If you have users that you want to limit to certain devices only, such as generic profiles, or profiles for temporary personnel, the AS/400 does not provide a method to do this.
To overcome this, create a CL program that passes the user ID and workstation ID to an RPG program. The RPG program chains out to a file that is owned by QSECOFR with public authority excluded. This file contains user IDs and workstations and is keyed by those same two fields, in that order. The RPG program passes back to the CL program whether or not it found a match.
If it did, the CL program calls the normal startup program; if not, it informs the user that they are not authorized to use the workstation and signs the user off.
PGM
  DCL VAR(&WSID) TYPE(*CHAR) LEN(10) /* WORKSTATION */
  DCL VAR(&USER) TYPE(*CHAR) LEN(10) /* USER */
  DCL VAR(&AUTH) TYPE(*CHAR) LEN(1) /* AUTHORIZED? */
  /* FOR AN INTERACTIVE JOB THE JOB NAME IS THE WORKSTATION ID */
  RTVJOBA JOB(&WSID) USER(&USER)
  /* CHECKER PASSES BACK 'Y' OR 'N' IN &AUTH */
  CALL PGM(MYLIB/CHECKER) PARM(&USER &WSID &AUTH)
  IF COND(&AUTH *EQ 'Y') THEN(DO)
    CALL PGM(MYLIB/NORMALSTRT)
    GOTO CMDLBL(END_OF_PGM)
  ENDDO
  IF COND(&AUTH *EQ 'N') THEN(DO)
    SNDBRKMSG MSG('YOU ARE NOT AUTHORIZED TO SIGN ON TO +
      THIS WORK STATION') TOMSGQ(&WSID)
    SIGNOFF LOG(*LIST)
  ENDDO
END_OF_PGM: ENDPGM
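The tip describes CHECKER but does not show its source. A version in free-form ILE RPG follows as an added example, not the tip author's program; it returns 'N' unless a matching record is actually read, including when the file cannot be opened. The file name USRWSAUT and the parameter names are assumptions, and the file is assumed to be keyed by a 10-character user ID followed by a 10-character workstation ID.

```rpgle
**free
// CHECKER: added example, not the original tip's source.
ctl-opt dftactgrp(*no) actgrp(*caller);

// USRWSAUT is an assumed name for the lookup file described in the tip:
// owned by QSECOFR, public excluded, keyed by user ID then workstation ID.
// USROPN lets the open be attempted inside the MONITOR block below.
dcl-f USRWSAUT usage(*input) keyed usropn;

// Parameters in the order the CL passes them: &USER &WSID &AUTH
dcl-pi *n;
  pUser char(10) const;   // user profile from RTVJOBA
  pWsid char(10) const;   // workstation (job name) from RTVJOBA
  pAuth char(1);          // returned: 'Y' = match found, 'N' = no match
end-pi;

// Fail closed: the answer is 'N' until a matching record has been read.
pAuth = 'N';

monitor;
  open USRWSAUT;
  // Look up the exact user/workstation pair by the two-part key.
  chain (pUser : pWsid) USRWSAUT;
  if %found(USRWSAUT);
    pAuth = 'Y';
  endif;
  close USRWSAUT;
on-error;
  // Missing file, no authority, lock or I/O error: treat as not authorized.
  pAuth = 'N';
endmon;

*inlr = *on;
return;
```

Because the file is public excluded, the program has to run under adopted authority (created with USRPRF(*OWNER) and owned by a profile that is authorized to the file); otherwise every ordinary user fails the open and gets 'N'.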
The tip already listed sends a break message to the workstation, and then executes a SIGNOFF. This means the user will never see the message; he or she is not allowed to that workstation. It is better to send the message to the user and add the workstation-name in the message:
RTVJOBA USER(&USER) JOB(&JOB)
SNDMSG ('User' *BCAT &USER *BCAT 'not allowed on workstation' *BCAT
An alternative is to use object authorities; a device is known to the AS/400 as an object of type *DEVD. You can give a user *EXCLUDE to a specific *DEVD, or give *PUBLIC *EXCLUDE and the user who has to work on that workstation *USE.
-- Wim van den Heuvel
This was first published in March 2001