On Fri, 14 Apr 2017, at 18:05, Andrew Metcalfe wrote: > For reasons best left unspoken, I need to cause a TSO user’s screen to > “lock” after the SMF TWT time has expired. The user then has to > re-authenticate by supplying their RACF password. If they haven’t > unlocked their screen after another TWT interval I need the user to be > terminated S522.
Ages ago I worked in an installation that allowed TSO users to get one extension to the timeout provided they themselves locked their screens. The program that did it issued a fullscreen TPUT saying it was locked (& named the userid and SMFID of the locked session - so that people logged into multiple systems could unlock the right one as needed). Password validation was in our case done by ACF2 and the lock program also counted failed password uses and forced sessions to end if some user was trying to guess someone-else's password. At the point where a user's screen was locked by this program, a small flag block was hung of the TCBUSER field of the job-step TCB. If that couldn't be set up in the expected way the user just got 522ed. Normally the flag block would contain 'TSOLOCK' literals (so easily found in a dump) and a count field. IEFUTL would look to see if a user had such a flag block, and if so if they'd not yet had too many timeout extensions. If the block was there and the count low, it'd be incremented and they'd stay logged in. Otherwise they'd get 522ed. So... could you in login processing attach a subtask that is a program that waits until some external trigger causes it to lock the user's screen? Then when IEFUTL runs, identifies an address space as a TSO user, checks some flag (stored off TCBUSER, maybe, or via name & token services), to see if they are one of this special class of users, and if so either post the ECB or 522 them. -- Jeremy Nicoll - my opinions are my own. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
