Internal Security › Define Security Levels › Command/Function Panel Security

Command/Function Panel Security

In a broad application area, such as Database Maintenance (SDM0), a single authorization level as defined in the SASSTRAN module is not enough to control database access and update. Therefore, a security method was devised to control access based on panel, function and terminal.

The security table is defined in SASSDSCR. The source for SASSDSCR is distributed in library CAL2SRC. It is composed of SEC macros, which are described here:

SEC SCR=nnn,PAN=nnnnnnnn
   [,ADD={0|nn}]
   [,DEL={0|nn}]
   [,READ={0|nn}]
   [,SUBM={0|nn}]
   [,UPD={0|nn}]
   [,TERMLVL=nn]
   [,TERM=(termn,...)]

SCR=nnn

Identifies the panel. Required. Do not change this value.

PAN=nnnnnnnn

Identifies the panel ID. Required. Do not change this value.

ADD=nn

(Optional) Identifies the authorization level (from 0 to 15) that is required for add type functions such as ADD or SAVE. The default value is 0.

DEL=nn

(Optional) Identifies the authorization level (from 0 to 15) that is required for delete type functions such as DELETE or DD. The default value is 0.

READ=nn

(Optional) Identifies the authorization level (from 0 to 15) that is required for read-only functions such as LIST, FETCH, and so forth. The default value is 0.

SUBM=nn

(Optional) Identifies the authorization level (from 0 to 15) that is required for job submission functions such as RUN or SUBMIT. The default value is 0.

UPD=nn

(Optional) Identifies the authorization level (from 0 to 15) that is required for update type functions such as UPD or REPL. The default value is 0.

The TERMLVL and TERM values are optional but can be used to restrict access by physical terminal.

TERMLVL=nn

(Optional) Identifies the authorization level (from 0 to 15) at which the terminal list is examined for access qualification. This setting lets you restrict certain panel functions like UPD or DELETE to specific terminals but permit functions like LIST without terminal restrictions.

TERM=(term1,...,termn)

(Optional) Identifies one or more terminals to validate when examining function access. The maximum number of characters that can be within the parentheses is 255. If this limit is encountered, specify as many terminal names as can fit. Then code another SEC macro immediately after this one, with the terminals listed in the TERM parameter. For this secondary SEC macro, only the TERM parameter can be coded.

The following logic is employed to control access:

• If the function does not access the database (such as CLEAR, EDIT or FORMAT), no security checking is done.
• If the user has an authorization level of 15 defined in the Security module, the user is allowed to execute all functions.
• In all other cases, the authorization level as defined in the Security module is compared against the following:
  • The security level required for the appropriate panel.
  • The function (READ, ADD, and so forth).

  If the authorization level is less, the command is rejected.

• The TERM list is now examined for terminal restrictions. If no restrictions are found, the command is accepted. If the security level required is less than the TERMLVL value, the command is accepted. Otherwise, the TERM list is examined. If the terminal of the user is not found in this list, the command is rejected.

If EXTERNAL=COMMAND was specified on the SECURITY statement in the CA WA CA 7 Edition initialization file, do not modify SASSDSCR. If CA WA CA 7 Edition native security controls command access, you can modify SASSDSCR to reflect the needs of your installation.

For a sample SMP/E USERMOD to modify the SASSDSCR security table, see member AL2UM04 in the CA WA CA 7 Edition Options library CAL2OPTN.