Endpoint Administration Guide for UNIX › Controlling Login Commands › Password Checking and Login Restrictions › Logon Checks

Logon Checks

After the login process passes the authentication stage, CA ControlMinder intercepts the process and checks the following points:

• Has the password expired?

  If it has, the user receives a number of grace logins accompanied by warnings before being denied access. Following access denial, the security administrator must reassign the user's password. The number of grace logins is determined by the user password policy, which you can specify either globally with the setoptions command, or for a profile group with the chgrp command.

  Note: For more information about the setoptions command, see the Reference Guide.

  You can use the segrace utility to view the number of grace logins left for a user, the number of days remaining until the user's existing password expires, or the date and time the user last logged on and from which terminal.

  Note: For more information about the segrace command, see the Reference Guide.

• Is the user logging on from an authorized terminal?

  If so, login proceeds normally to the next check; if not, the user cannot log in.

• Do the current time‑of‑day and day‑of‑week allow login (per the predefined restrictions)?

  If they do, login proceeds normally to the next check; otherwise, the user cannot log in.

• Was this user name unused for more than a predefined number of days?

  If it was, access is denied. (The default is 90 days; use the setoptions command to change it.)