Counting Logon Violations

You can maintain a count of successive logon violations for each usercode or accesscode, and the usercode or accesscode can automatically be suspended when the number of logon violations reaches a specified limit. You can automatically reactivate the usercode or accesscode after a delay. The following usercode attributes control this feature:

Usercodes

  • SAVELOGONVIOL

  • LOGONVIOLLIMIT

Accesscodes

  • ACSAVELOGONVIOL

  • ACDEFLOGONLIMIT

  • ACLOGONVIOLLIMIT of ACLOGONINFO

You can enable logon violation counting for usercodes, accesscodes, or both. The SAVELOGONVIOL and ACSAVELOGONVIOL attributes determine which counter is incremented. If both are enabled, each logon violation affects only one counter. If an accesscode is being validated, the accesscode counter is incremented; otherwise the usercode counter is incremented.

SAVELOGONVIOL Attribute

The usercode attribute SAVELOGONVIOL causes logon violations for the usercode to be tallied. If SAVELOGONVIOL is set to TRUE, the LOGONVIOLCOUNT attribute maintains a count of successive logon violations.

If both the SAVELOGONVIOL and SAVEVIOLCOUNT attributes are set, logon violations are only tallied in the LOGONVIOLCOUNT attribute; other violations are tallied in the VIOLATIONCOUNT attribute.

LOGONVIOLLIMIT Attribute

Use the usercode attribute LOGONVIOLLIMIT to determine whether the usercode is to be automatically suspended after a specified number of successive logon violations. If the LOGONVIOLCOUNT is greater than the LOGONVIOLLIMIT attribute value, then the usercode is suspended.

When the usercode is suspended, the following occurs:

  • The SUSPENDED usercode attribute is assigned the value TRUE.

  • The SUSPENDEDCODE usercode attribute is assigned the value 4.

  • If the SUSPENDDELAY security option has a non-zero value, the SUSPENDTIME usercode attribute is set to the current time plus SUSPENDDELAY minutes.

Automatic Reactivation of a Suspended Usercode

If the SUSPENDDELAY security option has a non-zero value, then a suspended usercode automatically reactivates after the specified number of minutes.

If a further logon attempt is made once the SUSPENDDELAY time has elapsed, the following occurs:

  • The SUSPENDED usercode attribute is assigned the value FALSE.

  • The SUSPENDEDCODE usercode attribute is assigned the value 0.

  • The SUSPENDTIME usercode attribute is assigned the value 0.

  • The LOGONVIOLCOUNT usercode attribute is assigned the value 0.

These actions are only taken if the SUSPENDEDCODE usercode attribute has the value of 4. Otherwise you can manually reactivate the usercode by following these steps:

  1. Reset the LOGONVIOLCOUNT attribute to 0 (zero) so that the usercode is not suspended again after the next logon violation.

  2. Reset the SUSPENDED attribute to FALSE.

  3. Reset the SUSPENDEDCODE attribute to 0 (zero).

Use the following MAKEUSER syntax or Security Center to manually reactivate a suspended usercode:

USER U -SUSPENDED SUSPENDEDCODE = 0 LOGONVIOLCOUNT = 0

Clearing the Logon Violations Count

After a successful logon, the LOGONVIOLCOUNT usercode attribute is set to 0.
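To make the interaction of these attributes concrete, the following is an added model of the usercode rules described above; it is not Unisys code, and the Usercode class, logon_attempt and manual_reactivate are assumptions. It replays the documented behaviour: the count advances on each violation, the usercode is suspended with SUSPENDEDCODE 4 once the count exceeds LOGONVIOLLIMIT, SUSPENDTIME is set only when SUSPENDDELAY is non-zero, and the next attempt after the delay clears the suspension. It assumes that an attempt against a still-suspended usercode is simply rejected without touching the count, which the page does not state.

```python
from dataclasses import dataclass

# Value the page gives for a suspension caused by logon violations.
SUSPENDEDCODE_LOGONVIOL = 4


@dataclass
class Usercode:
    """Constructed model of the usercode attributes named on the page."""
    SAVELOGONVIOL: bool = True
    LOGONVIOLLIMIT: int = 3
    LOGONVIOLCOUNT: int = 0
    SUSPENDED: bool = False
    SUSPENDEDCODE: int = 0
    SUSPENDTIME: int = 0      # minutes in this model; 0 means not set


def logon_attempt(u: Usercode, password_ok: bool, now: int, SUSPENDDELAY: int) -> bool:
    """Apply one logon attempt at time `now` (minutes). Returns True if logon succeeds."""
    # Automatic reactivation: only for SUSPENDEDCODE 4, only when the
    # SUSPENDDELAY security option is non-zero, and only once it has elapsed.
    if (u.SUSPENDED and u.SUSPENDEDCODE == SUSPENDEDCODE_LOGONVIOL
            and SUSPENDDELAY != 0 and now >= u.SUSPENDTIME):
        u.SUSPENDED = False
        u.SUSPENDEDCODE = 0
        u.SUSPENDTIME = 0
        u.LOGONVIOLCOUNT = 0
    if u.SUSPENDED:
        return False          # assumption: rejected, count untouched
    if password_ok:
        u.LOGONVIOLCOUNT = 0  # a successful logon clears the count
        return True
    # Logon violation: tallied only when SAVELOGONVIOL is TRUE.
    if u.SAVELOGONVIOL:
        u.LOGONVIOLCOUNT += 1
        if u.LOGONVIOLCOUNT > u.LOGONVIOLLIMIT:   # strictly greater, as documented
            u.SUSPENDED = True
            u.SUSPENDEDCODE = SUSPENDEDCODE_LOGONVIOL
            if SUSPENDDELAY != 0:
                u.SUSPENDTIME = now + SUSPENDDELAY
    return False


def manual_reactivate(u: Usercode) -> None:
    """Equivalent of: USER U -SUSPENDED SUSPENDEDCODE = 0 LOGONVIOLCOUNT = 0"""
    u.LOGONVIOLCOUNT = 0
    u.SUSPENDED = False
    u.SUSPENDEDCODE = 0
```

Note that with LOGONVIOLLIMIT = 3 the suspension happens on the fourth successive violation, because the test is "greater than", not "equal to".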

ACSAVELOGONVIOL Attribute

The usercode attribute ACSAVELOGONVIOL causes successive logon violations for the accesscodes for the usercode to be tallied. This includes attempts to change the accesscode for a session. If ACSAVEVIOLCOUNT is set to TRUE, the ACLOGONVIOLCOUNT attribute (a member of the ACLOGONINFO group) maintains a count of successive logon violations caused by each accesscode for the usercode.

ACLOGONVIOLCOUNT is a system-maintained usercode attribute. For additional information about system-maintained attributes, refer to System-Maintained Usercode Attributes.

ACDEFLOGONLIMIT Attribute

Use the usercode attribute ACDEFLOGONLIMIT to determine the default value of the ACLOGONVIOLLIMIT group attribute when an accesscode logon violation causes a new group entry to be made in the ACLOGONINFO group.

ACLOGONVIOLLIMIT Attribute (an item in the ACLOGONINFO group)

Use the usercode attribute ACLOGONVIOLLIMIT to determine whether an accesscode is to be automatically suspended after a specified number of successive logon violations have occurred. If the ACLOGONVIOLCOUNT value is greater than the ACLOGONVIOLLIMIT attribute value, then the accesscode is suspended. When a new entry is made to the ACLOGONINFO group, the value of ACLOGONVIOLLIMIT is set from the ACDEFLOGONLIMIT attribute.

When the accesscode is suspended, the following occurs:

  • The ACSUSPENDED attribute is assigned the value TRUE.

  • The ACSUSPENDEDCODE attribute is assigned the value 4.

  • If the SUSPENDDELAY security option has a non-zero value, the ACSUSPENDTIME attribute is set to the current time plus SUSPENDDELAY minutes.

Automatic Reactivation of a Suspended Accesscode

If the SUSPENDDELAY security option has a non-zero value, a suspended accesscode is automatically reactivated after the specified number of minutes.

If a further logon attempt is made once the SUSPENDDELAY time has elapsed, the following occurs:

  • The ACSUSPENDED usercode attribute is assigned the value FALSE.

  • The ACSUSPENDEDCODE usercode attribute is assigned the value 0.

  • The ACSUSPENDTIME usercode attribute is assigned the value 0.

  • The ACLOGONVIOLCOUNT usercode attribute is assigned the value 0.

These changes are usually made by deleting the ACLOGONINFO and ACVIOLINFO group entries for the accesscode. If the value of ACLOGONVIOLLIMIT differs from ACDEFLOGONLIMIT, the ACLOGONINFO entry is retained. If the value of ACVIOLLIMIT differs from ACDEFVIOLLIMIT or the value of ACVIOLCOUNT is greater than 0, the ACVIOLINFO entry is retained.

These actions will only be taken if the ACSUSPENDEDCODE usercode attribute has the value 4. Otherwise, you can manually reactivate the accesscode by following these steps:

  1. Delete the ACLOGONINFO group entry so that the accesscode is not suspended again after the next logon violation.

  2. Reset the ACSUSPENDED attribute to FALSE.

  3. Reset the ACSUSPENDEDCODE attribute to 0 (zero).

To reactivate a suspended accesscode, use Security Center or the following MAKEUSER syntax:

USER U ACVIOLINFO AT ACVIOLNAME = "A"
           (- ACSUSPENDED ACSUSPENDEDCODE = 0)
       ACLOGONINFO AT ACLOGONNAME = "A"
           (ACLOGONVIOLCOUNT = 0)

Clearing the Accesscode Logon Violation Count

After a successful logon, the ACLOGONINFO and ACVIOLINFO group entries for the accesscode are deleted. If the value of ACLOGONVIOLLIMIT differs from ACDEFLOGONLIMIT, the ACLOGONINFO entry is retained. If the value of ACVIOLLIMIT differs from ACDEFVIOLLIMIT or the value of ACVIOLCOUNT is greater than 0, the ACVIOLINFO entry is retained.