In all cases, control over the operation of CA SOLVE:FTS in an organization depends heavily upon the number of users that are allowed access and the privileges that those users are given. Access is allocated by user ID, and the various access privileges are described in the following sections.
Functions fall into the following major categories:
When defining a transmission request, you can classify a user as being allowed to define private definitions or system definitions.
A user authorized to define private definitions is entitled to create, modify or delete transmission request definitions on the region's VSAM database, where the names of those definitions are controlled by an access mask associated with the user's user ID. This access mask can be used to limit the user's range of definition names according to installation standards or requirements.
For example, a user's mask of USER01* lets the user access transmission definitions starting with USER01, with the * signifying that the rest of the 12-character definition name may contain any other valid characters.
Alternatively, a mask of ****Z limits the user to accessing definition names of five characters in length that end in Z and with any other combination of characters in the first four positions.
The use of access masks allows transmission definition naming standards to be enforced according to installation requirements.
The default mask value requires definitions accessible to the user to start with their user ID and be followed by any other combination of characters.
When a transmission definition is filed in the VSAM database in which all CA SOLVE:FTS definitions are maintained, the definition is attributed a status of system or private. The status that is applied depends on the definition privilege assigned to the user filing the definition. This attribute cannot be overridden and is not a definition parameter.
Transmission requests that specify execution of a private definition may be issued only by users privileged to issue private transmission requests. When such a transmission request is issued, the access authorization user exit is driven, requesting authorization for personal access to the data sets involved in the transmission by the user that issued the request.
System definitions are assumed by CA SOLVE:FTS to represent transmissions of a production nature (for example report files, off-site backup data sets, data collection files, and so on), which are used in the normal operational processing of the installation. A system definition is assigned the system attribute because it is a definition filed by a user who has system definition privilege assigned to their user ID. The names of the system definitions accessed by a user are limited by their system definition access mask.
The authorization access user exit is driven by CA SOLVE:FTS when a system definition is selected for transmission, specifying that the region requires authorization to access the data sets involved in the transmission.
A user that has authority to create or modify system definitions is not also allowed to define private definitions. This allows complete isolation of the maintenance aspect of system definitions to a specific user ID. It should be noted that the effect of system definition privilege is that the user is entitled to specify that CA SOLVE:FTS will take responsibility for accessing the data sets involved in a transmission.
Important! Assigning system request privilege to a user who also holds system definition privilege may cause a security exposure by allowing one individual effective personal access to any data set that CA SOLVE:FTS is authorized to transmit. You should not assign both system definition and system request privilege to any user without good cause.
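The following audit sketch is an added example, not CA SOLVE:FTS code: it flags users who hold both system definition and system request privilege and lists the system definitions their system access mask reaches. The record layout, privilege labels, sample names and the exact wildcard semantics (a trailing * matches the rest of the name, any other * matches one character) are assumptions inferred from the USER01* and ****Z examples above.

```python
import re

MAX_NAME_LEN = 12  # definition names are at most 12 characters (from the page)

def mask_allows(mask, name):
    """Assumed semantics: a trailing * matches the rest of the name,
    any other * matches exactly one character."""
    if not 0 < len(name) <= MAX_NAME_LEN:
        return False
    trailing = mask.endswith("*")
    body = mask[:-1] if trailing else mask
    pattern = "".join("." if c == "*" else re.escape(c) for c in body)
    return re.fullmatch(pattern + (".*" if trailing else ""), name) is not None

def default_mask(user_id):
    # Default mask: names start with the user ID, then anything (notation assumed).
    return user_id + "*"

def dual_privilege_exposure(users, system_definitions):
    """Map each user holding BOTH system definition and system request
    privilege to the system definitions their system mask reaches."""
    risky = {"system_definition", "system_request"}
    return {
        u["user_id"]: sorted(d for d in system_definitions
                             if mask_allows(u["system_mask"], d))
        for u in users if risky <= u["privileges"]
    }

# Constructed sample data (hypothetical record layout and privilege labels).
SYSTEM_DEFINITIONS = ["BKUPDAILY", "BKUPWEEKLY", "PRODRPT01", "PAYROLLX"]
USERS = [
    {"user_id": "OPER01", "privileges": {"system_request", "system_control"},
     "system_mask": "PROD*"},
    {"user_id": "ADMIN1", "privileges": {"system_definition", "system_request"},
     "system_mask": "BKUP*"},
    {"user_id": "USER01", "privileges": {"private_definition", "private_request"},
     "system_mask": ""},
]

if __name__ == "__main__":
    for user, defs in dual_privilege_exposure(USERS, SYSTEM_DEFINITIONS).items():
        print(f"{user}: holds both system privileges; mask reaches {defs}")
```

A narrow system mask shrinks the list for a flagged user but does not remove the finding; the combination itself is what the note above warns against.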
When issuing a transmission request, you may allow a user to request the transmission of private requests, where the names of the definitions whose execution may be requested are limited by the same access mask as described above.
The request for execution of a private definition is regarded by CA SOLVE:FTS as a request for personal access to the two data sets involved in the definition. The system will drive the authorization access exit specifying the data sets involved and supplying the user ID of the individual that requested execution of the definition. The installation-supplied exit may therefore determine whether the individual should have access to the data sets in question, and if not, may indicate that the transmission should not proceed.
Private request privilege can be held in conjunction with or independently of private or system definition privilege.
A user with system request privilege is entitled to request execution of system definitions according to the restrictions imposed by their system access mask. System request privilege is usually allocated only to CA SOLVE:FTS operators involved in scheduling transmissions associated with production processing.
System request privilege may be held in conjunction with private request privilege. There are different access masks to control the system and private definitions that the user is allowed to request.
By using control privilege, you can allow a user limited control over private requests defined by their private access mask. The control allowed includes the monitoring of the requests' progress or status, and the ability to interrupt or modify the status of the private requests. Private control privilege does not allow access to system requests or the various control panels such as initiator supervision.
A user that is allocated system control privilege is allowed full control over any private requests regardless of their private access mask, and control over those system requests that match the user's system access mask. System control allows full access to all supervisory panels. This privilege level is usually reserved for system operators.
System control privilege is required for operational aspects of CA SOLVE:FTS such as changing the number of initiators active for a particular destination or the request classes being serviced by those initiators.
Although this privilege level allows operational control of the system, the user's ability to modify the status of system requests is still limited by the system mask assigned to their user ID. This allows control over specific system requests to be limited to particular users if so required.