In the external security system, users are defined with access to specific entities in specific resource classes. When a user signs on to CA Ideal, the resource class for that user ID is checked to determine whether the user can access the signon entity for CA Ideal. Normally for CA Ideal, the signon entity name is $ISIGNON. However, you can change the name of the signon entity by including the SECPRFX parameter in the IDOPTS table. This lets you restrict access to CA Ideal systems in different CICS regions through the resource class definitions in your security system, based on the signon entities defined for each region with a different @IIDOPTS load module. See the section titled Enabling External Security in this chapter for specific information about external security.
Note: This option is used only with external security systems.
The format of the SECPRFX option is:
SECPRFX=xx
The value of xx is a two-character value used as the prefix to the value SIGNON to create a resource class member name for the CA Ideal environment controlled by this @IIDOPTS load module. If you do not specify this parameter, the prefix is $I.
In a production environment that uses transparent signon, users do not normally see the CA Ideal signon screen. This provides an extra measure of security for the production environment. However, the CA Ideal signon screen displays if an undefined user tries to sign on and your external security system does not reject undefined users. To prevent this from happening:
If your production region uses a separate @IIDOPTS load module, you can also use the resource class entity names to enhance security for production systems. To use the resource class as an additional security measure for your production region, use the SECPRFX parameter in the IDOPTS table to establish different resource entity names for each CICS region that has a separate @IIDOPTS load module. Then you can define your user groups in the security system with separate CACMD entity names, restricting their access to a specific CICS region.
For example, if you have separate development and production environments, you can set the SECPRFX parameter to two different values, one in each version of the @IIDOPTS load module. If the SECPRFX parameter for the development system is DI and the SECPRFX parameter for the production system is PI, you could then define two or more user groups with access to these different resource class signon entities.
In the following table, three user groups are defined:
| User Name | Resource Class | Signon Entity |
|---|---|---|
| DEV1 | CACMD | DISIGNON |
| QA | CACMD | DISIGNON PISIGNON |
| PROD | CACMD | PISIGNON |
The resource class name is not CACMD for all security products. The value set by the SECPRFX parameter is prefixed to the value SIGNON to create the resource class signon entity name. Specific examples for different security products are shown in the upcoming section titled Enabling External Security.
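The following added example (not CA code, and not part of the original documentation) models the naming rule above and checks whether the signon entity names actually separate regions. It uses the permits from the table. The region labels, function names and the `audit` helper are assumptions made for illustration; the security product itself is not modeled.

```python
# Added illustration: models the SECPRFX naming rule, not any CA product API.
DEFAULT_PREFIX = "$I"  # prefix the page says applies when SECPRFX is omitted

def signon_entity(secprfx=None):
    """Signon entity name for one @IIDOPTS load module: prefix + SIGNON."""
    prefix = DEFAULT_PREFIX if secprfx is None else secprfx
    if len(prefix) != 2:
        raise ValueError(f"SECPRFX must be two characters, got {prefix!r}")
    return prefix + "SIGNON"

def audit(regions, permits):
    """regions: {region label: SECPRFX value, or None if not specified}
    permits: {user group: set of signon entities it may access}
    Returns (access, findings): regions each group can sign on to, and
    configurations where the entity names do not separate regions."""
    entity_of = {r: signon_entity(p) for r, p in regions.items()}
    by_entity = {}
    for region, entity in entity_of.items():
        by_entity.setdefault(entity, []).append(region)
    findings = []
    for entity, rs in sorted(by_entity.items()):
        if len(rs) > 1:
            findings.append(f"{entity} is shared by {sorted(rs)}: "
                            "one permit covers every listed region")
    for group, entities in sorted(permits.items()):
        for entity in sorted(entities - set(by_entity)):
            findings.append(f"{group} is permitted {entity}, "
                            "which no region uses")
    access = {g: sorted(r for r, e in entity_of.items() if e in ents)
              for g, ents in permits.items()}
    return access, findings

# Permits from the page's table; region labels are constructed for the example.
PERMITS = {"DEV1": {"DISIGNON"}, "QA": {"DISIGNON", "PISIGNON"},
           "PROD": {"PISIGNON"}}
SEPARATED = {"development": "DI", "production": "PI"}
DEFAULTED = {"development": None, "production": None}  # SECPRFX omitted

if __name__ == "__main__":
    for label, regions in (("separated", SEPARATED), ("defaulted", DEFAULTED)):
        access, findings = audit(regions, PERMITS)
        print(label, access)
        for finding in findings:
            print("  finding:", finding)
```

With both load modules left at the default prefix, every region resolves to $ISIGNON, so the DISIGNON and PISIGNON permits match no region and the resource class no longer distinguishes development from production.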
Copyright © 2015 CA Technologies. All rights reserved.