Client Access

Overview

MOMI has the ability to limit the screens and features available to users of the PC Client. Virtually every screen (with some exceptions) may be turned on or off. Client Access configuration is optional but is provided to allow system administrators a means to tailor MOMI more closely to the requirements of their environment.

 

Users are identified to MOMI using the standard Guardian User Id or Safeguard Alias. Client Access relies on the host to perform authentication. MOMI does not maintain a database of passwords.

 

Client Access is configured and enabled after MOMI is installed and operational. Client Access configuration information is stored on the currently connected NonStop System in the file CNF01DB.

 

This section describes Client Access and gives examples of turning Client Access on and configuring it.

 

What Client Access does not do

Client Access does not grant users of the NonStop System the security needed for sensitive commands such as stopping a process, purging a file, viewing file contents, or deleting spooler jobs. Operations of this type are performed within the context of the user logon, so the 'security success' of the operation is determined by the Operating System, as discussed in Security Logon / Logoff.

 

The User IDs defined within Client Access do not store passwords.

 

Default Security User | Security User

The overall security of MOMI is controlled by two users known as the Default Security User and the Security User.

 

The user that starts the MOMI server on the NonStop System is considered the Default Security User. There may be only one Default Security User. This user can perform and has full control over internal MOMI functions. The Default Security User is the only user that can activate or deactivate Client Access. The default may be overridden with the CONFMOMI keyword DEFAULT-SECURITY-USER.

 

Any user created within Client Access, except the predefined ones, may also be enabled as a Security User. There may be zero or more Security Users. A Security User has the same authority as the Default Security User, except that it cannot turn off Client Access or perform emergency database actions (see bottom of page here for details).

 

The Initial state of Client Access

The initial state of Client Access is OFF, meaning that the MOMI PC Client displays all of its screens to any user of the client and that any user with a valid User ID on the NonStop System may log on. Sensitive functions external to MOMI, such as stopping a process, deleting a file, or viewing the contents of a file, require the user to have sufficient authority granted by the Operating System. Internal functions to MOMI, such as Alarm configuration (i.e. add / delete / change) and enabling Client Access, may only be performed by the user that starts the MOMI server.

 

In this state, the user that starts the MOMI server is the only user with full control and full access over the MOMI environment.

 

Enable Client Access

To enable Client Access, the Default Security User logs on to the MOMI PC Client, navigates to the screen Configure / Client Access / Global Settings and checks the box Enable Client Access Checking on this System, and also usually checks Enable User Access Checking on this System. Press Change Global Client Access Settings at the bottom of the screen to save the settings. Client Access is enabled immediately (no restart is required).

 

Special predefined users

Two users are automatically created and may not be deleted within Client Access:

 

NOT LOGGED ON  determines what screens / functions are available prior to a logon or after a logoff. This is also the initial client state.

USER NOT DEFINED  determines what screens / functions are available when the User ID entered for logon is not found in the Client Access database. This predefined user provides a default environment or may be set to prevent logon to MOMI.

 

Client Access order of precedence

When the MOMI PC Client connects to a system, the predefined user NOT LOGGED ON determines what screens / functions are initially available. When a user attempts to log on, the Client Access database is searched in the following order, stopping at the first "match":

 

1) an exact match to the User ID with a case insensitive comparison

2) match User ID by wild card

3) default to USER NOT DEFINED
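
The search order above, modeled as an added Python example (not MOMI code and not part of the original documentation). The entries, screen names, the use of '*' and '?' as wildcard characters, case-insensitive wildcard matching and the "first stored wildcard wins" tie-break are assumptions made for illustration. It shows that an exact entry decides a user's access even when a broader wildcard entry is stored ahead of it.

```python
from fnmatch import fnmatchcase

# Constructed sample entries, not taken from a real CNF01DB. Screen names are
# invented. Stored order deliberately puts the wildcard before the exact entry.
ENTRIES = [
    ("SUPER.SUPER", {"Alarms", "Files", "Processes", "Configure"}),
    ("OPS.*", {"Alarms", "Processes"}),
    ("ops.night", {"Alarms"}),
]
# Predefined user; an empty screen set models "logon to MOMI prevented".
USER_NOT_DEFINED = ("USER NOT DEFINED", set())


def is_wildcard(pattern):
    # Assumption: '*' and '?' are the wildcard characters.
    return "*" in pattern or "?" in pattern


def resolve(user_id, entries=ENTRIES):
    """Return (matched entry, rule, screens) using the documented search order."""
    wanted = user_id.upper()
    # 1) exact match on the User ID, case-insensitive
    for pattern, screens in entries:
        if not is_wildcard(pattern) and pattern.upper() == wanted:
            return pattern, "exact", screens
    # 2) wildcard match (assumed case-insensitive, first stored match wins)
    for pattern, screens in entries:
        if is_wildcard(pattern) and fnmatchcase(wanted, pattern.upper()):
            return pattern, "wildcard", screens
    # 3) fall back to the predefined user
    return USER_NOT_DEFINED[0], "default", USER_NOT_DEFINED[1]


def effective_access(user_ids, entries=ENTRIES):
    """Audit view: which entry decides each user's screens, and by which rule."""
    return {uid: resolve(uid, entries)[:2] for uid in user_ids}


if __name__ == "__main__":
    for uid, (entry, rule) in effective_access(
        ["ops.night", "Ops.Day", "dev.alice"]
    ).items():
        print(f"{uid:10} -> {entry} ({rule})")
```

Running the same resolution over the list of host User IDs is a quick way to review which users fall through to USER NOT DEFINED before that predefined user is given any screens.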

 

How MOMI 6.00 and later affects Client Access

Prior to MOMI version 6.00, the MOMI PC Client could display screens of meaningful data prior to logon.

 

MOMI 6.00 and later, by default, severely limits data displayed prior to logon. The operation is controlled by the CONFMOMI keyword CLIENT-LOCKDOWN-MODE which directs the client to display a virtually blank screen prior to logon and after logoff. This functional change effectively overrides the Client Access predefined user NOT LOGGED ON.

 

The administrator of MOMI can restore the previous manner in which MOMI operated by setting CLIENT-LOCKDOWN-MODE to false (also see this setting for additional information).

 

Examples

The following examples (denoted by a Æ) describe the sequence of steps necessary to perform certain activities. With the exception of the first two examples, which assume an initial configuration, all other steps assume that Client Access is enabled.

 

Æ The MOMI server is initially started

 

Results

 

 

Æ Enable Client Access checking

 

Results

 

 

Æ Change the predefined user NOT LOGGED ON

 

Results

 

 

Æ Change the predefined user USER NOT DEFINED

 

Results

 

 

Æ Add an individual User ID  

 

Results

 

 

Æ Add a Group ID  

 

Results

 

 

Æ Add a User ID to a group

 

Results

 

 

Æ Allow a user to add/delete/operate an Alarm (assumes the user was already added)

 

Results

 

 

Æ Assign a Security User (assumes the user was already added)

 

Results

 

 

Æ Limit AutoUpdate time

 

Results

 

 

Æ Restore the default state of Client Access and Disable (use only if you really mess up)  

 

Results

 

 

Æ Disable Client Access Checking

 

Results