

Security Components

The CA Endevor/DB Security System consists of assigned security procedures in the CCDB, the security enforcement logic inside the Change Monitor itself, the portions of the MIS Front End used to maintain the CCDB, and the portions of the Promotion Support utilities that perform SIGNOUT and SIGNIN processing. The security administrator uses the MIS Front End to establish the security procedures in the CCDB, and the Change Monitor automatically watches over those procedures. To understand the CA Endevor/DB Security System, it is essential to understand the various security-related data structures in the CCDB, how they interrelate, and how the Change Monitor uses them to provide the features described above.

Dictionary Descriptor

Contains control flags that affect all dictionary entities and users. Some of the SIGNON rule control flags are kept in the Dictionary Descriptor, along with the MONITOR flags and the AUTO SIGNOUT flags. This descriptor also contains a LOCK flag for the dictionary, the name of the Security Class for the dictionary, and the name of a Security Class to use when signon processing is performed without a specified user.

Security Class Descriptor

Contains the remainder of the control flags (those not contained in the Dictionary Descriptor). There is a Security Class associated with the dictionary, with each USER, and with each CCID. During signon processing, the security administrator identifies a dictionary, and optionally a USER and up to 12 CCIDs, each with an associated Security Class. It is possible, then, to have a total of up to 14 Security Class Descriptors implied by the signon process.

The control flags from these Security Class Descriptors are merged under the following rules:

  • An N value for a flag in any Security Class means the user operates with N.
  • A Y value for all security classes means the user operates with Y.

USER Descriptor

Contains the name, password, security class, and most recent list of CCIDs for a user. When a user signs on, if no CCIDs are specified, the stored list is assumed to identify the CCIDs to use; if one or more CCIDs are specified, they are assumed to replace the old list. An exception to this use of Signon CCIDs is when DERIVED CCID processing is in effect for the user. Then Signon CCIDs are not used, and predefined CCID-to-entity associations identify which CCIDs to associate as the updates to dictionary entities occur. The USER Descriptor also contains a LOCK flag for the user.
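The two rules described above, the signon-time merge of Security Class flags (an N in any class wins, Y only when all classes say Y) and the resolution of the Signon CCID list from the USER Descriptor, modelled in Python as an added example; this is not CA Endevor/DB code, and the flag names, descriptor layout, `signon()` helper and sample classes are constructed assumptions.

```python
# Added illustration, not CA Endevor/DB code: merging the Security Class flags
# implied by a signon, and resolving the Signon CCID list from the USER Descriptor.
# Flag names, the descriptor layout and the sample data are constructed.
from dataclasses import dataclass

MAX_SIGNON_CCIDS = 12  # dictionary + user + 12 CCIDs = at most 14 classes

@dataclass
class SecurityClass:
    name: str
    flags: dict  # control flag name -> "Y" or "N"

@dataclass
class UserDescriptor:
    name: str
    security_class: str
    recent_ccids: list  # most recent CCID list, kept in the descriptor
    derived_ccid: bool = False

def merge_flags(classes):
    """N in any class means N; Y only when every class says Y."""
    names = sorted({f for c in classes for f in c.flags})
    # Assumption: a flag a class does not mention counts as N for that class.
    return {f: "Y" if all(c.flags.get(f, "N") == "Y" for c in classes) else "N"
            for f in names}

def resolve_signon_ccids(user, signon_ccids):
    """Apply the Signon CCID rules; may update the user's stored list."""
    if user.derived_ccid:
        return []  # CCIDs come from CCID-to-entity associations as updates occur
    if not signon_ccids:
        return list(user.recent_ccids)  # none given: the stored list applies
    if len(signon_ccids) > MAX_SIGNON_CCIDS:
        raise ValueError(f"at most {MAX_SIGNON_CCIDS} CCIDs may be given at signon")
    user.recent_ccids = list(signon_ccids)  # given: they replace the old list
    return list(signon_ccids)

def signon(dict_class, user_class, user, signon_ccids, ccid_classes):
    """Return the effective CCID list and the merged control flags."""
    ccids = resolve_signon_ccids(user, signon_ccids)
    classes = [dict_class, user_class] + [ccid_classes[c] for c in ccids]
    return ccids, merge_flags(classes)

# Constructed sample: dictionary and user classes allow DELETE, one CCID class does not.
DICT_CLASS = SecurityClass("DICT", {"UPDATE": "Y", "DELETE": "Y"})
USER_CLASS = SecurityClass("DEV", {"UPDATE": "Y", "DELETE": "Y"})
CCID_CLASSES = {"CHG100": SecurityClass("PROD", {"UPDATE": "Y", "DELETE": "N"}),
                "CHG200": SecurityClass("TEST", {"UPDATE": "Y", "DELETE": "Y"})}
```

Signing on with CHG100 yields DELETE = N even though the dictionary and user classes both say Y, which is exactly the restriction the N-in-any rule imposes.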

CCID Descriptor

Contains the name and security class for a CCID. It also contains a LOCK flag for the CCID.

SIGNOUT and PREAUTH Record

Acts as a junction between ENTITY and either USER or CCID. It contains a signout flag, a PREAUTH flag, and a DERIVE CCID flag. A given SIGNOUT/PREAUTHORIZATION record can serve three purposes:

  • To record that an entity is signed out to the user or CCID involved in the junction.
  • To record that the user or CCID involved in the junction is preauthorized to the entity.
  • To record that changes made by any user running in DERIVED CCID mode will be attributed to the CCID that participates in the junction.