Authorization concept of openUTM

In addition to system access control based on user IDs, openUTM offers a sophisticated system access and data access concept. This makes it possible to control which users can access which services of the UTM application via which LTERM partners.

You can choose between a user-oriented variant (lock/key code concept) and a role-oriented variant (access list concept). These variants are generated using lock codes, access lists, keysets, and key codes:

  • A service is protected either with lock codes (lock/key code concept) or with an access list (access list concept) (TAC statement LOCK= or ACCESS-LIST=).

  • A user ID receives a keyset with one or more key codes (USER statement KSET=). The key codes define the authorizations.

  • An LTERM partner receives a keyset with one or more key codes, as well as lock codes if the lock/key code concept is used (LTERM or TPOOL statement, KSET= and LOCK= operands).

  • Keysets are defined separately in KSET statements.

The preconditions under which users can sign on and when they can start or continue a service (following a service restart) are outlined in the following table for both concept variants.

| Action | Preconditions: lock/key code concept | Preconditions: access list concept |
|---|---|---|
| Sign on via specific LTERM partner | A key code of the user ID matches the lock code of the LTERM partner. | Sign-on is always possible. |
| Start a service | The user ID and LTERM partner have a key code that matches the lock code of the TAC. | The user ID and LTERM partner each have a key code which is contained in the access list of the TAC. The key codes of the user ID and LTERM need not be identical. |
| Continue service (following service restart) | A key code of the LTERM partner via which the user continues the service must match the lock code of the follow-up TAC. | A key code of the LTERM partner via which the user continues the service must be contained in the access list of the follow-up TAC. |

Messages in the event of incorrect authorization

If authorization is invalid, the following messages may be output to the terminal user (a corresponding return code is supplied with the sign-on service):

K005 User identification user is locked - please sign on

If the key code of the user does not match the key code of the LTERM partner (sign-on service: return code U02).

K009 Transaction code <tac> is invalid - input please

If the user or LTERM is not authorized to start the service. If a BADTAC service is generated, the BADTAC service is started instead.

K123 LTERM does not have the rights to continue the service - please sign on

If the LTERM partner via which the user signed on at the service restart is not authorized to start the follow-up TAC (sign-on service: return code U16). This message may be output in particular if a user continues the service from a different terminal and hence a different LTERM.
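The preconditions table and the three messages above can be modelled as a small decision function. The following is an added example, not openUTM code: the class and function names, the sample keysets and the treatment of a TAC without LOCK= or ACCESS-LIST= as unprotected are assumptions, and the BADTAC case is not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Partner:                    # a user ID or an LTERM partner
    keys: FrozenSet[int]          # key codes of its keyset (KSET=)
    lock: Optional[int] = None    # LTERM lock code (LOCK=), lock/key code concept only

@dataclass(frozen=True)
class Tac:
    lock: Optional[int] = None                    # TAC ... LOCK=
    access_list: Optional[FrozenSet[int]] = None  # TAC ... ACCESS-LIST=

def _holds(partner: Partner, tac: Tac) -> bool:
    """True if the partner's keyset satisfies the TAC's protection."""
    if tac.lock is not None:                # lock/key code concept
        return tac.lock in partner.keys
    if tac.access_list is not None:         # access list concept
        return bool(partner.keys & tac.access_list)
    return True   # assumption: a TAC with neither operand is unprotected

def sign_on(user: Partner, lterm: Partner) -> str:
    # An LTERM lock code exists only under the lock/key code concept;
    # under the access list concept sign-on is always possible.
    if lterm.lock is not None and lterm.lock not in user.keys:
        return "K005"
    return "OK"

def start_service(user: Partner, lterm: Partner, tac: Tac) -> str:
    # User ID and LTERM partner must each satisfy the TAC.
    return "OK" if _holds(user, tac) and _holds(lterm, tac) else "K009"

def continue_service(lterm: Partner, follow_up: Tac) -> str:
    # After a service restart only the LTERM partner is checked.
    return "OK" if _holds(lterm, follow_up) else "K123"

# Constructed sample generation (all key codes are invented).
USER = Partner(keys=frozenset({1, 3}))
LTERM_A = Partner(keys=frozenset({3, 5}), lock=1)
LTERM_B = Partner(keys=frozenset({7}), lock=1)
TAC_LOCKED = Tac(lock=3)
TAC_LISTED = Tac(access_list=frozenset({1, 5}))

if __name__ == "__main__":
    print(sign_on(USER, LTERM_A), start_service(USER, LTERM_A, TAC_LISTED),
          continue_service(LTERM_B, TAC_LOCKED))
```

With the sample data, the user starts `TAC_LISTED` via `LTERM_A` although the two hold different key codes from the access list, and continuing `TAC_LOCKED` via `LTERM_B` yields K123, the different-terminal case described for that message.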

More information can be found in the openUTM manual “Concepts and Functions” and the openUTM manual “Generating Applications”.