The FUNCEQU example provided in Defining SAF Authorization Levels shows a single level authorization. This means that all MENUAUTH/ACTIONS are defined in the FUNCEQU entry with a single SAF value or attribute level of READ. When a user requests an action, the pseudo data set is built and is passed to the site security package. The user's authorization level is returned to ESI and the user can invoke the action for as long as the user has READ access to the pseudo data set.
You can also secure actions by modifying the FUNCEQU entry. Actions should be logically grouped and mapped to different SAF values or attribute levels. When the ACTION_ INITIATION or PACKAGE_ACTIONS security control point is encountered, the pseudo data set is built and passed to the site security package. The user's authorization level is returned to ESI and is compared to the SAF value coded for the action. If the user's authorization level is equal to or greater than the level defined in the SAFAUTH parameter the action is allowed. Otherwise, the action is denied.
The following is an example of a modified FUNCEQU entry with four authorization levels:
FUNCEQU SAFAUTH=READ, X
C1ACTNS=(RETRIEVE,SIGNIN,PDISPLAY,PLIST)
FUNCEQU SAFAUTH=UPDATE, X
C1ACTNS=(ADD,UPDATE,GENERATE)
FUNCEQU SAFAUTH=CONTROL, X
C1ACTNS=(MOVE,SIGNOVR,ARCHIVE,DELETE)
FUNCEQU SAFAUTH=ALTER, X
C1ACTNS=(ENVRNMGR,ALTER, X
PCREATE,PCAST,PREVIEW,PEXECUTE, PDYNAMIC, X
PBACKOUT,PCOMMIT,PSHIP,PUTILITY)
FUNCEQU TYPE=END
In order to initiate a MOVE, SIGNOUT OVERRIDE, ARCHIVE, or DELETE action, the user must have control authority to the pseudo data set. Because DISPLAY is not explicitly coded in a FUNCEQU entry and therefore defaults to SAFAUTH=NONE, all users are granted DISPLAY access provided they pass other appropriate security control points.
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|