How to implement DMLO security, using program DBMSDMLO?

Article ID: 38674

Products

CA IDMS, CA IDMS - Database, CA IDMS - ADS

Issue/Introduction

Question:

How to implement DMLO security, using program DBMSDMLO?

 

Answer:

DMLO security is implemented by registering program DBMSDMLO with a version of 1, 2, or 3. However, the centralized CA IDMS security facility supersedes any validation by CA IDMS DMLO. That is, if access to a dictionary or database is prohibited by the central security facility, you cannot use CA IDMS DMLO to bypass or override that level of security.

Program DBMSDMLO version 1 is the default security level (Level 1) and means that there is no security check for DMLO users. Program DBMSDMLO version 2 is Level 2 DMLO security; at this level, access to DMLO requires a valid IDD user and password for that dictionary. Program DBMSDMLO version 3 (Level 3) validates the DMLO user and password and also verifies that the user has authorization to access the requested subschema in the specified dictionary.

 

For each of the three DMLO security levels, do the following to verify IDD access:

First, issue a DCUF to that dictionary.

Then, in IDD, issue a DIS OPTIONS FOR DICTIONARY and check what the security settings are set to:

INDIVIDUAL PASSWORD SECURITY OVERRIDE IS OFF  

USER SIGNON OVERRIDE IS NOT ALLOWED

SECURITY FOR IDD IS ON                                             

SECURITY FOR IDD SIGNON IS ON.        

 

Here’s an example of DMLO Level 1 security minimum requirements:

In IDD, add a program DBMSDMLO and User with Retrieval access:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS 1

PROGRAM DESCRIPTION IS 'SR,PR,ER'.

ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SR,SU' .

 

DMLO Level 2 security requirements:

In IDD, add a program DBMSDMLO and User with Update and Retrieval access:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS 2

PROGRAM DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'.

ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'

INCLUDE AUTHORITY FOR UPDATE IS IDD.

 

DMLO Level 3 security requirements:

In IDD, add a program DBMSDMLO and User with Update, Retrieval and Subschema access:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS 3

PROGRAM DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'.

ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'

INCLUDE AUTHORITY FOR UPDATE IS IDD

INCLUDE ACCESS TO SUBSCHEMA subname OF SCHEMA schname V vers-nbr.

 

From the IDMS 17.0 Installation Guide, which is valid for IDMS releases 18.0, 18.5 and 19.0:

Appendix G.2 CA IDMS DMLO Security and Access

This section describes security and access restrictions that can be applied to dictionaries containing subschemas to be accessed using CA IDMS DMLO.

G.2.1 CA IDMS DMLO Security

CA IDMS DMLO provides security checking on the following three levels:

- Level 1 security indicates that a security check is not needed. Any user who signs on to CA IDMS DMLO and specifies a valid subschema for the requested dictionary is permitted to access the database. Level 1 is the default security level.
- Level 2 security indicates that CA IDMS DMLO verifies that the user and password combination specified during CA IDMS DMLO sign-on exist in the requested dictionary. If they do, the user can access any valid subschema in that dictionary.
- Level 3 security indicates that CA IDMS DMLO not only validates the user and password, but also verifies that the user has authorization to access the requested subschema. The user must be registered for access to the requested subschema in the requested dictionary.

Use the following syntax to register for access to a given subschema:

(ADD/MOD) USER userid PASSWORD pswd
INCLUDE ACCESS TO SUBSCHEMA subname OF SCHEMA schname V vers-nbr.

For both Level 2 security and Level 3 security, special consideration is given to situations where the user ID used to sign on to the CA IDMS DMLO session is the same as the user ID used to sign on to the CA IDMS/DC system. In this case, the password is not checked even though the user must still be defined to the requested dictionary. Non-validation of the password conforms to the processing done by the dictionary task.

To implement security for CA IDMS DMLO, you must register program DBMSDMLO with a version number of 1, 2, or 3. The version number corresponds to the desired security level. Use the following syntax to add this program:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS n.

You must register DBMSDMLO in each dictionary for which security beyond the default is required.

G.2.2 CA IDMS DMLO Access Restrictions

CA IDMS DMLO has the following usage modes:

- SR—Shared Retrieval
- SU—Shared Update
- PR—Protected Retrieval
- PU—Protected Update
- ER—Exclusive Retrieval
- EU—Exclusive Update

You can restrict the READY modes available both globally (all users in a given dictionary) and by user. Any such restrictions are applied each time a user request is made to ready an area.

G.2.2.1 Restricting Usage Mode Access Globally

To restrict access to specific usage modes for all users for all subschemas in a given dictionary, use the PROGRAM DESCRIPTION clause of the ADD PROGRAM statement.

Example: With the following example, Level 1 security is established, but only retrieval modes are allowed for any subschema within the dictionary with this registration.

ADD/MOD PROGRAM DBMSDMLO VERSION IS 1
PROGRAM DESCRIPTION IS 'SR,PR,ER'.

When specifying more than one usage mode, use the following guidelines:

- Abbreviations must be separated by commas.
- Cannot contain any imbedded blanks.
- The string must be enclosed in single quotation marks.

G.2.2.2 Restricting Usage Mode Access by User

To restrict usage mode access by user within a given dictionary, you must have specified Level 2 security or Level 3 security for that dictionary.

For each user with particular restrictions, you must specify the allowable usage modes with the USER DESCRIPTION clause.

Example: The following example shows that the specified user cannot access any subschemas in the given dictionary with other than “shared” access modes:

ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SR,SU' .

G.2.2.3 Central CA IDMS Security

Remember the centralized CA IDMS security facility supersedes any validation by CA IDMS DMLO. That is, if access to a dictionary or database is prohibited by the central security facility, you cannot use CA IDMS DMLO to bypass or override that level of security.
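
The rules quoted above can be checked mechanically before a dictionary goes live. The following Python example is added here for illustration and is not part of the CA documentation or of CA IDMS: it reads IDD statements in the forms shown on this page and reports the resulting DMLO level, malformed usage-mode strings, and users whose definitions do not match that level. It assumes each statement ends with a period at the end of a line; the user IDs, password placeholder, subschema and schema names in the sample are constructed.

```python
import re

VALID_MODES = {"SR", "SU", "PR", "PU", "ER", "EU"}
PROGRAM = re.compile(r"\bPROGRAM\s+(?:NAME\s+IS\s+)?DBMSDMLO\s+VERSION\s+(?:IS\s+)?(\d+)", re.I)
USER = re.compile(r"\bUSER\s+(?:NAME\s+IS\s+)?(\S+)\s+PASSWORD\b", re.I)
DESC = re.compile(r"\b(PROGRAM|USER)\s+DESCRIPTION\s+IS\s+'([^']*)'", re.I)
SUBSCHEMA = re.compile(r"\bINCLUDE\s+ACCESS\s+TO\s+SUBSCHEMA\b", re.I)

# Constructed sample: a Level 3 dictionary with two hypothetical users.
SAMPLE = """\
ADD PROGRAM NAME IS DBMSDMLO VERSION IS 3
    PROGRAM DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'.
MOD USER JDOE PASSWORD XXXX USER DESCRIPTION IS 'SR, SU'
    INCLUDE AUTHORITY FOR UPDATE IS IDD.
MOD USER ASMITH PASSWORD XXXX USER DESCRIPTION IS 'SR,SU'
    INCLUDE ACCESS TO SUBSCHEMA EMPSS01 OF SCHEMA EMPSCHM V 100.
"""

def check_modes(desc):
    """Problems with a DESCRIPTION string under the usage-mode rules."""
    bad = [m for m in desc.replace(" ", "").split(",") if m not in VALID_MODES]
    return (["embedded blank"] if " " in desc else []) + \
           (["unknown usage mode " + ",".join(bad)] if bad else [])

def audit(statements):
    """Return (level, findings) for one dictionary's IDD statements."""
    level, findings, users = 1, [], []  # unregistered DBMSDMLO means Level 1
    for stmt in re.split(r"\.\s*(?:\n|$)", statements):  # period ends a statement
        desc, prog, user = DESC.search(stmt), PROGRAM.search(stmt), USER.search(stmt)
        if desc:
            findings += [f"{desc.group(1).upper()} DESCRIPTION '{desc.group(2)}': {p}"
                         for p in check_modes(desc.group(2))]
        if prog:
            level = int(prog.group(1))
            if not desc:
                findings.append("no PROGRAM DESCRIPTION: usage modes not restricted globally")
        elif user:
            users.append((user.group(1), bool(desc), bool(SUBSCHEMA.search(stmt))))
    if level not in (1, 2, 3):
        findings.append(f"DBMSDMLO version {level} is not a DMLO security level")
    if level == 1:
        findings.append("Level 1: no user/password check at DMLO sign-on")
    for name, has_desc, has_sub in users:
        if level == 1 and has_desc:
            findings.append(f"user {name}: USER DESCRIPTION needs Level 2 or 3 to take effect")
        if level == 3 and not has_sub:
            findings.append(f"user {name}: no INCLUDE ACCESS TO SUBSCHEMA, required at Level 3")
    return level, findings
```

Calling `audit(SAMPLE)` reports the blank inside JDOE's usage-mode string and the missing subschema registration for JDOE; ASMITH passes.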

Additional Information:

CA IDMS Installation and Maintenance Guide,

Appendix G (17.0) and H (at higher releases)

CA IDMS DMLO Implementations

 

RI75574 (18.5) DMLO IMPLEMENTATION DROPPED FROM MANUAL

Information on DML Online implementation was dropped from the CA IDMS Installation and Maintenance Guide for z/OS. It is present in the CA IDMS Installation and Maintenance Guide - for z/VSE as Appendix D and E. Refer to Appendix D and Appendix E of the CA IDMS Installation and Maintenance Guide for z/VSE for the required information.

Environment

Release: IDADSO00100-18.5-ADS-for CA-IDMS