With the $CONSOLE interface, BS2000 offers the option of freeing the operator from functions that can be executed under program control, such as:
regular interrogation of certain system load parameters (e.g. number of jobs by different criteria, main memory utilization); and initiation of appropriate measures if required
regular checks for the existence of unanswered messages; broadcasting of messages to the consoles
device management
Such activities can be performed by user programs which, as BCAM-DCAM applications, have identified themselves to the operating system as authorized $CONSOLE applications and which function as virtual consoles. These programs, which function as consoles, are generally referred to as authorized user programs. They are authorized to execute operator functions according to their authorization profile (routing code set).
An unauthorized user program can only send messages to the system and receive any replies. Unauthorized user programs are BCAM/DCAM applications which, although they connect to $CONSOLE, have not requested special (authorized) connection setup.
Authorized programs can execute all conventional operator activities.
In addition, an authorized program can occur as a command execution instance for special operator commands (defined with parameter statement ADD-CMD-ENTRY or the CONNECT-CMD-SERVER command); see "Special operator commands in authorized user programs".
When logging on your own operator command with CONNECT-CMD-SERVER, you can specify COMPLETION-CONTROL=*YES. Note, however, that - unlike with consoles - command input in a user task is synchronous.
The input is therefore only possible when the previous command has finished executing. Consequently, the command should either have a short processing time or be logged on with COMPLETION-CONTROL=*NO.
In the operating mode NBCONOPI=Y, the operator task for an authorized user program with a dynamic authorization name has the privileges of its user and the OPERATING privilege.
System operation can be split into functional areas for authorized user programs in the same way as for physical consoles.
Every user program which wishes to exercise operator functions must make a “connection” to the central system operation task (under the application name $CONSOLE). If the operator functions to be exercised require an authorization (authorization/routing code), the user program must also prove its right to make this connection.
The link between a user program and an authorization name gives this program a feature which is comparable with the mnemonic device name of a physical console.
For authorized user programs which connect to the system using this authorization name (generated authorization name), an entry in the authorization name table must be created in the OPR parameter service with SET-CODE or ADD-CMD-ENTRY. An authorization name consists of 4 alphanumeric characters (values: A-Z, 0-9, or @, $, #), where the first character must not be a digit or “#”. “@” should not be used as the first character. The system always creates 512 authorization names. A maximum of 384 authorization names (generated authorization names) can be specified in the parameter service. The remaining authorization names are assigned by the system (dynamic authorization names, @001 to @512, unless already assigned).
Authorized user programs can thus be assigned names that have the same lifetime as the mnemonic device names of physical consoles.
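The naming rules above can be checked before names are entered in the parameter service. The following Python sketch is an added example, not part of the BS2000 documentation or software; the function names, the report layout and the sample list are assumptions made for illustration.

```python
from collections import Counter

MAX_GENERATED = 384   # upper limit for generated names, as stated above
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@$#")


def check_name(name):
    """Return (errors, warnings) for one candidate authorization name."""
    errors, warnings = [], []
    if len(name) != 4:
        return ["must be exactly 4 characters"], warnings
    bad = sorted({c for c in name if c not in ALLOWED})
    if bad:
        errors.append("characters not allowed: " + "".join(bad))
    if name[0].isdigit() or name[0] == "#":
        errors.append("first character must not be a digit or '#'")
    if name[0] == "@":
        # @001..@512 is the range the system uses for dynamic names
        if not bad and name[1:].isdigit() and 1 <= int(name[1:]) <= 512:
            warnings.append("lies in the dynamic name range @001-@512")
        else:
            warnings.append("'@' should not be used as the first character")
    return errors, warnings


def audit(names):
    """Check a list of names intended as generated authorization names."""
    report = {"errors": {}, "warnings": {}}
    for name in names:
        errors, warnings = check_name(name)
        if errors:
            report["errors"][name] = errors
        if warnings:
            report["warnings"][name] = warnings
    # Duplicate detection is a sanity check added by this example.
    report["duplicates"] = sorted(n for n, c in Counter(names).items() if c > 1)
    report["over_limit"] = len(set(names)) > MAX_GENERATED
    return report


# Constructed sample list, not taken from a real parameter file.
SAMPLE = ["RUDI", "OP$1", "1ABC", "#OPR", "@007", "@ABC", "ABCDE", "ab12", "RUDI"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Names beginning with “@” are reported as warnings rather than errors because the text only advises against them.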
Authorization names have the following characteristics:
The lifetime of authorization names equals the lifetime of the system and hence the lifetime of the device definitions for the physical consoles.
As soon as a user program has been linked to an authorization name it is regarded as an authorized user program. This linkage must be initiated by the program and remains valid until it is canceled by the user program, until the program is terminated or until UCON severs the connection.
The assignment of functional areas for authorized user programs can be made either via authorization names or via operator roles, depending on the type of connection.
After a connection has been accepted by the system, an authorized user program can be identified as the sender or recipient of messages only by the authorization name.
A command processing function may be assigned to an authorization name. If an authorized user program is to execute commands, the system must be informed of the commands for which it functions as the command processor (command server for special commands). For authorized applications with generated authorization names, the command name/authorization name assignment is made in the OPR parameter service with the ADD-CMD-ENTRY record.
In addition, the CONNECT-CMD-SERVER command is available to all authorized user programs for linking authorized applications with operator commands. The DISCONNECT-CMD-SERVER command can be used to remove the link (see the “Commands” manual [27]). By default, both commands are protected by the authorization code K and are only permitted for authorized user programs.
Systems support creates an entry in the user catalog for each authorized user program which is permitted to make a connection to the system. In doing so, passwords should be specified to protect against the unauthorized establishment of a connection to the $CONSOLE (UCON) application. Entries are made in the user catalog by an ADD-USER command. If an application has a generated authorization name, this is used as the user ID; if it has a dynamic authorization name, the OPERID is used as the user ID.
Example of an entry in the user catalog
/ADD-USER USER-ID=RUDI,PROTECTION-ATTRIBUTES=(-
LOGON-PASSWORD=C'FOX#HOLE'),ACCOUNT-ATTRIBUTES=(ACCOUNT=K0815)
If the user program has a generated authorization name, this is used as the user ID.
/ADD-USER USER-ID=ISOLDE,PROTECTION-ATTRIBUTES=(-
LOGON-PASSWORD=C'MUSTARD!'),ACCOUNT-ATTRIBUTES=(ACCOUNT=K0815)
If the user program has a dynamic authorization name, the OPERID is used as the user ID.
A hexadecimal password is not permitted.
An authorized user program can use any operator command; the only exceptions are the commands subject to restrictions with regard to their input location (e.g. REQUEST-MAIN-CONSOLE-FUNCTIONS). An authorized user program cannot be a replacement or main console.
If the assigned operator role includes authorization for the CONNECT-CMD-SERVER command - by default this has the authorization code K - then the authorized user program may use this command to indicate that it is responsible for processing operator commands. The system will then route those operator commands, for the execution of which the authorized user program has taken responsibility, without subjecting them to any syntax analysis.
CAUTION!
Owners of authorization code K may inadvertently issue important system operation commands and, for instance, disable them. Systems support should therefore grant this authorization only to selected user processes.
Structure of the authorization name table
A maximum of 384 authorization names are created in the startup parameter service with the OPR parameter set (generated authorization names); to these, the system will add any unique authorization names for authorized user programs which establish a connection using an operator identification, until the maximum number of 512 entries has been reached.
The command CREATE-OPERATOR-ROLE allows systems support to define a list of authorization codes which comprise an operator role, and to declare it to a specified pubset. The command MODIFY-OPERATOR-ATTRIBUTES is used to create or modify the assignment of operator roles to an operator identification.
A connection as an authorized user program can be made in two different ways:
as a connection with an authorization name which was generated (old-style user program); see "Connections with generated authorization names"
as a connection with a dynamic authorization name; see "Connections with dynamic authorization names"
| Command | Meaning |
| --- | --- |
| ADD-USER | Make entries in the user catalog |
| CREATE-OPERATOR-ROLE | Define one or more operator roles |
| DELETE-OPERATOR-ROLE | Delete the definition of an operator role |
| EXIT-JOB | Exit the $CONSOLE application, including connection release |
| MODIFY-OPERATOR-ATTRIBUTES | Create or modify assignment of operator roles to an operator identification |
| RELEASE-OPERATOR-ROLE | Request release of a specific work area |
| REQUEST-OPERATOR-ROLE | Request assignment of one or more operator roles |
| SHOW-OPERATOR-ROLE | Display information on operator roles |

| Macro | Meaning |
| --- | --- |
| NBMAP | Write message trailer (see "NBMAP macro" in section "Message formats") |
| NBMHE | Write the format of the message header (see "NBMHE macro" in section "Message formats") |
Table 46: Interface overview for “Authorized user programs with operator functions”