

Access Levels

The internal security of CA Deliver allows six different access levels. To be compatible with the external security managers, these are compressed into four levels of access. The levels are inclusive: a higher access level implies all lower levels.

Note: Because of the nature of CA Deliver's SAF calls, this is true even when using CA ACF2.

| RMOATHTB Access | RACF | TSS | ACF2 | Description |
|---|---|---|---|---|
| BROWSE | READ | READ | READ | Browses the database |
| UPDATE | UPDATE | UPDATE | UPDATE | Browses and updates the database |
| OPERATOR and UPDATE | CONTROL | CONTROL | DELETE | Provides operator functions such as activation and immediate bundle printing |
| DELETE | ALTER | ALL | ADD | Deletes members from the database |
| RENAME | ALTER | ALL | ADD | Renames members on the database |
| ADMIN | ALTER | ALL | ADD | Provides all of the above |

As mentioned previously, resource names are prefixed with either "RMO." or "RMO#." What follows the prefix depends on the type of resource.

| Resource Type | Data Type | Resource Name | Function |
|---|---|---|---|
| DLV@ACT | Report | RMO(#).reportid | A – Active Display |
| DLV@BACT | Bundle | RMO(#).bundle | A – Active Display |
| DLV@BANR | Banner | RMO(#).banner | N/A |
| DLV@BNDL | Bundle | RMO(#).bundle | B – Bundle Data |
| DLV@DBAS | Database | RMO(#).dbhlq | N/A |
| DLV@DIST | Distribution ID | RMO(#).distid | D – Distribution Data |
| DLV@JOB | Job | RMO(#).job | J – Job Data |
| DLV@PANL | Panel | RMO(#).panel | N/A |
| DLV@REPT | Report | RMO(#).reportid | R – Report Data |

You can use generics. For example, "RMO.*" covers every entity of a given type.

There is a special case for each resource type except DLV@BANR, DLV@DBAS and DLV@PANL. To perform a given function at all, the user must have at least READ access to a resource named "RMO." or "RMO#." for each function. The most visible effect of this is on the CA Deliver Primary Selection panel. For example, a user who does not have READ access to "RMO." in type DLV@REPT does not even have the R (Report Data) option available. Defining this as a generic resource works, but it gives READ access to every resource of that type. To prevent this, grant READ access to a non-generic resource: "RMO." instead of "RMO.*" or "RMO.(G)".
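
The following Python is an added example, not CA Deliver code or one of its sample jobs. It expands an external security manager keyword into the RMOATHTB functions it implies, and classifies constructed permit records by whether the "RMO." gate resource is granted discretely or through a generic. The record layout, function names and state labels are assumptions.

```python
# Added example, not CA Deliver code. Assumption: a profile of "RMO.*" or
# "RMO.(G)" (or the "RMO#." forms) is generic and covers its whole type.
LEVELS = {  # ESM keywords from the table, lowest to highest level
    "RACF": ["READ", "UPDATE", "CONTROL", "ALTER"],
    "TSS": ["READ", "UPDATE", "CONTROL", "ALL"],
    "ACF2": ["READ", "UPDATE", "DELETE", "ADD"],
}
# RMOATHTB functions added at each of the four levels
FUNCTIONS = [["BROWSE"], ["UPDATE"], ["OPERATOR"], ["DELETE", "RENAME", "ADMIN"]]
NO_GATE = {"DLV@BANR", "DLV@DBAS", "DLV@PANL"}  # types without the special case
GATES = ("RMO.", "RMO#.")
GENERIC_GATES = {g + s for g in GATES for s in ("*", "(G)")}
ORDER = ["no-gate", "gate", "generic"]  # weakest to broadest finding


def implied_functions(esm, access):
    """RMOATHTB functions implied by one ESM keyword (levels are inclusive)."""
    rank = LEVELS[esm].index(access)
    return [f for level in FUNCTIONS[: rank + 1] for f in level]


def audit(esm, permits):
    """Map (user, resource type) to how the gate resource is satisfied."""
    findings = {}
    for user, rtype, profile, access in permits:
        if rtype in NO_GATE or access not in LEVELS[esm]:
            continue
        if profile in GATES:
            state = "gate"     # function available, no other resource exposed
        elif profile in GENERIC_GATES:
            state = "generic"  # function available, whole type readable
        else:
            state = "no-gate"  # resource permit alone leaves the option hidden
        key = (user, rtype)
        findings[key] = max(findings.get(key, "no-gate"), state, key=ORDER.index)
    return findings


# Constructed sample permits: (user, resource type, profile, access)
SAMPLE = [
    ("ALICE", "DLV@REPT", "RMO.", "READ"),
    ("ALICE", "DLV@REPT", "RMO.PAYROLL01", "UPDATE"),
    ("BOB", "DLV@REPT", "RMO.*", "READ"),
    ("CAROL", "DLV@JOB", "RMO.JOBA", "CONTROL"),
    ("DAVE", "DLV@PANL", "RMO.*", "READ"),
]

print(audit("RACF", SAMPLE))
```

Entries reported as "generic" are the ones to replace with a discrete "RMO." or "RMO#." permit plus permits on the specific resources the user needs.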

The following sections detail the steps necessary to implement support of external security with CA Deliver. There are descriptions and sample jobs for CA Top Secret, CA ACF2, and IBM's RACF.