In addition to system access control based on user IDs, openUTM offers a sophisticated system access and data access concept. This makes it possible to control which users can access which services of the UTM application via which LTERM partners.
You can choose between a user-oriented variant (lock/key code concept) and a role-oriented variant (access list concept). These variants are generated using lock codes, access lists, keysets, and key codes:
A service is protected either with lock codes (lock/key code concept) or with an access list (access list concept) (TAC statement LOCK= or ACCESS-LIST=).
A user ID receives a keyset with one or more key codes (USER statement KSET=). The key codes define the authorizations.
An LTERM partner receives a keyset with one or more key codes, as well as lock codes if the lock/key code concept is used (LTERM or TPOOL statement, KSET= and LOCK= operands).
Keysets are defined separately in KSET statements.
The preconditions under which users can sign on and when they can start or continue a service (following a service restart) are outlined in the following table for both concept variants.
Action | Preconditions (lock/key code concept) | Preconditions (access list concept)
--- | --- | ---
Sign on via specific | A key code of the user ID matches | Sign-on is always possible.
Start a service | The user ID and LTERM partner have a key code that matches the | The user ID and LTERM partner each have a key code which is
Continue service | A key code of the LTERM partner via which the user continues the | A key code of the LTERM partner via which the user continues the
Messages in the event of incorrect authorization
If authorization is invalid, the following messages may be output to the terminal user (a corresponding return code is supplied with the sign-on service):
K005 User identification <user> is locked - please sign on
If the key code of the user does not match the key code of the LTERM partner (sign-on service: return code U02).
K009 Transaction code <tac> is invalid - input please
If the user or LTERM is not authorized to start the service. If a BADTAC service is generated, the BADTAC service is started instead.
K123 LTERM does not have the rights to continue the service - please sign on
If the LTERM partner via which the user signed on at the service restart is not authorized to start the follow-up TAC (sign-on service: return code U16). This message may be output in particular if a user continues the service from a different terminal and hence a different LTERM.
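As an added illustration (not openUTM code and not a KDCDEF generation), the following Python model plays through the sign-on, start and continue preconditions of the table above and returns the K005/K009/K123 outcomes described for each failure. The class and function names, the numeric key codes, and the treatment of lock code 0 as "unprotected" are assumptions; the matching rules follow the description of lock codes, keysets and access lists given above, not the product's own checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tac:
    name: str
    lock: int = 0                         # TAC LOCK=; 0 models "unprotected" (assumption)
    access_list: frozenset = frozenset()  # TAC ACCESS-LIST=; key codes allowed to start it

@dataclass(frozen=True)
class User:
    name: str
    kset: frozenset                       # USER KSET=: key codes of the user ID

@dataclass(frozen=True)
class Lterm:
    name: str
    kset: frozenset                       # LTERM/TPOOL KSET=
    lock: int = 0                         # LTERM/TPOOL LOCK= (lock/key code concept only)

def authorized(kset, tac):
    """Does this keyset allow starting the TAC?
    Access list concept: the keyset shares a key code with the list.
    Lock/key code concept: the keyset holds the TAC's lock code."""
    if tac.access_list:
        return bool(kset & tac.access_list)
    return tac.lock == 0 or tac.lock in kset

def sign_on(user, lterm):
    """K005 (U02) unless a key code of the user ID matches the LTERM partner's lock code;
    with no LTERM lock code (access list concept) sign-on is always possible."""
    return "K005" if lterm.lock and lterm.lock not in user.kset else "OK"

def start_service(user, lterm, tac):
    """K009 unless both the user ID and the LTERM partner are authorized for the TAC."""
    return "OK" if authorized(user.kset, tac) and authorized(lterm.kset, tac) else "K009"

def continue_service(lterm, follow_up_tac):
    """K123 (U16) unless the LTERM used after the restart may start the follow-up TAC."""
    return "OK" if authorized(lterm.kset, follow_up_tac) else "K123"

# Constructed sample generation: two users, two LTERM partners, three services.
ALICE = User("ALICE", frozenset({1, 5}))
BOB = User("BOB", frozenset({2}))
TERM1 = Lterm("TERM1", frozenset({1, 2, 5}), lock=1)
TERM2 = Lterm("TERM2", frozenset({2}), lock=2)
PAY = Tac("PAY", lock=5)                               # lock/key code concept
REPORT = Tac("REPORT", access_list=frozenset({2, 5}))  # access list concept
INFO = Tac("INFO")                                     # unprotected
```

With this sample, ALICE may sign on via TERM1 but gets K005 via TERM2, and a service continued via TERM2 after a restart of PAY is refused with K123 because TERM2 lacks key code 5.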