NODECHECK is a utility which gives VAX Cluster managers the ability to allow and disallow the users of that cluster to log into a given node. NODECHECK is entirely driven by the identifiers that the user holds and needs no privileges. Some system setup is required.

NODECHECK unconditionally allows users onto a node if they hold an identifier of the form ``<string>_ACCESS'' where the string is equal to the SYSGEN parameter SCSNODE (this should also be the DECnet node name). It will conditionally allow users holding an identifier in the list of identifiers specified by the /ALLOW qualifier to log in. Finally, users holding identifiers in the list of identifiers specified by the /DISALLOW qualifier will not be allowed to log in.

The /ALLOW and /DISALLOW qualifiers are conditional in that the user is allowed to log in if they have an identifier on the /ALLOW list and they don't have an identifier on the /DISALLOW list. If they hold an identifier on both lists, then the conflict is resolved by whether the user holds the ``<string>_ACCESS'' identifier.

The precedence of identifiers is:

1) Users holding ``<string>_ACCESS'' identifiers always get on.

2) Users only holding one or more identifiers on the /ALLOW list get on iff they do not hold any identifiers on the /DISALLOW list.

3) Users only holding one or more identifiers on the /DISALLOW list are not allowed to log on.

4) Users who do not hold either the ``<string>_ACCESS'' identifier or an identifier on the /ALLOW list are not allowed to log on.

SYSTEM SETUP: (The utterly simplified version.)

1) PAScal and LINk NODE_ACCESS

2) Move NODE_ACCESS.EXE to wherever you want it to live. (I use the system logical PRIV: to point to a directory where all system-type public-domain and locally written software live).

3) Edit NODECHECK.CLD so that the image line of the verb NODECHECK points to that directory.

4) Add the NODECHECK CLD file into the appropriate DCLTABLES.
   (In an environment where all systems share the same DCLTABLES, the command for this is:

     $ SET COMMAND /TABLE=SYS$LIBRARY:DCLTABLES -
           /OUTPUT=SYS$COMMON:[SYSLIB]DCLTABLES NODECHECK
   )

5) Reinstall DCLTABLES on each node in the cluster.
   (On each node execute the command:

     $ MCR INSTALL
     INSTALL> SYS$LIBRARY:DCLTABLES/REPLACE
   )

6) Add the appropriate NODECHECK command to SYLOGIN.COM.

EXAMPLES:

1) Say Joe Random Prof owned a workstation named RANDOM and he didn't want any STUDENTS to log on to his workstation but would allow all SYSTEM_MANAGEMENT and FACULTY on. Assuming that all students hold the identifier STUDENTS, all faculty hold the identifier FACULTY, and all system management types hold the identifier SYSTEM_MANAGEMENT, the command in SYLOGIN.COM would be:

     $ NODECHECK/OWNER="Joe Random Prof"/ALLOW=(SYSTEM_MANAGEMENT,FACULTY)-
           /DISALLOW=STUDENTS

   If a user held both the STUDENTS and SYSTEM_MANAGEMENT identifiers, but not the RANDOM_ACCESS identifier, that student could not log on.

2) If it is desired to allow most users onto the system and only exclude those who hold identifiers on the /DISALLOW list from a given node, then the system manager may grant an identifier to all users, say "USER", and include the USER identifier in the /ALLOW list. The above command would change to:

     $ NODECHECK/OWNER="Joe Random Prof"/ALLOW=(SYSTEM_MANAGEMENT,FACULTY,USER)-
           /DISALLOW=STUDENTS

   This would allow all users who do not hold the STUDENTS identifier to log onto the node RANDOM. Of course, users with the STUDENTS identifier who also hold the RANDOM_ACCESS identifier are allowed to log in.
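
The precedence rules and the two example commands above can be checked against a small model before SYLOGIN.COM is changed. The Python below is an added illustration, not NODECHECK's own Pascal source; the function names and the sample accounts are hypothetical, and identifiers are compared exactly as written.

```python
# Added illustration of the precedence rules described above; this is not
# NODECHECK's Pascal source. All function and account names are hypothetical.

def node_access(held, scsnode, allow=(), disallow=()):
    """Return (allowed, reason) for a user holding the identifiers in `held`."""
    held, allow, disallow = set(held), set(allow), set(disallow)
    # Rule 1: <SCSNODE>_ACCESS always gets on, even with a /DISALLOW identifier.
    if f"{scsnode}_ACCESS" in held:
        return True, "holds node access identifier"
    # Rules 2 and 3: without the node identifier, any /DISALLOW identifier
    # denies access, whether or not an /ALLOW identifier is also held.
    if held & disallow:
        return False, "holds /DISALLOW identifier"
    if held & allow:
        return True, "holds /ALLOW identifier"
    # Rule 4: neither the node identifier nor an /ALLOW identifier.
    return False, "no qualifying identifier"

# Constructed sample accounts (not from the original text).
USERS = {
    "PROF":       {"FACULTY", "USER"},
    "STAFF":      {"USER"},
    "STUDENT":    {"STUDENTS", "USER"},
    "STUDENT_OP": {"STUDENTS", "SYSTEM_MANAGEMENT", "USER"},
    "STUDENT_RA": {"STUDENTS", "RANDOM_ACCESS", "USER"},
}

def evaluate(allow, disallow, scsnode="RANDOM"):
    """Map each sample account to True/False for one NODECHECK command."""
    return {name: node_access(ids, scsnode, allow, disallow)[0]
            for name, ids in USERS.items()}

# The two SYLOGIN.COM commands from the EXAMPLES section.
EXAMPLE_1 = evaluate(("SYSTEM_MANAGEMENT", "FACULTY"), ("STUDENTS",))
EXAMPLE_2 = evaluate(("SYSTEM_MANAGEMENT", "FACULTY", "USER"), ("STUDENTS",))

if __name__ == "__main__":
    for name in USERS:
        print(f"{name:11} example 1: {EXAMPLE_1[name]!s:5}  example 2: {EXAMPLE_2[name]}")
```

Adding USER to the /ALLOW list changes the result only for STAFF; STUDENT_OP is still refused under both commands and STUDENT_RA still gets on.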