The Check Signon Count tool allows you to prevent a signon
(interactive job) if the number of current signons for a specific
user profile exceeds a maximum. The supplied TAA program (TAASEFGC
in TAATOOL) must be named in the INLPGM parameter or used in the
users initial program. A system default and unique user profile
values may be specified.
An option exists for whether jobs from the same device (either System
Request or Group Jobs) should be considered to count toward the
maximum.
In some environments, profiles exist that are used by multiple users.
The Check Signon Count tool offers a solution to prevent excess use
of these profiles.
The defaults are set for:
- A maximum of 5 Signons
- Jobs from the same device do not count toward the maximum
To cause a user profile to be checked, you must use the the TAATOOL
program TAASEFGC. If the user does not have an initial program,
specify:
CHGUSRPRF USRPRF(xxx) INLPGM(TAATOOL/TAASEFGC)
If you already have an initial program for the user, enter as the
first command in the users initial program either:
CALL TAATOOL/TAASEFGC
or
TAATOOL/CHKSGNCNT
The CHKSGNCNT command has no parameters and just invokes TAASEFGC.
If the number of Signons exceeds the default for the specified
profile, a display appears explaining that the maximum has been
exceeded and the user is signed off when Enter is pressed. A journal
entry is sent to the QAUDJRN by default. See the later discussion if
you do not have the QAUDJRN active, want to use a different journal,
or do not want to cause a journal entry.
Note that any user profile that does not specify the supplied program
cannot be checked.
Thus 3 types of situations may exist:
** A profile is not controlled by the tool. An unlimited number
of signons may occur.
** A profile is checked by the supplied defaults to prevent
excess signons.
** A profile is checked by an individual record. See the later
discussion of the SGNCNTP file.
Jobs from the same device
-------------------------
An option exists to determine whether jobs from the same device will
count toward the maximum. This includes System Request jobs and
Group Jobs. When either System Request is used to start a new job or
an additional group job is started, the assigned job name is the
device name. The Check Signon Count tool compares job names to
determine if the job is running on the same device.
The option does not include 'hot key' jobs such as from a PC device.
These jobs are given unique job numbers and cannot be determined as
being from the same device.
Changing the defaults
---------------------
The system defaults are used when a record for the user does not
exist in the SGNCNTP file in TAASECURE. See the later discussion of
the SGNCNTP file.
The system defaults are kept in the CHKSGNCNT Application Value
(*USRSPC object) in TAASECURE. A user with *ALLOBJ authority should
enter:
EDTAPPVAL APPVAL(TAASECURE/CHKSGNCNT)
The following options exist:
MAXSGNCNT The maximum number of signons allowed. The value
must be between 1 and 99999. The shipped default is
5. The value must be entered with leading zeros.
Note that at one time the lower limit value was
incorrectly set at 5 rather than 1. If your lower
limit is still 5, you may change to a limit of 1 by:
EDTAPPVALD APPVAL(TAASECURE/CHKSGNCNT)
Use option 1 on MAXSGNCNT. Change the 'Range' low
limit value from 00005 to 00001.
CNTSAMDEV A *YES/*NO value for whether to count jobs that are
started on the same device. This includes System
Request and Group Jobs, but excludes 'hot key' PC
jobs (see the section on 'Jobs from the same
device'). The shipped default is *NO meaning the
user may have a System Request job (Option 1) and
Group Jobs on the same device without the jobs being
considered for the maximum.
JRN The journal name to send an audit entry to if a user
is prevented from signing on. QAUDJRN is the
shipped default. *NONE may be specified to not send
a journal entry.
If a journal is specified, the JRNLIB parameter must
also be specified. If the journal cannot be found,
a message is sent to QSYSOPR.
See the later section on the journal entry.
JRNLIB The journal library name to send an audit entry to
if a user is prevented from signing on. QSYS is the
shipped default for the QAUDJRN journal. *NONE may
be specified to not send a journal entry.
SGNCNTP file in TAASECURE
-------------------------
The SGNCNTP file in TAASECURE may contain individual user records
where specific values may be entered if there is a requirement to
differ from the defaults. For example, if the system default allows
a maximum of 5 jobs, you may want to allow less or more for a
specific user profile.
To enter or review the records, a user with both *ALLOBJ and *SECADM
special authority should enter:
WRKSGNCNT
A display of any existing user records appears. Options exist to
change, delete, etc. A new user may be entered using F6.
The first two options for each record mirror the first two options of
the Application Value defaults:
MAXSGNCNT The maximum number of signons allowed. The value
must be between 1 and 99999. The shipped default is
5.
CNTSAMDEV A *YES/*NO value for whether to count jobs that are
started on the same device. This includes System
Request and Group Jobs, but excludes 'hot key' PC
jobs (see the section on 'Jobs from the same
device'). The shipped default is *NO.
CHKGRPMBR A *YES/*NO value to be entered for Group Profile
records for whether the members of the group should
be checked as if there was an individual record for
each member. This includes supplemental groups as
well. This is a 'shorthand' solution to avoid
having to enter individual records if all (or most)
members of the group should be treated with the same
values for MAXSGNCNT and CNTSAMDEV. Note however,
that each member of the group must invoke the
CHKSGNCNT tool as described earlier.
The MAXSGNCNT value is considered uniquely for each
member of the group (not a total for the group).
For example, the Group Profile record may specify a
MAXSGNCNT of 2 which would allow many members of the
group to be signed on, but no single member could
have more than 2 signons.
If a member of a group should be treated differently
from the Group record, enter both the Group record
and one or more individual records for the users
that should be treated differently. The logic first
checks if an individual record exists for the signed
on user. If not, but the user is a member of a
group, a check is made for a group profile record.
If it does not exist, a check is made if any records
exist for a supplemental group profile.
The supplemental group profiles are checked in the
order they appear on DSPUSRPRF. If an individual
record does not exist, nor any record for a group
profile or supplemental group profile, the
Application Value defaults are used.
To review, the order in which the checking occurs
is:
- User profile
- Group profile record (GRPPRF parameter)
- Supplemental group profiles (SUPGRPPRF
parameter) in the order as displayed
by DSPUSRPRF
If the user record exists, the values from it are
used.
If the Group profile or a Supplemental group profile
record exists, the 'Check Grp/Mbr' value must be
*YES in the record in order to use the values in the
record. If the value is *NO, no further check
occurs and the Application Value defaults are used.
If no record is found for the user or one of the
Group Profile records, the Application Value
defaults are used. See the example in the next
section.
No error occurs if the record entered with *YES for
'Check GrpMbr' is not a group profile.
Example of Group and Supplemental Group actions
-----------------------------------------------
Assume USERA and USERB are both members of GROUP1 which is specified
for their GRPPRF parameter. They are also members of GROUP2 and
GROUP3 as specified in their SUPGRPPRF parameters.
The WRKSGNCNT display was entered as:
Maximum Count Check
User Signons SamDev GrpMbr
GROUP1 1 *YES *YES
GROUP2 2 *YES *NO
GROUP3 3 *YES *YES
USERA 4 *YES *NO
If USERA signs on, his record is found, and he is allowed 4 signons.
No further checking occurs because his record was found.
If USERB signs on, his record does not exist, but the GROUP1 record
does and 'Check GrpMbr' is *YES so he is allowed 1 signon.
If the GROUP1 record in SGNCNTP is removed and USERB signs on, the
GROUP2 record is found, but since the 'Check Grp/Mbr' value is *NO,
the Application defaults are used. Note that the GROUP3 record is
not checked, because the checking stops when the first record is
found.
If USERC signons on, he does not have an individual record and if his
GRPPRF value is *NONE, the Application Value defaults would be used.
Exceeding the maximum number of signons
---------------------------------------
When the maximum number of signons is exceeded, a display appears to
the user describing the error. The text varies slightly depending on
whether it is a full signon versus a request for another Group Job.
The text informs the user that when Enter is pressed, the user will
be signed off (if a Group Job is requested, ENDGRPJOB is used).
Journal entry
-------------
If the maximum number of signons is exceeded, the default sends a
journal entry to the QAUDJRN journal. A different journal could be
specified or you can specify that no journal entry be sent. See the
previous section on Changing Defaults.
The journal entry is specified as Code = U and Type = CS. The text
of the entry describes the reason.
CHKSGNCNT escape messages you can monitor for
---------------------------------------------
None.
WRKSGNCNT escape messages you can monitor for
---------------------------------------------
None.
CHKSGNCNT Command parameters *CMD
----------------------------
None.
WRKSGNCNT Command parameters *CMD
----------------------------
None.
Restrictions
------------
The maximum number of signons can only be controlled when the
TAATOOL/TAASEFGC program is specified for the user profile INLPGM
parameter or a call to TAATOOL/TAASEFGC is included in the users
initial program.
Prerequisites
-------------
The following TAA Tools must be on your system:
ADJVAR Adjust variable
APPVAL Application value
CVTWRKUSR Convert work user
EDTVAR Edit variable
FILEFDBCK File feedback
HLRMVMSG HLL Remove message
RPGSTSDS RPG status DS
RTVOBJD2 Retrieve object description 2
RTVSPCAUT Retrieve special authority
SNDESCMSG Send escape message
Implementation
--------------
The tool is ready to use, but requires an entry in the INLPGM
parameter of each user profile to be checked or a modification of the
users initial program. If you are already using an initial program,
enter a CALL to TAATOOL/TAASEFGC or TAATOOL/CHKSGNCNT.
You should review the defaults provided and add individual user
records using WRKSGNCNT for user profiles that require values that
differ from the defaults.
Objects used by the tool
------------------------
Object Type Attribute Src member Src file
------ ---- --------- ---------- ----------
CHKSGNCNT *CMD TAASEFG QATTCMD
WRKSGNCNT *CMD TAASEFG2 QATTCMD
TAASEFGC *PGM CLP TAASEFGC QATTCL
TAASEFGC2 *PGM CLP TAASEFGC2 QATTCL
TAASEFGC3 *PGM CLP TAASEFGC3 QATTCL
TAASEFGR *PGM RPG TAASEFGR QATTRPG
TAASEFGR2 *PGM RPG TAASEFGR2 QATTRPG
TAASEFGD *FILE DSPF TAASEFGD QATTDDS
TAASEFGE *FILE DSPF TAASEFGE QATTDDS
TAASEFGP *FILE PF TAASEFGP QATTDDS
TAASEFGL *FILE LF TAASEFGL QATTDDS
The Application Value CHKSGNCNT (a *USRSPC object) exists in
TAASECURE.
The physical file SGNCNTP and the logical file SGNCNTL exist in
TAASECURE. These are duplicates of TAASEFGP and TAASEFGL.
Structure
---------
CHKSGNCNT Cmd
TAASEFGC CL pgm - Called from or as the users initial program
TAASEFGR RPG pgm - Retrieves information from SGNCNTP file
TAASEFGC3 CL Pgm - Displays the text before signoff
TAASEFGE Display file
WRKSGNCNT Cmd
TAASEFGC2 CL pgm
TAASEFGR2 RPG Pgm
TAASEFGD Display file
|
