The CA IDMS Visual DBA (VDBA) feature "Enhanced Object Security" allows sites to create tailored views which limit the types of entities that the end user can access on the mainframe, as well as the verbs which VDBA will allow the user to submit. This level of security prevents the user from accessing entities or submitting commands that have not been explicitly granted to them. Because Enhanced Object Security is defined on the IDMS CV, a client using VDBA can access a mix of IDMS CVs, and each one can have a unique configuration, either with or without Enhanced Object Security.
VDBA provides a GUI front-end interface through which end users can access mainframe IDMS systems. All tasks initiated through VDBA are run as external run-units through the CV, associated with the userid that was used when signing on to that mainframe to initiate the VDBA session. In addition to the limitations imposed by the VDBA Enhanced Object Security, all security that is in place on the mainframe is enforced for tasks originating from a VDBA front-end.
Here are the steps to restrict a user to read-only access using VDBA within a specific CV:
1- Turn on enhanced object security for Visual DBA by ensuring that the table procedure definition SYSCA.VDBA_VERSION5 does NOT contain the column NO_SERVER_ROLE. If it does contain that column, drop and re-add the table procedure without that column, using the following commands:
drop table procedure SYSCA.VDBA_VERSION5;
create table procedure SYSCA.VDBA_VERSION5 (
, VDBA_EXE_BUILD_1 int
, VDBA_DLL_BUILD_1 int
, VDBA_VIEW_BUILD_1 int
) EXTERNAL NAME VDBAVER;
2- Create an IDD module that specifies the access you want your users to have. Here is a sample which grants users access to all the capabilities within Visual DBA, but only for retrieval access:
MODULE NAME IS VIDMS_RETRIEVAL_ONLY VERSION IS 1
USER IS ########
REGISTERED FOR ALL
RESPONSIBLE FOR NONE
PUBLIC ACCESS IS ALLOWED FOR DISPLAY
MODULE SOURCE FOLLOWS
CMD CONSOLE DCMT
CMD CONSOLE DCUF
CMD CONSOLE IDD
CMD CONSOLE OCF
CMD CONSOLE SQL
CMD CONSOLE SSC
CMD CONSOLE SCHEMA
CMD CONSOLE SYSGEN
Note that this example gives the user read-only access to all entity types within all dictionaries defined to VDBA on this CV, and to all command console functions. If you wish to restrict this further, see the links in "Additional Information" below.
3- Create a user profile with an attribute of VIDMSR17 which points to the module you just created. Here is sample syntax to do that; note that the module name must be qualified by the DBname in which you created it:
CREATE USER PROFILE VIDMS_RETR_PROF
VIDMSR17 = 'SYSTEM.VIDMS_RETRIEVAL_ONLY' OVERRIDE NO ;
If you prefer, you can do this in a system profile.
4- Associate your userid(s) or groups with this profile.
ALTER USER "########"
PROFILE VIDMS_RETR_PROF ;
That's it! Now when the user(s) sign on to VDBA, their tree structure will ONLY allow them to initiate retrieval commands.
Full documentation regarding syntax and options in creating profiles can be found in the CA IDMS Visual DBA Users Guide, in the chapter entitled "Enhanced Object Security".
An additional example, showing how to create a profile that displays only an abbreviated tree structure to the end user and thereby limits the entities they can access, can be found in Knowledge Document TEC1981448.