Shimon,

What release of VM:Secure are you running? In r2.8 G0808, it definitely doesn't work. I tested before I posted.

You're assuming that LOGON and LOGONBY rules are evaluated together to determine the most specific rule. That's not how it works. LOGON rules are evaluated first. If the userid cannot be logged onto, LOGONBY rules are irrelevant.

Dennis O'Brien

39,556

________________________________

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Shimon Lebowitz
Sent: Wednesday, March 04, 2009 02:14
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Using LBYONLY

I am sorry, but that set of rules WILL work in VM:Secure. To quote the Rules Manual:

<quote>
When two or more rules in a file govern a particular access request, VM:Secure establishes an order of preference based on how precisely the requester is specified. In order of preference, a rule is chosen that indicates:
1. A specific user ID as requester
2. A specific group as requester
3. An asterisk (*) as requester; this indicates all user IDs
</quote>

So, when someone NOT mentioned in the specific ACCEPT rule tries to logonby, the REJECT * LOGON catches them. But if the user specified in the accept attempts it, the ACCEPT rule is more specific and will allow the logonby.

In fact, the manual gives an example just like Richard's rules, except that it is dealing with LINK requests:

REJECT * LINK 191 RR
ACCEPT FRAISERC LINK 191 RR

Shimon

> Richard Schuh wrote:
> >And with VM:Secure, you can accomplish the same effect by using the Rules Facility. With the following rules, the actual password is immaterial:
> >
> > REJECT * LOGON
> > ACCEPT userx LOGONBY
>
> That doesn't work. The REJECT * LOGON rule takes precedence, and you don't even get a chance to enter your password for LOGONBY. Set the password to LBYONLY and create ACCEPT xxx LOGONBY rules for the userids you want to log on. That's all you need. If you don't have VM:Secure or another external security manager, then set the password to LBYONLY and add LOGONBY statements to the directory.
>
> Dennis O'Brien
>
> 39,556

--
************************************************************************
Shimon Lebowitz mailto:shim...@iname.com
VM System Programmer . Israel Police National HQ.
Jerusalem, Israel phone: +972 2 542-9877 fax: 542-9308
************************************************************************