Logging onto CA ACF2 for VM Group Machines

Advanced Logon Procedures › Logging onto CA ACF2 for VM Group Machines

Logging onto CA ACF2 for VM Group Machines

It is sometimes necessary to have a virtual machine that several users can access. This machine is called a group virtual machine (or maintenance machine) and usually has a centralized function. Through CA ACF2 for VM, you can assign the group virtual machine the GRPLOGON privilege (a field in the Privileges group of the logonid record) to define a special kind of group virtual machine.

Many people can use a group virtual machine that has the GRPLOGON privilege, however, only one person can access the machine at any given time. What is special about a GRPLOGON machine is that when someone tries to use it, CA ACF2 for VM validates attempts in a unique way. CA ACF2 for VM determines who is actually using the machine. This way, everyone who uses the group virtual machine (group users) are identified through auditing. In addition, many users can use the group machine without knowing that logonid's password.

How to Log onto a CA ACF2 for VM Group Machine

This method is for CA ACF2 for VM group virtual machines.

logon cmsgroup (with one space before group‑logonid)
(press enter)
 
logon
ACFpgm263R Enter ACF2 logonid
 
TLCAMS
(press enter)
 
ACFpgm244R Enter your ACF2 password
 
password  (nondisplay)
(press enter)
 
ACFpgm137I TLCAMS last system access at 17.38 on 11/09/97 from GRAF‑419
ACFpgm137I CMSGROUP last system access at 21.01 on 10/27/97 from GRAF‑49
ACFpgm268I Group logon successful to CMSGROUP by TLCAMS
  ...
LOGON AT 17:45:09 CST TUESDAY 09/09/98

After entering logon group‑logonid to use the group machine, you supply your own logonid and password, not the group machine's.

When you are in the system, all validations are performed as if the group virtual machine were logged on as a regular user. Normal data and resource access validation is performed against the group machine, not the group user.
CA ACF2 for VM creates SMF records on behalf of the group machine. SMF records contain information that identifies the group user. The user who logged onto the group virtual machine is identified in the CA ACF2 for VM reports. This enforces individual accountability.

You can also use the ACFSERVE RELOAD RESOURCE command to reload and create new group IDs. You can find more information for using this command in the chapter “Using the ACFSERVE Commands” in this guide.

For details on how the CA ACF2 for VM group logonid feature works with CA ACF2 for VM report generators, the Reports and Utilities Guide.

Important factors to consider about this implementation include:

When you try to log onto a group virtual machine, CA ACF2 for VM checks a resource rule to see if you can use the machine. This occurs regardless of the CA ACF2 for VM data access mode setting and any special privileges you might have. The rule checking and implementation requirements for the rule check are explained in the chapter titled “Writing Resource Rules” of the CA ACF2 for VM Implementation Planning Guide.
If the OPTS VMO record defines a VMCHK attribute, that attribute is validated for the group machine but not for the group user.
A CA ACF2 for VM group machine cannot log on or issue the DIAL command. The GRPLOGON attribute does not affect the ability to use the AUTOLOG and XAUTOLOG commands.
You do not need to define a group user as a user ID in the VM directory. The only prerequisite for a group user is that you must define the user with a logonid record in the Logonid database. You must also define the group machine with a logonid record in the Logonid database and in the VM directory.
Password suppression is an IBM security feature implemented in the PSUPRS operand of the SYSJRL macro. It forces you to enter your password on a separate line from your logonid when you log on. This password is not displayed. If this feature is turned on, CA ACF2 for VM does not accept a group user's password on the same line as the logonid. For example, if a group user tries to log onto the MAINT group machine as shown below, CA ACF2 for VM sends a message and ignores the password.
```
logon maint password
(press enter)
 
ACFpgm278I Logon for groupid ‑ password entered will be ignored
```
The AUTOONLY privilege prevents you from logging onto a virtual machine. This is also true if the machine is a group virtual machine.