What is a System Resource
A system resource is an entity shared by all CA IDMS processing under the central version.
The following table shows the system resource types and the corresponding resource type keywords used in the SRTT and security information databases:
| Resource type | Keyword |
|---|---|
| Activity | ACTI |
| Application | SAPP |
| Category | CATE |
| Signon | SGON |
| System | SYST |
| System profile | SPRF |
System Dictionary
The system dictionary includes all information required to establish, maintain, and control the processing environment. System resources are defined in the DDLDML area of the system dictionary. A system resource is available to all systems generated from the system dictionary.
Purpose of Categories
The category is a mechanism that allows you to group occurrences of several resource types that you have secured internally so that you can grant privilege on the group of resources.
When you create a category, you assign it a name, allowing you to associate a meaningful identifier with the resources. For example, if you secure tasks internally, you might create a category 'SYS_TASKS' and add the DCMT and DCUF tasks to it. If you secure both tasks and programs, one category could contain both task and program resources.
You can define as many as 32,768 categories for your security scheme.
The following table shows resource types that can be categorized and the corresponding resource type keywords used in the SRTT and security information databases:
| Resource type | Keyword |
|---|---|
| Task | TASK |
| Program | SPGM |
| Load module | SLOD |
| Access module (loadable entity) | SACC |
| Run unit | NRU |
| Queue | QUEU |
Important! If you secure the DB resource, you secure run units and access modules system-wide. You must then categorize load modules in order to grant users execution privilege on them, and you must do the same with access modules unless you choose to grant execution privilege on individual access modules rather than grouping them first.
For more information, see Securing Database Resources.
Defining a Category
You add resources to a category with a CREATE or ALTER CATEGORY statement, as in this example:
create category dcmt add program cdmslib.rhdcmt*;
Granting Privilege on the Category
After you define the category, the only means of access to a resource in the category is execution privilege on the category. You give this privilege to a user with a GRANT statement, as illustrated in this example:
grant execute
on category dcmt
to sam;
Runtime Category Selection
At runtime a given resource name may appear to qualify for assignment in more than one category. Consider these two categories:
create category dcmt add program cdmslib.rhdcmt*;
create category dcmtab add program cdmslib.rhdcmtab;
When the security system processes a security check, it determines the category of the resource being checked by selecting the mask that is closest to the fully qualified name of the resource. For example, given the preceding two categories, the security system will determine that:
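A model of this selection rule for reviewing category definitions, as an added example that is not part of the CA documentation or CA IDMS code. It assumes that "closest" means an exact name beats a wildcard mask and that among wildcard masks the longest literal prefix wins; the program names RHDCMT00 and OTHER are constructed samples, and all function names are hypothetical.

```python
from typing import Optional

# Constructed data mirroring the statements on this page:
# (category, resource type, mask) and (user, category) execute grants.
CATEGORIES = [
    ("DCMT", "PROGRAM", "CDMSLIB.RHDCMT*"),
    ("DCMTAB", "PROGRAM", "CDMSLIB.RHDCMTAB"),
]
GRANTS = {("SAM", "DCMT")}  # grant execute on category dcmt to sam


def mask_score(mask: str, name: str) -> Optional[tuple]:
    """Return a closeness score if the mask covers the name, else None.

    Assumption: a mask is either a full name or a literal prefix ending
    in '*'. Exact match scores highest, then the longest literal prefix.
    """
    mask, name = mask.upper(), name.upper()
    if mask.endswith("*"):
        prefix = mask[:-1]
        return (0, len(prefix)) if name.startswith(prefix) else None
    return (1, len(mask)) if mask == name else None


def resolve_category(rtype: str, name: str, categories=CATEGORIES) -> Optional[str]:
    """Pick the one category whose mask is closest to the resource name."""
    best = None
    for category, cat_type, mask in categories:
        if cat_type != rtype.upper():
            continue
        score = mask_score(mask, name)
        if score is not None and (best is None or score > best[0]):
            best = (score, category)
    return best[1] if best else None


def is_allowed(user: str, rtype: str, name: str, grants=GRANTS,
               categories=CATEGORIES) -> Optional[bool]:
    """True/False for a categorized resource; None if no category covers it
    (uncategorized resources are outside this model)."""
    category = resolve_category(rtype, name, categories)
    if category is None:
        return None
    return (user.upper(), category) in grants
```

Under these assumptions, a user holding execute privilege only on DCMT is not allowed to run CDMSLIB.RHDCMTAB, because the more specific DCMTAB mask claims that program. Re-run a check like this whenever a narrower category is added, since it can change which grant governs an existing resource.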
Copyright © 2014 CA. All rights reserved.