The TDP security logon function and the User Logon Exit interface, TDPLGUX, can both operate independently. But, because TDPLGUX can optionally modify both the authid and the logon string itself, using them together can provide additional flexibility in security administration.
When the security logon function is disabled, TDP allows a logon to proceed whenever TDPLGUX returns a zero value. When the security logon function is enabled, the logon is routed to TDP for final validation and authorization by using the z/OS System Authorization Facility (SAF) and your external security manager.
Whenever TDPLGUX returns a nonzero value, TDP terminates the logon attempt, immediately, whether security logon is enabled or disabled.
When using security logon with TDPLGUX, configure TDPLGUX to:
- First, check flag bit LGSI$SEC in the LGISFL switch byte. This flag is ON when the security logon function is enabled, signifying that TDPLGUX can place a modified authid in LGICHUSR.
- Then, after modifying the authid, set flag bit LGI$CHNG in the LGISFL switch byte to ON. This signifies that TDP should use the new authid for logon validation and authorization.
- If necessary, override the default class in the LGICLASS field.
By default, with no intervention by TDPLGUX, the authid is:
- LGIXISU for most applications
- LGIXIUSR for multiuser single-address-space applications such as CICS and IMS