All about users - both domain and local - and how they affect CA XCOM Data Transport

Document ID : KB000011222
Last Modified Date : 14/02/2018
Question:

It's important to understand the difference between a domain user and a local user and how that affects CA XCOM Data Transport.

Environment:
XCOM r11.6 for Windows
XCOM r11.6 or r12 for z/OS
Answer:

Some CA XCOM Data Transport platforms (e.g. z/OS and UNIX) now include the DOMAIN parameter among their transfer control parameters. Using this parameter, you can organize your userids under various Windows domains. On the z/OS platform, for example, the DOMAIN parameter may be specified using any of the following:

  • XCOMJOB PARM parameter

  • Default options table parameter

  • Destination parameter

  • SYSIN01 parameter

The DOMAIN parameter is only effective for transfers to CA XCOM Data Transport (at 3.1 or later) running under Windows, as the concept of DOMAIN has no meaning on other platforms. If specified for other platforms, it is ignored. A non-blank DOMAIN parameter specified on the transfer will override the DOMAIN parameter specified in the xcom.glb file on the Windows machine.

When initiating transfers on CA XCOM for Windows, you can specify (e.g. via the GUI) both a local and a remote user. For the local user you can specify only a userid and password, not a domain. These local user credentials are used only when a transfer reads or writes a network file. Such a transfer causes a login to the network server using that userid and password.

Windows on that network server first looks for a locally defined user with that userid. If one is found, Windows uses it (provided the password is correct). If there is no such locally defined user, Windows looks for the user in its default domain, i.e. it asks the domain server. If the user is defined there (again with the right password), then the only thing that could still fail the transfer is a conflict with the security requirements for accessing the actual file.

Except for this network file access scenario, all locally initiated transfers use the user who initiated the transfer.

Now, for incoming transfers, initiated on a remote CA XCOM:

They can come with a userid and password only, or they can additionally specify the domain name. CA XCOM on Windows then makes a Windows LogonUser call with the credentials it has received from the remote partner. If only a userid and password were supplied, Windows tries to find a local user first. If there is none, it uses its default domain, i.e. it asks the domain server. So there should be no problem for a user who is only a domain user, as long as that domain is the CA XCOM machine's default domain, even when the other CA XCOM does not, or cannot, explicitly specify a domain name in its transfer parameters. It might be troublesome if the user is defined both locally and in the domain.

A domain user can log on locally as long as his userid is defined both in the domain and on the PC.
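
To find the userids that fall into the "defined both locally and in the domain" case described above, the local account database can be compared with the directory. The following is an added example, not code from CA XCOM or from this article; it assumes Windows PowerShell 5.1 or later on a domain-joined CA XCOM for Windows host, an account allowed to query the directory, and the function name `Get-ShadowedDomainUser` is hypothetical.

```powershell
# Added example (not CA XCOM code): list userids that exist both as a local
# account on this host and as a user in the host's domain. For these userids,
# a transfer that arrives without a domain is matched against the local
# account first, as the article describes.
function Get-ShadowedDomainUser {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is not domain-joined; there is no default domain to compare with."
        return
    }

    foreach ($local in Get-LocalUser) {
        # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
        $name = [regex]::Replace($local.Name, '[\\*()]',
            { param($m) '\{0:x2}' -f [int][char]$m.Value })

        # With no search root given, the searcher queries the current domain.
        $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
        $hit = $searcher.FindOne()

        if ($hit) {
            [pscustomobject]@{
                UserId       = $local.Name
                LocalEnabled = $local.Enabled
                Domain       = $cs.Domain
                DomainDN     = $hit.Properties['distinguishedname'][0]
            }
        }
    }
}

Get-ShadowedDomainUser | Format-Table -AutoSize
```

Each row is a userid for which the remote partner should specify the DOMAIN parameter explicitly, or for which one of the two definitions should be reviewed.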