Identifying Users from Remote Hosts

A user from a remote host can access your system in one of the following ways:

  • The user can request a station transfer to your system.

    In this case, the user is required to enter a usercode and password on your host. If the local USERDATAFILE includes an entry enabling the specified usercode/password combination, the system grants the user local system access according to the rights and privileges defined in that entry.

    The host name to which the user station is attached is not relevant on the local system when a remote user accesses the local host by performing a station transfer.

  • The user can be given automatic log-on service. You enable it by creating or modifying a service list for the user. Refer to Automatic Log-On Service.

  • The user can access the local system by requesting a distributed systems service other than a station transfer: a file transfer or a job transfer, for example.

    In this case, the USERDATAFILE on your system must include a REMOTEUSER entry enabling the requesting usercode/host name combination to access the local host. For details, see REMOTEUSER Statement.

  • In addition, the remote user must be identified in a USER entry, as follows:

    • If the user is to run under the same usercode on your local host as the one he or she uses on the remote host, the usercode must also appear in a USER entry for the remote host. The MCP does not require that password information be the same on both hosts.

      For example, suppose that Tom Thompson has the usercode/password combination THOMPSON/DUFFER on a remote host that has the host name CHA15C. To enable this user to access your system to perform distributed systems services operations other than station transfers, you could run MAKEUSER and enter

      + USER = THOMPSON IDENTITY = "THOMPSON";
      + REMOTEUSER THOMPSON OF CHA15C;

    • If the user is to run on your local host under a usercode different from the one he or she uses on the remote host, you must define an alias usercode for the local host in a USER entry for the local host. The alias must also appear in a REMOTEUSER entry designating both the local and remote usercodes. Again, there is no requirement that password information be the same on both hosts.

      For example, suppose THOMPSON/DUFFER from the earlier example is now to run under the usercode WILLY on the local host with his same password (DUFFER). In this case, you could enter the following sequence:

      + USER = WILLY IDENTITY = "WILLY";
      + REMOTEUSER THOMPSON OF CHA15C LOCALALIAS = WILLY;

Access Other Than Station Transfers (Nonautomatic Transfers)

The following forms of REMOTEUSER entries enable a particular usercode to access the local host from a remote host by requesting distributed systems services operations other than station transfers:

<usercode> OF <host name>
<usercode> OF *IPADDRESS <IP address>
<usercode> OF *DOMAINNAME <domain name>
<usercode> OF *ANYHOST

Access from a Remote Host

The following forms of REMOTEUSER entries enable any usercode to access the local host from a remote host by requesting distributed systems services operations other than station transfers:

*ANYUSER OF <host name>
*ANYUSER OF *IPADDRESS <IP address>
*ANYUSER OF *DOMAINNAME <domain name>
*ANYUSER OF *ANYHOST

General Considerations for Granting Access Privileges

Each of the REMOTEUSER entries can optionally specify that one or more of the usercodes permitted to access the local host are to be identified by a different local-alias usercode.

Security administrators can use any combination of entries as appropriate for their installations.

Note: Use *ANYHOST entries with caution. They permit access from all remote hosts that can be connected to the local host. For example, the local host NEWYORK has a usercode OPERATOR and a REMOTEUSER entry OPERATOR OF *ANYHOST in its USERDATAFILE. If the host NEWYORK becomes connected to the host DENVER, which also has a usercode OPERATOR in its USERDATAFILE, the usercode OPERATOR of DENVER is permitted to access the host NEWYORK.

Remoteuser Entry Search Procedures

The caller must specify whether the master control program (MCP), in evaluating the incoming transfer request for access to the local system, is to search the USERDATAFILE for applicable REMOTEUSER entries according to IP addresses, domain names, or host names. The system then searches for entries in the following order of preference.

Order   Security Information

1       <usercode> / <complete IP address, complete domain name, or host name>

2       <usercode> / <partial IP address, partial domain name>

3       <usercode> / *ANYHOST

If the system is unable to locate applicable entries, the caller can then perform *ANYUSER searches.
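To make the search order and the *ANYHOST caveat concrete, the following is an added illustration written for this page; it is not MCP or USERDATAFILE code. It parses REMOTEUSER statements in the syntax shown above and resolves an incoming request in the order of the table: complete match, partial match, *ANYHOST, and only then the *ANYUSER search. The THOMPSON OF CHA15C and OPERATOR OF *ANYHOST entries are the page's own examples; the PAYROLL and example.com entries, and the partial-match conventions (a partial IP address as leading octets, a partial domain name as trailing labels), are assumptions made for the illustration.

```python
"""Model of REMOTEUSER entry matching and search order (constructed illustration,
not MCP code). Preference order and the *ANYUSER fall-back follow the text above;
partial-match conventions are assumptions: a partial IP address is a leading run of
octets, a partial domain name is a trailing run of labels."""
import re
from dataclasses import dataclass
from typing import List, Optional

COMPLETE, PARTIAL, ANYHOST = 1, 2, 3   # search preference; the lowest rank wins


@dataclass(frozen=True)
class RemoteUserEntry:
    usercode: str               # remote usercode, or "*ANYUSER"
    kind: str                   # "HOSTNAME", "IPADDRESS", "DOMAINNAME" or "ANYHOST"
    value: str                  # host name, IP address or domain name ("" for ANYHOST)
    local_alias: Optional[str]  # LOCALALIAS usercode, if one was given


_REMOTEUSER_RE = re.compile(
    r"""^\s*\+?\s*REMOTEUSER\s+(?P<user>\*ANYUSER|[A-Z0-9]+)\s+OF\s+
        (?:\*ANYHOST
          |\*(?P<kind>IPADDRESS|DOMAINNAME)\s+(?P<val>[^\s;]+)
          |(?P<host>[A-Z0-9]+))
        (?:\s+LOCALALIAS\s*=\s*(?P<alias>[A-Z0-9]+))?\s*;?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def parse_remoteuser(statement: str) -> RemoteUserEntry:
    """Parse one REMOTEUSER statement; a leading MAKEUSER '+' prompt is tolerated."""
    m = _REMOTEUSER_RE.match(statement)
    if m is None:
        raise ValueError(f"not a REMOTEUSER statement: {statement!r}")
    if m.group("host"):
        kind, value = "HOSTNAME", m.group("host").upper()
    elif m.group("kind"):
        kind, value = m.group("kind").upper(), m.group("val")
    else:
        kind, value = "ANYHOST", ""
    alias = m.group("alias")
    return RemoteUserEntry(m.group("user").upper(), kind, value,
                           alias.upper() if alias else None)


def _rank(entry: RemoteUserEntry, kind: str, identifier: str) -> Optional[int]:
    """Preference rank of an entry for a request identified by host name, IP address
    or domain name, or None if the entry does not apply."""
    if entry.kind == "ANYHOST":
        return ANYHOST
    if entry.kind != kind:
        return None
    if entry.value.lower() == identifier.lower():
        return COMPLETE
    if kind == "IPADDRESS" and identifier.startswith(entry.value + "."):
        return PARTIAL   # assumed convention: "10.20" covers 10.20.x.x
    if kind == "DOMAINNAME" and identifier.lower().endswith("." + entry.value.lower()):
        return PARTIAL   # assumed convention: "example.com" covers ws7.example.com
    return None


def resolve(entries, usercode, kind, identifier):
    """Return (local usercode, rank, entry) for the best match, or None.
    Entries for the requesting usercode are searched first in preference order;
    the *ANYUSER search is performed only when none of them applies."""
    for candidate in (usercode.upper(), "*ANYUSER"):
        best = None
        for entry in entries:
            if entry.usercode != candidate:
                continue
            rank = _rank(entry, kind, identifier)
            if rank is not None and (best is None or rank < best[0]):
                best = (rank, entry)
        if best is not None:
            rank, entry = best
            return (entry.local_alias or usercode.upper(), rank, entry)
    return None


def anyhost_grants(entries) -> List[str]:
    """Usercodes that *ANYHOST entries expose to every host able to connect; review these."""
    return sorted({e.usercode for e in entries if e.kind == "ANYHOST"})


# Constructed USERDATAFILE fragment: the first two statements are the page's own
# examples, the remaining three are made up for this illustration.
SAMPLE_STATEMENTS = [
    "+ REMOTEUSER THOMPSON OF CHA15C LOCALALIAS = WILLY;",
    "+ REMOTEUSER OPERATOR OF *ANYHOST;",
    "+ REMOTEUSER PAYROLL OF *IPADDRESS 10.20.30.40;",
    "+ REMOTEUSER PAYROLL OF *IPADDRESS 10.20;",
    "+ REMOTEUSER *ANYUSER OF *DOMAINNAME example.com LOCALALIAS = GUEST;",
]
ENTRIES = [parse_remoteuser(s) for s in SAMPLE_STATEMENTS]

if __name__ == "__main__":
    for usercode, kind, ident in [
        ("THOMPSON", "HOSTNAME", "CHA15C"),          # alias: runs locally as WILLY
        ("OPERATOR", "HOSTNAME", "DENVER"),          # *ANYHOST: granted from a host never listed
        ("PAYROLL", "IPADDRESS", "10.20.99.1"),      # partial IP address match
        ("NOBODY", "DOMAINNAME", "ws7.example.com"), # only the *ANYUSER search applies
        ("NOBODY", "HOSTNAME", "CHA15C"),            # no applicable entry
    ]:
        print(f"{usercode} from {kind} {ident}: {resolve(ENTRIES, usercode, kind, ident)}")
    print("usercodes granted from any host:", anyhost_grants(ENTRIES))
```

The DENVER case is the scenario from the note above: OPERATOR is admitted although no entry names DENVER, because the *ANYHOST entry ranks third but still applies. The anyhost_grants check lists exactly those usercodes so an administrator can confirm each one is intended.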