HP OpenVMS Systems

ask the wizard
Content starts here

User Accountability by Login Source?

» close window

The Question is:

Is it possible in VMS to restrict the login of a user account to specific
Background: the [company] has defined workareas. All workers of one workarea
 uses the same vms-account. If one worker change the workarea and therefore
 works in a different location he should no longer be able to login with his
 old account. A workarea
has about 700 workers in 3 shift operation and it is impossible to work with
 individuell accounts.
Thank you in anticipation

The Answer is :

  Inferring details left unstated in the question, it appears there
  is a belief that an accountability and/or security problem exists.
  The OpenVMS Wizard would strongly encourage the use of individually
  assigned usernames and unique UICs, as this provides for better
  security and better accountability.  Many OpenVMS sites operate with
  numbers of entries in SYSUAF well into the tens of thousands, using
  DCL procedures for basic user maintenance tasks.
  Other approaches -- lacking individual accountability -- involve using
  the automatic login facility (SYSALF), or the use of DCL within the
  SYLOGIN that performs the necessary verification of the login source.
  Some of the options include:
    The SYS$REM* logical names
    An OpenVMS security identifier
  Alternatively, you could customize LOGINOUT to perform the processing
  of the login source directly, via the available LGI callouts mechanism.
  Since the current configuration presently provides no user-specific
  security, the use of a null password and the automatic login facility
  (SYSALF) would be entirely appropriate.  Based solely on the source of
  the login, the user is automatically entered into the correct username.
  More complex options include approaches that do not involve logging
  into the system -- the user interface is always available to the
  client via web, GUI, or other approach at all times, and the user
  does not particularly need to connect to the system.  Whether the
  application performs its own verification and/or authentication is
  another discussion, and one based on local security requirements.

answer written or last revised on ( 20-MAR-2001 )

» close window