Enhancements to Existing Features › Components › Security › Security Data Set Conversion

Security Data Set Conversion

During installation, the conversion utility GSVXCNVS converts the security data set from a previous CA SYSVIEW release to the current release.

By default, the security file conversion marks command authorization for new commands as allowed.

Note: In previous releases, the default action was to fail new commands.

You can modify the default behavior by coding the SYSIN data set for the GSVXCNVS utility. The following example fails new commands for all groups except ADMIN:

//SYSIN  DD  *
  FAILNEWCMDS=YES,GROUP=*ALL*
  FAILNEWCMDS=NO,GROUP=ADMIN
/*

The input processes in the order that it is read and uses the last setting that applies to the user group.

The SPOOL resource has also been expanded to accommodate JES3:

• JES2 now includes the full 6-byte volume name
• JES3 includes the 8-byte DDname

Note: In prior releases of CA SYSVIEW, the SPOOL resource was a 2-byte suffix of the JES2 spool volume. Therefore, modify the resource name of your existing internal security rules for JES2 SPOOL to be the full spool volume name.

External Security Considerations

Commands have been added to CA SYSVIEW in this release. More external security rules could be required.

• Modify any existing rules and profiles for the JES2 SPOOL resource if they were not generic enough to allow access to all spool volumes.

  The entity:

  SV.RESN.<system>.SPOOL.<JES2_ssid>.<2-byte_spool_volume_suffix>
  

  Changed to:

  SV.RESN.<system>.SPOOL.<JES2_ssid>.<6-byte_spool_volume>
  

• The sample SAF exits SAFSECX and JSPLSECX are no longer supported. The SAF entity checking is now internal to CA SYSVIEW. You enable the SAF entity checking by defining a SAF entity class. You can define this class in the External Security Section of the internal security group for the user, or in the GLOBAL group.

  You can call the pre-SAF notification exit before calling SAF. CA SYSVIEW passes the class name and entity name to the exit.

  Note: For more information, see the Security Guide.

• SAF resource calls can now be suspended for a specific resource type. Previously, the ability to suspend all resource calls could be done by granting a user read access to the entity SV.SUSP.<system>.RESN. Now, a specific resource type can be suspended by granting a user read access to the entity SV.SUSP.<system>.RESN.<resource>.

  Code the following suspend rule to suspend all resource checking for the output class a job on the spool is in:

  SV.SUSP.<system>.RESN.OUTCLASS
  

• A new SAF Generator Utility can be used to generate template profiles, or rule definitions that are based on your external security manager.

  Sample JCL to execute the utility is located in:

  SYSVIEW.DEV.BASE.SAMPLIB(GSVUSAFE)
  

  For more information, see the following help topic Implementing External Security (SAF).

Commands Enhanced

The following enhancements have been made to existing commands.

SECURITY

• Security Miscellaneous section

  The Miscellaneous Section of a CA SYSVIEW security user group controls user access to commands that have been defined in multiple command groups.

  • Option: Timeout value (Minutes)

    The amount of time a CICS or VTAM session can be idle before the session is automatically terminated.

    The value is in minutes. A value of 0 (zero) specifies there is no time limit.

    For example, suppose the timeout value is 5. If a user in this group logs in and the user does not enter any input for 5 minutes, then the session is terminated.

    Default: 240

    In previous releases, the default was 0.

• Security Administration - The external security section.

  The External Security Section of a CA SYSVIEW security user group contains the following new option to control external security requests:

  • Option: Bypass internal security call

    Specify a value of YES if you want only the external security determining access. The Internal security is not called before the external security. Access that internal security failed, the external security does not override and allow. This option allows you to use the external security exclusively without having to allow all access in the DEFAULT internal security group.

    Note: When you set this option, Command Groups you defined in the internal security do not participate in determining command and subcommand access.

    Default: No

Security Resources Added

The security resources have been enhanced to include the following new resource:

JESGROUP

JES job class groups.