Group Machine Logon allows a user to log on to a virtual machine other than the user’s default virtual machine, without affecting the target machine’s resource access authorizations.
Group logon is invoked through the “GRPUSER=” parameter of the CP LOGON command. The format is:
LOGON userid GRPUSER=group-acid
The term userid refers to the target virtual machine being logged on to. The term group-acid, or GRPUSER, denotes the CA Top Secret ACID of the user requesting access to the machine.
In contrast with Alternate ACID Logon, Group Machine Logon does NOT cause the target virtual machine to inherit the ACID of the user logging on. Instead, the group user’s ACID is used for password verification and system validation only. Once logged on, the virtual machine assumes (for resource access verification purposes) its own default ACID or the ACID specified by the “ACID=” parameter in the CP LOGON command.
Authorization for Group Machine Logon requires that the group user be granted GRPLOGON access to the target virtual machine.
For example, with the following command:
LOGON VIRTSYS1 GRPUSER=JOEL
JOEL will be logged on to virtual machine “VIRTSYS1” after correctly entering his own LOGON password. Once the LOGON is authorized, the virtual machine will run under the authorities defined in ACID VIRTSYS1.
To permit this request the following permission is required:
TSS PER(JOEL) VMMACH(VIRTSYS1) ACCESS(GRPLOGON)
Group Machine Logon may also be used in combination with Alternate ACID Logon, provided the group user has access to the ACID specified via the ACID= keyword, as well as GRPLOGON or LOGON access to the target virtual machine. For instance, with the following command, user JOEL attempts to log on to target virtual machine “VIRTSYS1” and to assume the resource access authorizations of ACID “SYSPACID”.
LOGON VIRTSYS1 GRPUSER=JOEL ACID=SYSPACID
The following permissions are required to grant this request:
TSS PERMIT(JOEL) ACID(SYSPACID)
TSS PERMIT(JOEL) VMMACH(VIRTSYS1) ACCESS(GRPLOGON)
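The rules above can be modelled as a small audit helper that takes a set of TSS PERMIT lines and a LOGON command and reports which ACID verifies the password, which ACID governs resource access, and which permits are missing. This is an added example, not CA Top Secret code; the function names are hypothetical, and it assumes the machine's default ACID has the same name as the machine, as in the VIRTSYS1 example.

```python
import re

def parse_permits(lines):
    """Turn TSS PERMIT lines into (acid, class, name, access) tuples."""
    permits = set()
    for line in lines:
        kv = dict(re.findall(r"(\w+)\(([^)]*)\)", line.upper()))
        user = kv.get("PERMIT") or kv.get("PER")
        if user and "VMMACH" in kv:
            permits.add((user, "VMMACH", kv["VMMACH"], kv.get("ACCESS", "")))
        elif user and "ACID" in kv:
            permits.add((user, "ACID", kv["ACID"], ""))
    return permits

def parse_logon(command):
    """Split 'LOGON userid [GRPUSER=x] [ACID=y]' into its parts."""
    words = command.upper().split()
    if len(words) < 2 or words[0] != "LOGON":
        raise ValueError("not a LOGON command")
    opts = dict(w.split("=", 1) for w in words[2:] if "=" in w)
    return words[1], opts.get("GRPUSER"), opts.get("ACID")

def evaluate(command, permits):
    """Return (allowed, password_acid, resource_acid, missing_permits)."""
    machine, grpuser, alt_acid = parse_logon(command)
    if grpuser is None:
        raise ValueError("this model covers GRPUSER= logons only")
    missing = []
    # Plain group logon needs GRPLOGON; combined with ACID=, LOGON also suffices.
    levels = ("GRPLOGON",) if alt_acid is None else ("GRPLOGON", "LOGON")
    if not any((grpuser, "VMMACH", machine, lv) in permits for lv in levels):
        missing.append(f"TSS PERMIT({grpuser}) VMMACH({machine}) ACCESS(GRPLOGON)")
    if alt_acid and (grpuser, "ACID", alt_acid, "") not in permits:
        missing.append(f"TSS PERMIT({grpuser}) ACID({alt_acid})")
    # The group user's ACID only authenticates. Resource checks use the ACID
    # named on ACID=, else the machine's default ACID (assumed == machine name).
    return (not missing, grpuser, alt_acid or machine, missing)

if __name__ == "__main__":
    # Permit line taken from the page; the second logon lacks the ACID permit.
    rules = parse_permits(["TSS PER(JOEL) VMMACH(VIRTSYS1) ACCESS(GRPLOGON)"])
    print(evaluate("LOGON VIRTSYS1 GRPUSER=JOEL", rules))
    print(evaluate("LOGON VIRTSYS1 GRPUSER=JOEL ACID=SYSPACID", rules))
```
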
Copyright © 2014 CA Technologies.
All rights reserved.