Methodology for In-Storage Authentication Table

IP.com Disclosure Number: IPCOM000105039D
Original Publication Date: 1993-Jun-01
Included in the Prior Art Database: 2005-Mar-19
Document File: 2 page(s) / 85K

Publishing Venue

IBM

Related People

Jackson, BK: AUTHOR (and 3 others)

Abstract

This article describes a method of authentication for administrators who wish to secure access by individual users to MVS hosts and are concerned with data access security. A method to track and authorize host MVS access from a LAN-based product (e.g., IBM Data Interpretation System) based on a Desktop Name and LAN/network Number is often necessary. Commonly the user's Desktop Name and LAN Number are available to the MVS host, in addition to the User Name and Password, when a data access tool is started by a LAN Desktop user. This information can be used, directly or indirectly, to determine the primary authorization ID for connecting to the host in whatever manner is acceptable under the user's site security standards.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Methodology for In-Storage Authentication Table

      To take full advantage of this method, a Desktop Name-to-Authorization ID table, accessible to all the Host Client address spaces, is built in the Extended Common Service Area (i.e., ECSA subpool 241). This table is referred to as an In-storage Table. Subsequently, a connect exit routine may map the Desktop Name and LAN Number to an administrator-assigned authorization ID from the In-storage Table prior to the authorization validation.

      This table is a set of subtables, one per LAN. The list of the Desktops for each LAN is a set of sublists, one per length of Desktop Name, which can range from 1 to the maximum number of characters allowed for a Desktop Name. This means that there may be one list for each possible Desktop Name length for each unique LAN. For example, there is one list for 4-character Desktop Names for LAN1, a different list for the 4-character Desktop Names for LAN2, and so on.

      For identification purposes, there is an 8-byte table identifier at the beginning and another one at the end of the In-storage Table. Immediately after the header eye catcher and before the first LAN Number subtable there are 3 fullwords as follows:

o   The first fullword contains the beginning address of the table.
o   The second fullword contains the size of the table.
o   The third fullword is a flag for synchronization purposes
    when the tabl...
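The table layout and the connect-exit lookup described above, as an added example in C that is not part of the original disclosure; the identifier value, the limits, the struct layout, the sample entries and all names are assumptions, and the lookup refuses a table whose eye catchers, self address or size do not check out before mapping a Desktop Name and LAN Number to an authorization ID.

```c
#include <stdint.h>
#include <string.h>
/* Model of the In-storage Table from the text: two eye catchers, three header fullwords,
 * one subtable per LAN, one sublist per Desktop Name length. Layout, limits and names
 * are assumptions made for this example, not IBM's implementation. */
#define TABLE_ID "DSKAUTH1"       /* constructed 8-byte table identifier */
enum { MAX_NAME = 8, MAX_LANS = 4, MAX_PER_LIST = 8 };   /* assumed limits */
typedef struct { char name[MAX_NAME]; char authid[9]; } Entry;
typedef struct { uint32_t count; Entry e[MAX_PER_LIST]; } LengthList;    /* one per name length */
typedef struct { uint32_t lan; LengthList bylen[MAX_NAME + 1]; } LanTable; /* one per LAN */
typedef struct {
    char head_id[8];              /* identifier at the beginning */
    uintptr_t self_addr;          /* fullword 1: beginning address (a 31-bit fullword on MVS) */
    uint32_t size;                /* fullword 2: size of the table */
    uint32_t sync_flag;           /* fullword 3: synchronization flag (not exercised here) */
    uint32_t nlans;
    LanTable lans[MAX_LANS];
    char tail_id[8];              /* identifier at the end */
} InStorageTable;
InStorageTable demo_table;        /* constructed sample, filled by demo_build() */
void table_init(InStorageTable *t) {
    memset(t, 0, sizeof *t); memcpy(t->head_id, TABLE_ID, 8); memcpy(t->tail_id, TABLE_ID, 8);
    t->self_addr = (uintptr_t)t; t->size = (uint32_t)sizeof *t;
}
/* Store (LAN Number, Desktop Name) -> authorization ID; returns 1 on success. */
int table_add(InStorageTable *t, uint32_t lan, const char *desktop, const char *authid) {
    size_t len = strlen(desktop), i;
    if (len == 0 || len > MAX_NAME || strlen(authid) > 8) return 0;
    for (i = 0; i < t->nlans && t->lans[i].lan != lan; i++) ;
    if (i == t->nlans) { if (i == MAX_LANS) return 0; t->lans[t->nlans++].lan = lan; }
    LengthList *ll = &t->lans[i].bylen[len];   /* the sublist for this name length */
    if (ll->count == MAX_PER_LIST) return 0;
    memcpy(ll->e[ll->count].name, desktop, len); strcpy(ll->e[ll->count++].authid, authid); return 1;
}
/* Connect-exit step: refuse a table whose eye catchers, self address or size do not
 * match, then map Desktop Name + LAN Number to the administrator-assigned ID. */
const char *table_lookup(const InStorageTable *t, uint32_t lan, const char *desktop) {
    size_t len = strlen(desktop);
    if (memcmp(t->head_id, TABLE_ID, 8) || memcmp(t->tail_id, TABLE_ID, 8) ||
        t->self_addr != (uintptr_t)t || t->size != sizeof *t || len == 0 || len > MAX_NAME) return NULL;
    for (uint32_t i = 0; i < t->nlans; i++) {
        if (t->lans[i].lan != lan) continue; const LengthList *ll = &t->lans[i].bylen[len];
        for (uint32_t j = 0; j < ll->count; j++) if (!memcmp(ll->e[j].name, desktop, len)) return ll->e[j].authid;
    }
    return NULL;
}
int demo_build(void) { table_init(&demo_table);   /* constructed sample: same name on two LANs */
    return table_add(&demo_table, 1, "PC01", "USRA01") + table_add(&demo_table, 1, "ACCT7", "USRA02")
         + table_add(&demo_table, 2, "PC01", "USRB01");
}
```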