Implementing Security for IMS › Resource Access Security › RAS Transaction Security

RAS Transaction Security

When RAS security is enabled transaction validations occur:

• In message processing regions and Java message regions. Before a transaction is scheduled to execute in the region, IMS performs a security validation to see if the ACID of the region is allowed to execute the transaction. If not, the transaction is not be scheduled in that region.
• In BMPs. If a transaction is read from the IMS message queue, IMS performs a security validation to see if the ACID of the region is allowed to read the transaction.
• In BMPs and Java batch regions. If a transaction is specified in the OUT= parameter in the JCL for the region, IMS performs a security validation to see if the ACID of the region is allowed to generate the transaction.

IMS uses a SAF call to invoke CA Top Secret transaction security. The resource class for these transaction security calls is formed from the prefix "T" and the value established for the RCLASS parameter (which defaults to "IMS"). This is the same resource class that IMS uses for normal transaction validation.

Note: Turn the OPTIONS(27) control option on to translate IMS SAF based TIMS resource class checks to LCF and OTRAN as needed (rather than using TIMS).

CA Top Secret provides a system-supplied resource class TIMS.

Non-default RCLASS Value Use

Rather than use RCLASS to distinguish security permissions for different regions, use separate facilities for distinguished regions and distinguish region-specific permissions by FACILITY.

If the administrator chooses to use a non-default RCLASS value:

• Create an RDT entry for the resulting transaction resource class, concatenating "T" with the RCLASS value. Attributes of the new class should be identical with TIMS
• Inform support of the non-standard usage if problems are encountered

Example: Non-default RCLASS value use

The following instructions assume the use of the TIMS facility for transaction security. Substitute the non‑standard transaction resource class, if one is in use.

This example uses the ADDTO command function to add TIMS as a general resource and establish ownership:

TSS ADDTO(acid) TIMS(transaction)

This example allows the dependent region ACID access to the transaction:

TSS PERMIT(acid) TIMS(transaction)
                 FACILITY(IMSPROD)
TSS PERMIT(acid) TIMS(transaction)

The first permission allows the dependent region access to the transaction only in regions using the IMSPROD facility. The second permission allows the user to execute the transaction unrestricted by facility.

GIMS Resource Class

The GIMS resource class documented in the IMS product documentation for transaction grouping has no meaning in CA Top Secret. Use profiles for transaction grouping or permit individual transactions in the TIMS resource class.