This article summarizes how external security for Datacom works, from Multi-User Facility (MUF) start-up through how access is allowed or denied.
Environment
Release: 15.1 Component: DB
Resolution
At MUF Start-up, the UserID is obtained via CAISSF and passed to Datacom.
Datacom calls the external security system to determine whether external security is in effect.
This check is done regardless of what the user enters in the SECURITY Multi-User Startup Option.
Datacom determines:
User's identity
Facilities the user is authorized to access
Whether the user is an administrator
The external security product checks the security status for resource names.
It checks whether ACTIVATE.LEVELnn.PASS is allowed and ACTIVATE.LEVELnn.FAIL is denied for the UserID that starts the Multi-User.
The check begins with LEVEL05 and continues until a resource name pair is identified.
Once the resource pair is found, the DTSYSTEM is queried to determine the access path level of security being used.
The next security check looks for the table class resources for the UserID associated with the Multi-User Facility.
This check consists of a pair of resource names relating to the level of external security to be checked, so that new security features can be implemented without affecting the existing external security system.
For example, in the following Multi-User Startup Option:
The "cxxname" can be found by looking at the MUF startup message "DB00201I for CXX=" information. It is also available on the DBUTLTY CXX Report, on the right-hand side of the flower box after the string "CXXNAME".
If the user that starts up the Multi-User is denied access to the DTSYSTEM resource class, external security is activated.
If access is allowed and the class-and-path definition is coded in the Multi-User startup SECURITY option, an error is returned and the Multi-User Facility will not enable.
Also, if no class is coded for a path in the Multi-User startup and access is denied for more than one class in that path, an error is returned and the Multi-User Facility will not enable.