Reference Guide › User Exit Reference › POSTRULE User Exit › Recommendations for Using the POSTRULE Exit
Recommendations for Using the POSTRULE Exit
Keep the following points in mind when you use the POSTRULE user exit:
- Specify the VMXUSER MACLIB on a GLOBAL MACLIB command before assembling the exit code.
- If you plan to use the POSTRULE user exit, you must add a USEREXIT POSTRULE record to PRODUCT CONFIG file in the following format:
USEREXIT POSTRULE filename TEXT
Replace filename with the filename of your POSTRULE user exit file. The file ID of the prototype file provided on the distribution tape is VMXEXITF XASSEMBL.
- The POSTRULE exit is treated as a rule. If it modifies the CA VM:Secure evaluation, it is illogical to treat this as either NORULE ACCEPT (code 8) or NORULE REJECT (code 12). If the exit modifies PRXACODE to 8, CA VM:Secure treats that the same as code 4 (conditional accept). If the exit modifies PRXACODE to 12, CA VM:Secure treats that the same as code 16 (reject by a rule).
- If you have not chosen to configure the CP component of CA VM:Secure with a CPIGNORE DIRLINKS record, directory links are evaluated by CA VM:Secure, and the POSTRULE exit can reject them.
- The surrogate user ID is a user ID on whose behalf a request is made. The surrogate facility is used by CA VM:Batch. The information about the requesting user ID would reflect, for example, user ID VMBAT003. The information about the surrogate user ID would reflect the user ID who submitted the CA VM:Batch job. If there is no surrogate relationship involved, requester and surrogate information is the same.
The CA VM:Secure evaluation is based on the surrogate user, not the actual requesting user. The only exception is that a surrogate user is never prompted for its logon password, even if the applicable rule includes the LOGPASS option. If the POSTRULE exit sets PRXACODE to 20 (prompt for logon password) and there is a surrogate relationship involved, CA VM:Secure treats that the same as code 0 (unconditional accept with no password prompt).
- If the POSTRULE exit stores any value other than 0, 4, 8, 12, 16, or 20 in PRXACODE, CA VM:Secure reverts to its original evaluation of the request.
- If the POSTRULE exit sets PRXACODE to 20 (accept with LOGPASS) for a logon request, CA VM:Secure treats that the same as code 4 (accept with appropriate password) and the requester is prompted normally for a logon password.
- If the POSTRULE exit sets PRXACODE to 20 (accept with LOGPASS) for a link during logon (directory link), CA VM:Secure treats that the same as code 0 (unconditional accept with no password prompt). The user, who ordinarily is prompted for a logon password during a LOGON command, is not asked multiple times for the same password.
- If the POSTRULE exit sets PRXACODE to 20 (accept with LOGPASS) for a DIAL command, CA VM:Secure treats that the same as code 4 (accept with appropriate password). If the relevant DIAL rule specifies a password, the requester is prompted for it. If the relevant DIAL rule does not specify a password, there is no password prompt, and the DIAL is accepted as if the POSTRULE exit had specified code 0 (unconditional accept).
Copyright © 2014 CA.
All rights reserved.
|
|