Securing IDMS Resources is implemented by assembling and linking a series of #SECRTT macros to produce the security table load module RHDCSRTT (See #SECRTT for complete parameter descriptions).

Application (Activity) security is implemented by including a #SECRTT macro for RESTYPE=ACTI.

In the following example of assembling the RHDCSRTT, only the SIGNON, TASK and ACTIVITY resource types are being secured. The default value is SECBY=OFF for all resource types.

In this example, the ACTIVITY resource type is secured internally.

//ASMSTEP EXEC PGM=ASMA90,
//             REGION=512K
//SYSLIB    DD DSN=your.IDMS.DISTMAC,DISP=SHR
//             DD DSN=SYS1.MACLIB,DISP=SHR
//SYSUT1    DD DSN=&&SYSUT1,UNIT=SYSDA,SPACE=(CYL,(15,10))
//SYSUT2    DD DSN=&&SYSUT2,UNIT=SYSDA,SPACE=(CYL,(15,10))
//SYSUT3    DD DSN=&&SYSUT3,UNIT=SYSDA,SPACE=(CYL,(15,10))
//SYSPRINT  DD SYSOUT=*
//SYSLIN    DD DSN=&&OBJECT,DISP=(NEW,PASS),UNIT=SYSDA,
//             SPACE=(CYL,(15,10))
//SYSIN     DD *
#SECRTT TYPE=INITIAL,SVCNUM=176,SYSPROF=(DEFAULT,ON)
#SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=INT
#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=INT
#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=INT
#SECRTT TYPE=FINAL
END
//LKED     EXEC PGM=IEWL,
//            PARM=(XREF,LET,LIST,NCAL)
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD UNIT=SYSDA,SPACE=(1700,(500,100))
//SYSLMOD  DD DSN=your.IDMS.DBA.LOADLIB,DISP=SHR
//SYSLIN   DD DSN=&&OBJECT,DISP=(OLD,DELETE)
//         DD *
ENTRY SRTTEP1
MODE  AMODE(31),RMODE(ANY)
NAME  RHDCSRTT(R)

The next step is defining specific application activities and granting the EXECUTE privilege to specific users or Groups of users.

The ACTIVITY resource name must start with the application name, followed by a dot and then an activity name. It is important to note that the activity name is for descriptive purposes only. It is never used in the actual security checking. When an ACTIVITY security check is done, the application name and the number of the secured response are the two values passed.

CREATE RESOURCE ACTIVITY PAYROLL.UPDATE NUMBER 19;
CREATE RESOURCE ACTIVITY BCF.FIXPAGE NUMBER 9;
CREATE RESOURCE ACTIVITY BCF.TUNEINDEX NUMBER 7;
CREATE RESOURCE ACTIVITY DCMT.DBASTUFF NUMBER 9;
CREATE RESOURCE ACTIVITY DCMT.VARY_AREA NUMBER 1;
CREATE RESOURCE ACTIVITY OCF.TUNEINDEX NUMBER 7;

GRANT EXECUTE ON ACTIVITY DCMT.VARY_AREA TO USER123;
GRANT EXECUTE ON ACTIVITY DCMT.DBASTUFF TO DBAGROUP;
GRANT EXECUTE ON ACTIVITY PAYROLL.UPDATE TO PAYADMIN;

So how does the DBA or security administrator determine what number to assign to a specific activity definition?

Application security checks are issued by ADS runtime when an ADSA application is being executed and also by RHDCMT00 if DCMT commands are being secured using the #CTABGEN macro, by OCF and IDMSBCF if you have secured utility execution using the #UTABGEN macro, and by the online debugger if you have secured debugger commands using the #DGTBGEN macro (See Syntax for Assembler Macros for detailed information on the #CTABGEN, #UTABGEN and #DGTBGEN macros).

For example, in this ADSA application, this particular response has been assigned security class 8.

Response Definition

  Application name:   PAYROLL      Version:    1

    Response name:      EMPADD                                  Drop response (/) _

    Function invoked:   PAYAFUNC

    Description . . . . ADD AN EMPLOYEE                        Security class:   8

This corresponds to activity number 8 in the PAYROLL application, so that is the number that must be associated with the resource activity when it is defined.

CREATE RESOURCE ACTIVITY PAYROLL.EMPADD NUMBER 8;

If the response had been assigned a security class of 0 in the ADSA definition, the response would be unsecured.

At runtime, when a user selects an ADSA application response, ADS checks the Application Definition Block (ADB) to see if the requested response has been assigned a non-zero security class (activity number). If so, it will issue a security check passing application name and the activity number.

One more example using DCMT.
In this case, the number 9 has been assigned to what are considered some of the more dangerous DCMT commands such as SHUTDOWN, ABORT and VARY MEMORY.

#CTABGEN LOGIN=YES,                                                                 X
         (A,1,B,2,C,9),                                                             X
         (N033,C,N001,C,N002,C,N028,A,N009,A,N030,A,N059002,B)
END

Therefore, an activity resource has been defined for application DCMT that is assigned number 9.

CREATE RESOURCE ACTIVITY DCMT.DANGEROUS NUMBER 9;

Once the activity definitions for all secured application responses have been created, GRANT the EXECUTE privilege to the relevant users or groups.

GRANT EXECUTE ON ACTIVITY DCMT.DANGEROUS TO DBA_GROUP;

This GRANT creates or updates a record in the security dictionary containing a 256-bit bitmap in which the relevant bit numbers are turned on for each activity number in that application that has been granted to the indicated user or group.

It should also be mentioned that when IDMS does the lookup for the application name, if it does not find a match, it will look for an application called DEFAULT and do the check for that application.

CREATE RESOURCE ACTIVITY DEFAULT.ACT_001 NUMBER 1;
CREATE RESOURCE ACTIVITY DEFAULT.ACT_002 NUMBER 2;
CREATE RESOURCE ACTIVITY DEFAULT.ACT_009 NUMBER 9; 

If all of the applications assign activity numbers in the same way, it would be possible to simply define and grant the DEFAULT activities, but for more precise documentation and reporting, it is recommended to define activity resources that match the actual application names.

SECURING APPLICATIONS USING AN EXTERNAL SECURITY MANAGER

To secure tasks externally, the #SECRTT macro needs two extra parameters, EXTCLS and EXTNAME.

#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=EXT, 
EXTCLS='IDMST',EXTNAME=(SYST,ACTIVITY)

EXTCLS is a literal that must match the class high-level qualifier defined to the external security system. For instance, in TOP SECRET this is RESCLASS. In ACF2 it is TYPE. For RACF it is CLASS.
EXTNAME is one or more keywords to tell IDMS how to construct the actual resource name that will be passed to the external security manager.
For RESTYPE=ACTI, clients typically use keyword ACTIVITY, often including a high-level qualifier of the SYSTEM name or environment name since the same application names may be executed on multiple IDMS CVs.
Keyword ACTIVITY causes IDMS to construct the resource name as a combination of the application name and the activity number. The maximum length is 8 bytes. The name begins with the application name or the first 5 bytes of the application name, followed by a 3-digit activity number.

So, if the application name is BENEFITS and the response selected has been assigned number 15, IDMS would pass BENEF015 as the resource name to the external security manager, or in the case of the DCMT.DANGEROUS activity, it would pass DCMT009.