Configuring Your System to Enable View Security

The following information is designed for Security Administrators familiar with basic external security concepts related to CA Datacom/DB.

View security is implemented in level 04 or higher security. This level is defined in the same way as the other security levels. To enable this level, the user ID which is associated with the MUF submission must be allowed access to DTSYSTEM resource ACTIVATE.LEVEL04.PASS and denied access to DTSYSTEM resource ACTIVATE.LEVEL04.FAIL.

This feature is enabled based on denial of access to resources to ensure that pre-existing access authorizations that are already in place on your system do not inadvertently enable the feature.

If level 04 or higher security is in place, an additional DTSYSTEM resource (cxxname.SV.ENABLE) is checked at MUF startup. If access is denied to this resource, views can be secured externally. An additional DB00220I message is printed indicating VIEW security is in place.

The following additional edits are performed at MUF startup if YES is specified for the SQLOPTION Multi-User startup option view-security choice that sets the default for the VIEWSEC= Preprocessor option:

  1. Level 04 security is checked to make certain it is in place.
  2. The DTSYSTEM resource cxxname.SV.DEFAULT is checked. Access to this resource must be denied when a default of YES is specified. This edit prevents views from being inadvertently changed to use view security.

If either edit fails, the MUF does not enable but instead receives a DB00205E error with an error code of 1092.
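The startup checks above, modeled as a small decision function that an administrator can use to reason about a planned set of authorizations before bringing the MUF up. This is an added example, not CA code: the function name, the `access` map, and the `PRODCXX` name are constructed, and only level 04 (not the higher levels) is modeled.

```python
# Model of the MUF startup edits described above (illustrative, not vendor code).
# `access` maps a DTSYSTEM resource name to True (access allowed) or False
# (access denied) for the user ID associated with the MUF submission.

def startup_view_security(access, cxxname, vsec_default_yes):
    """Return (level04, views_securable, error) for one MUF startup."""
    # Level 04 needs BOTH conditions: .PASS allowed and .FAIL denied.
    level04 = (access["ACTIVATE.LEVEL04.PASS"]
               and not access["ACTIVATE.LEVEL04.FAIL"])

    # cxxname.SV.ENABLE is only checked once level 04 is in place;
    # denial of access is what makes views securable externally.
    views_securable = level04 and not access[f"{cxxname}.SV.ENABLE"]

    error = None
    if vsec_default_yes:
        # Edit 1: level 04 in place. Edit 2: cxxname.SV.DEFAULT denied.
        if not level04 or access[f"{cxxname}.SV.DEFAULT"]:
            error = ("DB00205E", 1092)
    return level04, views_securable, error

# Constructed sample: authorizations set up deliberately for view security.
GOOD = {
    "ACTIVATE.LEVEL04.PASS": True,
    "ACTIVATE.LEVEL04.FAIL": False,
    "PRODCXX.SV.ENABLE": False,
    "PRODCXX.SV.DEFAULT": False,
}
# Constructed sample: a user ID with blanket access to every resource.
# Because enablement depends on denials, nothing is switched on by accident.
BLANKET = {name: True for name in GOOD}

if __name__ == "__main__":
    print(startup_view_security(GOOD, "PRODCXX", True))
    print(startup_view_security(BLANKET, "PRODCXX", True))
```
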

SQLOPTION Multi-User Startup Option

The view-security specification in the SQLOPTION Multi-User startup option is used to specify the default for the SQL VIEWSEC= Preprocessor option (see View Security SQL Preprocessor Option (VIEWSEC=)).

 ►►─ SQLOPTION ─ option ───────────────────────────────────────────────────────►

 ►─┬────────────────────────────────────────────────────────────┬─────────────►◄
   └─ ,ttmid ─┬───────────────────────────────────────────────┬─┘
              └─ ,mode ─┬───────────────────────────────────┬─┘
                        └─ ,t-out ─┬──────────────────────┬─┘
                                   └─ ,v-sec ─┬─────────┬─┘
                                              └─ ,both ─┘
option

(Required) Indicate if SQL is generated for this MUF.

Valid Entries:

YES or NO

Default Value:

(No default)

,ttmid

(Optional) Specify the CA Datacom/DB database ID used for the SQL Temporary Table Manager area. Allowed only if option (see previous) is set to YES.

Valid Entries:

The DATACOM-ID of the database

Default Value:

17

,mode

(Optional) Specify the edit mode in which SQL programs are processed. You must specify the above parameters before you can specify this parameter.

Value: Meaning

ANSI: All SQL statements must be coded according to ANSI standards. Specifying ANSI overrides any specification for the SQLMODE= Preprocessor option.

DATACOM: CA Datacom/DB extensions to the ANSI standards are allowed in SQL statements. When you specify DATACOM, the SQLMODE= Preprocessor option can be used to specify ANSI, FIPS, or DB2 on a program-by-program basis.

FIPS: All SQL statements must be coded according to Federal Information Processing Standards (FIPS). Specifying FIPS overrides what you specify for the SQLMODE= Preprocessor option.

Valid Entries:

ANSI, DATACOM, or FIPS

Default Value:

DATACOM

,t-out

(Optional) Specify the time-out value in minutes after which inactive SQL logical units of work are automatically closed in a CICS system. SQL Preprocessor option ISOLEVEL= information includes details about logical units of work in an SQL environment. You must specify the above parameters before you can specify this parameter.

If you code zero, no automatic close occurs.

Valid Entries:

0-1440

Default Value:

120

,v-sec

(Optional) Specify the default view security value for the SQL Preprocessor option VIEWSEC= (see View Security SQL Preprocessor Option (VIEWSEC=)). Specify YES to indicate that view security is to be used during the execution of newly prepared and newly rebound plans.

Specify NO to indicate that view security is not to be used during the execution of newly prepared and newly rebound plans.

Note: This choice of security method is made at prepare time rather than during execution. A choice of YES is rejected if view security has not been activated for the MUF using external security.

Important! The value of the SQLOPTION view-security option causes subsequently rebound plans (rebound explicitly or automatically) that do not have an explicit view security specification to change security methods, if necessary, to match the specification. Be aware, therefore, that the security method used by existing plans can be changed intentionally or inadvertently in this way.

Valid Entries:

YES or NO

Default Value:

NO

,both

(Optional) Specify whether both update and read-only cursors are allowed within a plan. YES indicates both are allowed. NO indicates either an update or read-only cursor is allowed.

Valid Entries:

YES or NO

Default Value:

NO

View Security SQL Preprocessor Option (VIEWSEC=)

The VIEWSEC= Preprocessor option is used to specify whether view security is to be used during the execution of newly prepared and newly rebound plans.

VIEWSEC=

Whether view security is used for a particular plan is based on the value of the VIEWSEC= Preprocessor plan option. If VIEWSEC= is not specified, whether a plan uses view security is determined by the value of the view-security specification in the SQLOPTION Multi-User startup option. If neither VIEWSEC= nor the view-security specification in SQLOPTION is used, view security is not used for newly bound or rebound plans.

Specify Y to indicate that view security is to be used during the execution of newly prepared and newly rebound plans.

Specify N to indicate that view security is not to be used during the execution of newly prepared and newly rebound plans.

Note: The default for the VIEWSEC= Preprocessor option is the value of the view-security option in the SQLOPTION Multi-User startup option (see SQLOPTION Multi-User Startup Option for more information) or N if no default was specified.

Also note, the choice of security method is made at prepare-time rather than during execution. A choice of Y is rejected if view security has not been activated for the MUF using external security.

Valid Entries:

Y or N

Default Value:

Value of the view-security specification in the SQLOPTION Multi-User startup option, which itself defaults to N.

Important! The value of the SQLOPTION view-security option causes subsequently rebound plans (rebound explicitly or automatically) that do not have an explicit view security specification to change security methods, if necessary, to match the specification. Be aware, therefore, that the security method used by existing plans can be changed intentionally or inadvertently in this way.
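The rebind behavior described in the Important notes for both SQLOPTION and VIEWSEC= can be checked before a startup option change goes in. The following added example (not CA code) reads the v-sec position from an SQLOPTION statement laid out as in the syntax diagram above and lists the plans whose security method would change at their next rebind. The plan names and the inventory layout are constructed for illustration.

```python
# Which plans change security method at their next rebind? (illustrative)

def parse_vsec(sqloption_line):
    """Return the v-sec default ('YES' or 'NO') from an SQLOPTION statement."""
    keyword, _, operands = sqloption_line.strip().partition(" ")
    if keyword != "SQLOPTION":
        raise ValueError("not an SQLOPTION statement")
    fields = [f.strip().upper() for f in operands.split(",")]
    # Positional order: option, ttmid, mode, t-out, v-sec, both
    vsec = fields[4] if len(fields) > 4 else "NO"  # documented default is NO
    if vsec not in ("YES", "NO"):
        raise ValueError(f"invalid v-sec value: {vsec!r}")
    return vsec

def effective_viewsec(explicit, muf_default):
    """An explicit VIEWSEC= (Y/N) wins; otherwise the SQLOPTION default applies."""
    # muf_default is 'YES' or 'NO'; its first letter is the VIEWSEC= form.
    return explicit if explicit in ("Y", "N") else muf_default[0]

def rebind_drift(plans, sqloption_line):
    """List (plan, current, after) for plans whose method flips on rebind."""
    default = parse_vsec(sqloption_line)
    drift = []
    for name, explicit, current in plans:
        after = effective_viewsec(explicit, default)
        if after != current:
            drift.append((name, current, after))
    return drift

# Constructed inventory: (plan name, explicit VIEWSEC= or None, method today)
PLANS = [
    ("PAYROLL1", "Y", "Y"),
    ("ORDERS01", None, "Y"),   # bound while the MUF default was YES
    ("REPORT07", None, "N"),
    ("AUDIT003", "N", "N"),
]

if __name__ == "__main__":
    for line in ("SQLOPTION YES,17,DATACOM,120,NO,NO",
                 "SQLOPTION YES,17,DATACOM,120,YES,NO"):
        print(line, "->", rebind_drift(PLANS, line))
```

Plans that carry an explicit VIEWSEC= never appear in the result, which is the practical reason to set the option explicitly on any plan whose security method must not move with the MUF default.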