When using preauthorization to restrict a user, the CCDB administrator defines preauthorization relationships between that user and the limited set of dictionary entities that s/he is allowed to modify.
For example, you may want to restrict a programmer trainee (EDBADMIN) to modifying only a limited set of training entities (beginning, in this example, with the characters DEPT). Once a list of preauthorized entities has been established for that user, the user is automatically denied the ability to modify any other dictionary entities.
To accomplish this, you can use the Online front end or Batch front end. In Batch, you would use the ADD PREAUTHORIZATION command. The Batch commands that equate to the next eight Online screens would be as follows:
    ADD PREAUTHORIZATION ENTITY NAME = DEPT* TO USER EDBADMIN.
    MOD SECURITY CLASS DEFAULT-SECURITY NO-AUTH = N LIM-AUTH = N A-OPT NONE.
To accomplish this through the Online front end, perform the following:
    CA-E/DB nn.n volser      PRE-AUTHORIZATION FUNCTIONS      mm/dd/yy NDVRU200
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    OPTION ===> 2

        1 - BROWSE PRE-AUTHORIZATIONS
        2 - ADD PRE-AUTHORIZATIONS
        3 - DELETE PRE-AUTHORIZATIONS
        4 - MODIFY PRE-AUTHORIZATIONS

    ENTITY:                        (IF OPTIONS 1 - 4 )
        NAME    ===> DEPT*
        TYPE    ===>
        VERSION ===>
    USER ===> EDBADMIN             (IF OPTIONS 1 - 4 )
    CCID ===>                      (IF OPTIONS 1 - 4 )
The system responds with a Pre-authorization List screen, which identifies all available entities as specified (DEPT). In the following example, all available programmer training entities (beginning with the characters DEPT) have been listed since the wildcard (*) was specified as part of the ENTITY name qualifier.
    CA-E/DB nn.n volser        PRE-AUTHORIZATION LIST         mm/dd/yy NDVRU210
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    ACTION ===> AUTHORIZE

      USER  CCID       OUT  AUTH  DER  ENTITY NAME      TYP  VERS
    _                  N    N     N    DEPTINQ          DIA  1
    _                  N    N     N    DEPTINQ-ENTER    PRC  1
    _                  N    N     N    DEPTINQ-PREMAP   PRC  1
    _                  N    N     N    DEPTMAP          LOA  1
    _                  N    N     N    DEPTMAP          MAP  1
    _                  N    N     N    DEPTMAP          MOD  1
    s                  N    N     N    DEPTUPD          DIA  1
    s       001 CCIDS  N    Y     N    DEPTUPD-ENTER    PRC  1
    s       001 CCIDS  N    Y     N    DEPTUPD-PREMAP   PRC  1
    * END *
Where AUTH is Y, the entity is already preauthorized. Where DER is Y, one or more preauthorizations exist for the entity to a CCID with the DERIVE CCID option specified. Where OUT is Y, the entity is signed-out. The USER and CCID fields indicate the number of Users and CCIDs to which an entity is preauthorized. In the above example, the last listed entity (DEPTUPD-PREMAP) is preauthorized to one CCID (0001 CCID) with the DERIVE CCID option specified. For more information, use the Browse Preauthorization function for this entity.
Note: This screen lists all entities that have not been preauthorized to user EDBADMIN. User EDBADMIN, as specified on the Pre-authorization Functions screen, will reappear on the Pre-authorization Detail screen on the next page.
The system responds with a Pre-authorization Detail screen for each selected entity. A sample detail screen is shown below.
    CA-E/DB nn.n volser       PRE-AUTHORIZATION DETAIL        mm/dd/yy NDVRM210
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    ACTION ===> AUTHORIZE
    *********************** PRE-AUTHORIZATION INFORMATION ***********************
    DERIVE CCID ===> N   SIGNED OUT ===> N   PRE-AUTHORIZED ===> N
    EST. WORK COMPLETION ===>            ACT. WORK COMPLETION ===>
    COMMENT ===>
    **************************** ENTITY INFORMATION ****************************
    NAME ===> DEPTUPD   VERSION ===> 1   TYPE ===> DIALOG
    COMMENT ===>
    **************************** USER INFORMATION ****************************
    NAME ===> EDBADMIN   LOCKED ===> N   SECURITY CLS ===> NDVR-GLOBAL
    CURRENT CCID ===>
    COMMENT ===> CCDB ADMINISTRATOR
    **************************** CCID INFORMATION ****************************
    NAME ===>   SECURITY CLASS ===>   LOCKED ===>
    COMMENT ===>
User information has already been filled in, based on earlier input from the Pre-authorization Functions screen. This information can be changed to preauthorize a different user, or it can be "spaced out" and replaced with CCID information to preauthorize a CCID.
By pressing ENTER after each detail screen as it appears, you're building a list of the entities preauthorized to the restricted user (EDBADMIN).
If you press PF3, the system cancels your preauthorization request.
When all selected entities (DEPTUPD) have been entered, the system responds with a final list of all "leftover" (not preauthorized) entities remaining from the previous list. This enables you to double-check the list for any entities you may have missed.
    CA-E/DB nn.n volser        PRE-AUTHORIZATION LIST         mm/dd/yy NDVRU210
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    NDVRM210: I002 ALL SELECTED RECORDS PROCESSED
    ACTION ===> AUTHORIZE

      USER  CCID       OUT  AUTH  DER  ENTITY NAME      TYP  VERS
    _                  N    N     N    DEPTINQ          DIA  1
    _                  N    N     N    DEPTINQ-ENTER    PRC  1
    _                  N    N     N    DEPTINQ-PREMAP   PRC  1
    _                  N    N     N    DEPTMAP          LOA  1
    _                  N    N     N    DEPTMAP          MAP  1
    _                  N    N     N    DEPTMAP          MOD  1
    * END *
Note: To preauthorize the same entities to another user, follow the same procedure as above. Another method is to preauthorize entities to a CCID, and then preauthorize users to that CCID. Entities may be preauthorized to single or multiple CCIDs, single or multiple users, or a combination of CCIDs and users. When entities are preauthorized to both Users and CCIDs, this does not force the preauthorized user to use one of the preauthorized CCIDs.
Now that you've built the preauthorization list for the user (EDBADMIN), "alert" the CA Endevor/DB Security System to heed that list. To do this:
    CA-E/DB nn.n volser          MAIN FUNCTION MENU           mm/dd/yy NDVRU000
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    OPTION ===> 10

         1 - SIGNIN/SIGNOUT FUNCTIONS
         2 - AUTHORIZATION FUNCTIONS
         3 - LOCK FUNCTIONS
         4 - ENTITY AND ENTITY CHANGE HISTORY
         5 - CCID AND CCID CHANGE HISTORY
         6 - STATUS AND STATUS ASSOCIATIONS
         7 - USER AND USER CHANGE HISTORY
         8 - DICTIONARY AND DICTIONARY HISTORY
         9 - MANAGEMENT GROUPS AND CCIDS
        10 - ENDEVOR/DB CONTROL FUNCTIONS
        11 - ENDEVOR/DB SIGNON FUNCTION
        12 - RETURN TO IDMS/DC
Press ENTER.
The system responds with the CA-Endevor/DB SYSTEM CONTROL FUNCTIONS screen.
    CA-E/DB nn.n volser  CA-ENDEVOR/DB SYSTEM CONTROL FUNCTIONS  mm/dd/yy NDVRUA00
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    OPTION ===> 5

        1 - BROWSE CCDB DESCRIPTOR RECORD
        2 - MODIFY CCDB DESCRIPTOR RECORD
        3 - BROWSE SECURITY DESCRIPTORS
        4 - ADD A SECURITY DESCRIPTOR
        5 - MODIFY SECURITY DESCRIPTORS
        6 - DELETE SECURITY DESCRIPTORS
        7 - BROWSE MONITOR DICT STAT BLOCKS
        8 - MODIFY MONITOR DICT STAT BLOCKS

    SECURITY CLASS ===>            (IF OPTIONS 3, 4, 5, 6 )
    DICTNAME ===> SRCNDVR          (IF OPTIONS 7, 8 )
Press ENTER.
The system then provides a list of all the Security Classes in the CCDB on the SECURITY CLASS LIST screen.
    CA-E/DB nn.n volser          SECURITY CLASS LIST          mm/dd/yy NDVRUA10
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    ACTION ===> MODIFY

      SECURITY CLASS      COMMENT
    s DEFAULT-SECURITY    SECURITY CLASS FOR RESTRICTED CAPABILITIES
    s QA                  SECURITY CLASS FOR QUALITY ASSURANCE
    s DEVELOPMENT         SECURITY CLASS FOR DEVELOPMENT
    s SUPPORT             SECURITY CLASS FOR TECHNICAL SUPPORT
    s NDVR-DDA            DICTIONARY ADMINISTRATION CAPABILITIES
    s NDVR-GLOBAL         UNIVERSAL ENDEVOR/DB AND DICTIONARY CAPABILITIES
    ** END **
Press ENTER.
The system responds with a SECURITY CLASS DETAIL screen for each Security Class selected on the above list.
LIM-AUTH=Y NO-AUTH=Y
Also, set all A-Opt flags to Y.
LIM-AUTH=N NO-AUTH=N
Also, set all A-Opt flags to N.
Important! Do not set both LIM-AUTH and NO-AUTH to N for the dictionary Security Class NDVR-GLOBAL unless you intend to preauthorize all users to every entity before they update it.
    CA-E/DB nn.n volser         SECURITY CLASS DETAIL         mm/dd/yy NDVRMA10
    USER ===> EDBADMIN   DICTNAME ===> SRCNDVR   MODE ===> UPDATE
    ACTION ===> MODIFY
    ************************** SECURITY CLASS INFORMATION ***********************
    NAME ===> DEFAULT-SECURITY
    COMMENT ===> SECURITY CLASS FOR RESTRICTED CAPABILITIES

    MENU     1 2 3 4 5 6 7 8 9     MENU     1 2 3 4 5 6 7 8
    CONTROL: Y N Y N N N N N       SIGNOUT: Y N N
    LOCK:    N N N N N N N N N     AUTH:    N N N N
    CCID:    Y N N N Y N N N Y     ENTITY:  Y N N N Y Y
    STATUS:  Y N N N Y N N N       USER:    Y N N N Y N N N
    M-GRP:   Y N N N Y N N N       DICT:    Y N N Y N N

    SIGNIN: Y   SO-CCID: N   SO-USER: Y   NO-USER: Y   NO-CCID: Y   NO-AUTH: N
    LIM-AUT: N  NM-MODE: Y   ARCHIVE: Y   MIGRATE: Y   DE-CCID: N   BATCH: N

    ENTITY: SCH DMC FIL TAS SUB USE DES REC SYS APO SET DIA APP ELE QFI PRC TAB FUN
    MODS:   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y
    A-OPT:  N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N

    ENTITY: MOD PHY CLA ATT MAP LOG LIN MSG LOA LR  PRO CCD DIC EUS CCI MGR STA SEC
    MODS:   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y
    A-OPT:  N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N
Note: If there are specific entity types for which preauthorization rules are to be ignored, set those individual A-Opt flags to Y.
Now that the preauthorization list has been built, and the Security Class flags have been set, access for user EDBADMIN (and for all other users with Security Class DEFAULT-SECURITY) is restricted to only those preauthorized entities. If user EDBADMIN attempts to modify an entity to which s/he is not preauthorized, the CA Endevor/DB Security System will prevent access and display an error message to that effect.
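The enforcement described above can be sketched as a small decision model for reviewing a planned configuration. This is an added example, not CA Endevor/DB code: the class and function names are hypothetical, and the trailing-* wildcard rule, the treatment of NO-AUTH=Y with LIM-AUTH=Y as unrestricted, and the entity name PAYROLL are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rules described on this page,
# not CA Endevor/DB code. Class and function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class SecurityClass:
    name: str
    no_auth: bool    # NO-AUTH flag (True = Y)
    lim_auth: bool   # LIM-AUTH flag (True = Y)
    a_opt: set = field(default_factory=set)  # entity types whose A-OPT flag is Y


def matches(pattern: str, entity: str) -> bool:
    """Assumed wildcard rule: a trailing * matches any suffix (as in DEPT*)."""
    if pattern.endswith("*"):
        return entity.startswith(pattern[:-1])
    return entity == pattern


def may_modify(user, sec_class, preauths, entity, entity_type):
    """Return (allowed, reason) for a modification attempt.

    preauths maps a user name to the entity-name patterns preauthorized to it.
    Only the two flag combinations shown on the page are modelled.
    """
    if entity_type in sec_class.a_opt:
        return True, "A-OPT=Y: preauthorization ignored for this entity type"
    if sec_class.no_auth and sec_class.lim_auth:
        # Assumption: both flags set to Y leaves the class unrestricted.
        return True, "NO-AUTH=Y and LIM-AUTH=Y: class is not restricted"
    if sec_class.no_auth or sec_class.lim_auth:
        raise ValueError("mixed NO-AUTH/LIM-AUTH settings are not modelled")
    if any(matches(p, entity) for p in preauths.get(user, [])):
        return True, "entity is preauthorized to the user"
    return False, "entity is not preauthorized to the user"


# Constructed sample data mirroring the page's batch commands.
DEFAULT_SECURITY = SecurityClass("DEFAULT-SECURITY", no_auth=False, lim_auth=False)
PREAUTHS = {"EDBADMIN": ["DEPT*"]}

if __name__ == "__main__":
    for ent, typ in [("DEPTUPD", "DIA"), ("DEPTINQ-ENTER", "PRC"), ("PAYROLL", "DIA")]:
        print(ent, typ, may_modify("EDBADMIN", DEFAULT_SECURITY, PREAUTHS, ent, typ))
```

Running the same check with a class named NDVR-GLOBAL, both flags N and an empty preauthorization map shows every modification denied, which is the situation the Important note warns about.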
To remove preauthorization, select option 3 (DELETE PREAUTHORIZATION) on the Pre-authorization Functions screen.
Copyright © 2013 CA.
All rights reserved.