Understanding Security › Implementing Security

Implementing Security

Security is implemented on two levels:

• Signon access
• Access to functions and resources

There are also additional security options available, in the form of exits.

Note: Background User IDs must be defined to the security system. If you are using an external security package, you must create these definitions within your security system; if you are using UAMS, the definitions are created automatically.

Controlling Signon Access

Signon access to a region is controlled by one or more of the following:

• The User ID Access Maintenance Subsystem (UAMS)
• The NMSAF security solution
• An external security package that performs some or all of the security functions through a full or partial security exit.

UAMS

UAMS is a database of user details and access authority levels used by your product. You can maintain all security details (including user passwords) in UAMS, or you can replace UAMS, either partially or fully, with an external security package.

You can either define each user's user ID separately or add users with the same security requirements by using a UAMS group.

NMSAF Security Solution

The NMSAF security solution is based on the partial security exit facility. It does not replace UAMS but works in conjunction with it.

User ID Security Exits

If your organization has an external security package, such as CA ACF2, CA Top Secret, or IBM RACF, access to that package is provided through one of the following types of exit:

• Partial security exit—password and logon access maintenance is controlled by the external security package while UAMS stores the user access authorities.
• Full security exit—all security functions are maintained and stored by your external security package.

Controlling Access to Functions and Resources

A user's privileges (as defined in their UAMS record or by a full security exit) provide a base level of control over their access authorities to your product region.

You can implement a more granular level of control by implementing resource-level security. This level of security can allow or deny user access to the following functions and resources:

• Individual menus and menu options
• Specific Automation Services system images and resources
• Individual commands
• Individual Customizer parameter groups

You can implement resource-level security by using the Network Partitioning Facility (NPF), or by using an external security option.

NPF uses resource tables to contain access permissions. For resource security to be activated for a user, the user's UAMS record (or its associated group definition) must include an NPF resource list member name.

Alternatively, your external security package can provide resource-level security if it supports SAF. With this option, SAF calls to your external security packages are used to check a user's access permissions. Sample definitions are distributed for CA ACF2, CA Top Secret, and RACF. SAF security checking is performed if the user's UAMS record (or its associated group definition) includes a special, reserved name.

You can also implement a combination of NPF and SAF checking.