

Securing User Profiles

About User Profiles

You define a user profile to specify attributes for a user session in the domain (that is, regardless of the system to which the user is signed on), whether the execution mode is online or batch.

Until you secure the user profile resource, any user can maintain user profile definitions in the user catalog.

How to Secure User Profiles

To secure user profiles internally, include an entry in the SRTT:

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=UPRF,                                           X
      SECBY=INTERNAL

To secure the user profiles externally, include an entry in the SRTT:

#SECRTT    TYPE=ENTRY,                                        X
      RESTYPE=UPRF,                                           X
      SECBY=EXTERNAL,                                         X
      Additional parameters required

Note: For more information, see #SECRTT.

Attributes

An attribute is the combination of a keyword and a value associated with the keyword. A user profile can contain multiple attributes.

Attributes are used by CA IDMS software to control the user session. Attributes can also be retrieved by application programs for additional application security and other purposes.

When you specify an attribute in a user profile definition, you have the option of marking it to indicate that the user is not permitted to override the attribute value at runtime with a DCUF SET PROFILE statement or, for attribute keywords with meaning to CA IDMS, with a SYSIDMS parameter.

Note: For more information about DCUF SET PROFILE, see the CA IDMS System Tasks and Operator Commands Guide.

For more information about SYSIDMS parameters, see the CA IDMS Common Facilities Guide.

How to Define User Profiles

You define a user profile with the CREATE USER PROFILE statement.

In this example, the first statement creates a user profile called MISPROF and the second statement associates the profile with user RKN:

create user profile misprof
  attributes
    dept='0056' override no,
    jobcode='42' override no,
    schema='&user'.,
    prtdest='gdnc005';

alter user rkn
  profile misprof;

Note: For more information about creating and maintaining user profile definitions, see the following sections:

Granting Definition Privileges on User Profiles

You can delegate the authority to define and maintain user profiles by granting definition privileges on user profiles. You can specify any combination of CREATE, ALTER, DROP, and DISPLAY privileges, or you can specify all definition privileges (DEFINE). You can specify WITH GRANT OPTION when you grant these privileges to allow the user to grant the same privileges to another user.

Note: For more information, see GRANT Definition Privileges.

Associating User Profiles with Users

You can associate a user profile with a user in one of the following ways:

User Attributes in a System Profile

A system profile allows you to set the attributes of a user's session for a specific system. The system profile associated with the user is determined in one of the following ways:

Even if there is no system profile specification in GRANT SIGNON or on the #SECRTT, you can tailor a system profile to a user or the user's default group by specifying INCLUDE='&USER'. or INCLUDE='&GROUP'. in a system profile named DEFAULT, because the system searches for the system profile DEFAULT at signon time.

If you have created a system profile with a name that matches the ID of the signed-on user and system profile DEFAULT contains INCLUDE='&USER'., the attributes of the nested system profile with a name matching &USER. are set for the session profile.

If you have created a system profile with a name that matches the name of the signed-on user's default group and system profile DEFAULT contains INCLUDE='&GROUP'., the attributes of the nested system profile with a name matching &GROUP. are set for the session profile.

Scope of Profiles

The scope of system profile DEFAULT is the set of systems that share the SYSTEM.DDLDML area in which DEFAULT is defined. The scope of a user profile is the CA IDMS domain, which is the set of systems that share the SYSUSER.DDLSEC area. System profile attributes take precedence over matching user profile attributes unless the user profile attribute is defined with the OVERRIDE NO parameter.

Note: For more information about system profiles, see the CA IDMS System Tasks and Operator Commands Guide.
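
The precedence and override rules described on this page, modelled as an added Python example (not CA IDMS code and not taken from the product documentation). The dictionary layout, the function names, the values in the RKN system profile and the group name MIS are assumptions made for illustration; MISPROF mirrors the CREATE USER PROFILE example above.

```python
# Simplified model of the precedence rules above; not CA IDMS code.
# User profile: keyword -> (value, overridable). OVERRIDE NO => overridable False.
MISPROF = {  # mirrors the page's MISPROF example; '&USER' is kept unresolved
    "DEPT": ("0056", False),
    "JOBCODE": ("42", False),
    "SCHEMA": ("&USER", True),
    "PRTDEST": ("GDNC005", True),
}
# Constructed system profiles; INCLUDE holds the symbolic named in DEFAULT.
SYSTEM_PROFILES = {
    "DEFAULT": {"INCLUDE": "&USER"},
    "RKN": {"DEPT": "9999", "PRTDEST": "GDNC099"},
}

def system_attrs(profiles, user_id, default_group):
    """Attributes from DEFAULT plus the profile it nests via &USER or &GROUP."""
    default = profiles.get("DEFAULT", {})
    attrs = {k: v for k, v in default.items() if k != "INCLUDE"}
    nested = {"&USER": user_id, "&GROUP": default_group}.get(default.get("INCLUDE"))
    # Assumption (not stated on the page): nested values replace DEFAULT's own.
    attrs.update(profiles.get(nested, {}))
    return attrs

def session_attrs(user_profile, sys_attrs):
    """System profile wins on a matching keyword unless OVERRIDE NO is set."""
    session = dict(sys_attrs)
    for key, (value, overridable) in user_profile.items():
        if not overridable or key not in sys_attrs:
            session[key] = value
    return session

def set_profile(session, user_profile, key, value):
    """Runtime override request, as with DCUF SET PROFILE; False if refused."""
    if key in user_profile and not user_profile[key][1]:
        return False
    session[key] = value
    return True

def unprotected(user_profile, sensitive):
    """Audit check: sensitive keywords that are not marked OVERRIDE NO."""
    return sorted(k for k in sensitive if k in user_profile and user_profile[k][1])

if __name__ == "__main__":
    session = session_attrs(MISPROF, system_attrs(SYSTEM_PROFILES, "RKN", "MIS"))
    print(session)
    print(set_profile(session, MISPROF, "JOBCODE", "99"))
    print(unprotected(MISPROF, {"DEPT", "JOBCODE", "SCHEMA"}))
```

In this model DEPT keeps the user profile value 0056 despite the matching system profile entry, while PRTDEST is replaced; running `unprotected` over the keywords an application relies on for authorization shows which ones still need OVERRIDE NO.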