search cancel

How to implement DMLO security using program DBMSDMLO

book

Article ID: 38674

calendar_today

Updated On:

Products

IDMS IDMS - Database

Issue/Introduction

How to implement IDMS DMLO security using program DBMSDMLO.

 

 

Environment

Release: 19.0
Component: IDMS DML Online

Resolution

DMLO security is implemented via the program DBMSDMLO versions 1, or 2 or 3. However, Centralized CA IDMS security facility supersedes any validation by CA IDMS DMLO. That is, if access to a dictionary or database is prohibited by the central security facility, you cannot use IDMS DMLO to bypass or override that level of security.

Program DBMSDMLO version 1, is default security level (Level 1) and means that there is no security check for DMLO users.

Program DBMSDMLO version 2 is Level 2 DMLO security and at this level, access to DMLO is restricted by a valid IDD user and password for that dictionary.

Program DBMSDMLO version 3 (Level 3), validates the DMLO user and password, but also verifies that the user has authorization to access the requested subschema in the specified dictionary.

For each of the three DMLO security levels do the following to verify IDD access:

First, issue a DCUF to that DICTIONARY,

Then in IDD, issue a DIS OPTIONS FOR DICTIONARY and see what the security settings are set to:

INDIVIDUAL PASSWORD SECURITY OVERRIDE IS OFF  

USER SIGNON OVERRIDE IS NOT ALLOWED

SECURITY FOR IDD IS ON                                             

SECURITY FOR IDD SIGNON IS ON.        

 

Example of DMLO Level 1 security minimum requirements

In IDD, add a program DBMSDMLO and User with Retrieval access:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS 1
PROGRAM DESCRIPTION IS 'SR,PR,ER'.
ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SR,SU' .

DMLO Level 2 security requirements

In IDD, add a program DBMSDMLO and User with Update and Retrieval access:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS 2
PROGRAM DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'.
ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'
INCLUDE AUTHORITY FOR UPDATE IS IDD.

DMLO Level 3 security requirements

In IDD, add a program DBMSDMLO and User with Update, Retrieval and Subschema access:

ADD PROGRAM NAME IS DBMSDMLO VERSION IS 3
PROGRAM DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'.
ADD/MOD USER userid PASSWORD pswd USER DESCRIPTION IS 'SU,PU,EU,SR,PR,ER'
INCLUDE AUTHORITY FOR UPDATE IS IDD
INCLUDE ACCESS TO SUBSCHEMA subname OF SCHEMA schname V vers-nbr.

 

Additional Information

From IDMS documentation section IDMS DMLO Security and Access Considerations

This appendix describes security and access restrictions that can be applied to any dictionary that contains subschemas to be accessed using IDMS DMLO. IDMS DMLO provides security checking on three levels.

Level 1 security indicates that a security check is not needed. Any user who signs on to IDMS DMLO and specifies a valid subschema for the requested dictionary is permitted to access the database. Level 1 is the default security level.

Level 2 security indicates that IDMS DMLO verifies that the user and password combination specified during IDMS DMLO sign-on exist in the requested dictionary. If they do exist, the user can access any valid subschema in that dictionary.

Level 3 security indicates that IDMS DMLO not only validates the user and password, but also verifies that the user has authorization to access the requested subschema. The user must be registered for access to the requested subschema in the requested dictionary.

Use the following syntax to register for access to a given subschema:

(ADD/MOD) USER userid PASSWORD pswd
INCLUDE ACCESS TO SUBSCHEMA subname OF SCHEMA schname V vers-nbr.

For both Level 2 and Level 3 security, special consideration is given to a situations in which the user ID used to sign on to the IDMS DMLO session is the same as the user ID used to sign on to the IDMS/DC system. In this case, the password is not checked even though the user must still be defined to the requested dictionary. Non-validation of the password conforms to the processing done by the dictionary task.

To implement security for IDMS DMLO, you must register program DBMSDMLO. with a version number of 1, 2 or 3. The version number corresponds to the desired security level. Use the following IDMS/DDDL syntax to add this program:

ADD PROGRAM NAME IS DBMSDMLO. VERSION IS n.

You must register DBMSDMLO. in each dictionary for which security beyond the default is required.

IDMS DMLO Access Restrictions

IDMS DMLO has six possible usage modes:

  • SR -- Shared Retrieval
  • SU -- Shared Update
  • PR -- Protected Retrieval
  • PU -- Protected Update
  • ER -- Exclusive Retrieval
  • EU -- Exclusive Update

You can restrict the READY modes available both globally (all users in a given dictionary) and by user. Any such restrictions are applied each time a user request is made to ready an area.

Central IDMS Security
Remember that the centralized IDMS security facility at all times is superior to any validation by IDMS DMLO. For example, if access to a dictionary or database is prohibited by the central security facility, you cannot use IDMS DMLO to bypass or override that level of security.