Security definitions for TASK codes in IDMS
search cancel

Security definitions for TASK codes in IDMS

book

Article ID: 25506

calendar_today

Updated On:

Products

IDMS IDMS - Database

Issue/Introduction

This article describes how to implement security for TASK codes in IDMS.

Environment

Release: All supported releases.

Resolution

Securing IDMS resources is implemented by assembling and linking a series of #SECRTT macros to produce the security table load module RHDCSRTT (See #SECRTT for complete parameter descriptions). TASK security is implemented by including a #SECRTT macro for RESTYPE=TASK. In the following example of assembling the RHDCSRTT, only the SIGNON and TASK resource types are being secured. The default value is SECBY=OFF for all resource types. In this example the TASK resource type is secured internally.

  //ASMSTEP EXEC PGM=ASMA90,
  //             REGION=512K
  //SYSLIB    DD DSN=your.IDMS.DISTMAC,DISP=SHR
  //             DD DSN=SYS1.MACLIB,DISP=SHR
  //SYSUT1    DD DSN=&&SYSUT1,UNIT=SYSDA,SPACE=(CYL,(15,10))
  //SYSUT2    DD DSN=&&SYSUT2,UNIT=SYSDA,SPACE=(CYL,(15,10))
  //SYSUT3    DD DSN=&&SYSUT3,UNIT=SYSDA,SPACE=(CYL,(15,10))
  //SYSPRINT  DD SYSOUT=*
  //SYSLIN    DD DSN=&&OBJECT,DISP=(NEW,PASS),UNIT=SYSDA,
  //             SPACE=(CYL,(15,10))
  //SYSIN     DD *
   #SECRTT TYPE=INITIAL,SVCNUM=176,SYSPROF=(DEFAULT,ON)
   #SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=INT
   #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=INT
   #SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=INT
   #SECRTT TYPE=FINAL
   END
  //LKED     EXEC PGM=IEWL,
  //            PARM=(XREF,LET,LIST,NCAL)
  //SYSPRINT DD SYSOUT=*
  //SYSUT1   DD UNIT=SYSDA,SPACE=(1700,(500,100))
  //SYSLMOD DD DSN=your.IDMS.DBA.LOADLIB,DISP=SHR
  //SYSLIN   DD DSN=&&OBJECT,DISP=(OLD,DELETE)
  //         DD *
  ENTRY SRTTEP1
  MODE  AMODE(31),RMODE(ANY)
  NAME  RHDCSRTT(R)


The next step is defining specific task codes or wild-carded task code names in a Resource Category and granting the EXECUTE privilege to specific users or groups of users. You must create one or more resource categories to contain the task definitions and grant to the appropriate users or groups.

  CREATE RESOURCE CATEGORY DBATASKS 
   ADD TASK IDD 
   ADD TASK SCHEMA 
   ADD TASK SSC  
   ADD TASK DCMT  
   ADD TASK P*   
   ADD TASK OPER  
   ADD TASK SYSGEN   
   ADD TASK *     ;    

  GRANT EXECUTE ON CATEGORY DBATASKS     TO DBAGROUP     ;

Be careful using wildcarded names. Be certain that you do not have tasks codes in more than one category that could match to the same task code.
 
  CREATE RESOURCE CATEGORY CAT_001  
    ADD TASK PAYROLL    ; 
 
  CREATE RESOURCE CATEGORY CAT_002  
    ADD TASK PAY*    ;

When a user attempts to execute a task code for the first time since startup, IDMS performs a dictionary lookup for the full task code and will find the most fully qualified match, then check to see if the user holds the EXECUTE privilege on the relevant category. The search stops there.

In this example, it would find the PAYROLL task code in CAT_001. If a user had been granted execute on CAT_002 and not CAT_001 they would get a security violation trying to execute the PAYROLL task code.

Another thing to keep in mind is that once IDMS does the lookup for any categorizable resource, it caches the resource name and the category in which it was found in memory for efficiency. Therefore if you ever delete a task code from one category and add to another you will need to refresh security by either recycling CV or by marking nucleus module RHDCSRTT for new copy and doing a nucleus reload.

Securing tasks using an external security manager

To secure tasks externally, the #SECRTT macro needs two extra parameters, EXTCLS and EXTNAME.

#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXT,
        EXTCLS='IDMST',EXTNAME=(SYST,RESNAME)

EXTCLS is a literal that must match the Class high-level qualifier defined to the external security system. For instance, in TOP SECRET this is RESCLASS. In ACF2 it is TYPE. For RACF it is CLASS.
EXTNAME is one or more keywords to tell IDMS how to construct the actual resource name that will be passed to the external security manager.

For TASK, clients sometimes just pass RESNAME, which for the TASK resource means we pass the actual task code. Since clients often have multiple IDMS CVs that execute the same task codes, many clients further qualify the resource name by adding system id as shown in the above example.

You can also qualify with an environment name that can be defined in the #SECRTT TYPE=INITIAL macro.

#SECRTT TYPE=INITIAL,SVCNUM=176,ENVNAME=PROD100
#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXT,
        EXTCLS='IDMST',EXTNAME=(ENVIR,RESNAME)