How to Implement External Security for Datacom - Defining Table, Administration, and DBUTLTY Resources.
search cancel

How to Implement External Security for Datacom - Defining Table, Administration, and DBUTLTY Resources.


Article ID: 51501


Updated On:


Datacom Datacom/AD Datacom/DB


This article briefly describes the remaining types of Resource Classes you can define to implement external security for the Datacom features or data to the table or view level.


Release: 15.1
Component: Datacom/AD
Component: Datacom/DB


There are four types of Resource Classes you can define to protect your Datacom products, features or data to the table or view level. These are:

  1. System Resource Classes (read article 51404 -
    How to Implement External Security for Datacom - Defining the System Resource Class?)
  2. Administrator Resource Classes
  3. Table Resource Classes
  4. Utility Resource Classes

Administrator Resource Classes

Define the Administrator Resource Class, DTADMIN. This resource class consists of the CXXname plus a two-character product code (DB or DD). It is used to define product administrator authority.

When you associate the CXXname.DB administrator resource class with a user accessor (ACID), that user will be able to create a schema for SQL access, issue GRANT or REVOKE SQL statements, or DROP any SQL table.

A user with CXXname.DD is a Datadictionary Security Administrator and will be able to run 4099 Field transactions, add and maintain relationship definitions.

Table Resource Classes

Beginning with CA Datacom release 11.0, you can now define up to ten Table Resource Classes:


To define Table Resource Classes, add the following to the commands to the appropriate external security product:

DnTABLE cxxname.DB0nnnn.table

          DnTABLE      Table Resource Name - substituting n by C, F, G, H, P, Q, R, S, T, or X
                       These Table Resource Names are arbitrary, in other words they don't have significance other
                       than assisting you in categorizing or associating the table to the path from which the requests are made.
                       See "Defining Multi-User Startup Security Options and Path Security" below.
          cxxname      Name of the CXX associated with the Datacom Multi-User Facility whose data is being secured.
          DB0nnnn      DBID of the database.
          table        3-character Datacom name of the table. 

You can identify Datacom tables and multiple access levels for each table. The access levels correspond to:


Defining Security Startup Option and Path Security

Release 11.0 and forward is delivered with ten separate security paths.

Defining Multi-User Startup SECURITY Option

The SECURITY Multi-User startup option allows you to code class-and-path options as follows:

SECURITY class-and-path1,class-and-path2,...class-and-path10

The class and path options can be coded in any order. They are keyword driven and up to one class-and-path option per table resource class may be coded.

Path Security

The format of an individual class-and-path parameter is as follows:

               Where:  DB      Constant
                       aa        Valid class codes:  DC, DF, DG, DH, DP, DQ, DR, DS, DT, DX,  and NO
                                 These class codes correspond to the table classes defined in the external security system,
                                 NO refers to no path security.
                       bbb     Valid path codes:  
                               SCI       CICS SQL
                               SCQ       CICS SQL for CA-Dataquery
                               RCI       CICS non-SQL
                               RCQ       CICS non-SQL for CA-Dataquery
                               RAQ       non-CICS, non-SQL for CA-Dataquery 
                               SSR       Server SQL 
                               RSR       Server non-SQL
                               SQL       All other paths SQL
                               SQQ       SQL non-CICS for CA-Dataquery
                               RAT       All other paths non-SQL

An example of a startup option with all ten possible classes specified for six different paths is:


Utility Resource Classes

Define Utility Resource Classes with DTUTIL. This is required if any non-SQL access path is defined. Each resource in the DTUTIL resource class represents one Datacom DBUTLTY function, and the users allowed to execute them. The format of this resource class varies with each of the three products it supports ? DB, DD and DQ. It can also be used to secure SQL plans.

The following is an example of securing the DBUTLTY BACKUP function:

               DTUTIL            Constant - Resource Class
               cxxname           Name of the Directory (CXX) for the Datacom Multi-User Facility being secured
               DBUTLTY           Constant - Name of the utility
               BACKUP            Name of the DBUTLTY function 
               DATA              Indicates backup of a data area

NOTE: Some DBUTLTY functions also require that certain table and/or DTUTIL resources be defined. Go to Using External Security for Datacom in our Datacom documentation for details.

Set up User or Group Permissions

Define specific user or group permissions to the resources defined. Define all information for user/group permissions and resource table classes before defining access path permissions or securing the CXX (Directory) with the DTSYSTEM resource.