The External Security Interface (ESI) allows you to establish security rules for access to your Environments, Systems, Subsystems, Actions, and so on, within CA Endevor SCM. This is accomplished by defining pseudo data set names and functional access levels in the ESI table (BC1TNEQU) that are tested against the user's access level through the SAF (Security Authorization Facility) interface.
Example: Use the External Security Interface for Functional Access
This example shows how to give developers access to browse (display) elements, listings, packages, and so on, in any environment and to perform various update actions (add, delete, generate, and so on) in the DEV environment only, while giving them no access to perform environment changes or archive actions in any environment.
Assume that you have three environments (DEV, QA, and PRD) and you want the developers to have complete access to the DEV environment and read access to the QA and PRD environments.
This sample BC1TNEQU table includes definitions for three different levels of authority required for three groups of actions in the function equates portion of the table:
********************************************************
ACCESS FOR DEVELOPERS
********************************************************
FUNCEQU SAFAUTH=READ,
        C1ACTNS=(DISPLAY,PDISPLAY)
********************************************************
ACCESS FOR DEVELOPERS
********************************************************
FUNCEQU SAFAUTH=UPDATE,
        C1ACTNS=(ADD,DELETE,
        GENERATE,MOVE,
        PBACKOUT,PCAST,PCOMMIT,PCREATE,PDYNAMIC,
        PEXECUTE,PLIST,PMODIFY,PREVIEW,PSHIP,PUTILITY,
        RETRIEVE,SIGNIN,SIGNOVR,UPDATE)
********************************************************
ACCESS FOR ENDEVOR ADMIN
********************************************************
FUNCEQU SAFAUTH=CONTROL,
        C1ACTNS=(ENVRNMGR,ARCHIVE)
In the name equates portion of the table, which forms the pseudo data set name to be tested, the action initiation parameters are set as follows:
NAMEQU ACTION_INITIATION,
       L1=('C1'),
       L2=(ENVIRONMENT),
       L3=(SYSTEM),
       L4=(SUBSYSTEM),
       L5=(MENUAUTH)
Note: The quoted values in the NAMEQU entries are fixed values; the unquoted values are variables that are resolved at the time an action is attempted.
This sample BC1TNEQU table shows that if developers are given READ access to C1.* and UPDATE access to C1.DEV.*, they can browse (display) elements, listings, packages, and so on, in any environment and perform various update actions (add, delete, generate, and so on) in the DEV environment only. They cannot perform environment changes or archive actions in any environment, because the table requires CONTROL for those actions.
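The decision described above can be traced with a small model. This is an added example, not CA Endevor SCM code: it assumes MENUAUTH resolves to the action name, treats a trailing * as matching any remaining qualifiers, and uses the constructed system and subsystem names FINANCE and AP.

```python
# Added model of the ESI check described above; not CA Endevor SCM code.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # SAF levels, weakest first

# FUNCEQU entries from the sample table: SAFAUTH level -> C1ACTNS.
FUNCEQU = {
    "READ": ["DISPLAY", "PDISPLAY"],
    "UPDATE": ["ADD", "DELETE", "GENERATE", "MOVE", "PBACKOUT", "PCAST",
               "PCOMMIT", "PCREATE", "PDYNAMIC", "PEXECUTE", "PLIST",
               "PMODIFY", "PREVIEW", "PSHIP", "PUTILITY", "RETRIEVE",
               "SIGNIN", "SIGNOVR", "UPDATE"],
    "CONTROL": ["ENVRNMGR", "ARCHIVE"],
}
REQUIRED = {a: lvl for lvl, acts in FUNCEQU.items() for a in acts}

# NAMEQU ACTION_INITIATION: quoted = fixed value, unquoted = resolved per request.
NAMEQU = ["'C1'", "ENVIRONMENT", "SYSTEM", "SUBSYSTEM", "MENUAUTH"]

def pseudo_dsn(request):
    """Build the pseudo data set name for one attempted action."""
    return ".".join(q.strip("'") if q.startswith("'") else request[q] for q in NAMEQU)

def granted_level(dsn, permits):
    """Level from the most specific matching profile (simplified matching)."""
    hits = [p for p in permits if dsn.startswith(p.rstrip("*"))]
    return permits[max(hits, key=len)] if hits else "NONE"

def is_allowed(permits, env, system, subsystem, action):
    """Compare the user's level on the pseudo data set with the FUNCEQU level."""
    required = REQUIRED.get(action)
    if required is None:  # action not in the table: denied in this model
        return False
    # Assumption: MENUAUTH resolves to the action name.
    dsn = pseudo_dsn({"ENVIRONMENT": env, "SYSTEM": system,
                      "SUBSYSTEM": subsystem, "MENUAUTH": action})
    return LEVELS.index(granted_level(dsn, permits)) >= LEVELS.index(required)

# Developer permissions from the text above.
DEVELOPER = {"C1.*": "READ", "C1.DEV.*": "UPDATE"}

if __name__ == "__main__":
    for env, action in [("PRD", "DISPLAY"), ("DEV", "ADD"),
                        ("QA", "ADD"), ("DEV", "ARCHIVE")]:
        print(env, action, is_allowed(DEVELOPER, env, "FINANCE", "AP", action))
```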
The L1 qualifier in this example should not be an actual high-level qualifier that is in use in your shop. Although you may want developers to be able to update source in the DEV environment within CA Endevor SCM, you do not want them to be able to do so outside of CA Endevor SCM. If the actual physical files for DEV are BST.DEV.*, you should give them only read access to this prefix, so that they will only be able to read these files when accessing them outside of CA Endevor SCM.
Note: For more information, see the chapter "Enabling External Security Interface" in the Security Guide.
Copyright © 2014 CA.
All rights reserved.