Security in Unicenter NetMaster
The Unicenter NetMaster product range supports multiple users. It allows very close control over the facilities that each user is allowed to access. This control is managed via the NetMaster User Access Management System (known as UAMS).
This security facility can operate in one of 3 modes:
What are the pros and cons of each mode?
The recommended security approach for NetMaster products is the partial security exit, in conjunction with a UAMS dataset. Specifically, we recommend use of the NMSAF security exit solution.
NOTE: You can share the UAMS dataset across NetMaster regions. This includes across LPARs. NetMaster will preserve dataset integrity during updates.
The security exit interface in NetMaster is fully documented. In addition, the product comes with sample exits (in source form) that can be used as a starting point for writing your own exit.
While this is fine for those installations that have the time and expertise to write and maintain an exit, what about other installations that just want to use the product, but with an external security system?
To this end, we supply 2 supported exits that can be used with NetMaster:
You can control the type of security that a NetMaster region will use with the SEC JCL parameter, which is typically specified in the RUNSYSIN PDS member in the execution JCL for the NetMaster region. The following values can be specified:
| Value | Description |
| --- | --- |
| SEC=NO | No security exit. UAMS-based security only. |
| SEC=PARTSAF | Use the supplied basic SAF security exit. |
| SEC=NMSAF | Use the supplied advanced SAF security exit. |
| SEC=lmname | Use an installation-supplied security exit where the name of the load module is lmname. (Refer to the documentation for details on how the exit informs Unicenter NetMaster that it is a partial or full exit.) |
As mentioned above, we recommend use of the NMSAF partial security exit.
Use of this exit means that the UAMS dataset is still required. However, we believe that the split between what is stored in the UAMS dataset and what is maintained in the external security system is a sensible one.
The design philosophy of the NMSAF security solution is based on:
The main reason the NMSAF solution was not implemented using the full security exit approach is that external security systems are not set up to easily (if at all) store additional user data. Not everything that Unicenter NetMaster needs to know about a user maps to simple access levels. As an example, one field in the UAMS database record for a user is the initial OCS command, which is a character string that is treated as a command when the OCS facility is started. There are many other examples.
The NMSAF solution utilizes the external security system and the NetMaster UAMS database in the following ways:
To make administration easier, we recommend the use of a set of model userid records, which we distribute with the system and which are in turn members of a group. In NetMaster, a userid record that is a member of a group takes all the important information from the group record at logon time. The basic userid record only has personal information (and the group name). Thus, it is very simple to alter the privileges etc. for all members of a group by merely altering the group definition.
Of course, password maintenance and so on is completely managed by the external security system. (You can allow a Unicenter NetMaster user to change their external security system password via a NetMaster panel, or you can prevent this, requiring them to change the password through some other means.)
If a user is not defined on the external security system or is suspended or revoked, they will not be able to log on to the Unicenter NetMaster region.
At this time, the only ongoing UAMS maintenance that is required is the occasional cleanup of old userids (that is, users that have been deleted from the external security system).
If you need to change the authority of a user, you can simply delete the UAMS record. The next time they log on, the latest resource access levels will be used to choose a new model (and thus group) for the user.
Of course, for users with special privileges, you can use the standard UAMS definition facilities to add the appropriate profiles. The external security system is still used to maintain the password (and prevent login if the user is suspended or revoked).
As mentioned above, the NMSAF solution uses a configuration file. This allows you to alter processing to suit your installation's requirements.
These parameters are fully documented in the manual (see the reference at the end of this article). However, some of the useful parameters are mentioned here:
We have changed the security interface of the Unicenter NetMaster web interface (WebCenter). Now, external security systems (including NMSAF) have the option of being told that a logon request is from a web interface user rather than APPC. To enable this:
Security is a very important part of any installation. Unicenter NetMaster provides a sophisticated and comprehensive security regime. The NMSAF solution is one way to easily exploit these facilities.
The NMSAF security solution is fully described in the Unicenter NetMaster, NetSpy, and SOLVE Security Guide. Chapter 2 describes the solution, and Appendix A covers the parameter file that is used to control processing.
This same manual covers many other aspects of security, including details on how to write your own security exit.