
Locking terminals/user IDs after unsuccessful access attempts

A user ID or user should be locked for a limited time after a predefined number of rejected access attempts. This function is referred to as “suspension”. Suspending a user ID is the most effective reaction, but it can lead to authorized users being locked in addition to an intruder. To prevent this, the suspension can be restricted to one user (also referred to as “initiator”).

At least the terminal name is available to identify the initiator in dialog mode, and the initiator ID in batch mode. If the batch job was issued in a dialog task, the dialog attributes are available. If a secondary batch job is involved, the audit ID could provide an indication of the original initiator.

User ID

Depending on the access route, up to 4 attributes are available to identify the user:

  1. A secondary user ID
     - in dialog mode with a personal logon: the personal user ID
     - in batch mode: the initiator’s personal or logon user ID

  2. The Kerberos principal
     - in net dialog: the identifying attribute
     - in batch mode: the initiator’s principal

  3. The audit information
     - an attribute with mixed content used for logging with SAT. It can contain the personal ID or the initiator’s Kerberos principal. This information is propagated to batch jobs.

  4. The terminal name
     - in dialog mode: the weakest attribute for determining the initiator, even though in the simplest case it is the only one available
     - in batch mode: the initiator’s terminal name

The initiator can be identified directly via attributes 1-3, but only indirectly via attribute 4.

When access attempts are rejected, an attempt is made to recognize an access attempt sequence on the basis of the current initiator’s personal attributes. These attempts can also have taken place in various access classes.

Two access attempts must be assigned to the same initiator when

  • at least one of the attributes 1-3 is known and all match, or

  • none of the attributes 1-3 is known, but the terminal matches.

The suspension relates to the user ID to which the rejected access attempts relate. If an intruder attempts to use another user ID, monitoring starts anew for this user ID.

Administration

The suspension is administered specifically for each user ID. However, the attributes can also be administered centrally using the default attribute of the access control.

The user ID TSOS and that of the security administrator cannot be locked; only the initiator is locked.

All suspensions of a user ID are canceled with the /UNLOCK-USER-SUSPEND command and displayed using /SHOW-USER-SUSPEND.
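The following Python model is an added illustration, not code from the BS2000 documentation or from the SRPM/SECOS implementation. It applies the two initiator-matching rules above (attributes 1-3 direct, terminal indirect), counts rejected attempts per user ID and suspends either the whole user ID or only the initiator, with TSOS and the security administrator always limited to initiator locking. The threshold, lock duration, monitoring window, the placeholder security-administrator name and the sample attempts are all constructed assumptions; `unlock_user_suspend` and `show_user_suspend` are hypothetical stand-ins for what /UNLOCK-USER-SUSPEND and /SHOW-USER-SUSPEND do, not their real interface.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Direct identifying attributes 1-3; attribute 4 (terminal) is only indirect.
DIRECT_ATTRS = ("secondary_user_id", "kerberos_principal", "audit_info")

# TSOS cannot be locked as a user ID; the security administrator's user ID
# is site-specific, so "SECADM" here is a placeholder, not a real default.
NEVER_LOCKED_USER_IDS = {"TSOS", "SECADM"}


@dataclass(frozen=True)
class Attempt:
    user_id: str                              # user ID the access was attempted on
    terminal: Optional[str] = None            # attribute 4
    secondary_user_id: Optional[str] = None   # attribute 1
    kerberos_principal: Optional[str] = None  # attribute 2
    audit_info: Optional[str] = None          # attribute 3
    time: float = 0.0                         # seconds on a constructed clock


def same_initiator(a: Attempt, b: Attempt) -> bool:
    """Assign two attempts to one initiator using the two rules from the text."""
    da = tuple(getattr(a, n) for n in DIRECT_ATTRS)
    db = tuple(getattr(b, n) for n in DIRECT_ATTRS)
    if any(v is not None for v in da + db):
        # Rule 1: at least one direct attribute is known, so all must match.
        # Assumption: an attribute known on one side only counts as a mismatch.
        return da == db
    # Rule 2: no direct attribute known, fall back to the terminal name.
    return a.terminal is not None and a.terminal == b.terminal


class SuspensionMonitor:
    def __init__(self, max_attempts: int = 3, lock_seconds: float = 600,
                 window_seconds: float = 300,
                 scope: Optional[Dict[str, str]] = None):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.window_seconds = window_seconds
        # Per-user-ID administration: "user" locks the user ID, "initiator"
        # locks only the initiator (the central default here is "user").
        self.scope = scope or {}
        self.rejected: Dict[str, List[Attempt]] = {}
        self.user_locks: Dict[str, float] = {}            # user_id -> expiry
        self.initiator_locks: List[Tuple[str, Attempt, float]] = []

    def scope_for(self, user_id: str) -> str:
        if user_id in NEVER_LOCKED_USER_IDS:
            return "initiator"
        return self.scope.get(user_id, "user")

    def is_suspended(self, attempt: Attempt) -> bool:
        expiry = self.user_locks.get(attempt.user_id)
        if expiry is not None and attempt.time < expiry:
            return True
        return any(uid == attempt.user_id and attempt.time < exp
                   and same_initiator(sample, attempt)
                   for uid, sample, exp in self.initiator_locks)

    def record_rejection(self, attempt: Attempt) -> bool:
        """Record a rejected attempt; return True if it triggers a suspension."""
        history = self.rejected.setdefault(attempt.user_id, [])
        # Monitoring is per user ID: drop attempts outside the window, then
        # count the sequence belonging to the same initiator.
        history[:] = [h for h in history
                      if attempt.time - h.time <= self.window_seconds]
        history.append(attempt)
        sequence = [h for h in history if same_initiator(h, attempt)]
        if len(sequence) < self.max_attempts:
            return False
        expiry = attempt.time + self.lock_seconds
        if self.scope_for(attempt.user_id) == "user":
            self.user_locks[attempt.user_id] = expiry
        else:
            self.initiator_locks.append((attempt.user_id, attempt, expiry))
        # Start a fresh sequence for this initiator after the suspension.
        history[:] = [h for h in history if not same_initiator(h, attempt)]
        return True

    def unlock_user_suspend(self, user_id: str) -> None:
        """Cancel all suspensions of one user ID (hypothetical stand-in)."""
        self.user_locks.pop(user_id, None)
        self.initiator_locks = [t for t in self.initiator_locks if t[0] != user_id]

    def show_user_suspend(self, user_id: str, now: float) -> List[str]:
        """List active suspensions of one user ID (hypothetical stand-in)."""
        out = []
        if self.user_locks.get(user_id, -1) > now:
            out.append("user ID locked")
        out += ["initiator locked: terminal=%s principal=%s" %
                (s.terminal, s.kerberos_principal)
                for uid, s, exp in self.initiator_locks
                if uid == user_id and exp > now]
        return out
```

Rule 1 is applied whenever any direct attribute is known on either side, so a dialog attempt that carries a personal user ID never merges with an anonymous attempt from the same terminal; only attempts with no direct attributes at all fall back to the terminal comparison. A rejected attempt on a different user ID starts its own sequence, which is why an intruder who switches user IDs is counted afresh for each one.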