Previous Topic: Access LevelsNext Topic: Resource Security for the IMS /LOCK and /UNLOCK Commands (IMS r9.1 and above)

Implementing Security for IMSDBD Security

DBD Security

A Data Base Descriptor (DBD) is an assembled IMS control block that describes the physical characteristics of a database (including format, contents, and fields of each segment type). The DBD also defines the method of access and the way segment types are physically related.

CA Top Secret provides several options that control the IMS security validation for DBDs. Global control option IMS(IMSDBDVL) enables DBD security in all IMS environments. Control option DL1B(YES) enables DBD security for batch IMS environments.

Note: For DBD security in IMS batch, DL1B(YES) and IMS(IMSDBDVL) must be set. Specifying IMS(NOIMSDBDVL) disables DBD protection in all IMS environments. For more information about using options to control IMS security processing, see the CA Top Secret Control Options Guide.

DBD security is provided for both logical and physical databases.

Ownership of a DBD immediately protects the resource across all defined IMS regions. The PERMIT function of the TSS command grants access to the DBD. DBDs have access levels associated with them; the access level is derived from the function code on the DL/I call. Specifying the PRIVPGM (Privileged Program) keyword limits DBD access to a particular PSB or group of PSBs. Specifying the FACILITY keyword as part of the DBD definition limits DBD use to specific regions. Time of day, day of week, access expiration, and action controls are also available.

The ADD function establishes ownership of the DBD:

TSS ADDTO(DEPT02) DBD(TSTPDA)

The PERMIT function allows update access to the DBD:

TSS PERMIT(USER13) DBD(TSTPDA)
                   ACCESS(UPDATE)

Note: You can also specify ACCESS(INQUIRE) and ACCESS(SET) to use the CEMT transaction in CICS to perform INQUIRE and SET for DBDs.

Example: Apply Limitations to a DBD

This example shows a PERMIT function that includes keywords to apply limitations regarding the DBD:

TSS PERMIT(acid) DBD(TSTPDA) FACILITY(IMSPROD) PRIVPGM(TSTPAA45)
                             TIME(09,18)
                             DAYS(MONDAY,WEDNESDAY,FRIDAY)
                             UNTIL(11/24/99) ACTION(FAIL)
FACILITY(IMSPROD)

Specifies that the DBD is accessible only through the IMSPROD facility. Omission of FACILITY implies access through any defined IMS facility.

PRIVPGM(TSTPAA45)

Specifies that the DBD is accessible only through program TSTPAA45. In the online environment, an associated transaction would have to specify PSB TSTPAA45 to satisfy the permission. In BMP and DL/I batch environments, MEMBER=TSTPAA45 would have been specified for IMSBATCH or DLIBATCH, respectively.

TIME and DAYS

Limits DBD access to a time between 9:00 a.m. and 6:59:59 p.m. on Monday, Wednesday, and Friday.

UNTIL(11/24/99)

Allows DBD access until November 24, 2099, at which point access is no longer allowed. (You can also use the FOR keyword to specify a duration. FOR and UNTIL are mutually exclusive.)

ACTION(FAIL)

Forces the authorization, if used, to be processed in FAIL mode (regardless of the mode in which CA Top Secret is running globally). In FAIL mode, CA Top Secret requires that all users be defined to CA Top Secret. This mode generates violation messages.

Note: The ACTION keyword is compatible with all other PERMIT keywords.