> So the only thing you are buying here is that you keep TCPMAINT password > secret is that the whole idea behind LOGOnBY? So then you only add > certain user ids to do LOGONBY for this user id correct?
Think of it more as a role: you are assuming the role of TCPMAINT, using your own login credentials to validate your claim to the role. The idea is minimum privilege; shared ids should not be directly logged into, because you lose the audit trail of who did what. You give individual ids minimum privilege (essentially with the combination of LOGINBY and PROP, there's rarely a real reason for any individual id to have more than class G), and they authenticate to the shared ID when they need to do something more powerful, or an extended string of things that require privileges or access to files w/o having to jump through a lot of maintenance-intensive hoops.