On Tue, Sep 23, 2008 at 6:05 AM, Martin, Terry R. (CMS/CTR) (CTR) <[EMAIL PROTECTED]> wrote:
> So the only thing you are buying here is that you keep TCPMAINT password
> secret is that the whole idea behind LOGONBY? So then you only add
> certain user ids to do LOGONBY for this user id, correct?

Actually, the better solution is to have *no* password for TCPMAINT. You can with z/VM 5.3. Without a password, the TCPMAINT user cannot be revoked by incorrect logon attempts. If it were revoked, the authorized people could not even log on to it with LOGONBY.

Also, you don't put individual users on the access list of the surrogate profile, but primarily groups of users. That way it is very easy to handle people joining or leaving the group or changing their role. And if needed, you can use Q BYUSER in the PROFILE EXEC to see which person is using the shared userid.

This scheme is also useful for service machines that you may occasionally log on to. Knowing all those passwords is either risky or inconvenient. And you certainly do not want service machines to be revoked (it will bite you at the next IPL).

The only users with a password should be the "warm body" users, belonging to a single known individual who can maintain his own password. All other userids should not have a password because they are either autologged or accessed via LOGONBY.

-Rob
--
Rob van der Heij
Velocity Software
http://velocitysoftware.com/
