When using preauthorization to protect critical or sensitive entities, the CCDB administrator is restricting those entities from modification by the general user population. Typical examples would be company payroll and personnel programs that contain confidential information. In this case, users would be preauthorized to make modifications to those sensitive programs. Dictionary entities that were not deemed to be sensitive could be modified by any user.
To accomplish this, the entity can be preauthorized to the user or CCID that will make modifications to the entity. The security classes for the general user population would be modified to disallow modifications to entities that have been preauthorized to another user. You can do this by using either the Online front end or the Batch front end. In Batch, you would use the ADD PREAUTHORIZATION and MODIFY SECURITY CLASS commands. The Batch commands that equate to the next eight Online screens would be as follows:
ADD PREAUTHORIZATION ENTITY NAME = DEPT* TO USER EDBADMIN.
MOD SECURITY CLASS NDVR-DDA NO-AUTH = N LIM-AUTH = Y A-OPT NONE.
MOD SECURITY CLASS SUPPORT NO-AUTH = N LIM-AUTH = Y A-OPT NONE.
MOD SECURITY CLASS PROJECT-LEADER NO-AUTH = N LIM-AUTH = Y A-OPT NONE.
MOD SECURITY CLASS GMG-SECURITY NO-AUTH = N LIM-AUTH = Y A-OPT NONE.
The first command preauthorizes the user EDBADMIN to make modifications to all entities that begin with DEPTUPD. The MODIFY SECURITY commands modify all the security classes for the general user population to disallow modifications to entities for which they have not been preauthorized.
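The following Python sketch is an added example, not part of the CA documentation or product: it reviews a Batch command deck before submission by listing which entities a wildcard preauthorization would cover and checking the NO-AUTH / LIM-AUTH values against the settings this page uses. It assumes a trailing * is a prefix wildcard and that statements end with a period; the entity rows are copied from the Pre-authorization List screen shown later on this page, and the NDVR-GLOBAL statement in the sample deck is constructed to trigger the check.

```python
import re

# (name, type) rows copied from the Pre-authorization List screen on this page.
ENTITIES = [("DEPTINQ", "DIA"), ("DEPTINQ-ENTER", "PRC"), ("DEPTINQ-PREMAP", "PRC"),
            ("DEPTMAP", "LOA"), ("DEPTMAP", "MAP"), ("DEPTMAP", "MOD"),
            ("DEPTUPD", "DIA"), ("DEPTUPD-ENTER", "PRC"), ("DEPTUPD-PREMAP", "PRC")]

# Constructed sample deck: the first three statements follow the page's commands,
# the NDVR-GLOBAL statement is made up to trigger the check.
DECK = """
ADD PREAUTHORIZATION ENTITY NAME = DEPT* TO USER EDBADMIN.
MOD SECURITY CLASS NDVR-DDA NO-AUTH = N LIM-AUTH = Y A-OPT NONE.
MOD SECURITY CLASS SUPPORT NO-AUTH = N LIM-AUTH = Y A-OPT NONE.
MOD SECURITY CLASS NDVR-GLOBAL NO-AUTH = N LIM-AUTH = N A-OPT NONE.
"""

PREAUTH = re.compile(r"ADD PREAUTHORIZATION ENTITY NAME = (\S+) TO USER (\S+)$")
SECCLS = re.compile(r"MOD(?:IFY)? SECURITY CLASS (\S+) NO-AUTH = ([YN]) LIM-AUTH = ([YN])\b")

def matches(pattern, name):
    # Assumption: a trailing * is a prefix wildcard, as the list screen suggests.
    return name.startswith(pattern[:-1]) if pattern.endswith("*") else name == pattern

def review(deck, entities=ENTITIES):
    """Return ({(pattern, user): matched entities}, [findings]) for a command deck."""
    covered, findings = {}, []
    for raw in re.split(r"\.(?:\s+|$)", deck):
        stmt = " ".join(raw.split())          # normalise whitespace
        if not stmt:
            continue
        if m := PREAUTH.match(stmt):
            pattern, user = m.groups()
            covered[(pattern, user)] = [e for e in entities if matches(pattern, e[0])]
        elif m := SECCLS.match(stmt):
            cls, no_auth, lim_auth = m.groups()
            if cls == "NDVR-GLOBAL" and (no_auth, lim_auth) == ("N", "N"):
                findings.append(f"{cls}: NO-AUTH and LIM-AUTH both N")
            elif (no_auth, lim_auth) != ("N", "Y"):
                findings.append(f"{cls}: not NO-AUTH = N / LIM-AUTH = Y")
        else:
            findings.append(f"unrecognized statement: {stmt}")
    return covered, findings

if __name__ == "__main__":
    covered, findings = review(DECK)
    for (pattern, user), hits in covered.items():
        print(f"{pattern} -> {user}: {len(hits)} entities", [n for n, _ in hits])
    print(findings)
```

Against the listed entities, DEPT* covers all nine rows, while a narrower DEPTUPD* pattern covers only the three DEPTUPD entries that the Online walkthrough selects.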
To accomplish this through the Online front end, perform the following:
CA-E/DB nn.n volser      PRE-AUTHORIZATION FUNCTIONS      mm/dd/yy NDVRU200
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
OPTION ===> 2
    1 - BROWSE PRE-AUTHORIZATIONS
    2 - ADD PRE-AUTHORIZATIONS
    3 - DELETE PRE-AUTHORIZATIONS
    4 - MODIFY PRE-AUTHORIZATIONS
ENTITY:  (IF OPTIONS 1 - 4 )
    NAME    ===> DEPT*
    TYPE    ===>
    VERSION ===>
USER ===> EDBADMIN  (IF OPTIONS 1 - 4 )
CCID ===>           (IF OPTIONS 1 - 4 )
Press ENTER.
The system responds with a Pre-authorization List screen, which identifies all available entities as specified (DEPT). In the following example, the entities beginning with the characters DEPT have been listed since the wildcard (*) was specified as part of the ENTITY name qualifier.
CA-E/DB nn.n volser      PRE-AUTHORIZATION LIST      mm/dd/yy NDVRU210
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
ACTION ===> AUTHORIZE
  USER  CCID       OUT  AUTH  DER  ENTITY NAME      TYP  VERS
_                  N    N     N    DEPTINQ          DIA  1
_                  N    N     N    DEPTINQ-ENTER    PRC  1
_                  N    N     N    DEPTINQ-PREMAP   PRC  1
_                  N    N     N    DEPTMAP          LOA  1
_                  N    N     N    DEPTMAP          MAP  1
_                  N    N     N    DEPTMAP          MOD  1
s                  N    N     N    DEPTUPD          DIA  1
s       001 CCIDS  N    Y     N    DEPTUPD-ENTER    PRC  1
s       001 CCIDS  N    Y     N    DEPTUPD-PREMAP   PRC  1
* END *
Where AUTH is Y, the entity is already preauthorized. Where DER is Y, one or more preauthorizations exist for the entity to a CCID with the DERIVE CCID option specified. Where OUT is Y, the entity is signed-out. The USER and CCID fields indicate the number of users and CCIDs to which an entity is preauthorized. In the above example, the last listed entity (DEPTUPD-PREMAP) is preauthorized to one CCID (0001 CCID) with the DERIVE CCID option specified. For more information, use the Browse Preauthorization function for this entity.
Note: This screen lists all entities that have not been preauthorized to User EDBADMIN. User EDBADMIN, as specified on the Pre-authorization Functions screen, will reappear on the Pre-authorization Detail screen on the next page.
Press ENTER.
The system responds with a Pre-authorization Detail screen for each selected entity. A sample detail screen is shown below.
CA-E/DB nn.n volser      PRE-AUTHORIZATION DETAIL      mm/dd/yy NDVRM210
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
ACTION ===> AUTHORIZE
*********************** PRE-AUTHORIZATION INFORMATION ***********************
DERIVE CCID ===> N    SIGNED OUT ===> N    PRE-AUTHORIZED ===> N
EST. WORK COMPLETION ===>
ACT. WORK COMPLETION ===>
COMMENT ===>
**************************** ENTITY INFORMATION ****************************
NAME ===> DEPTUPD    VERSION ===> 1    TYPE ===> DIALOG
COMMENT ===>
**************************** USER INFORMATION ****************************
NAME ===> EDBADMIN    LOCKED ===> N    SECURITY CLS ===> NDVR-GLOBAL
CURRENT CCID ===>
COMMENT ===> CCDB ADMINISTRATOR
**************************** CCID INFORMATION ****************************
NAME ===>
SECURITY CLASS ===>
LOCKED ===>
COMMENT ===>
User information has already been filled in, based on earlier input from the Pre-authorization Functions screen. This information can be changed to preauthorize a different user, or it can be "spaced out" and replaced with CCID information to preauthorize a CCID.
By pressing ENTER after each detail screen as it appears, you're building a list of the entities preauthorized to the restricted user (EDBADMIN).
To cancel your preauthorization request, press PF3.
When all selected entities (DEPTUPD) have been entered, the system responds with a final list of all "leftover" (not preauthorized) entities remaining from the previous list. This enables you to double-check the list for any entities you may have missed.
CA-E/DB nn.n volser      PRE-AUTHORIZATION LIST      mm/dd/yy NDVRU210
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
NDVRM210: I002 ALL SELECTED RECORDS PROCESSED
ACTION ===> AUTHORIZE
  USER  CCID       OUT  AUTH  DER  ENTITY NAME      TYP  VERS
_                  N    N     N    DEPTINQ          DIA  1
_                  N    N     N    DEPTINQ-ENTER    PRC  1
_                  N    N     N    DEPTINQ-PREMAP   PRC  1
_                  N    N     N    DEPTMAP          LOA  1
_                  N    N     N    DEPTMAP          MAP  1
_                  N    N     N    DEPTMAP          MOD  1
* END *
Note: To preauthorize the same entities to another user, follow the same procedure as above. Another method is to preauthorize entities to a CCID, and then preauthorize users to that CCID. Entities may be preauthorized to single or multiple CCIDs, single or multiple Users, or a combination of CCIDs and Users. When entities are preauthorized to both Users and CCIDs, this does not force the preauthorized user to use one of the preauthorized CCIDs.
Now that you've built the preauthorization list for the user (EDBADMIN), "alert" the CA Endevor/DB Security System to heed that list. To do this:
CA-E/DB nn.n volser      MAIN FUNCTION MENU      mm/dd/yy NDVRU000
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
OPTION ===> 10
     1 - SIGNIN/SIGNOUT FUNCTIONS
     2 - AUTHORIZATION FUNCTIONS
     3 - LOCK FUNCTIONS
     4 - ENTITY AND ENTITY CHANGE HISTORY
     5 - CCID AND CCID CHANGE HISTORY
     6 - STATUS AND STATUS ASSOCIATIONS
     7 - USER AND USER CHANGE HISTORY
     8 - DICTIONARY AND DICTIONARY HISTORY
     9 - MANAGEMENT GROUPS AND CCIDS
    10 - ENDEVOR/DB CONTROL FUNCTIONS
    11 - ENDEVOR/DB SIGNON FUNCTION
    12 - RETURN TO IDMS/DC
Press ENTER.
The system responds with the CA-ENDEVOR/DB SYSTEM CONTROL FUNCTIONS screen.
CA-E/DB nn.n volser      CA-ENDEVOR/DB SYSTEM CONTROL FUNCTIONS      mm/dd/yy NDVRUA00
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
OPTION ===> 5
    1 - BROWSE CCDB DESCRIPTOR RECORD
    2 - MODIFY CCDB DESCRIPTOR RECORD
    3 - BROWSE SECURITY DESCRIPTORS
    4 - ADD A SECURITY DESCRIPTOR
    5 - MODIFY SECURITY DESCRIPTORS
    6 - DELETE SECURITY DESCRIPTORS
    7 - BROWSE MONITOR DICT STAT BLOCKS
    8 - MODIFY MONITOR DICT STAT BLOCKS
SECURITY CLASS ===>          (IF OPTIONS 3, 4, 5, 6 )
DICTNAME       ===> SRCNDVR  (IF OPTIONS 7, 8 )
Press ENTER.
The system then provides a list of all the Security Classes in the database on the SECURITY CLASS LIST screen.
CA-E/DB nn.n volser      SECURITY CLASS LIST      mm/dd/yy NDVRUA10
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
ACTION ===> MODIFY
  SECURITY CLASS     COMMENT
s DEFAULT-SECURITY   SECURITY CLASS FOR RESTRICTED CAPABILITIES
s QA                 SECURITY CLASS FOR QUALITY ASSURANCE
s DEVELOPMENT        SECURITY CLASS FOR DEVELOPMENT
s SUPPORT            SECURITY CLASS FOR TECHNICAL SUPPORT
s NDVR-DDA           DICTIONARY ADMINISTRATION CAPABILITIES
s NDVR-GLOBAL        UNIVERSAL ENDEVOR/DB AND DICTIONARY CAPABILITIES
** END **
Press ENTER.
The system responds with a SECURITY CLASS DETAIL screen for each Security Class selected on the above list.
LIM-AUTH=Y NO-AUTH=N
Also, set all A-Opt flags to N.
These screens will set the flags in all the security classes that you have selected.
Important! Do not set both LIM-AUTH and NO-AUTH to N for the dictionary Security Class NDVR-GLOBAL unless your intentions are to preauthorize all users to every entity before they update it.
CA-E/DB nn.n volser      SECURITY CLASS DETAIL      mm/dd/yy NDVRMA10
USER ===> EDBADMIN    DICTNAME ===> SRCNDVR    MODE ===> UPDATE
ACTION ===> MODIFY
************************** SECURITY CLASS INFORMATION ***********************
NAME ===> DEFAULT-SECURITY
COMMENT ===> SECURITY CLASS FOR RESTRICTED CAPABILITIES
MENU 1 2 3 4 5 6 7 8 9          MENU 1 2 3 4 5 6 7 8
CONTROL: Y N Y N N N N N        SIGNOUT: Y Y Y
LOCK: N N N N N N N N N         AUTH: N N N N
CCID: Y N N N Y Y Y Y Y         ENTITY: Y Y Y Y Y Y
STATUS: Y N N N Y Y Y Y         USER: Y N N N Y N N N
M-GRP: Y N N N Y N N N          DICT: Y N N Y Y Y
SIGNIN: Y    SO-CCID: N    SO-USER: Y    NO-USER: Y    NO-CCID: Y    NO-AUTH: N
LIM-AUT: Y   NM-MODE: N    ARCHIVE: N    MIGRATE: N    DE-CCID: N    BATCH: N
ENTITY: SCH DMC FIL TAS SUB USE DES REC SYS APO SET DIA APP ELE QFI PRC TAB FUN
MODS:   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y
A-OPT:  N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N
ENTITY: MOD PHY CLA ATT MAP LOG LIN MSG LOA LR  PRO CCD DIC EUS CCI MGR STA SEC
MODS:   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y   Y
A-OPT:  N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N   N
If there are specific entity types for which preauthorization rules are to be ignored, set those individual A-Opt flags to Y.
Now that the preauthorization list has been built, and the Security Class flags have been set, user EDBADMIN's access (and all other users with Security Class DEFAULT-SECURITY) is restricted to only those preauthorized entities. If user EDBADMIN attempts to modify an entity to which s/he is not preauthorized, the CA Endevor/DB Security System will prevent access and display an error message to that effect.
To remove preauthorization, select option 3 (DELETE PREAUTHORIZATION) on the Pre-authorization Functions screen.
Copyright © 2013 CA.
All rights reserved.