

What Is a UID?

In addition to a logonid, each user is associated with a user identification string (UID). Your CA ACF2 implementation team determines the structure of your site’s UID based on the requirements of your site. You cannot use the UID to sign on to the system. Instead, the UID identifies the users or groups of users who can access a resource. You specify a UID in the UID parameter of CA ACF2 Option for DB2 rules. It provides greater flexibility than a logonid because you can define subsets of users in ways that the logonid cannot. The logonid is effective only in grouping users who have the same beginning characters of their logonids, while the UID permits you to group users by any combination of attributes that your organization defines. The UID lets you write rules that apply to groups of users who share certain functions, departments, divisions, groups, or whatever unit that your site defines.

A well‑designed UID can eliminate the need for secondary authorization IDs when they are used to group IDs for resource access, and can ensure that individual accountability is retained and performance is increased. It takes advantage of masking, which lets you represent multiple characters with a single character. This eliminates the need to write multiple rules to cover similar users. Another feature of the UID enables you to dynamically alter its construction when signing on to z/OS.

Defining the UID

Your organization defines what your UID looks like when you install CA ACF2. It forms this 1‑ to 24‑character field by combining selected fields of the logonid record. This enables you to use criteria such as department, group, project name, job responsibility, or other data to determine access privileges to resources.

The UID can include fields supplied with CA ACF2 and fields defined by your site. For example, the following sample UID consists of four site‑defined fields and the user’s logonid:

MM22DBAUSER01

The fields are laid out as follows:

Position   Value            Description
1          M (Munich)       Site
2          M (Marketing)    Division
3-4        22               Department
5-7        DBA              Function Code
8-13       USER01           Logonid

CA ACF2 Option for DB2 uses the UID to determine who can perform functions on its resources. It matches a user’s UID against the CA ACF2 Option for DB2 rule UID parameter to determine if a rule entry exists that grants access for this user. If the user’s UID matches the UID parameter of the rule entry, the rule is used to determine access. If a rule entry does not exist, access is denied.

The UID permits you to group users by any combination of attributes that your organization defines. This concept is similar to the way secondary IDs are used in native DB2 security. A secondary ID enables multiple IDs to gain additional privileges. For example, suppose you create a secondary ID, DBA, using native DB2 security. This ID is granted access to all resources required by a database administrator (DBA). All IDs using this secondary ID can access these resources.

With CA ACF2 Option for DB2, the UID could replace the function of the secondary ID. One way might be to include job function in its concatenation. CA ACF2 Option for DB2 could determine access to a resource by whether users have that job function in their UIDs. For example, the following UID represents a DBA in the accounts payable (AP) department of the Chicago (C) office. His logonid is APJOHN.

CAPDBAAPJOHN

When you write rule entries to grant access to a resource, you can mask the UID in the UID parameter so that the rule entry applies to multiple users. For example, you can mask the above UID like this:

***DBA

This lets the rule entry apply to any DBA at this site who wants to access the resource. Of course, you can also mask the UID like *APCLK, for example, if you want the rule entry to apply to only accounts payable clerks. See the “Masking the UID” section for more information about masking.

You can construct your UID in any way that fits your organization. If your users have multiple job functions, you can designate several fields for job function. Or you can use the GROUP field to change the group that a user can associate with. See the “Dynamically Altering the UID” section for more information.

Masking the UID

A powerful feature of the UID is masking. Masking enables you to represent multiple UIDs by using special masking characters in the UID parameter of the rule. The UID that you specify in the UID parameter is automatically treated as a mask. For example, the UID MM02DBAUSER01 matches not only itself but also any string that begins with MM02DBAUSER01 and contains no more than 24 characters.

You can form a more general UID mask by omitting ending characters. For example, by omitting DBAUSER01 from MM02DBAUSER01, you form a mask that represents all marketing users in department 02 in the Munich office: MM02. See, “Masking the UID” in the “Writing CA ACF2 Option for DB2 Rules” chapter for more information about masking UIDs.

Dynamically Altering the UID

Typically, a user’s UID remains the same for each system entry. However, in CA ACF2, you can enable a user’s UID to change at system entry time by including a special logonid field (GROUP) in the UID. This field is different from other UID fields because its value can change at system entry, depending on what the user enters. Its use enables users to automatically access data available to a group without changing CA ACF2 Option for DB2 rules.

This feature is available to CA ACF2 Option for DB2 users only under certain circumstances:

When you use the GROUP field in your UID concatenation, each user’s UID changes based on what the user enters at sign‑on or in batch. For example, you might structure your site’s UID something like the following. The UID values for Mary, a manager in the accounts payable department of the Los Angeles office, are shown. She entered the ACCTPAYB value at sign‑on time.

Position   Value            Description
1          L                Location
2          P                Department
3‑10       ACCTPAYB         Group
11‑12      MG               Function code
13‑17      APMARY           Logonid

The group that Mary belongs to varies depending on the value that she enters when she signs on to TSO or in batch. If she enters ACCTRECV for the GROUP logon parameter and she has the authority to enter this value, she can access any resource that the accounts receivable group can access. Then, Mary’s UID would look like this:

LPACCTRECVMGAPMARY

The rule entries that apply to the accounts receivable group (providing that they are properly masked, that is, **ACCTRECV) apply to Mary. See the CA ACF2 Administrator Guide for complete details about using the GROUP field in the UID.
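The following Python model, added here as an illustration and not taken from CA ACF2 or its documentation, ties together the three behaviours described above: building a UID by concatenating logonid fields (the "Defining the UID" section), treating a rule's UID parameter as a mask in which an asterisk stands for any single character and omitted trailing characters match anything (the "Masking the UID" section), and letting a GROUP value entered at sign-on change the UID (the "Dynamically Altering the UID" section). The field names in the logonid records, the rule representation and the function names are assumptions made for this example; the sample UIDs, masks and field layouts are the ones the page itself uses. Access is denied when no rule entry matches, as the page states.

```python
"""Illustrative model of CA ACF2 UID construction and UID-mask matching.

This is example code written for this page, not CA ACF2's own logic.
Field names (LOCATION, DEPT, FUNCTION, ...) and the rule format are
assumptions; only the behaviour described in the text is modelled.
"""

UID_MAX_LEN = 24  # a UID is a 1- to 24-character field (from the page)


def build_uid(logonid_fields, layout, signon_group=None, authorized_groups=()):
    """Concatenate selected logonid-record fields, in layout order, into a UID.

    If the layout contains the GROUP field and the user supplied a group value
    at sign-on, that value replaces the stored one, but only if the user is
    authorized to enter it (the page: "she has the authority to enter this
    value"). An unauthorized group is rejected rather than silently honoured.
    """
    parts = []
    for name in layout:
        value = logonid_fields.get(name, "")
        if name == "GROUP" and signon_group is not None:
            if signon_group not in authorized_groups:
                raise PermissionError("not authorized for GROUP %s" % signon_group)
            value = signon_group
        parts.append(value)
    uid = "".join(parts)
    if not 1 <= len(uid) <= UID_MAX_LEN:
        raise ValueError("UID must be 1 to 24 characters, got %d" % len(uid))
    return uid


def uid_matches(mask, uid):
    """Return True if a rule's UID parameter (mask) covers the given UID.

    Semantics as described on the page: '*' matches any single character in
    that position, and a mask shorter than the UID matches every UID that
    begins with it (trailing characters omitted from the mask are unconstrained).
    A mask longer than the UID cannot match it.
    """
    if len(uid) > UID_MAX_LEN or len(mask) > len(uid):
        return False
    return all(m == "*" or m == u for m, u in zip(mask, uid))


def check_access(rule_entries, uid):
    """Evaluate rule entries [(uid_mask, allow_bool), ...] in order.

    The first entry whose mask covers the UID decides the outcome; if no
    entry matches, access is denied (the page: "If a rule entry does not
    exist, access is denied").
    """
    for mask, allow in rule_entries:
        if uid_matches(mask, uid):
            return allow
    return False


# --- Constructed sample data based on the page's examples -------------------

# Chicago office layout: site + department + function code + logonid
CHICAGO_LAYOUT = ["SITE", "DEPT", "FUNCTION", "LOGONID"]
JOHN = {"SITE": "C", "DEPT": "AP", "FUNCTION": "DBA", "LOGONID": "APJOHN"}
JANE = {"SITE": "C", "DEPT": "AP", "FUNCTION": "CLK", "LOGONID": "APJANE"}  # constructed clerk

# Los Angeles layout with the dynamic GROUP field (Mary's example on the page)
LA_LAYOUT = ["LOCATION", "DEPT", "GROUP", "FUNCTION", "LOGONID"]
MARY = {"LOCATION": "L", "DEPT": "P", "GROUP": "ACCTPAYB",
        "FUNCTION": "MG", "LOGONID": "APMARY"}
MARY_GROUPS = ("ACCTPAYB", "ACCTRECV")  # constructed: groups Mary may sign on with

# Constructed rule entries: any DBA at the site may access; AP clerks may not.
DBA_RULES = [("***DBA", True), ("*APCLK", False)]
# Constructed rule entry for a resource owned by the accounts receivable group.
AR_RULES = [("**ACCTRECV", True)]


if __name__ == "__main__":
    print(build_uid(JOHN, CHICAGO_LAYOUT))
    print(build_uid(MARY, LA_LAYOUT, "ACCTRECV", MARY_GROUPS))
    print(check_access(AR_RULES, build_uid(MARY, LA_LAYOUT)))
```

Note that the only wildcard modelled is the single-character asterisk and prefix matching by omission, because those are the two masking forms this page describes; a site's real rule syntax should be taken from the "Writing CA ACF2 Option for DB2 Rules" chapter the page refers to.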