

Resources and Authorizations

The product manages security with a single security class (CHA1VIEW) and fourteen resource types. Each resource type corresponds to data within the database or a database function as shown in the following table.

| Resource Type | Resources Protected |
|---|---|
| BANR | Banner page members |
| DBAS | SARDBASE functions |
| DEV | Device definition (DEF DEV command) |
| DIST | Distribution definition (DEF DIST command and user definition distribution identifier) |
| FILT | Filter definitions (DEF FILTER command) |
| IDXN | Index name |
| IDXV | Index value |
| JOB | Job records |
| NOTE | Annotations and bookmarks |
| PANL | Online panel members |
| REPT | SYSOUTs/Reports |
| RAPS | All pages of a SYSOUT/Report |
| SYS | SYSOUT definition (DEF SYS command) |
| USER | User IDs (DEF USER command) |
| VIEW | Logical Views |

Internal security is mapped into four levels of access to be compatible with the external security managers. The levels are inclusive: a higher access level implies all lower levels. All lower levels are implied even when using CA ACF2, because of the nature of the product's SAF calls.


| RACF | CA Top Secret | CA ACF2 | Description |
|---|---|---|---|
| READ | READ | READ | Read access to resource data. |
| UPDATE | UPDATE | UPDATE | Update access to resource data. |
| CONTROL | CONTROL | DELETE | Special update access |
| ALTER | ALL | ADD | Delete or rename resource data |

For reference purposes, the RACF access levels are used.

The resource name is formatted with information that pertains to the resource type. The following table identifies the structure of the resource name.

| Resource Type | Data Type | Resource Name | Notes |
|---|---|---|---|
| BANR | Banner page members | secid.BANR.member | |
| DBAS | Database | DBAS.dbhlq | |
| DEV | Device | secid.DEV.devicename | |
| DIST | Distribution definition (DEF DISTID command) and user definition distribution id | secid.DIST.distid | |
| FILT | Filter | secid.FILT.filtername | |
| IDXN | Index name | secid.IDXN.indexname | Note: Blanks, asterisks ("*"), and ampersands ("&") within the index name are translated to underscores ("_"), plus signs ("+"), and exclamation points ("!") respectively. This translation allows resource validation with all security products. |
| IDXV | Index value | secid.IDXV.indexname.indexvalue | Note: Blanks, asterisks ("*"), and ampersands ("&") within the index name and value are translated to underscores ("_"), plus signs ("+"), and exclamation points ("!") respectively. This translation allows resource validation with all security products. |
| JOB | Job | secid.JOB.jobname.owner | owner indicates the user ID that submitted the job. |
| NOTE | Annotation and bookmarks | secid.NOTE.type.access.creator.notename | type indicates the type of note: "A" for annotation or "B" for bookmark. access indicates the visibility of the note: "U" for private or "P" for public. creator indicates the user ID that created the annotation or bookmark. |
| PANL | Online panel member | secid.PANL.member | |
| REPT | SYSOUT/Report | secid.REPT.reportid | |
| RAPS | SYSOUT/Report | secid.RAPS.reportid | |
| SYS | SYSOUT definition (DEF SYS command) | secid.SYS.sysoutid | Note: An asterisk ("*") that ends a generic sysout identifier is translated to a plus sign ("+"). This translation allows resource validation with all security products. |
| USER | User ID (DEF USER command) | secid.USER.userid | |
| VIEW | Logical view | secid.VIEW.num.type.viewid | num – three digit numeric logical view number from 000 to 255. type – type of logical view: "G" for global view, "P" for public view, or "U" for private view. Note: An asterisk ("*") that ends a generic view identifier is translated to a plus sign ("+") to allow resource validation with all security products. |

The DBAS resource type is the only resource type that does not contain the security identifier.

Certain SARDBASE utility functions can be performed before the initialization parameters for a database are set; therefore:

To implement DBAS security calls, you must use CVDEJCL member BRMSATHX to install the SARATHU1 exit in the CVDEOPTN library.

There is a special case for resource types BANR, DEV, DIST, FILT, NOTE, PANL, SYS, USER, and VIEW that determines whether the function can be performed.

Defining "secid.VIEW" as a generic resource works but, of course, gives read access to every resource of that type.

To avoid giving this type of access, grant READ access to a non-generic resource: "secid.resourcetype." instead of "secid.resourcetype.*" or "secid.resourcetype.(G)".
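
The following sketch is an added example, not code from the product or its documentation. It builds the resource name that a security profile has to match, applying the character translations and the inclusive access levels from the tables above. The secid PROD, the sample identifiers, and the function names are constructed for illustration.

```python
# Added example; function names and sample values are constructed.
# Translations for index names and values (IDXN, IDXV resource types).
INDEX_XLATE = str.maketrans({" ": "_", "*": "+", "&": "!"})

# Access level names per security manager, lowest to highest.
ESM_LEVELS = {
    "RACF": ["READ", "UPDATE", "CONTROL", "ALTER"],
    "CA Top Secret": ["READ", "UPDATE", "CONTROL", "ALL"],
    "CA ACF2": ["READ", "UPDATE", "DELETE", "ADD"],
}


def xlate_generic(ident):
    """A '*' that ends a generic SYS or VIEW identifier becomes '+'."""
    return ident[:-1] + "+" if ident.endswith("*") else ident


def resource_name(secid, rtype, *parts):
    """Build the resource name for one resource type and its qualifiers."""
    if rtype == "DBAS":  # the only type without the security identifier
        return "DBAS." + parts[0]
    if rtype in ("IDXN", "IDXV"):
        parts = [p.translate(INDEX_XLATE) for p in parts]
    elif rtype == "SYS":
        parts = [xlate_generic(parts[0])]
    elif rtype == "VIEW":
        num, vtype, viewid = parts
        if not 0 <= int(num) <= 255 or vtype not in ("G", "P", "U"):
            raise ValueError("view number is 000-255, type is G, P or U")
        parts = [f"{int(num):03d}", vtype, xlate_generic(viewid)]
    return ".".join([secid, rtype, *parts])


def implied_levels(granted, esm="RACF"):
    """Levels are inclusive: a grant implies every lower level."""
    names = ESM_LEVELS[esm]
    return names[: names.index(granted) + 1]


if __name__ == "__main__":
    print(resource_name("PROD", "IDXV", "ACCT NO", "A&B*"))
    print(resource_name("PROD", "VIEW", 7, "P", "SUM*"))
    print(resource_name("PROD", "DBAS", "VIEW.SYSTEM1"))
    print(implied_levels("DELETE", "CA ACF2"))
```

Comparing the generated names against the profiles actually defined in the security manager shows which translated names a generic profile would also cover.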
