changing to your home group. MPEX has a function called ISCHGROUPED() that returns TRUE if the user has issued an MPEX %CHGROUP command and is currently in a different group to the logon group. After the %CHGROUP command is used to return to the original logon group, ISCHGROUPED() returns FALSE. This is more specific than the ISCHLOGONED() function, which returns TRUE if the user has changed logons directly (using %CHLOGON) or indirectly (using %CHGROUP). In fact, using %CHLOGON to change only the group will cause ISCHGROUPED() to return TRUE (which is actually what %CHGROUP does internally). One thing to be aware of with CHGROUP (and CHLOGON, for that matter) is that the predefined variable HPGROUP will change to reflect the new group name. What this means is that if you have: SETVAR MPEXPROMPT "!HPGROUP.!HPACCOUNT: " or anything similar in your MPEXMGR start-up file, you should change it to: SETVAR MPEXPROMPT "!!HPGROUP.!!HPACCOUNT: " you have SM or AM capability, or you are changing to your home group. MPEX has a function called ISCHGROUPED() that returns TRUE if the user has issued an MPEX %CHGROUP command and is currently in a different group to the logon group. After the %CHGROUP command is used to return to the original logon group, ISCHGROUPED() returns FALSE. This is more specific than the ISCHLOGONED() function, which returns TRUE if the user has changed logons directly (using %CHLOGON) or indirectly (using %CHGROUP). In fact, using %CHLOGON to change only the group will cause ISCHGROUPED() to return TRUE (which is actually what %CHGROUP does internally). One thing to be aware of with CHGROUP (and CHLOGON, for that matter) is that the predefined variable HPGROUP will change to reflect the new group name. What this means is that if you have: SETVAR MPEXPROMPT "!HPGROUP.!HPACCOUNT: " or anything similar in your MPEXMGR start-up file, you should change it to: SETVAR MPEXPROMPT "!!HPGROUP.!!HPACCOUNT: " so that when you issue the %CHGROUP command your prompt changes (otherwise your MPEXPROMPT variable will remain set to the same value even though you changed from one group to another -- see the discussion of "!"'s with regard to variable substitution). %CHGROUP is really just a subset of the more general %CHLOGON command, documented later in this manual (please see the %CHLOGON command for an explanation of the various parameters). In particular, %CHGROUP is affected by $CHLOGON-NOPASS, $CHLOGON-FORBID, and $CHLOGON-PERMIT in STREAMX.DATA and any appropriate $LOGON-EXECUTE commands in SECURCON.DATA (just as if you had entered a %CHLOGON command). Also, just like with %CHLOGON, we must disable the [BREAK] key when you do a %CHGROUP until you do a %CHLOGON with no parameters; simply entering a %CHGROUP with no parameters will not re-enable break if you didn't originally log on to your home group; %CHGROUP with no parameters switches you to your home group (for compatibility with MPE/iX); %CHLOGON with no parameters switches you back to your original logon. Please read the "Important note for MPE/iX users" in the %CHLOGON documentation. Special note: although this feature is being described in the MPEX User Manual, it is also available (to SECURITY users) within STREAMX jobs (via ::CHGROUP) and in SECURITY menus. (CHG) %CHLOGON Syntax: %CHLOGON [[session,] user [/pass] .account [/pass] [,group [/pass]]] [;KEEPCAPS] [;KEEPALLOW] [;KEEPUDCS] [;SILENT] (NEW) %CHLOGON abbreviated logon (NEW) Examples: %CHLOGON DAVID,MANAGER.SYS %CHLOGON =,CLERK.PR;KEEPCAPS;KEEPALLOW;KEEPUDCS;SILENT %CHLOGON Special note: although this feature is being described in the MPEX User Manual, some of the features that can be used to control it (the $CHLOGON-xxx commands in the STREAMX.DATA file), are only available to you if you are a user of both MPEX and SECURITY. This command is also available (to SECURITY users) within STREAMX jobs (via ::CHLOGON) and in SECURITY menus. The %CHLOGON command gives you the ability to switch to a different MPE account, group, user, or session name without having to re-logon via the :HELLO command! Why not just re-logon via :HELLO? * The :HELLO command creates an entirely new session. You lose all of your file equations, variable settings, temporary files, REDO history, etc. %CHLOGON preserves all of this (and more!) for you. * Because it doesn't have to actually create an entire new session, %CHLOGON is much faster than :HELLO. * %CHLOGON can be used in command files, SECURITY menus, and in STREAMX as "::CHLOGON"! Special note: although this feature is being described in the MPEX User Manual, some of the features that can be used to control it (the $CHLOGON-xxx commands in the STREAMX.DATA file), are only available to you if you are a user of both MPEX and SECURITY. This command is also available (to SECURITY users) within STREAMX jobs (via ::CHLOGON) and in SECURITY menus. The %CHLOGON command gives you the ability to switch to a different MPE account, group, user, or session name without having to re-logon via the :HELLO command! Why not just re-logon via :HELLO? * The :HELLO command creates an entirely new session. You lose all of your file equations, variable settings, temporary files, REDO history, etc. %CHLOGON preserves all of this (and more!) for you. * Because it doesn't have to actually create an entire new session, %CHLOGON is much faster than :HELLO. * %CHLOGON can be used in command files, SECURITY menus, and in STREAMX as "::CHLOGON"! * %CHLOGON lets you KEEP all of the CAPabilities (;KEEPCAPS), ALLOWs (;KEEPALLOW), and UDCs (;KEEPUDCS) from your original logon in your new logon; this includes extra capabilities and ALLOWs acquired via the GOD program or SECURITY's $ALLOW facility. * Like STREAMX, %CHLOGON can be configured to not prompt for MPE and SECURITY user profile passwords. This means you can set up a command file or menu (with OPTION NOBREAK, and to which the user doesn't even need read access, only execute) that logs on to another account, performs some task, then switches the user back to his original logon. This is much more secure than giving him the passwords to an account he doesn't normally need to log on to. As you can see, %CHLOGON (::CHLOGON in STREAMX, and CHLOGON in menus) uses the same basic syntax as MPE's ":HELLO" command, but with a few special keywords added and the "user.account" is optional -- if you don't specify a "user.account", %CHLOGON simply switches you back to your original logon, the one you entered at the ":HELLO" command. This is especially useful in command files, SECURITY logon menus, and STREAMX jobs: you can do a "CHLOGON newuser.newacct", perform whatever task you want under the new logon, then do a "CHLOGON" with no parameters to switch back to the original logon. You may use an "=" in place of the session, user, account, and/or group names to retain your current session, user, account, and/or group. After you enter the %CHLOGON command, you will be prompted for the appropriate MPE and SECURITY password(s) (unless you have SM, or AM and are changing to another logon in the same account, or there is a $CHLOGON-NOPASS -- documented below -- in effect for you), and then you will be switched to the new logon. One thing to be aware of with CHLOGON (and CHGROUP for that matter) is that the predefined variables HPGROUP and HPACCOUNT will change to reflect the new logon ID. What this means is that if you have: SETVAR MPEXPROMPT "!HPGROUP.!HPACCOUNT: " or anything similar in your MPEXMGR start-up file, you should change it to: SETVAR MPEXPROMPT "!!HPGROUP.!!HPACCOUNT: " so that when you issue the %CHLOGON command your prompt changes (otherwise your MPEXPROMPT variable will remain set to the same value even though you changed from one logon ID to another -- see the discussion of "!"'s with regard to variable substitution). The following special keywords may be used in the %CHLOGON command: ;KEEPCAPS tells %CHLOGON to give you the same capabilities under your new logon that you had under your old one (this includes any capabilities acquired via the GOD program). Note: in order to prevent AM users in one account from getting AM in another account (where they might not normally have it), ;KEEPCAPS only works if you have SM capability. ;KEEPALLOW tells %CHLOGON to ALLOW you the same console commands that your were ALLOWed under your old logon (this includes global ALLOWs, :ALLOWs issued by the console operator, ALLOWs acquired via the GOD program, and $ALLOWs in your SECURITY SECURCON.DATA file). ;KEEPUDCS tells %CHLOGON to give you the same UDCs under your new logon that you had under your old one. ;SILENT tells %CHLOGON to switch to the new logon without displaying the message "Welcome! You are now signed on". This is useful when you want to use %CHLOGON within a command file or menu where the user does not need to know that you changed their logon-ID. The function ISCHLOGONED() will return TRUE if the current session has executed a %CHLOGON (and has not yet switched back). This can be useful within a command file or SECURITY menu to test the CHLOGON status. In addition, the ISCHGROUPED() function returns FALSE if the %CHLOGON command changes the account or user, but TRUE if ONLY the group changed (which is actually what %CHGROUP does internally). ELIMINATING PASSWORD PROMPTS ($CHLOGON-NOPASS) You can allow particular usersets, using particular MPEX command files/SECURITY menus/STREAMX jobs, to switch to particular logons without being prompted for passwords by adding entries of the form: $CHLOGON-NOPASS currentuserset fileset targetuserset to your STREAMX.DATA file (as you can see, this is quite similar to the $NOPASS and $WITHCAPS-PERMIT/FORBID entries in STREAMX.DATA). For example, $CHLOGON-NOPASS @.DEV TESTPROD.CMD.PROD TEST.PROD means anyone in the DEV account can %CHLOGON to TEST.PROD with ANY session name by using the command file TESTPROD.CMD.PROD. The "fileset" above can include $STDIN; this is how you keep from asking for passwords when the user enters "%CHLOGON..." directly from the MPEX "%" prompt. RESTRICTING WHO MAY USE %CHLOGON ($CHLOGON-FORBID|PERMIT) What if you don't want certain users to have access to %CHLOGON at all? There are two keywords you can put in the STREAMX.DATA file to control who can use %CHLOGON: $CHLOGON-FORBID currentuserset fileset targetuserset $CHLOGON-PERMIT currentuserset fileset targetuserset By default, all users are allowed to use %CHLOGON to switch to any logon that they know the passwords for. $CHLOGON-FORBID lets you forbid a particular userset from switching to a particular set of new logons via a particular fileset of MPEX command files, SECURITY menus, and/or STREAMX jobs. This "fileset" can include (or exclude) $STDIN; this is how you control use of "%CHLOGON..." in an interactive session. $CHLOGON-PERMIT cancels the effect of a previous $CHLOGON-FORBID. This lets you say things like $CHLOGON-FORBID @.PROD @[log in to unmask]@ @.@ $CHLOGON-PERMIT BERT,@.PROD @.MUPPET.PROD ERNIE,@.PROD which means no users in the PROD account may use %CHLOGON at all, except any user in PROD with a session name of "BERT" can use any file in the group MUPPET.PROD to %CHLOGON his session name to "ERNIE". Another example would be: $CHLOGON-FORBID @.@ @[log in to unmask]@ @.@ $CHLOGON-PERMIT @.DEV [log in to unmask]@ @.@ Which means that only the users who can use the %CHLOGON command are users in the DEV account, and even then, they can only use it from a "%" prompt. What if the new logon is protected by a SECURITY logon menu? * If you have SM capability (and use ;KEEPCAPS), you will be switched to the new logon and the menu will not be activated; * If you don't have SM capability, you will not be permitted to switch to the new logon at all. If you want non-SM users to be able to switch to logons that are protected by SECURITY logon menus (bypassing the logon menu), add the keyword $CHLOGON-OKMENU currentuserset fileset targetuserset to your STREAMX.DATA.VESOFT file. This keyword only allows a user to bypass the logon menu for the new logon if he knows the passwords (or if you also have a $CHLOGON-NOPASS for him). For example, $CHLOGON-OKMENU KENT,OPERATOR.SYS BOOTH.CMD.SYS BOSS,MANAGER.SYS means "the user KENT,OPERATOR.SYS can use the command file BOOTH.CMD.SYS to CHLOGON to BOSS,MANAGER.SYS, even if BOSS,MANAGER.SYS is protected by a logon menu (the logon menu will be skipped)." What if you want the user to be in the menu when he switches to the new account? Easy! Using the same example as above, BOOTH.CMD.SYS could look something like this: OPTION NOBREAK CHLOGON BOSS,MANAGER.SYS FILE MENUFILE=BOSS.MENU.SYS RUN MAIN.PUB.VESOFT,MENU CHLOGON In addition to the STREAMX.DATA keywords of $CHLOGON-NOPASS, $CHLOGON-FORBID, and $CHLOGON-PERMIT, %CHLOGON (and %CHGROUP) will also execute $LOGON-EXECUTE commands from SECURCON.DATA as well. Please refer to the SECURITY manual discussion of $LOGON-EXECUTE for details on this keyword. USING ABBREVIATED LOGONS WITH %CHLOGON If you have configured abbreviated logons for the LOGON facility of our SECURITY package, then %CHLOGON will automatically recognize and use these abbreviated logons just as if you had typed the entire logon string manually. Abbreviated logons are only available when the BACKG job is running and the HELLO task is active. See the Additional Benefits of the VESOFT HELLO trap section of the SECURITY manual for details on abbreviated logons and the HELLO trap. IMPORTANT NOTES FOR MPE/iX USERS Due to MPE/iX limitations we cannot change your logon ID for other processes in your process tree, including your father process, other son processes of your father (brother processes), and any of your son processes that existed before you did the %CHLOGON (created, perhaps, by the %GOON or %SPOONFEEDing facilities, or programs like QEDIT that suspend themselves, or by using MPEX HOOKed programs). Not changing your father process is only a problem if the father is still active (VERY unusual). Not changing your sons and "brothers" is a problem IF they remain active, or you reactivate one of them to do something. An example of this would be if you were to, within MPEX, run QEDIT, suspend it, %CHLOGON, re-activate QEDIT, and try and edit files. For this reason, on MPE/iX systems, we do the following: * If you have any son processes MPEX will not allow you to do a %CHLOGON. You must first %KILL your son processes. * When you do a %CHLOGON, we disable the <BREAK> key until you switch you back to your original logon. * If you exit MPEX (or STREAMX) without switching back to your original logon first, we switch you back automatically. IMPORTANT NOTES FOR MPE/V USERS On MPE/V systems, using the %CHLOGON command completely switches you to a new logon, just as if you had entered an MPE :HELLO command, with one exception: if you exit MPEX without changing back to your original logon, you will remain in that "changed" logon but have the UDCs you had in your original logon. As long as you remain in MPEX (and assuming you didn't specify the ;KEEPUDCS options), you will have the UDCs that are set for your current logon. If you don't want to accidentally exit MPEX and have the "wrong" UDCs, you can use the "%SET CHLOGONRETURN" command; this will make MPEX switch you back to your original logon automatically when you exit (just like it does on MPE/iX -- see above). Please see the documentation for this command later in this manual.