How can we restrict IDMS DMLO user security access to retrieval mode only, without allowing permission for update.

Release : 19.0

Component : IDMS DML Online

DMLO provides 3 levels of security to restrict access to subschemas. It is implemented by adding program DBMSDMLO to each dictionary you want to protect.

To restrict update access to all users, add program DBMSDMLO to the dictionary with a PROGRAM DESCRIPTION indicating only retrieval usage modes are allowed.

For example, if level 1 security is to be used for this dictionary and only retrieval access modes allowed:

ADD PROGRAM DBMSDMLO VERSION IS 1
        PROGRAM DESCRIPTION IS 'SR,PR,ER'.

This will have to be defined in each dictionary you want to restrict access.

To allow update access to specific users only, security level 2 or level 3 needs to be used. 
The user must be defined in the dictionary.
Add program DBMSDMLO at version 2 or 3 and then specify the usage modes allowed in the PROGRAM DESCRIPTION of the USER statement. 

For example, to restrict access to retrieval only except for one specific user:

ADD PROGRAM DBMSDMLO VERSION IS 2
        PROGRAM DESCRIPTION IS 'SR,PR,ER'.
ADD USER userid USER DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'.

If centralized IDMS security is in use, users still need to be granted retrieval or update access to the database in IDMS security to be able to access the database. DMLO security does not override centralized IDMS security. 

For more information on DMLO security see article 38674 - How to implement DMLO security using program DBMSDMLO

And documentation section IDMS DMLO Security and Access Considerations