The data set access authorization exit (NMDSNCHK) allows you to check whether a user attempting to dynamically allocate a data set is permitted to do so. This exit is invoked in two situations:
The data set access authorization exit is specified in the NMSECURITY parameter group (enter /PARMS). The default value is usually NMDSNCHK. If you have implemented the NMSAF solution, the default is NMSECDSN.
You can write your own data set access authorization exit to perform any required security checking, and implement it by updating the NMSECURITY parameter group.
Note: This section only applies to CA SOLVE:FTS.
CA SOLVE:FTS does not attempt to control or prevent access by private users to any data sets. The system does, however, provide an exit to an installation-provided routine that may verify that access is to be granted to the requesting user and indicate to CA SOLVE:FTS that the transmission request may or may not proceed.
When a transmission definition is created, it is classified as either a private or system definition. A private definition is usually associated with an individual user, whereas a system definition is usually associated with the installation as a whole and would often be part of the regular operational schedule.
When a private transmission request is scheduled, CA SOLVE:FTS drives the exit at both the transmitting and receiving hosts, with information that includes the user ID of the requestor, the data set to be accessed, and the function to be performed (read for the transmitting host and write for the receiving host).
The user-provided exit may decide whether the user is entitled to request personal access to the data set in question and, if necessary, refer to a proprietary security package in use by the installation, for example, CA ACF2, CA Top Secret, or RACF.
When a system request is scheduled, CA SOLVE:FTS drives the exit specifying that access is required by CA SOLVE:FTS itself, not by the individual user that issued the transmission request. The user exit may therefore identify access requests to sensitive data sets and determine whether the requests are a legitimate part of normal operations or are illegal attempts by individuals to reference data sets to which they should not have access.
Installations that use a security system to govern access to data sets may have to take steps to enable CA SOLVE:FTS itself to access the data sets that it is to transmit. Failure to do this may result in the transmission request failing with a security violation termination. Certain proprietary security packages (for example, RACF) allow access to data sets to be read and written under the auspices of the requesting user ID, rather than CA SOLVE:FTS itself, allowing greater security control at an individual level. For more information, see the Administration Guide.
In addition to the authorization of access to data sets, this exit can be used to fail requests for allocation of new data sets that exceed installation space allocations, attempt to allocate on reserved volumes, or use restricted transmission classes.
If no existing security package is in place, this exit could also be used to verify passwords associated with the access of data sets.
A sample data set access authorization exit called NMDSNCHK is supplied in the distribution libraries. It comes in both load module format and source form. The distributed version authorizes all requests. The source contains extensive documentation and can be used as the base product for tailoring to your installation's requirements.
A second exit (called NMSECDSN) is supplied for use with NMSAF.