We are using Datacom/AD External Security with RACF, and would like to define security so that one user can only use DBSQLPR in batch and can only read the data. Is that possible?
Component : Datacom/AD
Component : Datacom/DB
Component : CA 7 Workload Automation
With Datacom, you can define specific accesses for different databases and tables that are tied to how the data is accessed; these access routes are called paths. There are ten different paths, and access can be granted in different ways for each of them. For example, you can have CICS access using SQL or non-SQL requests, access through Datacom Server, or other possibilities. These ten paths and their related resource classes are identified through the MUF Startup Options SECURITY statement.
Having all ten paths use the same resource class (DCTABLE, or DC@ABLE for RACF) allows you to grant access to your data generically through one set of profiles in a single RACF resource class. To allow your user only read access using SQL in batch mode, we first need to define a new resource class that will be used for SQL batch and grant access in it to everyone who has access in the current DC class. We then deny this user access to everything in the current DC class and permit read access in the new SQL batch class.
Finally, we need to change the SECURITY option to use the new class for SQL batch requests.
Here are the details to make this change.
1. Define a new resource class, called DS, modeled after the DC class statements used with the CA 7 configuration.
RDEFINE CDT DS@ABLE UACC(NONE) -
CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42) -
OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(?) RACLIST(REQUIRED))
*
SETROPTS RACLIST(CDT) REFRESH
*
SETROPTS CLASSACT(DS@ABLE) RACLIST(DS@ABLE) GENERIC(DS@ABLE)
*
RDEFINE DS@ABLE cxxname.DB00002.* UACC(NONE)
RDEFINE DS@ABLE cxxname.DB00015.* UACC(NONE)
RDEFINE DS@ABLE cxxname.DB00770.* UACC(NONE)
RDEFINE DS@ABLE cxxname.DB01000.* UACC(NONE)
2. Grant access to DS@ABLE based on the current DC@ABLE definitions. Review these and change them if you have modified the default settings that we delivered.
PERMIT cxxname.DB00015.* CLASS(DS@ABLE) ID(CA7STC) ACC(READ)
PERMIT cxxname.DB00770.* CLASS(DS@ABLE) ID(CA7STC) ACC(ALTER)
PERMIT cxxname.DB01000.* CLASS(DS@ABLE) ID(CA7STC) ACC(READ)
*
* Set system programmer access
PERMIT cxxname.DB00002.* CLASS(DS@ABLE) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00015.* CLASS(DS@ABLE) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00770.* CLASS(DS@ABLE) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB01000.* CLASS(DS@ABLE) ID(CA7SPG) ACC(ALTER)
3. Grant the desired user access to SQL batch through the DS class for CA 7 (DB 770) and for the CA Datacom Dynamic System Tables (DB 1000).
PERMIT cxxname.DB00770.* CLASS(DS@ABLE) ID(userid1) ACC(READ)
PERMIT cxxname.DB01000.* CLASS(DS@ABLE) ID(userid1) ACC(READ)
4. Deny the user access to all other paths, which still use the DC class.
PERMIT cxxname.DB00770.* CLASS(DC@ABLE) ID(userid1) ACC(NONE)
PERMIT cxxname.DB01000.* CLASS(DC@ABLE) ID(userid1) ACC(NONE)
5. Change the MUF Startup Options for SECURITY.
Your current MUF Startup Options contain multiple SECURITY parameters; to implement this change, alter the DBDCSQL parameter to DBDSSQL. All other class-path parameters stay the same.
Once you have made the changes and refreshed the RACF classes, recycle the MUF to pick up the MUF Startup Option changes and to apply the new security profiles.
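Added here as a verification step that is not part of the original article: after the PERMIT commands, refresh the RACLISTed classes and display the profiles to confirm the access lists before recycling the MUF. cxxname and userid1 are the same placeholders used in the steps above.

```tso
* Refresh the in-storage copies of both classes so the new
* PERMIT entries take effect
SETROPTS RACLIST(DS@ABLE) REFRESH
SETROPTS RACLIST(DC@ABLE) REFRESH
*
* Display the access lists of the profiles that were changed.
* userid1 should appear with READ in DS@ABLE and with NONE in
* DC@ABLE; an explicit NONE in the access list overrides UACC,
* so the user is denied on every path that still uses DC@ABLE.
RLIST DS@ABLE cxxname.DB00770.* AUTHUSER
RLIST DS@ABLE cxxname.DB01000.* AUTHUSER
RLIST DC@ABLE cxxname.DB00770.* AUTHUSER
RLIST DC@ABLE cxxname.DB01000.* AUTHUSER
```

If userid1 is missing from the DC@ABLE access lists or shows anything other than NONE, repeat step 4 before recycling the MUF.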
For more information on setting up External Security for Datacom/AD that works with the CA Workload Automation CA 7 Edition product, please see the Datacom/AD Security documentation.