When CA Datacom implements security features, it does so by implementing a level of security in the DTSYSTEM resource class. This resource class is defined for each CA ACF2 system; therefore, we recommend that you define this resource class last (or after all other specifications are defined). A level consists of a pair of resource names in the DTSYSTEM resource class.
The resource names ACTIVATE.LEVELnn.PASS and ACTIVATE.LEVELnn.FAIL are validated against the logon ID associated with the CA Datacom MUF. If access is allowed to the PASS resource and access is denied for the FAIL resource, that level of security is considered in force (external security is active) and further checks are made based on the level. For more information regarding CA Datacom external security and security levels, see Process Overview.
The following is an example of the step that activates CA ACF2 external security for the CA Datacom system at LEVEL04. This activates CA ACF2 external security for CA Datacom/DB, CA Datacom Datadictionary, and CA Dataquery. It allows the MUF to make further checks to verify that the user attempting to access specific resources has the appropriate authority.

    SET RESOURCE(DTS)
    COMPILE
    $KEY(ACTIVATE) TYPE(DTS)
    $USERDATA(Rule to activate CA ACF2 security for CA Datacom)
     LEVEL04.PASS UID(logonid) ALLOW
     LEVEL04.FAIL UID(logonid) PREVENT
    STORE
The following is an example of how to change the permission from denied to allowed for the CA Datacom system. This definition allows full access to CA Datacom/DB, CA Datacom Datadictionary, and CA Dataquery while you are completing your definitions.
    SET RESOURCE(DTS)
    COMPILE
    $KEY(ACTIVATE) TYPE(DTS)
    $USERDATA(Rule to suppress security)
     LEVEL04.PASS UID(logonid) PREVENT
     LEVEL04.FAIL UID(logonid) ALLOW
    STORE
LEVEL04 represents the security level (LEVELnn where nn can be 01 through 05). The logonid in these examples is the CA ACF2 UID string for the logonid associated with the MUF address space.
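The following added example (not CA code) reviews rule text before it is stored and reports, for each LEVELnn pair, whether the level would be in force under the PASS-allowed and FAIL-denied condition described above. It assumes the rule-line form shown on this page, a literal UID string, and a MUF logonid that is not NON-CNCL; the UID value MUFPROD and all function names are constructed for illustration.

```python
import re

# Matches only the rule-line form shown on this page, for example:
#   LEVEL04.PASS UID(logonid) ALLOW
RULE_LINE = re.compile(
    r"^\s*LEVEL(0[1-5])\.(PASS|FAIL)\s+UID\(([^)]*)\)\s+(ALLOW|PREVENT)\s*$")

def parse_activate_rules(deck):
    """Collect {(level, uid): {"PASS": action, "FAIL": action}} from rule text."""
    rules = {}
    for line in deck.splitlines():
        m = RULE_LINE.match(line)
        if m:
            level, which, uid, action = m.groups()
            rules.setdefault((level, uid), {})[which] = action
    return rules

def level_state(entry):
    """Classify one PASS/FAIL pair using the condition stated on the page."""
    p, f = entry.get("PASS"), entry.get("FAIL")
    if p is None or f is None:
        return "incomplete"        # half of the pair is missing from the text
    if p == "ALLOW" and f == "PREVENT":
        return "in force"          # external security active at this level
    return "not in force"          # includes the suppress form (PREVENT/ALLOW)

def audit(deck):
    """Return {(level, uid): state} for every LEVELnn pair found in the text."""
    return {k: level_state(e) for k, e in parse_activate_rules(deck).items()}

# Constructed sample inputs; MUFPROD is a made-up UID string.
ACTIVATE_DECK = """$KEY(ACTIVATE) TYPE(DTS)
 LEVEL04.PASS UID(MUFPROD) ALLOW
 LEVEL04.FAIL UID(MUFPROD) PREVENT
"""
SUPPRESS_DECK = """$KEY(ACTIVATE) TYPE(DTS)
 LEVEL04.PASS UID(MUFPROD) PREVENT
 LEVEL04.FAIL UID(MUFPROD) ALLOW
"""
HALF_DECK = """$KEY(ACTIVATE) TYPE(DTS)
 LEVEL02.PASS UID(MUFPROD) ALLOW
"""

if __name__ == "__main__":
    for name, deck in [("activate", ACTIVATE_DECK),
                       ("suppress", SUPPRESS_DECK),
                       ("half", HALF_DECK)]:
        for (level, uid), state in audit(deck).items():
            print(f"{name}: LEVEL{level} for UID {uid}: {state}")
```

A "not in force" or "incomplete" result on a production rule set is worth a second look, because the suppress form allows full access while it is stored.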
For sites where the logonid that starts the MUF address space is defined as NON-CNCL, the rules discussed previously have no effect on determining the use of CA ACF2 for external security for CA Datacom. To control the use of external security, use CA ACF2 SAFDEFs to return the proper return codes to CA Datacom/DB to enforce the desired level of security. For example, the following SAFDEFs are equivalent to the first example: they activate external security for CA Datacom/DB, CA Datacom Datadictionary, and CA Dataquery for all MUF address spaces that have the NON-CNCL privilege:

    SET CONTROL(GSO)
    INSERT SAFDEF.DCFAIL FUNCRET(8) FUNCRSN(0) ID(DATACOMF) MODE(IGNORE) -
    RACROUTE(REQUEST=AUTH,CLASS=DTSYSTEM,ENTITYX=ACTIVATE.LEVEL04.FAIL) -
    RETCODE(8) USERID(********)
    INSERT SAFDEF.DCPASS FUNCRET(0) FUNCRSN(0) ID(DATACOMP) MODE(IGNORE) -
    RACROUTE(REQUEST=AUTH,CLASS=DTSYSTEM,ENTITYX=ACTIVATE.LEVEL04.PASS) -
    RETCODE(0) USERID(********)
When changing GSO records, remember to issue the REFRESH command and subsequently any other appropriate commands, such as RELOAD, REBUILD, and so on.
Copyright © 2014 CA.
All rights reserved.