

Screen Level Protection (SLP)
SLP provides detailed control over the range of values which can be entered in individual fields or in combinations of fields by application end‑users.
SLP is implemented through additional operands MAPREC and SELECT with OTRAN or PPT resources in CICS. SLP should only be used with applications that use only one screen format.
The MAPREC and SELECT keywords reference map field definitions and selection logic which you define in the CA Top Secret Static Data Table (SDT). To implement these definitions, ensure that a sufficient number of SDTBLOCKS are allocated in the security file using the TSSMAINT utility. If a new security file needs to be formatted with additional SDTBLOCKS, copy your current security file into the larger allocation using TSSXTEND.
SLP may be supplemented by Record Level Protection. Before you can implement SLP, initialize the SDT using the TSSMAINT SDTBLOCKS parameter.
The SDT record elements used to implement SLP are:
- MAPREC: Defines the layout of a CICS map, including field name, row, column, and length.
- SELECT: Defines the logic, using Boolean expressions, that specifies who can view and/or change the screen's fields.
Gather SLP Information
Gathering this information helps the implementation run smoothly:
- Determine which of your applications would benefit from SLP. Become familiar with the SDT MAPREC and SELECT functions to see the capabilities of CA Top Secret to define fields on your screen, and to select combinations of range values for those fields to allow proper access. Consider the following when making your decision:
  - SLP can be implemented without program changes.
  - SLP can be altered as the application changes.
  - SLP can prevent individual users or groups of users from entering ranges of data in screen fields which you define.
  - SLP must be altered whenever the application screen format changes.
  - SLP does not prevent an application from displaying data before input takes place. In particular, when a transaction is initiated from a CICS EXEC START command, with input data from the CICS communication area or from CICS temporary storage, SLP provides no protection from unauthorized data being presented to the application end‑user.
  - SLP does not alter the field attributes to make a screen field invisible or inaccessible.
- Gather information about the application (like field names, data types, length of field, and selection criteria).
- Become familiar with the application.
- Plan the details needed to implement SLP for this application. For example, you may decide on selection criteria that limit who can view salary information.
- Determine who is the administrator for implementing SLP and give them MISC3(SDT) authority.
Enter SDT Definitions
All definitions are entered using the TSS ADDTO(SDT) command.
To enter SDT definitions
- Define the MAPREC definitions to the SDT. For example:
TSS ADDTO(SDT) MAPREC(MSDEPT)
MAPDATA(MDEPT,10,8,4)
- (Optional) If you are protecting multiple field maps within one screen, do a separate ADD for each field you want to protect.
- Define the SELECT expressions to the SDT you are using on the PERMIT command. For example:
TSS ADDTO(SDT) SELECT(DP1000)
SELDATA('IF dept EQ "" OR dept GE "1000" AND dept LE "1099"')
- Check whether the field is null, so that Screen Level Protection allows the transaction to continue if it finds no data (null) within the terminal screen.
- Enter the command:
TSS LIST(SDT) RECORD(ALL)
All the records are listed.
- Check the list for the SDT records you just created.
- (Optional) Correct any errors with the command:
TSS REPLACE(SDT)
- Enter the command:
TSS MODIFY(SDTTABLE)
The SDT in‑core tables are refreshed.
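Before loading a SELECT expression, it helps to check its boundaries against sample field values. The following Python model is an added example, not CA Top Secret code; it assumes only the operators shown above, AND binding tighter than OR, and plain character-string comparison, and the names select_allows, DP1000 and NO_NULL_CHECK are hypothetical.

```python
import re
import operator

# Hypothetical model of a SELDATA expression, not CA Top Secret's evaluator.
# Assumptions: only the operators shown on the page (EQ, GE, LE, AND, OR),
# AND binds tighter than OR, values compare as plain character strings.
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_]\w*))')
COMPARE = {"EQ": operator.eq, "GE": operator.ge, "LE": operator.le}

def tokenize(expr):
    """Return ('lit', text) for quoted literals and ('word', text) otherwise."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}")
        tokens.append(("lit", m[1]) if m[1] is not None else ("word", m[2]))
        pos = m.end()
    return tokens

def select_allows(expr, fields):
    """True if the screen field values in `fields` satisfy the expression."""
    tokens = tokenize(expr)
    if tokens[:1] == [("word", "IF")]:
        tokens.pop(0)

    def comparison():
        kinds = [kind for kind, _ in tokens[:3]]
        if kinds != ["word", "word", "lit"] or tokens[1][1] not in COMPARE:
            raise ValueError("expected: field OP \"literal\"")
        name, op, literal = (tokens.pop(0)[1] for _ in range(3))
        return COMPARE[op](fields.get(name, ""), literal)  # unset field = null

    def conjunction():
        result = comparison()
        while tokens[:1] == [("word", "AND")]:
            tokens.pop(0)
            result = comparison() and result  # always consume the operand
        return result

    result = conjunction()
    while tokens[:1] == [("word", "OR")]:
        tokens.pop(0)
        result = conjunction() or result
    if tokens:
        raise ValueError(f"unexpected token {tokens[0][1]!r}")
    return result

# Constructed samples: the DP1000 expression above, and the same range test without the null check.
DP1000 = 'IF dept EQ "" OR dept GE "1000" AND dept LE "1099"'
NO_NULL_CHECK = 'IF dept GE "1000" AND dept LE "1099"'
```

With these samples, an empty dept field passes DP1000 but fails NO_NULL_CHECK, which is the case the null check in the SELECT definition exists to handle.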
Permit Access to the Defined Maps
You can permit access to defined maps.
To permit access to the defined maps
- Revoke any existing PERMITs that a user may have for this OTRAN or PPT resource.
- Re‑PERMIT the resources using the SELECT and MAPREC clauses. For example:
TSS PERMIT(jane) OTRAN(PAYR)
ACCESS(ALL)
SELECT(dp1000)
MAPREC(ENG1)
Enable SLP Protection
Enable SLP for the facility.
Example: Enable SLP protection
This example enables SLP in the CICS region:
TSS MODIFY FACILITY(cicsprod=SLP=YES)
Copyright © 2014 CA Technologies.
All rights reserved.