[Info-vax] Job logicals linked to a process
Chris Townley
news at cct-net.co.uk
Fri Jan 8 20:15:50 EST 2021
On 09/01/2021 00:54, Stephen Hoffman wrote:
> On 2021-01-09 00:11:22 +0000, Chris Townley said:
>
>> All in the past,
>
> Yet you're here, asking this, which implies this mess is seemingly
> rather less in the past than might be preferred.
>
>> ...but we only allowed shared usernames in either totally read only,
>> or with updates authenticated and logged by other means.
>> The former had no password, and the second password was well known,
>> but without the secondary credentials was read only. Worked for years!
>>
>> Sadly now all in the past
>
> Not the first time I've heard folks ask for logins to manage logins, and
> not the first time—as has been done here—folks have implemented
> per-user logins to manage shared logins.
>
> Privileges to control privileges was another similarly classic request.
> Fun fact: there's a means to grant a user SETPRV privilege, but where
> that privilege is entirely unavailable for committing mayhem. But I
> digress.
>
> Generally, it's either best to either fix the shared login problem with
> per-user logins issued, or to do what management seemingly wants done
> here and ignore it.
>
> Which means you'll prolly end up adding your own login mechanism into
> SYLOGIN or the user's LOGIN, and preferably with the shared user marked
> as CAPTIVE or RESTRICTED or it'll get bypassed. Create your own login.
>
> It's been interesting watching how fast some of these cases can get fixed
> when management decides, too—more than a few of these cases go from
> "impossible" or "never" or "infeasible" or "unaffordable" to "done",
> once the issue is re-decided.
>
> But in other cases, management was somewhere between oblivious or
> overloaded or otherwise overwhelmed, and some management seemingly
> enjoyed keeping IT staff in intractable and untenable situations. Been
> there. Not Fun.
>
Totally not relevant now. The system was decommissioned in 2013, and the
company went into administration last May, and is now moribund.
Actually the solution was forced onto me by management, and I didn't
disagree with the reasoning. We already had a pretty good secondary
login, by clock number for our RDT users on FLT, or later with HHTs. I
simply extended this onto the captive generic accounts so that any
access for more than read only required secondary authorisation (note no
Z over here!)
It worked well, and avoided the productivity loss of multiple warehouse
users logging in and out just to enter one document or whatever.
I would probably not do it again, but back in the early noughties many
non-technical users struggled to get a password in within the timeout.
My only reason for asking was out of interest, as many years ago I could
have used it. I did reset the process name to include the clock number,
but that didn't always work.
Chris