How can one prevent signon to TPX if the userid has the ACF2 RESTRICT attribute



Article ID: 95245


Products

TPX - Session Management
Vman Session Management for z/OS

Issue/Introduction

TPX does not authenticate a user if the userid in ACF2 has the RESTRICT flag.
Restrict is an attribute in the ACF2 logonid record that states the logonid does not have a password.
It is in the ACF2 defined logonid record at Offset x’10’ with a value of x’80’.


I discovered that it is possible to log on to TPX with an ACF2 Restricted userid. That is, one with no password.
Is there an option to prevent a userid with no password from logging on to TPX?

That would be my preferred approach. If not, how should I approach this?
I'd (obviously) prefer not to have to write an exit since that's just one more thing to maintain.

I assume I could set up the userids in question and give them no profile, which would allow a logon, but then no application access. But not allowing logon would be preferable and more in line with normal security practice.

Environment

Release: NVINAM00200-5.4-TPX-Session Management-Access Management package

Resolution

TPX uses the LOGON ID and USER NAME only to validate access.

Since the ACF2 user privilege flags such as RESTRICT are in the LIDREC, the TPXUSNSF exit needs to be customized to limit access for userids with the ACF2 RESTRICT flag.

The customer can reject a signon in the 'TPXUSNSF' exit at call point 12, since the customer can interrogate the LIDREC.

Here is some sample code. Please verify in your environment and make the necessary modifications.
_________________________________________
LIDREC      DSECT LOGONID RECORD
LIDLID      DC CL8' ' LOGON ID
            DC 4X'00'
LIDNAME     DC CL20' ' USER NAME
            DC 992X'00'
LIDLEN      EQU *-LIDREC LENGTH OF RECORD

----------------------------------------------------------------------------