Managing IDMS Security USERs and GROUPs

Article ID: 49474

Products

IDMS, IDMS - Database, IDMS - ADS

Issue/Introduction

CA IDMS supports both internal and external security, at various levels. Managing user and group definitions can be done in various ways and can be implemented with different levels of authorization.

When users are secured, any access to userids is limited by the security held by the user trying to access them. No errors are issued for a display, but the user will only see what they have authority to see. If a user does not have any authority, an attempt to DISPLAY a user, or DISPLAY ALL USERS, will return no rows and no error message.

 

Environment

IDMS - all supported releases

Resolution

First, if the goal is to secure access to user and group definitions, then RESTYPE=USER and RESTYPE=GROU should be secured in your SRTT. This is recommended because you don't want just anyone to update your user definitions. RESTYPE=SYSA (SYSADMIN) should also be secured, because it controls who will have this important level of access.

When users are secured, any access to userids is limited by the security held by the user trying to access them. There are no errors issued for a display, but the user will only see what they have authority to see. If the issuing user has not been granted access to any userids, or any global level of authority, then they will see nothing; that is the way this is designed to work. There are a few levels of security involved here, so you have a few options, depending on what you want users to be able to do:

  1. If you want someone to be able to display user and group definitions, then you must grant them that authority. That can be done with these commands:

    GRANT DISPLAY ON USER * TO userid/Group;
    GRANT DISPLAY ON GROUP * TO userid/Group;

    These commands grant DISPLAY-level authority on USER * and GROUP *, which means on all users and all groups. As noted, you can grant this authority to a single user or to a group. If your site's goal is to grant this level of security to several users, we recommend that you include them in a group and grant authorizations at the group level, to ensure that all affected users have the same authority levels.

  2. If you want users to be able to display (punch), create, and drop users and groups, they will need a DEFINE level of security on users and groups. That can be granted using these commands:

    GRANT DEFINE ON USER * TO userid/Group;
    GRANT DEFINE ON GROUP * TO userid/Group;

    DEFINE allows someone to create, alter, and drop the entity on which they've been granted that level of authority.

 

Additional Information

Security for IDMS documentation