The role is the basic building block of the best-practice security architecture known as role-based security. Role-based security groups users for the purpose of access authorization, which makes administration easier and produces a simpler, more easily understood security policy.
In a role-based security implementation, access authorization to a resource is not given to the individual users who require access. Instead, roles are identified that have a common set of responsibilities and requirements, and for each role the set of users who share it is identified. For example, everyone in a specific job position may share the same responsibilities and therefore the same authorization requirements: the job position is identified as a role, and the people in that position are identified as sharing the role.
A security role is defined for a common set of authorization requirements. Access authorization is given once, to the role, rather than individually to each user. The users who perform the role are attached to it in the security model and, by being attached, acquire all of the access authorizations given to the role. Users typically perform a set of roles in their job function and are attached to the corresponding set of roles in the security model.
When a new user is provisioned, instead of being given access authorizations for each resource they require, they are attached to the roles that correspond to their job requirements. If a user changes job function, they are detached from the roles that correspond to the old job function and attached to the roles that correspond to the new one. When a user is de-provisioned, they are detached from all roles, which removes all of their access authorizations; they may also be removed from the security database.
In the CA Top Secret security model, profiles are the implementation of role-based security. Profiles are defined with the CREATE command, and resource access authorizations are permitted to the profiles with the PERMIT command. Users are attached to a profile with the ADDTO command and detached with the REMOVE command. In this documentation, a reference to a role is understood as a reference to a profile.
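As an added example (not part of the CA Top Secret documentation), the following TSO REXX exec walks through the life cycle described above: define a profile, permit resources to it, attach and detach users, and delete a de-provisioned user. The ACIDs and data set names (DEPT01, PAYCLERK, PAYAUDIT, PAYROLL., USER01, USER02) are hypothetical placeholders chosen for this example; substitute your own.

```rexx
/* REXX */
/* Added example: driving the CA Top Secret profile commands named above   */
/* from a TSO REXX exec. All ACIDs and resource names (DEPT01, PAYCLERK,   */
/* PAYAUDIT, PAYROLL., USER01, USER02) are hypothetical placeholders.      */
address TSO

/* 1. Define the role as a profile ACID owned by a department.             */
call tss "CREATE(PAYCLERK) TYPE(PROFILE) NAME('PAYROLL CLERK') DEPARTMENT(DEPT01)"

/* 2. Permit resources to the profile once, at the least access the role   */
/*    needs; every user attached later inherits exactly these permits.     */
call tss "PERMIT(PAYCLERK) DSNAME(PAYROLL.) ACCESS(READ)"
call tss "PERMIT(PAYCLERK) DSNAME(PAYROLL.INPUT.) ACCESS(UPDATE)"

/* 3. Provision: attach users to the role instead of permitting each user. */
call tss "ADDTO(USER01) PROFILE(PAYCLERK)"
call tss "ADDTO(USER02) PROFILE(PAYCLERK)"

/* 4. Verify what the role can reach and who holds access to the resource. */
call tss "LIST(PAYCLERK) DATA(ALL)"
call tss "WHOHAS DSNAME(PAYROLL.)"

/* 5. Job change: detach the old role, attach the new one (PAYAUDIT is     */
/*    assumed to be a profile created the same way as PAYCLERK).           */
call tss "REMOVE(USER01) PROFILE(PAYCLERK)"
call tss "ADDTO(USER01) PROFILE(PAYAUDIT)"

/* 6. De-provision: detaching from every profile removes all inherited     */
/*    access; the ACID can then be deleted from the security database.     */
call tss "REMOVE(USER02) PROFILE(PAYCLERK)"
call tss "DELETE(USER02)"
exit 0

/* Issue one TSS command and stop the exec on the first failure, so a      */
/* partially applied role definition is not left behind unnoticed.         */
tss: procedure
  parse arg cmd
  "TSS" cmd
  if rc <> 0 then do
    say "TSS" cmd "failed with return code" rc
    exit rc
  end
  return
```

The exec checks the return code after every command so that a failed CREATE or PERMIT does not leave later ADDTO commands attaching users to a role whose permissions are incomplete. Keep ACCESS at the minimum the role needs, and use WHOHAS to confirm that access to the resource reaches users only through the profile rather than through permits on individual user ACIDs.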
Copyright © 2013 CA Technologies.
All rights reserved.