Understanding User ID Security Exits

A user ID security exit can be used to provide either partial or full security processing for a region.

Source Code for Sample Exits

Source code for sample exits is distributed with your product. These include a SAF partial exit, CA ACF2 full exits, and RACF full exits. These are supplied as-is, to show how an exit should be written.

Note: Using any form of security exit can have ramifications on some products; for example, on system user IDs. These issues are explained in more detail in the following sections.

Partial Security Exits

If your region operates with a partial security exit, then UAMS password checking functions are disabled. Instead, the exit is called to validate a user ID and password. Typically, this is done with a call to the external security system (for example, RACF).

The exit can also supply overriding or additional user profile attributes, and it can control modeling, whereby users are dynamically created in the UAMS data set the first time that they use this product.

PARTSAF Partial Security Exit

Your product includes a standard partial security exit that uses SAF to communicate with your external security package. If the JCL parameter SEC=PARTSAF is coded, then your region operates with this partial security exit. This exit performs straightforward processing; for example, for logons, it requires the user to be defined to the external security system and validates the password. If a model name is set (by using the SYSPARMS MODLUSER command), and the user is not known to the region, then the user is defined to the region and the nominated model user ID is used to build the user's profile in UAMS.

Full Security Exits

If your region operates with a full security exit, then no UAMS data set is used. The security exit must perform all required security functions. Specifically, it must provide all information about user authority on the region.

Considerations When Using a Security Exit

Some products might not operate correctly if a security exit is in use, because many products make use of system users to perform work. A system user is an internal user that is logged on automatically and does not correspond to any real user. The internal logon occurs even if the security exit reports that the user is not defined. These users can also log on to other regions; when this occurs, the target region's security exit attempts to validate the user.

Thus, if you are using a security exit, these user IDs (that log on to other regions) must be defined to the external security system. However, no specific password is required, because the validation call simply checks that the user is known.

If you have many regions that interconnect, then, by using the NMSUP JCL parameter, you can reduce the number of unique user IDs that must be defined this way. Set the value of NMSUP for all the regions to the same value (for example, NETM). The system user IDs in each region will then have the same names (for example, NETMBSYS, NETMBLOG, NETMAOMP). By default, the prefix is the value of the NMDID parameter.
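The following is an added, constructed model of the decision flow described above for a PARTSAF-style partial exit and for cross-region system-user logons. It is not CA's exit source (the shipped samples are assembler exits that call the external security system); the SAF call, the UAMS data set and the user entries are simulated in memory as assumptions so that the logic can run stand-alone. What it shows is the ordering that matters for security: the external check happens first, a real logon is rejected unless the password verifies, a system user is only checked for existence (so its external definition needs no usable password), and modeling only creates a UAMS profile after external validation has succeeded.

```python
"""Illustrative partial security exit (constructed example, not CA code)."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    """Simulated UAMS user profile record."""
    userid: str
    attributes: dict = field(default_factory=dict)

# Constructed stand-in for the external security system (RACF via SAF).
# NETMBSYS is a system user ID defined with no usable password: the
# exit only checks that such an ID is known when it logs on remotely.
EXTERNAL_SECURITY = {
    "OPER1": {"password": "s3cret"},
    "NETMBSYS": {"password": None},
}

def saf_verify(userid: str, password: Optional[str], check_password: bool) -> str:
    """Stand-in for the SAF verification call.

    Returns 'OK', 'UNKNOWN' (ID not defined externally) or 'BADPW'.
    """
    entry = EXTERNAL_SECURITY.get(userid)
    if entry is None:
        return "UNKNOWN"
    if not check_password:
        return "OK"                      # existence check only (system users)
    stored = entry["password"]
    if stored is None or password is None:
        return "BADPW"                   # an ID with no password cannot log on as a real user
    return "OK" if hmac.compare_digest(stored.encode(), password.encode()) else "BADPW"

class PartialExit:
    """Models SEC=PARTSAF behaviour against a simulated UAMS data set."""

    def __init__(self, uams: dict, model_user: Optional[str] = None):
        self.uams = uams                 # simulated UAMS: userid -> Profile
        self.model_user = model_user     # value set by SYSPARMS MODLUSER, or None

    def logon(self, userid: str, password: Optional[str], system_user: bool = False):
        # 1. Ask the external security system first. A cross-region system
        #    user is validated for existence only; everyone else needs a password.
        rc = saf_verify(userid, password, check_password=not system_user)
        if rc != "OK":
            return ("REJECT", rc)
        # 2. Known to the region already: use the existing profile.
        if userid in self.uams:
            return ("ACCEPT", self.uams[userid])
        # 3. Modeling: define the user to the region from the model profile.
        if self.model_user and self.model_user in self.uams:
            new = Profile(userid, dict(self.uams[self.model_user].attributes))
            self.uams[userid] = new
            return ("ACCEPT", new)
        # 4. No model: externally valid, but not defined to this region.
        return ("REJECT", "NOT-DEFINED-TO-REGION")

def run_demo() -> list:
    """Exercise the exit against constructed input; returns the outcomes."""
    uams = {"MODEL01": Profile("MODEL01", {"auth": "READ"})}
    exit_ = PartialExit(uams, model_user="MODEL01")
    return [
        exit_.logon("OPER1", "s3cret")[0],                      # ACCEPT, modeled
        exit_.logon("OPER1", "wrong")[1],                       # BADPW
        exit_.logon("NOBODY", "x")[1],                          # UNKNOWN
        exit_.logon("NETMBSYS", None)[1],                       # BADPW: real logon needs a password
        exit_.logon("NETMBSYS", None, system_user=True)[0],     # ACCEPT: existence check only
        PartialExit({}).logon("OPER1", "s3cret")[1],            # NOT-DEFINED-TO-REGION
    ]

if __name__ == "__main__":
    print(run_demo())
```

The fourth case is the one worth noting when reviewing an exit: the existence-only path must be reachable solely for genuine system-user logons, otherwise any externally defined ID with no password could be accepted as a real user.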


Copyright © 2010 CA. All rights reserved.