Logon Processor

The logon processor controls user access to a database. It is run when:

The reality command is executed to start up a Reality database environment under UNIX or Windows.
Logging off from a database environment started using the reality -U command.
The LOGON command is executed at TCL.

The logon processor performs the following functions:

Reads the physical location identifier (PLId) of the port from which the logon is attempted and validates it against the associated network profile in NETWORK file.
If logon from that location is valid, LOGON displays a prompt for Reality user-id and password and validates the input.

Note: The user-id prompt is contained in item LOGON in the SYSTEM file. If an invalid user-id or password is entered the message 'Invalid logon attempt' is displayed.

It checks the user-id against the user and security profiles defined in the USERS and SECURITY files (see Database Access Profiles). If the user has a default account without a password, or the user-id has a password (thus overriding any account password), logon continues as at step 4.
If the account has a password and it is not overridden by user-id security, LOGON displays account logon and password prompts and validates the input against the SYSTEM file and against the security profile in SECURITY. If an invalid account or password is entered or if this logon is invalid, the user is denied access and the message 'Invalid logon attempt' is displayed.
Displays any logon message contained in item LOGON in the ERRMSG file. This message is formatted as a standard ERRMSG item. It is used to display a message to users logging-on to the database.
Displays any logon 'welcome' message contained in item '335' in the ERRMSG file.
Runs a user's logon Proc, if specified in the user's profile and defined in the account's Master Dictionary.
If a user's logon Proc is not executed, LOGON runs instead any Proc in the account's MD with the same name as the account name or account synonym used to logon.
If access to TCL is attempted and a 'TCL-inhibit Proc' is specified via a T in attribute 9 of the account's definition item and an appropriate item is present in DICT ACC file and a Proc named in this item is defined in the account's MD, the TCL-inhibit Proc is run so as to prevent the user gaining access to TCL.

If TCL access is attempted when inhibited in the user's security profile, the user process is logged off.

Logon Prompt

UNIX

On a UNIX system, the following Reality logon prompt is displayed when connection to a new Reality database is attempted:

system_name
LOGON PLEASE:

where system_name is the name assigned to the database when it was created. Refer to the description of the mkdbase command.

The LOGON item must be present in file SYSTEM to allow logon to the database. It can be edited from SYSMAN, SYSPROG or any account with SYS2 privileges and update access to SYSTEM. Initially, when the database has just been made, it contains the following:

   LOGON
001 L
002 Hsystem_name
003 L
002 HLOGON PLEASE: +

Note: The characters 'L', 'H' and '+' format the message as for ERRMSG items.

Windows

On a Windows system, the Reality logon prompt is generated by the communicating program smanager. It can be modified using the network administration utility netadmin. smanager passes the user-id to the reality process it starts, which then prompts for a password, if necessary.

First Logon Message: 'LOGON' in ERRMSG

Item LOGON in file ERRMSG contains the first message displayed after logon is completed. Do not delete this item: if it is missing the message ERRMSG [LOGON] will be displayed at logon.

When the database is first created item LOGON contains only a line feed specification, as follows:

   LOGON
001 L
EOI 001

Welcome Message: '335' in ERRMSG

Item '335' in ERRMSG contains the second message displayed after logon. It shows the release and revision level of Reality software and a copyright notice. If it is missing, the system displays the message ERRMSG [335].

Editing Logon Prompt and Message

On UNIX, to edit the logon prompt, log on to any account that has SYS2 level privileges and update access to the SYSTEM file. These include SYSMAN and SYSPROG.

To edit the logon message text in ERRMSG items LOGON or 335 you can log on to any account that has update access to the ERRMSG file.

Example

    LOGON
001 L(2)
002 T
003 S(21)
004 D
005 L
006 HLOGON TO THE DEVELOPMENT SYSTEM:+

This logon Prompt would be displayed as follows:

11:34:23                     25 DEC 99
LOGON TO THE DEVELOPMENT SYSTEM:

On Windows, use the netadmin utility to edit the logon prompt.

Logon Control Procs

One or more of the Procs described in the following pages ('user', 'account' and 'TCL inhibit') can be used to customise database access. You need only create those required. For detailed information on writing Procs, see the Proc Reference.

User Logon Proc

The user logon Proc specified in the user's profile (see Securing the Database Using SSM) performs a sequence of actions when the associated user logs on to an account in which it resides. It is executed automatically only once, when the user first logs on and is not executed by the LOGTO command. If the user logon Proc is executed, then the account logon Proc is not executed (unless called by the user logon Proc).

The following examples might typically be implemented as user logon Procs.

Example 1

    PRINTER
001 PQN
002 HSP-ASSIGN =LASER
003 P
004 X*** LASER PRINTER ASSIGNED ***

This Proc assigns the spooler queue for the LASER printer and displays the message '***LASER PRINTER ASSIGNED***' after the logon welcome message. For the Proc to be executed automatically at logon, ‘PRINTER’ must be entered in the user's profile and the PRINTER Proc item must be present in the MD of the account to which the user logs on .

Example 2

    TERMCHAR
001 PQN
002 HTERM 118,44,7,6
003 P
004 X*** TERMINAL CHARACTERISTICS SET ***

This Proc sets terminal characteristics and displays a corresponding message. As above, for automatic execution at logon, the ‘TERMCHAR’ must be entered in the user's profile and TERMCHAR Proc must be present in the MD of the account logged on to.

Account Logon Proc

When logging on to an account, if a user logon Proc is not executed, the logon processor executes any Proc in the account's MD with an item-id that matches the account name or account synonym used to logon.

An account logon Proc may be used, for example, to execute initialisation routines that establish the user's operating environment or to run a specific program. The Proc is executed whenever one of the following conditions is met:

The account is the first one entered at logon and a user logon Proc is not executed.
The account is entered via the LOGTO command.
Attribute 9 of the Account Definition Item contains an R, debug has been entered and the debug END command has been executed.

Specifying an R in attribute 9 of the Account Definition Item can be used to prevent TCL access. For example, if the account logon Proc has a menu, that does not allow access to TCL, the user might try to break into one of the debuggers and enter the END command to by-pass the menu. The R in attribute 9 specifies that the system is to rerun the Proc whenever the debugger's END command is executed.

Example

    SALES
001 PQN
002 HRUN BP MENU
003 P

This Proc runs a DataBasic program named MENU located in the BP file. Typically this might display an application menu. To run the program immediately after logging on to the SALES account, the SALES Proc must be in the MD of the SALES account and no user logon Proc must be specified, or, if it is, the user logon Proc must execute SALES.

TCL-inhibit Proc

The TCL-inhibit Proc prevents users from accessing TCL. It is run whenever the software is about to return the process to TCL provided that all of the following conditions are met:

Attribute 9 of the Account Definition Item contains T.
The dictionary of the ACC file contains an item with item-id :port-number (the port number of the currently logged on user) and with attribute 1 containing the name of the Proc.
The named Proc exists in the account's MD.

The purpose of the TCL-inhibit Proc is to prevent the user from accessing TCL. The Proc stops the user exiting from the Proc except to log off. If the Proc allows access to TCL, the system simply restarts the Proc each time access to TCL is attempted.

Note: This is the 'soft' method of inhibiting TCL access. If TCL access is inhibited in a user's security profile, the user process is logged off, if TCL access is attempted.

Attribute 9 of the Account Definition Item can contain letters other than T. In particular, an R indicates that the account logon Proc is to be executed when appropriate. The account logon Proc takes precedence over the TCL-inhibit Proc, but if it exits to TCL any TCL-inhibit Proc will be executed.

Example

The following is attribute 9 of the Account Definition Item for account SALES:

009 TB    TCL-inhibited and break disabled

The following item is in DICT ACC:

    :22
001 SALESMENU

Account SALES must contain Proc SALESMENU in its MD. If a user logs on to account SALES from port 22, the system executes the Proc SALESMENU any time the user tries to access TCL.