
Defining system access control

System access control is only relevant for real user IDs and is generated in the USER statement.

You define system access control by assigning a password to each user ID and by specifying a minimum length, a certain level of complexity, and a minimum and a maximum validity period for the password.

USER userid-name,PASS=password,PROTECT-PW=complexity-level

When signing on, the user must supply openUTM with the authorization data configured for userid-name.

On BS2000 systems, a magnetic strip card can also be configured as an access requirement for a user ID.

In addition, on BS2000 systems an access check using Kerberos can be generated as an alternative to a password and/or magnetic strip card.

Generating system access control using Kerberos (BS2000 systems)

The following generation statements are of significance for generating access control using the distributed authentication service Kerberos:

  • LTERM KERBEROS-DIALOG=

    If you specify LTERM KERBEROS-DIALOG=YES, a Kerberos dialog is carried out when a connection is established for terminals that support Kerberos and that connect to the application directly via this LTERM partner (not via OMNIS) (see "LTERM - define an LTERM partner for a client or printer").

  • TPOOL KERBEROS-DIALOG=

    If you specify TPOOL KERBEROS-DIALOG=YES, a Kerberos dialog is carried out when a connection is established for terminals that support Kerberos and that connect to the application directly via this terminal pool (not via OMNIS) (see "TPOOL - define an LTERM pool").

  • USER PRINCIPAL=

    When you specify USER PRINCIPAL=characterstring, the user is authenticated via Kerberos with the help of this string (see "USER - define a user ID").

openUTM stores the Kerberos information in the length resulting from the maximum lengths generated for MAX PRINCIPAL-LTH and MAX CARDLTH (see "MAX - define UTM application parameters"). If the Kerberos information is longer, it is truncated to this length and stored.
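Because of this truncation, a principal longer than the stored length loses its tail, which for name@REALM strings is the realm part. The following check is an added example, not part of the openUTM documentation: it flags principals that would be truncated and user IDs whose principals become identical after truncation. The user IDs, principals and length values are constructed, and taking the larger of the two MAX values as the stored length is an assumption.

```python
from collections import defaultdict

# Constructed sample: user ID -> string planned for USER PRINCIPAL=
SAMPLE_PRINCIPALS = {
    "UTMADM1": "admin@EXAMPLE.COM",
    "UTMOP01": "operator.batch@EXAMPLE.COM",
    "UTMOP02": "operator.batch@EXAMPLE.ORG",
}


def stored_length(principal_lth, card_lth):
    # Assumption: the stored length is the larger of the values generated
    # for MAX PRINCIPAL-LTH and MAX CARDLTH.
    return max(principal_lth, card_lth)


def audit_principals(principals, principal_lth, card_lth):
    """Return (truncated, collisions) for a user ID -> principal mapping.

    truncated:  user ID -> value that would remain after truncation
    collisions: truncated value -> sorted user IDs that share it
    """
    limit = stored_length(principal_lth, card_lth)
    truncated = {}
    by_stored = defaultdict(list)
    for userid, principal in principals.items():
        stored = principal[:limit]  # one character per position assumed
        by_stored[stored].append(userid)
        if len(principal) > limit:
            truncated[userid] = stored
    collisions = {
        value: sorted(ids) for value, ids in by_stored.items() if len(ids) > 1
    }
    return truncated, collisions


if __name__ == "__main__":
    # Constructed values standing in for MAX PRINCIPAL-LTH and MAX CARDLTH.
    cut, clash = audit_principals(SAMPLE_PRINCIPALS, principal_lth=20, card_lth=16)
    for userid, stored in sorted(cut.items()):
        print(f"{userid}: stored as {stored!r} (truncated)")
    for stored, ids in clash.items():
        print(f"{stored!r} is shared by {', '.join(ids)}")
```

With the sample values, both operator principals are cut before the realm and end up with the same stored string, so the generated lengths should be raised until both lists are empty.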