Another application of the VMMACH resource provides authorization for the CP AUTOLOG command. Normally, when a user attempts to autolog another virtual machine, the user is prompted for that virtual machine’s directory password. With a VMMACH permission, the user issuing the AUTOLOG command is not prompted for a password. For example, the following gives the specified ACID the ability to autolog any virtual machine whose first six characters are CMSBAT (CMSBATCH, CMSBAT1, etc.).
TSS PER(USER01) VMMACH(CMSBAT) ACCESS(AUTOLOG)
The issuer of the AUTOLOG command still needs to be authorized to use the CP AUTOLOG command. This authorization is dependent upon mode and is accomplished either by having directory class A or B, or by permission to use the CP AUTOLOG command (if the command is protected by CA Top Secret).
By using the VMMACH resource in conjunction with permission to issue the CP AUTOLOG command, an administrator can give what is normally a “class G” user the ability to autolog selected virtual machines.
To allow USER01 to autolog any virtual machine, the administrator enters:
TSS PERMIT(USER01) CPCMD(AUTOLOG)
TSS ADDTO(DEPT01) VMMACH(*ALL*)
TSS PERMIT(USER01) VMMACH(*ALL*) ACCESS(AUTOLOG)
Here are some examples of CPCMD and VMMACH:
TSS PERMIT(USER01) CPCMD(AUTOLOG)
TSS PERMIT(USER01) VMMAC(USER02,USER03) ACCESS(AUTOLOG)
TSS PERMIT(USER01) VMMAC(*ALL*) ACCESS(NONE)
The first permit gives ACID USER01 the ability to issue the CP AUTOLOG command. The second allows the user to AUTOLOG virtual machines USER02 and USER03 without being prompted for the directory password. The third permit fails any attempt to AUTOLOG a virtual machine other than USER02 and USER03.
Another facility provided by CA Top Secret is that of alternate ACID support for AUTOLOG. By specifying the ACID to be used as part of the AUTOLOG command, the issuer of the command can cause a disconnected virtual machine to run under the authorities of a specific ACID. The format of the AUTOLOG command is as follows:
CP AUTOLOG userid ACID=alternate-acid
In addition to the authorities required for AUTOLOG, the issuer of the command requires authorization to the alternate ACID:
TSS PER(autologger) ACID(alternate-acid)
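The checks described on this page, as an added Python model that is not CA Top Secret code: it assumes the longest matching VMMACH prefix takes precedence over *ALL* (inferred from the third permit example) and does not model mode-dependent behaviour. The ACIDs OPER01 and BATCHID and the function names are constructed for illustration.

```python
# Simplified model of the AUTOLOG authorization checks (constructed example).
# Sample permits mirror the page's TSS PERMIT examples; OPER01/BATCHID are made up.
PERMITS = {
    "USER01": {"cpcmd": {"AUTOLOG"}, "acid": set(),
               "vmmach": {"USER02": "AUTOLOG", "USER03": "AUTOLOG", "*ALL*": "NONE"}},
    "OPER01": {"cpcmd": {"AUTOLOG"}, "acid": {"BATCHID"},
               "vmmach": {"CMSBAT": "AUTOLOG"}},
}

def vmmach_access(acid, target):
    """ACCESS level of the most specific VMMACH permit covering target, else None."""
    rules = PERMITS.get(acid, {}).get("vmmach", {})
    best = None
    for prefix, access in rules.items():
        # VMMACH(CMSBAT) covers CMSBATCH, CMSBAT1, ...: match on leading characters.
        if prefix != "*ALL*" and target.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, access)
    # Assumption: a specific permit wins; *ALL* applies only when nothing else matches.
    return best[1] if best else rules.get("*ALL*")

def autolog(acid, target, dir_class="G", alt_acid=None):
    """Return 'ALLOW' (no password), 'PROMPT' (directory password) or 'DENY'."""
    permits = PERMITS.get(acid, {})
    # 1. Issuer must be able to use CP AUTOLOG: class A or B, or a CPCMD permit.
    if not (set(dir_class) & {"A", "B"} or "AUTOLOG" in permits.get("cpcmd", ())):
        return "DENY"
    # 2. ACID=alternate-acid additionally needs a permit to that ACID.
    if alt_acid is not None and alt_acid not in permits.get("acid", ()):
        return "DENY"
    # 3. VMMACH decides whether the directory password prompt is skipped.
    access = vmmach_access(acid, target)
    if access == "AUTOLOG":
        return "ALLOW"
    if access == "NONE":
        return "DENY"
    return "PROMPT"

if __name__ == "__main__":
    for args in [("USER01", "USER02"), ("USER01", "USER04"),
                 ("OPER01", "CMSBATCH"), ("OPER01", "USER02")]:
        print(args, "->", autolog(*args))
```

Running the same checks over a site's actual permits is a quick way to spot a class G ACID whose VMMACH(*ALL*) ACCESS(AUTOLOG) grant lets it start any virtual machine without a password.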
Copyright © 2014 CA Technologies.
All rights reserved.