Administering Security › Customizing Parameters that Affect Security

Customizing Parameters that Affect Security

Note: This section does not apply to CA SOLVE:FTS, CA SOLVE:Access, CA SOLVE:InfoMaster, and CA SOLVE:NetMail.

Review the following Customizer parameter groups (/PARMS) for security:

• CMDREPLS
• SECSHIPPING

Command Replacement

The CMDREPLS parameter group specifies which commands are to be intercepted and have an NCL procedure of the same name started instead of the command being executed. This allows you to perform additional security checking on these commands.

Important! If you change the default set of replacements, the functioning of some of the supplied applications may be impacted.

More information:

Product Commands from the OCS Panel or Command Entry Panel

Synchronizing Updates Across Linked Regions

To automatically update UAMS records across all active linked regions, you must enable the automatic propagation facility, known as security shipping.

Note: If security shipping is enabled, it occurs when a user ID or group definition is added, updated, or deleted.

Synchronization depends on whether you make an update from a focal point region or a subordinate region as follows:

• If the update is in a focal point region, the update is synchronized across all active linked regions that are enabled for this feature.
• If the update is in a subordinate region, the update is synchronized across only those active linked focal point regions that are enabled for this feature.

Enabling or disabling the update of UAMS records across multiple regions is the function of parameter group SECSHIPPING. To set or alter this parameter group:

1. Enter /PARMS at the command prompt to display the Customizer : Parameter Groups panel.
2. Apply the U (Update) action to SECSHIPPING, which is located in the SECURITY category.

   With the SECSHIPPING - Ship UAMS Maintenance panel displayed, you can make various settings, by choosing one of the following:

   • Respond YES to both questions.

     This allows all add, update, delete, and password change operations for UAMS records to be propagated to linked regions. (This setting is for regions that do not share a UAMS file and do not use NMSAF or a partial security exit.)

   • Respond YES to the question Ship to Linked Systems? and NO to the question Including Password Changes?

     This allows all add, update and delete operations for UAMS records to be propagated to the linked regions. Update requests from linked regions are processed, but changes to the password field are not. (This setting is for regions that do not share a UAMS file and use NMSAF or a partial security exit.)

   • Respond NO to both questions.

     This means that no UAMS records changes are propagated. If an update is requested from a remote region via this facility, it is refused. If linked regions share a UAMS file, you should choose this setting. Otherwise, you will get error messages when updating shared values on the User Description panel of the user profile.

UAMS updates are sent to linked regions immediately, for security reasons. A UAMS update report is displayed immediately, indicating the success or failure of those updates.

More information:

Defining User Profiles

Troubleshooting

Possible reasons for a remote region update not working include the following:

• The region is not profiled for remote updates. To profile it for remote updates, specify YES in the Ship to Linked Systems? field of its SECSHIPPING parameter group.
• The link or remote region is not active. (Because UAMS update records are not written to a staging file, no record of the update is retained, and the UAMS record in the remote region is not updated.)
• The user does not have UAMS administration authority on the remote region.
• The record or database is locked.
• The UAMS record does not exist. This condition occurs when an administrator updates a user profile record, without providing a new initial password, and there is no associated UAMS record for the remote region. The administrator can remedy this by supplying an initial password. This results in the automatic generation of a UAMS record for the remote region, and resets the users password across all regions.
• You based the user access on a customized user group that does not exist in the remote region.