Logging On

This section describes the rules which apply when a user logs on to Natural under Natural Security. It covers the following topics:


Logon Procedure

Note:
If a user invokes Natural under Natural Security and the FNAT system file specified in the parameter file/module used is a non-Security system file, Natural cannot be started, and the user will receive an appropriate error message.

The logon procedure is used by Natural Security to ensure that the user who is logging on to Natural is authorized for the library requested.

A logon must be executed successfully before any Natural session can be started.

A logon screen (on mainframe computers and Linux) or logon dialog box (under Windows) is provided for the user to enter the information required for the logon.

Logon Screen / Logon Dialog Box

When Natural Security is installed, the Natural Security logon screen will be displayed whenever a user invokes Natural.

Under Windows, the logon screen is displayed as a dialog box (for the sake of consistency, however, it will also be referred to as "logon screen").

The logon screen requests the user to enter the following:

Field Explanation
Library ID

The ID of the library to be used.

To determine which libraries are available, the user may enter his/her user ID in the user ID field and an asterisk (*) in the library ID field: a list of all libraries available to the user will be displayed. The list contains all non-protected libraries and all protected libraries to which the user is linked (either directly, or via a group whose security profile is activated). The list also contains all libraries available to the user's terminal (if the terminal is defined to Natural Security. To view a list of all libraries available to the terminal, the user may enter an asterisk (*) in the library ID field without entering a user ID.)

Note:
For a logon from the Natural Studio in a client environment via the Natural Development Server to a Map Environment on a mainframe server, the specification of an asterisk (*) as library ID is not possible.

User ID  

The ID by which the user is defined to Natural Security.

The ID of a group must not be entered. A terminal ID must not be entered either.

If a user ID is entered, a password must also be entered. If no user ID is entered, no password is required.

If no user ID is entered, Natural Security will use the ID of the terminal being used. In this case the terminal has to be defined to Natural Security; otherwise the logon will be rejected.

Password  

The password specified in the user's security profile.

If no password has been specified in the user's security profile, the password will be identical to the user ID (when a newly defined user logs on for the first time and the password is identical to the user ID, the user must change his/her password by entering a new password in the New Password field).

New Password 

A new password can only be entered in this field, if a valid password is entered in the Password field.

If a valid password has been entered in the Password field and the user wishes/has to change that password, the user enters a new password in this field. This new password then replaces the old one and will from then on be the valid password for the user.

Note:
If the user authentication is performed via an LDAP server, this field is not available.

Passwords

By default, Natural Security uses "regular" passwords of up to 8 characters. However, it also supports the use of password phrases, that is, passwords which are longer than 8 characters. The use of password phrases is activated by the option Password phrases active in the User Preset Values section of Administrator Services.

Unless otherwise stated, the term password in the Natural Security documentation applies to passwords of any length.

In a user's security profile, a Natural Security administrator may set or change the user's password. The administrator may also set a time interval, after which the user will be forced to change his/her password when logging on. See New Password and Change after nnn days in Components of a User Profile.

If a user has forgotten his/her password, he/she has to contact the Natural Security administrator, who then specifies a new password in the user's security profile. This will then be the valid password for the user (which he/she may change again in the logon screen).

Several rules can be applied to the usage of passwords. For this purpose, various options are available in the User Preset Values section of Administrator Services.

Rejected Logon

A logon to a library will be rejected if:

  • the user is not defined to Natural Security;

  • the user's security profile is currently inactive (due to Activation Dates settings);

  • the user is defined as user type "Member" and has not been assigned to a group;

  • the user is defined as user type "Member", and the security profile of the group to which he/she is assigned is currently inactive (due to Activation Dates settings);

  • the library is not defined to Natural Security;

  • the time window restrictions defined in the library's security profile do not permit use of the library at the time of the logon;

  • the library is protected and the user is not linked to the library;

  • the library is protected and the user is linked to it, but the link has been temporarily locked;

  • the library is protected, and the group via which the user is linked to the library is currently inactive (due to Activation Dates settings in the group security profile);

  • a non-existent startup transaction is specified in the library's security profile;

  • the NEXT/MORE line is not allowed nor a startup transaction specified in the library's security profile.

Logon Without Library ID

If no library ID is entered in the logon screen, the default library specified in the user's security profile will be invoked.

If no default library is specified in the user's security profile, the Privileged Groups specified in the user's security profile will be checked (in order of entry) for a default library.

If none of the Privileged Groups has a default library either, the user's private library will be invoked.

If neither default libraries nor a private library exist, the user must enter a library ID when he/she logs on.

RESTART and FIN as Library IDs

If RESTART is entered as the library ID, the last RESTARTable library to which the user was logged on will be invoked (for details on the "RESTART" option, see Transactions in the section Components of a Library Profile).

Note:
The ID of the last RESTARTable library to which a user was logged on is shown in the field Last Library in the user security profile.

If FIN is entered as the library ID, the Natural session will be terminated.

Successful Logon

After a successful logon to a library, the startup transaction specified in the library's security profile is invoked. If no startup transaction is specified there, the Natural main menu is invoked.

Note:
Internally, Natural Security performs an END OF TRANSACTION statement after a successful logon if any of the following applies:

  • the user's password has been changed during the logon procedure;

  • a logon error has occurred during the logon procedure;

  • the Logon recorded option in the user's or the library's security profile is set to "Y";

  • the Restart option in the library profile is set to "Y";

  • the general option Lock User Option in Administrator Services is set to"X".

LOGON Command

If the first logon to a library at the beginning of a Natural session was successful, a user may change from one library to another by using the Natural system command LOGON.

See also the Natural System Commands documentation for information on the LOGON system command.

The LOGON command takes the following parameters:

  • If no parameter is specified, the default library will be invoked (either the user's or one of the privileged group's); if no default library is specified, the Natural Security logon screen will be invoked. For example:

    LOGON
  • If one parameter is specified, it will be interpreted as a library ID. For example:

    LOGON LIBX
    LOGON *
  • If two parameters are specified, the first will be interpreted as a user ID, the second as a password. For example:

    LOGON USERX PASSWX
  • If three parameters are specified, the first will be interpreted as a library ID, the second as a user ID, the third as a password. For example:

    LOGON LIBX USERX PASSWX
  • If four parameters are specified, the first will be interpreted as a library ID, the second as a user ID, the third as a password, the fourth as a new password. For example:

    LOGON LIBX USERX PASSWX NEWPASSX

LOGON Command Errors

If an error is detected during logon processing, Natural Security will display an error message.

If the LOGON command has been issued from a library, Natural Security will invoke the error transaction defined for that library. If no error transaction is defined, the logon screen will be invoked.

Automatic Logon

Users would normally have to log on twice, first to the operating system and second to Natural. To eliminate the need for a second logon, you may set the Natural profile parameter AUTO to AUTO=ON (see Natural Parameter Reference documentation).

As a result, an internal Natural Security logon procedure will be invoked, which uses the operating-system login name (as contained in the Natural system variable *INIT-USER) as the user ID, but no password (on the assumption that this has been verified by the operating-system logon procedure). The Natural Security logon screen will be suppressed. A logon with a user ID other than the operating-system login name will not be possible.

If AUTO=ON is used, the user has no possibility of specifying a library ID. The library to which the user will be logged on is determined by the same rules as described under Logon Without Library ID above. This means that automatic logon is only possible if a default library is specified (for the user or one of his/her Privileged Groups) or the user has a private library.

If you combine AUTO=ON with specifying a default library in a user's security profile and with specifying a startup transaction for that library, the user will receive the first screen of the default library immediately after invoking Natural without having to pass any intermediate screens (default libraries are described under Components of a User Profile in the section User Maintenance, startup transactions under Transactions in the section Library Maintenance).

If AUTO=ON is set, the system command LOGOFF has the same result as the system command FIN (see How to End a Natural Session below).

If AUTO=ON is set, and after the initial automatic logon the user tries to log on to another library and causes a logon error, the error transaction for the current library will be invoked. If no error transaction is specified, an error message will be issued and then the startup transaction (if specified) for the current library will be invoked.

Note:
With Natural Single Point of Development, the user must always specify his/her user ID and password in the Map Environment dialog, even if AUTO=ON is set.

Logon Customization

This section describes the options available for logon customization:

Customization of Logon Screen / Logon Dialog Box

You can change the layout of the logon screen / dialog box to suit your requirements.

By default, the logon screen / dialog box is invoked by the user exit LOGONEX1.

Logon Screen on Mainframe Computers and Linux

The source code of the logon screen is the map NOGONM1,which is provided in the library SYSSEC.

Start of instruction setTo customize the logon screen:

  1. Make a copy of NOGONM1 and store it under the name LOGONM1.

  2. Modify LOGONM1 to suit your requirements, and catalog it.

  3. Copy the cataloged object LOGONM1 into the library SYSLIB.

Should LOGONM1 be missing from SYSLIB, the Natural Security installation procedure will automatically copy the object module NOGONM1 from SYSSEC to SYSLIB and store it there under the name LOGONM1. This ensures that a default logon screen is always present if no customized one is used.

Logon Dialog Box on Windows

For the logon dialog box on Windows, the customization procedure is the same as described above - except that the source/object names are different; see table below.

Logon Screen / Dialog Box for Password Phrases

If the option Password phrases active in User Preset Values is set to "Y" or "A", the logon screen / dialog box is invoked by the user exit LOGONEX0 instead of LOGONEX1. The customization procedure is the same as described above - except that the source/object names are different; see table below.

Logon Screen / Dialog Box with LDAP (on Linux and Windows only)

If the Authentication Type is set to "LDAP" in the LDAP security profile, the logon screen / dialog box is invoked by the user exit LOGONSX1 instead of LOGONEX1. The customization procedure is the same as described above - except that the source/object names are different; see table below.

Source/Object Names of Logon Screen / Dialog Box

Logon Screen / Dialog Box Invoked by User Exit Source in Library SYSSEC Object in Library SYSLIB
LOGONEX1 NOGONM1 (map) LOGONM1
NOGONG1 (dialog box) GLOGONM1
LOGONEX0 (if authentication option is not active) NOGONMX1 (map) LOGONMX1
NOGON0G1 (dialog box) GLOGON01
LOGONEX0 (if authentication option is active) NOGONMZ1 (map) LOGONMZ1
NOGONXG1 (dialog box) GLOGONX1
LOGONSX1 NOGONSM1 (map) LOGONSM1
NOGONSG1 (dialog box) GLOGONS1

Logon-Related User Exits

In addition to those mentioned above, Natural Security provides several other user exits which may be used to customize the logon procedure. See Logon-Related User Exits.

APIs for Access Verification and User Authentication

Natural Security provides several application programming interfaces (APIs) which can be used for access verification and user authentication. See Application Programming Interfaces.

How to End a Natural Session

The following Natural system commands may be used to end a Natural session under Natural Security:

Command Explanation
LOGOFF This command terminates a Natural session and invokes the logon screen. To leave the logon screen, you enter FIN as the library ID.

If the profile parameter AUTO=ON is set (see Automatic Logon above), the LOGOFF command has the same effect as the FIN command.

LOGON
(without parameters) 
This command  terminates a Natural session and starts the logon procedure, invoking either a default library or the logon screen (if no default library is defined).

See also Automatic Logon above.

FIN   This command terminates a Natural session and is used to leave Natural altogether.
Warning:
Natural Security cannot protect your Natural environment against unauthorized use if Natural users leave their terminals unattended whilst being logged on to Natural. Therefore, users should be reminded to use the LOGOFF command before they leave their terminal. Unauthorized persons will then be confronted with the Natural Security logon screen and may only use what has been defined for them to use under Natural Security.

In library security profiles, you can specify a non-activity time limit, after which a logoff will be executed automatically.