How Security Options Interact
An understanding of all the options and how they interact is essential to choosing the right combination for your site. CA OPS/MVS has several security options that can interact in the following ways:
- When a user attempts to access a resource, a security check determines the authority of the user initiating the request.
- The user ID the security check (SAF call) uses depends on where the CA OPS/MVS command or function was issued, for example:
  - Commands and functions that are issued from within a REXX program and initiated from the CA OPS/MVS address space use the user ID assigned to the CA OPS/MVS started task.
  - When users execute commands and functions on one of the OSF servers, security uses the value in OPSCONSOLE or OSFPRODUCT to verify the following resources:
    - The user when OSFSECURITY is set to CHECKUSERID.
    - The user ID associated with the OSF started task when OSFSECURITY is set to NOSECURITY.
- When running CA OPS/MVS with the parameter EXTSECURITY set to ON, also set the following OSF parameters as shown:
  OSFSECURE CHECKUSERID
  OSFCONSOLE <site-defined-userid>
  OSFPRODUCT <site-defined-userid>
  - site-defined-userid: Specifies the user ID to authorize for any or all of the CA OPS/MVS facilities secured using external security.
- Security performs the following steps when EXTSECURITY is OFF:
  - Checks for TSO OPER authority.
  - Checks for the existence of security rules and calls the rule when defined.
  - Calls the user exit when no security rule exists for the event.
  Generally, when EXTSECURITY is OFF, the logic flow does not change.
- Security performs the following steps when EXTSECURITY is ON:
  - The SAF call reviews the security for external security resources as follows:
    - If the SAF result is 0 or 4, it reviews your security rules.
    - If the SAF result is 0, it calls the rules. The call is made because the security rules provide a greater degree of refinement than external security.
    - If the SAF result is greater than 4, it rejects the command and stops further checks.
  - CA OPS/MVS calls the user exit OPUSEX, if available, when no security rule exists for the event.
  When EXTSECURITY is ON, its external resource checking takes control, except for the security rules, which can still be coded to supplement or refine it.
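The following Python sketch models the flow described above so that each parameter combination can be tabulated when planning SAF permissions. It is an added example, not CA OPS/MVS code; the function names, step labels and sample user IDs (ALICE, OPSMAIN, OPSOSF) are hypothetical, and it assumes that for SAF results 0 and 4 "reviewing" and "calling" the security rules are the same step.

```python
# Added illustration of the documented flow; not CA OPS/MVS code.
# Function names, step labels and sample user IDs are hypothetical.

def saf_user_id(origin, osfsecurity, requester, ops_stc_id, osf_stc_id):
    """Return the user ID the SAF call checks for the two origins the page names."""
    if origin == "OPS_REXX":  # REXX program initiated from the OPS/MVS address space
        return ops_stc_id
    if origin == "OSF_SERVER" and osfsecurity == "CHECKUSERID":
        return requester
    if origin == "OSF_SERVER" and osfsecurity == "NOSECURITY":
        return osf_stc_id
    raise ValueError("combination not described on the page")


def check_sequence(extsecurity, saf_rc=None, rule_defined=False, exit_available=False):
    """List the checks in the order the page gives them.

    Rule and exit outcomes are not modelled. Assumption: for SAF results
    0 and 4, "reviews" and "calls" the security rules are one step.
    """
    if extsecurity == "OFF":
        return ["check TSO OPER authority",
                "call security rule" if rule_defined else "call user exit"]
    if saf_rc is None:
        raise ValueError("a SAF result is required when EXTSECURITY is ON")
    steps = [f"SAF call, result {saf_rc}"]
    if saf_rc > 4:
        return steps + ["reject command, stop further checks"]
    if rule_defined:
        steps.append("call security rule")
    elif exit_available:
        steps.append("call user exit OPUSEX")
    return steps


if __name__ == "__main__":
    # Constructed request: TSO user ALICE runs a command on an OSF server.
    for mode in ("CHECKUSERID", "NOSECURITY"):
        uid = saf_user_id("OSF_SERVER", mode, "ALICE", "OPSMAIN", "OPSOSF")
        print(f"OSFSECURITY={mode}: SAF checks {uid}")
    for rc in (0, 4, 8):
        print(rc, check_sequence("ON", rc, rule_defined=(rc == 0), exit_available=True))
```

With NOSECURITY every OSF request is checked against the OSF started task's user ID, so any permission granted to that ID applies to all requesters, which is why the page pairs EXTSECURITY ON with CHECKUSERID.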
Review the following security rules, which perform more specific checks: