
Defining External Security for CA 7 only for DBSQLPR


Article ID: 211369




DATACOM - AD CA 7 Workload Automation


We are using CA Datacom/AD External Security with RACF, and would like to define this security for one user to only use DBSQLPR in batch to only read the data. Is that possible?



Component : CA Datacom/AD

Component : CA 7 Workload Automation


With CA Datacom, you can define specific accesses for different databases and tables that are tied to how the data would be accessed, called paths. There are ten different paths, and access can be granted in different ways for them. For example, you can have CICS access using SQL or non-SQL requests, access through CA Datacom Server, or other possibilities. These ten paths and the related resource classes are identified through the MUF Startup Options SECURITY statement.

Having all ten paths use the same resource class (DCTABLE, or [email protected] for RACF) allows you to generically grant access to your data in one RACF resource class set of profiles. In order to allow your user to only have read access using SQL in batch mode, we need to first define a new resource class that will be used for SQL batch and grant everyone access who has access in the current DC class. We will then deny access for this user to everything in the current DC class and permit read access in the new SQL batch class.

Finally, we need to change the SECURITY option to use the new class for SQL batch requests.

Here are the details to make this change.

1. Define a new resource class, called DS, modeled after the DC class statements used with CA 7 configuration

RDEFINE CDT [email protected] UACC(NONE) CDTINFO( -
OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(?) RACLIST(REQUIRED))
SETROPTS RACLIST(CDT) REFRESH                          
SETROPTS CLASSACT([email protected]) RACLIST([email protected]) GENERIC([email protected])               
RDEFINE [email protected] cxxname.DB00002.* UACC(NONE)
RDEFINE [email protected] cxxname.DB00015.* UACC(NONE)
RDEFINE [email protected] cxxname.DB00770.* UACC(NONE)
RDEFINE [email protected] cxxname.DB01000.* UACC(NONE)

2. Grant access to [email protected] based on current [email protected] definitions. You will need to review these and change them if you have modified the default settings that we delivered.

PERMIT cxxname.DB00015.* CLASS([email protected]) ID(CA7STC) ACC(READ)
PERMIT cxxname.DB00770.* CLASS([email protected]) ID(CA7STC) ACC(ALTER)
PERMIT cxxname.DB01000.* CLASS([email protected]) ID(CA7STC) ACC(READ) 
*  Set system programmer access
PERMIT cxxname.DB00002.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00015.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00770.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB01000.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)

3. Grant the desired user access to SQL batch through the DS class for CA 7 (DB 770) and for the CA Datacom Dynamic System Tables (DB 1000)

PERMIT cxxname.DB00770.* CLASS([email protected]) ID(userid1) ACC(READ)
PERMIT cxxname.DB01000.* CLASS([email protected]) ID(userid1) ACC(READ)

4. Deny the user access to all other paths that use the DC class

PERMIT cxxname.DB00770.* CLASS([email protected]) ID(userid1) ACC(NONE)
PERMIT cxxname.DB01000.* CLASS([email protected]) ID(userid1) ACC(NONE)

5. Change MUF Startup Options for SECURITY

Your current MUF Startup Options contain multiple SECURITY parameters. To implement this change, replace the DBDCSQL parameter with DBDSSQL. All other class-path parameters stay the same.

Once you make the changes and refresh the RACF classes, you will need to recycle the MUF to pick up the MUF Startup Option changes and to apply the new security profiles.
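A pre-change check for steps 2 through 4, added here as an example and not taken from the original article or the product: it parses PERMIT commands and reports IDs whose access in the new class does not match the current class, and read-only users who lack the explicit ACC(NONE) entry. The class names DCCLASS and DSCLASS are placeholders for the real RACF class names, the helper names are hypothetical, and the sample commands are constructed.

```python
import re

# Placeholder class names (assumption): stand-ins for the page's real RACF
# class names. DCCLASS = current class, DSCLASS = new SQL batch class.
OLD_CLASS, NEW_CLASS = "DCCLASS", "DSCLASS"

PERMIT_RE = re.compile(
    r"^\s*PERMIT\s+(\S+)\s+CLASS\(([^)]+)\)\s+ID\(([^)]+)\)\s+ACC(?:ESS)?\((\w+)\)",
    re.IGNORECASE)

def parse_permits(text):
    """Map (class, profile, userid) -> access from PERMIT command lines."""
    acl = {}
    for line in text.splitlines():
        m = PERMIT_RE.match(line)
        if m:  # comment lines and other commands are skipped
            profile, cls, ids, acc = m.groups()
            for uid in ids.replace(",", " ").split():
                acl[(cls.upper(), profile, uid.upper())] = acc.upper()
    return acl

def review(acl, read_only_ids):
    """List findings to resolve before DBDCSQL is changed to DBDSSQL."""
    findings = []
    pairs = sorted({(p, u) for (_, p, u) in acl})
    for profile, uid in pairs:
        old, new = (acl.get((c, profile, uid)) for c in (OLD_CLASS, NEW_CLASS))
        if uid in read_only_ids:
            if new not in (None, "READ", "NONE"):
                findings.append(f"{uid} {profile}: {NEW_CLASS} access {new} exceeds READ")
            if new == "READ" and old != "NONE":
                findings.append(f"{uid} {profile}: no explicit ACC(NONE) in {OLD_CLASS}")
        elif old not in (None, "NONE") and new != old:
            findings.append(
                f"{uid} {profile}: {OLD_CLASS}={old} but {NEW_CLASS}={new or 'no entry'}")
    return findings

# Constructed sample: the DSCLASS copy of CA7STC's DB00770 permit and
# userid1's DB01000 deny in DCCLASS are deliberately missing.
SAMPLE = """
PERMIT cxxname.DB00770.* CLASS(DCCLASS) ID(CA7STC) ACC(ALTER)
PERMIT cxxname.DB01000.* CLASS(DCCLASS) ID(CA7STC) ACC(READ)
PERMIT cxxname.DB01000.* CLASS(DSCLASS) ID(CA7STC) ACC(READ)
*  desired read-only SQL batch user
PERMIT cxxname.DB00770.* CLASS(DSCLASS) ID(userid1) ACC(READ)
PERMIT cxxname.DB01000.* CLASS(DSCLASS) ID(userid1) ACC(READ)
PERMIT cxxname.DB00770.* CLASS(DCCLASS) ID(userid1) ACC(NONE)
"""

if __name__ == "__main__":
    print(*review(parse_permits(SAMPLE), {"USERID1"}), sep="\n")
```

An empty result means every ID permitted in the current class has the same access in the new class and each read-only user is limited to READ there with an explicit deny in the current class.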

Additional Information

For more information on setting up External Security for CA Datacom/AD that works with the CA Workload Automation CA 7 Edition product, please see the CA Datacom/AD Security documentation.