DBUTLTY is secured using the DTUTIL resource class if any non-SQL access path (for example, record-at-a-time commands) is secured. Most CA Datacom/DB Utility (DBUTLTY) functions secure table access through a DTUTIL resource. A few functions secure READ or ADD access using the specified table class for the record-at-a-time path.
The DTUTIL resource class is used to identify CA Datacom product utility functions and the users that are allowed to execute them. Each resource in the DTUTIL class represents one CA Datacom product function. The resource format varies within each of the three products it supports and between them.
The following are the formats that are discussed later in this chapter:
cxxname.DBUTLTY.function.subfunction
cxxname.DB0nnnn.table.right
cxxname.DQutility.function
cxxname.DD0nnnn.DDutility.function
cxxname.DD0nnnn.table.status.function
cxxname.SQCHECKBINDER
cxxname.SQEXE.plan-authid.plan-name
cxxname.SQBND.plan-authid.plan-name
Some DTUTIL resource class security calls are done using LOG=NONE. They are internal CA Datacom product calls that need to be performed when a selected function spans multiple database resources but the user only has access rights to some of the resources. The resources to which the user does not have access are bypassed.
Externalization of Plan Security
The DTUTIL resource class can be used to secure the use of SQL plans.
Users of CA ACF2, CA Top Secret, and RACF can take advantage of SQL plan security by using statements in the security package. These statements are equivalent to the SQL GRANT and REVOKE statements to control the plan EXECUTE, plan BIND, and system level CHECKBINDER privileges.
Use the following resource names to secure plans. The resource class for all three resource names is DTUTIL. System-level authority to secure plans is established with cxxname.SQCHECKBINDER.
Resource names for the system-level authority and for the execute and bind privileges on a plan:
cxxname.SQCHECKBINDER
cxxname.SQEXE.plan-authid.plan-name
cxxname.SQBND.plan-authid.plan-name
Because resource names are limited to 40 characters in at least one external security package, the combination of plan-authid, plan-name, and the "." should (assuming a cxxname of 8 characters) be limited to a maximum of 25 characters. This could be accomplished by establishing a naming convention limiting plan names to 16 characters and authids to 8 characters.
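The length budget described above can be checked before plan security is externalized. The following is an added example, not CA Datacom code: it builds the SQEXE and SQBND resource names for a list of plans and reports any that exceed the 40-character limit. The cxxname PRODCXX1, the plan names, and the function names are constructed for illustration.

```python
from typing import NamedTuple

MAX_RESOURCE_LEN = 40                 # limit the page cites for at least one security package
PLAN_QUALIFIERS = ("SQEXE", "SQBND")  # plan-level DTUTIL qualifiers listed on the page


class Finding(NamedTuple):
    resource: str
    length: int
    over_by: int   # characters beyond the limit, 0 if the name fits


def plan_budget(cxxname, limit=MAX_RESOURCE_LEN):
    """Characters left for 'plan-authid.plan-name', the separating dot included."""
    fixed = len(cxxname) + 1 + max(len(q) for q in PLAN_QUALIFIERS) + 1
    return limit - fixed


def plan_resources(cxxname, authid, plan):
    """Build the SQEXE and SQBND resource names for one plan."""
    for part in (cxxname, authid, plan):
        # Added sanity check (not from the page): an empty part or an embedded
        # dot would change the number of qualifiers in the resource name.
        if not part or "." in part:
            raise ValueError(f"invalid name component: {part!r}")
    return [f"{cxxname}.{q}.{authid}.{plan}" for q in PLAN_QUALIFIERS]


def audit(cxxname, plans, limit=MAX_RESOURCE_LEN):
    """Return a Finding for every plan resource name, flagging those over the limit."""
    findings = []
    for authid, plan in plans:
        for res in plan_resources(cxxname, authid, plan):
            findings.append(Finding(res, len(res), max(0, len(res) - limit)))
    return findings


# Constructed sample data: the cxxname and the plans are made up for this example.
SAMPLE_CXX = "PRODCXX1"
SAMPLE_PLANS = [
    ("PAYROLL", "MONTHLY_CLOSE_01"),       # 7 + 1 + 16 = 24, fits
    ("FINANCE1", "QUARTERLY_REPORT"),      # 8 + 1 + 16 = 25, exactly at the limit
    ("FINANCE1", "QUARTERLY_REPORT_V2"),   # 8 + 1 + 19 = 28, three over
]

if __name__ == "__main__":
    print("budget for authid.plan:", plan_budget(SAMPLE_CXX))
    for f in audit(SAMPLE_CXX, SAMPLE_PLANS):
        status = f"OVER by {f.over_by}" if f.over_by else "ok"
        print(f"{f.length:>3} {status:<10} {f.resource}")
```

A shorter cxxname leaves a larger budget, so run the check with the actual cxxname of each environment rather than assuming 8 characters.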
Copyright © 2014 CA.
All rights reserved.