Using Security Logon With TDPLGUX - Teradata Director Program

Teradata Director Program Reference

Product
Teradata Director Program
Release Number
16.10
Published
May 2017
Language
English (United States)
Last Update
2018-05-09
dita:id
B035-2416
Product Category
Teradata Tools and Utilities

The TDP security logon function and the User Logon Exit interface, TDPLGUX, can each operate independently. However, because TDPLGUX can optionally modify both the authid and the logon string itself, using them together provides additional flexibility in security administration.

When the security logon function is disabled, TDP allows a logon to proceed whenever TDPLGUX returns a zero value. When the security logon function is enabled, the logon is routed to TDP for final validation and authorization by using the z/OS System Authorization Facility (SAF) and your external security manager.

Whenever TDPLGUX returns a nonzero value, TDP immediately terminates the logon attempt, whether security logon is enabled or disabled.

When using security logon with TDPLGUX, configure TDPLGUX to:

  1. First, check flag bit LGSI$SEC in the LGISFL switch byte. This flag is ON when the security logon function is enabled, signifying that TDPLGUX can place a modified authid in LGICHUSR.
  2. Then, after modifying the authid, set flag bit LGI$CHNG in the LGISFL switch byte to ON. This signifies that TDP should use the new authid for logon validation and authorization.
  3. If necessary, override the default class in the LGICLASS field.

By default, with no intervention by TDPLGUX, the authid is:
  • LGIXISU for most applications
  • LGIXIUSR for multiuser single-address-space applications such as CICS and IMS
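
The three configuration steps and the return-code rules above, modelled in C as an added example. It is not Teradata's code: the structure layout, bit values, field widths, the `dflt` field standing in for the default authid, and the user, class and return-code values are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Model only: field names follow the page; bit values, widths and layout are
   assumptions, not the real TDPLGUX parameter mapping. */
#define FL_SEC  0x80            /* stands in for the security-logon-enabled bit */
#define FL_CHNG 0x40            /* stands in for the authid-changed bit */

struct lgi {
    unsigned char lgisfl;       /* switch byte */
    char lgichusr[9];           /* modified authid written by the exit */
    char lgiclass[9];           /* class override written by the exit */
    char dflt[9];               /* default authid supplied to the exit */
};

enum outcome { TERMINATED, PROCEED_NO_SAF, ROUTE_TO_SAF };
/* Exit logic under a constructed site policy. */
static int logon_exit(struct lgi *p)
{
    if (strcmp(p->dflt, "GUEST") == 0)
        return 8;                           /* nonzero: logon is terminated */
    if (!(p->lgisfl & FL_SEC))
        return 0;                           /* step 1: flag off, change nothing */
    if (strcmp(p->dflt, "BATCH01") == 0) {
        strcpy(p->lgichusr, "TDSVC01");     /* step 2: place the new authid... */
        p->lgisfl |= FL_CHNG;               /* ...then mark it as changed */
        strcpy(p->lgiclass, "TDCLASS");     /* step 3: optional class override */
    }
    return 0;
}

/* TDP's side as the page describes it; *authid is what SAF would validate. */
enum outcome tdp_logon(struct lgi *p, const char **authid)
{
    *authid = NULL;
    if (logon_exit(p) != 0)
        return TERMINATED;                  /* regardless of security logon */
    if (!(p->lgisfl & FL_SEC))
        return PROCEED_NO_SAF;              /* zero return is sufficient */
    *authid = (p->lgisfl & FL_CHNG) ? p->lgichusr : p->dflt;
    return ROUTE_TO_SAF;
}

int main(void)
{
    struct lgi p = { FL_SEC, "", "", "BATCH01" };
    const char *id;
    printf("%d %s\n", tdp_logon(&p, &id), id);
    return 0;
}
```

In the model, an exit that wrote the new authid without setting the changed flag would leave the default authid as the one validated, which is why step 2 pairs the two actions.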