Security System Overview › Security Facilities

Security Facilities

The CA Endevor/DB Security System is designed to prevent unauthorized users from modifying entities in the CCDB and/or IDD. There are several reasons for wanting to closely control who modifies what. For example:

• Some entities may be critical or sensitive, and should only be updated by specific users (for example, disbursement programs).
• Some users may be restricted to updating only specific types of entities (for example, programmers may not be allowed to modify schema definitions).
• Some users may be restricted to updating only specific entity occurrences (for example, trainee programmers may be restricted to only updating the classroom study applications).
• Some shops may want to enforce a rule allowing only one programmer (or one group of programmers) to work on an entity at a time. In this case, once someone modifies an entity, no one else is allowed to modify it until the "initial modifier" releases it.
• Certain actions may only be performed by appropriate personnel (for example, migration).

The CA Endevor/DB Security System provides these capabilities through special security facilities.

Note: No CA Endevor/DB security facility is required - they are all optional. If a facility is not needed at a site, it can be disabled.

Entity Type MONITOR Flags

For each entity type that CA Endevor/DB handles, there is a MONITOR flag. The effects of these flags are global: if you set a MONITOR flag to N, then CA Endevor/DB simply ceases to pay any attention to that entity type. At installation time, all MONITOR flags are Y.

SIGNON Rules

There are various rules that govern the CA Endevor/DB signon process. These rules can be determined on a user-by-user basis, or a CCID-by-CCID basis, or can be set globally. These rules determine:

• Whether a USER must be predefined in the CCDB before SIGNON is allowed;
• Whether a password must be correctly specified before SIGNON is allowed;
• Whether the CA IDMS/DC userid must be used as the CA Endevor/DB userid;
• Whether changes by the user to entities in the dictionary must be attributed to the user alone or to a CCID.
• If changes must be attributed to a CCID, whether the user must identify that CCID at SIGNON time or if predefined CCID associations will be used.

SIGNOUT Processing

An entity can be signed out to a USER or a CCID. Once signed out, only users signed on as that USER or under that CCID can update the entity. An entity can be signed out manually or automatically. There is a set of entity type AUTO SIGNOUT flags. For each entity type that CA Endevor/DB handles, there is an AUTO SIGNOUT flag. The effects of these flags are global: if you set an AUTO SIGNOUT flag to Y, an entity is automatically signed out when it is modified. It is signed out to the USER or CCID who modified it. There is also a SIGNOUT function in the Promotion Support Selection utility - if used, all entities selected for migration are signed out when selected, and then signed in when the migration is confirmed.

PREAUTHORIZATION Processing

A USER or CCID can be preauthorized to an entity. Preauthorizations can be used in any or all of five places:

• For specific entities - to set restrictions so that only preauthorized users can change them.
• For specific users - to restrict which entities they are allowed to change.
• To control which users are allowed to SIGNON or to make changes under given CCIDs.
• To control which users are allowed to establish entity-status relationships for certain statuses. These relationships are used to control the promotion process.
• To predefine the CCID to which changes will be attributed for certain entities.

LOCK Processing

A USER, a CCID, or the entire dictionary can be locked.

• Once a USER is locked, no one can sign on as that user or perform any updates as that user.
• Once a CCID is locked, no one can sign on under that CCID or make changes attributed to that CCID.
• Once a DICTIONARY is locked, no one can update anything in that dictionary.

ACTION Rules

There are rules governing the ability to perform various CA Endevor/DB actions. These rules can be set on a user-by-user basis, or a CCID-by-CCID basis, or globally. These rules determine:

• Whether a user is allowed to run the Archive/Compress utility;
• Whether a user is allowed to run the Promotion Support utilities;
• Which functions of the Online front end a user is allowed to operate.
• Whether a user is allowed to run the Batch front end and if so, which functions of the Batch front end a user is allowed to operate.