(* This file contains examples of $FORBID statements to implement *)
(* special security requests.                                     *)

(* Restrict TEST account users to a list of LDEVs *)
$FORBID
   "POS('/'+STRWRITE(HPLDEVIN)+'/', '/21/25/100/113/134/150/') = 0"
   "Sorry, you are not permitted to sign on to this terminal."
   @.TEST&ONLINE

(* Don't let anyone without AM capability on at night. *)
$FORBID
   "NOT BETWEEN(CLOCK,6AM,6PM)"
   "Sorry, you may not sign on after 6PM or before 6AM."
   CAP<>AM&CAP<>SM&ONLINE

(* Don't allow dialins on weekends *)
$FORBID "HPDAY=1 OR HPDAY=7"
   "Sorry, you may not sign on to the dialin port on weekends."
   LDEV=21 LDEV=22 LDEV=23

$FORBID "JSCOUNT(HPJOBNAME+',@.@&ONLINE')>1"
   "Only one session allowed per session name!"
   @.@&ONLINE

$FORBID "JSCOUNT('@,'+HPUSER+'.@,@&ONLINE')>1"
   "Only one session allowed per user-id, regardless of account."
   @.@&ONLINE

$FORBID "JSCOUNT('@.'+HPACCOUNT&ONLINE)>5"
   "Only 5 sessions at a time are allowed in this account"
   @.ACCT&ONLINE

$FORBID "HPUSER<>HPGROUP"
   "Logon group must match user name."
   @.acct&ONLINE

$FORBID "HPGROUP<>HPHGROUP"
   "You must log on to your own home group."
   @.acct&ONLINE

$FORBID "HPLDEVIN=HPCONSOLE&(HPUSER<>'OPERATOR'|HPACCOUNT<>'SYS')"
   "Only OPERATOR.SYS allowed to sign on to the CONSOLE."
   @.@

$FORBID "HPGROUP='PRIV'"
   "Sorry, you are not allowed to log into group PRIV."
   CAP<>AM&CAP<>SM

$FORBID "JSCOUNT('userset&BATCH')>2"
   "Sorry, only 2 report jobs allowed at a time."
   userset&BATCH

(* Forbid ;HIPRI logons from LDEV 25. *)
$FORBID "HPSESLIMIT=0"
   "Can't logon now."
   LDEV=25

(* Set up a profile of sessname,@.@ that can log on anywhere that *)
(* doesn't have SM capability. *)
$FORBID "CAPABILITY('SM')"
   "Sorry, you are not allowed to sign on as an SM user."
   sessname,@.@

(* Don't allow logons during backups.  The first example assumes *)
(* the backup job builds a file called BACKUP.FLAG.SYS when it   *)
(* starts, and purges it when it is finished.                    *)
$FORBID "FEXISTS('BACKUP.FLAG.SYS')"
   "The system backup is still in progress..."
   @.@&CAP<>SM
(* or *)
$FORBID "JSCOUNT('BACKUP,@.@')>0"
   "The BACKUP job is still running..."
   @.@&CAP<>SM

(* Let the operator prevent logons to certain accounts.   *)
(* To keep people out of the FOOBAR account, OPERATOR.SYS *)
(* simply does a :BUILD FOOBAR.FORBID; to re-enable the   *)
(* account, do a :PURGE FOOBAR.FORBID                     *)
$FORBID "FEXISTS(HPACCOUNT+'.FORBID.SYS')"
   "Access to this account temporarily forbidden by operator."
   @.@&CAP<>SM&ONLINE

(* Additional password for SM users *)
$FORBID
"'YOUR PASSWORD'<>READSTRING('Enter SM password: ','NOECHO,UPSHIFT')"
"Sorry, that was the wrong answer!"
CAP=SM&ONLINE