Terry, LOGONBY has been around for many VM releases. We set all our service machine accounts and important maintenance ids (MAINT, TCPMAINT, etc) up with a LOGONBY list. Then we change those ids' passwords to LBYONLY, which says the userid can only be logged on using LOGONBY. So if you try and log on to MAINT directly you get told
L MAINT HCPLGA053E MAINT not in CP directory A scary message for the faint of heart! Besides limiting the number of people who can access MAINT to the ones in the LOGONBY list, MAINT never needs its password changed again, and the auditors are appeased (a considerable benefit for those who have to answer the questions at annual audits!). Ron On Tue, Sep 23, 2008 at 12:17 AM, Rob van der Heij <[EMAIL PROTECTED]> wrote: > On Tue, Sep 23, 2008 at 6:05 AM, Martin, Terry R. (CMS/CTR) (CTR) > <[EMAIL PROTECTED]> wrote: > >> So the only thing you are buying here is that you keep TCPMAINT password >> secret is that the whole idea behind LOGOnBY? So then you only add >> certain user ids to do LOGONBY for this user id correct? > > Actually, the better solution is to have *no* password for TCPMAINT. > You can with z/VM 5.3. Without a password, the TCPMAINT user can not > be revoked by incorrect logon attempts. If it were revoked, the > authorized people could not even logon to it with logonby. Also, you > don't put individual users on the access list of the surrogate > profile, but primarily groups of users. That way it is very easy to > handle people joining or leaving the group or change their role. And > if needed, you can use Q BYUSER in the PROFILE EXEC to see which > person is using the shared userid. > > This scheme is also useful for service machine that you may > occasionally logon to. Knowing all those passwords is either risky or > inconvenient. And you certainly do not want service machines to be > revoked (it will bite you at next IPL). > > The only users with a password should be the "warm body" users, > belonging to a single known individual who can maintain his own > password. All other userids should not have a password because they > are either autologged or accessed via LOGONBY. > > -Rob > -- > Rob van der Heij > Velocity Software > http://velocitysoftware.com/ >
