

SECURITY Statement

The initialization file contains control statements that define the processing configuration of CA WA CA 7 Edition during startup. The SECURITY control statement determines the security environment for CA WA CA 7 Edition based on user-selected keywords.

This statement has the following format:

SECURITY,NAME=SASSSECI
   [,ACF2CARD={JOBFROM|LOGONID}]
   [,AGCLASS={FACILITY|xxxxxxxx}]
   [,AGUSER=(OWNER,REQ,QJCL,CA7)]
   [,APPL=CA7]
   [,BYPSEC=(1,2,3)]
   [,CCLASS={CALENDAR¹|xxxxxxxx}]
   [,DFLTUSER=xxxxxxxx]
   [,DISPLAY={YES|NO}]
   [,EXTERNAL=(AGENT,CALENDAR,COMMAND,DATASET,LOGON,SUBCHECK,SUBOWNER)]
   [,HIDEGRP={NO|YES}]
   [,HIDEPW={NO|YES}]
   [,HIDEUPD={NO|YES}]
   [,HIDEUSER={NO|YES}]
   [,JCLUID={YES|NO}]
   [,LOADSUBC={YES|NO}]
   [,LOGOPID={YES|NO|ALL}]
   [,MIXPW={NO|YES}]
   [,MULTIJOB={IGNORE|FLUSH|REQUEUE}]
   [,PCLASS=xxxxxxxx]
   [,PROPAGATE={NO|YES}]
   [,PSOWNER={YES|NO}]
   [,RCLASS=xxxxxxxx]
   [,RESLOGON={YES|NO}]
   [,RLOGUID={YES|NO}]
   [,SCLASS={SUBMIT|xxxxxxxx}]
   [,STATSID={YES|NO}]
   [,SUBNOID={NO|YES}]
   [,SUBUID=(OWNER,REQ,QJCL,DEFAULT,CA7)]
   [,UID=xxxxxxxx]
   [,USER=xxxxxxxx]
   [,XBSCLASS={YES|NO}]
   [,XBSUBCHK={YES|NO}]
   [,XPSSID={**NONE**|xxxxxxxx}]

¹ For CA Top Secret, the default for CCLASS is $CALNDR because CALENDAR is a reserved word in CA Top Secret.

SECURITY

Identifies the SECURITY statement that describes the CA WA CA 7 Edition security environment.

NAME

Identifies the load module that contains the security definitions built using the SECURITY macro. This parameter is required for both internal and external security. If you are implementing full external security control for CA WA CA 7 Edition, the default security module SASSSECI can be used. This module is supplied in the CA WA CA 7 Edition load library. If you are using CA WA CA 7 Edition internal security, see the internal security chapter for more information about building and modifying the CA WA CA 7 Edition security module to meet your installation's security requirements.

ACF2CARD

(Optional) For USERID insertion at CA ACF2 sites, CA WA CA 7 Edition adds a control statement to the JCL immediately following the JOB statement. This option controls what type of CA ACF2 control statement is used. JOBFROM is the default. The only other valid value is LOGONID. For more information, see the JCL USERID Format topic.

AGCLASS

(Optional) Specifies the resource class used for security calls that are made from CA WA CA 7 Edition to validate a user's authority to submit agent jobs or execute agent commands. The default resource class is FACILITY. This field can be up to eight characters.

AGUSER

(Optional) Specifies a hierarchy of candidate user ID sources to determine the mainframe user (MFUser) to use for authorizing job submission for agent jobs. This list prioritizes the potential sources for user IDs. The order of specification in the list determines the priority of the user ID to select. If you are validating agent job submissions, authorizations are performed to verify that MFUser is authorized to submit agent jobs to the specific agent name using the agent user ID. The AGCLASS keyword determines the resource class used for the authorization.

If more than one of these subparameters is used, enclose them in parentheses and separate them with commas.

OWNER

Indicates that the job OWNER ID is selected for the MFUser field.

REQ

Indicates the requester ID is a candidate for the MFUser field. The requester ID can be the user ID of a user issuing a DEMAND command to request a job. The requester ID can also be the user ID selected for a job (requester) that then triggers additional jobs. The triggered jobs inherit the user ID. For data set triggers, jobs that create or "post" a data set to CA WA CA 7 Edition have their associated user ID propagated to any later triggered jobs. For the U7SVC and CA WA CA 7 Edition SASSBCLP facilities, the user ID is extracted from the current environment from which the user issues the data set creation or post request.

QJCL

Indicates that the user ID of any user editing queue PARMLIB data for a job is a candidate for the MFUser field. This value would be the user ID of the last person to edit queue PARMLIB data for a job.

CA7

Indicates that the user ID assigned to CA WA CA 7 Edition is selected for the MFUser field.

APPL

(Optional) Identifies the CA WA CA 7 Edition Security Application ID. The application ID, if specified, is used as an additional check during logons. A resource check is performed, using the Security Application ID as the resource name, to validate the authority of the user to access CA WA CA 7 Edition.

BYPSEC

(Optional) Specifies functions for which to bypass UID security when accessing jobs in the database or queues.

Important! We do not recommend the use of these options. Selecting them can result in serious security exposures. Use these options only after careful consideration of the possible consequences of bypassing the CA WA CA 7 Edition security interface.

If more than one of these subparameters is used, enclose them in parentheses and separate them with commas.

1

Indicates that security access to predecessor jobs is not validated during job predecessor definition (DB.3.2). Access to the job for which predecessors are defined is still validated.

2

Indicates that security access to jobs is not validated during forecast processing.

3

Indicates that security access to requirement successor jobs is not validated during job 'purge' delete processing (job definition panel). That is, assume that a user is deleting job A with the PURGE function and job B has job A listed as a predecessor. Job B is updated to remove the predecessor entry for job A without a security check to determine whether the current user has update access to job B.

CCLASS

(Optional) Specifies the resource class being used for security calls that are made from CA WA CA 7 Edition to validate a user's authority to access its calendars. The default resource class is CALENDAR for CA ACF2 and RACF users and $CALNDR for CA Top Secret users. This field can be up to eight characters.

DFLTUSER

(Optional) Specifies the default USERID. This USERID is used when it is requested in the SUBUID hierarchy. This field can be up to eight characters.

DISPLAY

(Optional) Determines whether the USERID is displayed when it is entered on the Logon panel.

YES

Indicates that the USERID is displayed. This value is the default.

NO

Indicates that the USERID is not displayed.

EXTERNAL

(Optional) Identifies the security functions (calls) that external security is to control. Required for external security. CA WA CA 7 Edition internal security controls any security functions that are not specified on the external keyword. This control requires the presence of a CA WA CA 7 Edition security module built using the CA WA CA 7 Edition SECURITY macro. For more information, see the SECURITY macro.

If more than one of these subparameters is used, enclose them in parentheses and separate them with commas.

AGENT

Indicates that any attempt to submit an agent job or execute an agent command is validated through external security.

CALENDAR

Indicates that any attempt to access a CA WA CA 7 Edition base calendar is validated through external security. The security resource class used for such validation is CALENDAR.

COMMAND

Indicates all command functions are validated through external security. This value includes panel access throughout CA WA CA 7 Edition.

DATASET

Indicates that any attempt to access a data set while signed on to CA WA CA 7 Edition is validated through external security.

LOGON

Indicates that logons to CA WA CA 7 Edition are validated through external security. This parameter is the minimum requirement for the EXTERNAL keyword when implementing external security. The security calls to external security during CA WA CA 7 Edition LOGONs establish the security environment for each CA WA CA 7 Edition user.

SUBCHECK

Validates the usage of USERIDs under CA WA CA 7 Edition. Requires that SUBUID be coded.

When a user requests a job through a DEMAND, LOAD, or RUN, CA WA CA 7 Edition attempts to determine the USERID with which the job runs. External security is used to validate the authority of the requester to submit for that USERID. Submit checking is also performed during both JCL and QJCL edits. If a user attempts to add a USERID to the JCL, the user's authority to submit for that ID is examined. This verification prevents unauthorized usage of USERIDs.

If this option is used, CA WA CA 7 Edition also validates attempts to add, change, or update the RESPONSE ID associated with an ARFSET.

SUBOWNER

Performs the same function as Submit checking except that it relates only to the OWNER ID associated with a job. If a job has an OWNER ID defined, validation is performed for attempts to add, change, or delete the OWNER ID.

HIDEGRP

(Optional) Overlays user security group values coded in JCL with @ characters whenever JCL is listed with one of the inquiry commands.

NO

Displays the values. This value is the default.

YES

Hides the following in inquiry output:

GROUP keyword value in JOB statements

For a list of the affected inquiry commands, see keyword HIDEUSER.

HIDEPW

(Optional) Overlays user security password values coded in JCL with @ characters whenever JCL is listed with one of the inquiry commands.

NO

Displays the values. This value is the default.

YES

Hides the following in inquiry output:

PASSWORD keyword value in JOB statements
//*PASSWORD statement values

For a list of the affected inquiry commands, see keyword HIDEUSER.

HIDEUPD

(Optional) Suppresses the last updater on several of the listing commands.

Note: After you enable this keyword, perform an update on the element. When this element is updated, *SECURE* is placed in the updater field.

NO

Displays the values. This value is the default.

YES

Places *SECURE* in the updater field after the next update.

HIDEUSER

(Optional) Overlays user security ID values coded in JCL statements with @ characters whenever JCL is listed with one of the inquiry commands.

NO

Displays the values. This value is the default.

YES

Hides the following in inquiry output:

USER keyword value in JOB statements
//*LOGONID statement values
//*JOBFROM statement values

These values are hidden when the following inquiries are used:

LACT,LIST=JCL
LGVAR
LJCK
LJCL
LLIB
LPDS
LPRRN,LIST=JCL
LQ,LIST=JCL
LQUE,LIST=JCL
LRDY,LIST=JCL
LREQ,LIST=JCL

JCLUID

(Optional) Prevents submission of jobs whose JCL contains a USERID. This parameter is only applicable if a SUBUID hierarchy is also specified.

YES

Indicates that CA WA CA 7 Edition submits the job after validating that CA WA CA 7 Edition has authority to submit for the USERID in the JCL. This value is the default.

NO

Indicates that CA WA CA 7 Edition does not submit a job that has a USERID in the JCL. Instead, the job is requeued to the request queue with the status of R-NOUID at submission time.

LOADSUBC

(Optional) Suppresses the submit check on the LOAD(H) command. This option only has meaning if the EXTERNAL options include SUBCHECK.

YES

Validates the LOAD(H) commands with SUBCHECK. This value is the default.

NO

Exempts the LOAD(H) commands from the SUBCHECK validation.

LOGOPID

(Optional) Specifies whether the transaction log records for /LOGON commands include operator ID. In all cases, password values are not logged.

YES

Indicates that transaction log records for /LOGON commands include operator ID. YES does not write the operator ID to type x'72' log records. This value is the default.

NO

Indicates that transaction log records for /LOGON commands do not include operator ID.

ALL

Indicates that transaction log records for all commands include operator ID. ALL includes type x'72' log records.

MIXPW

(Optional) Specifies whether the logon password can validly contain lowercase characters.

NO

Translates passwords to uppercase. This value is the default.

YES

Does not translate passwords to uppercase, allowing the password to contain lowercase characters. Verify that your security interface (CA ACF2, CA Top Secret, or RACF) supports lowercase passwords.

MULTIJOB

(Optional) Indicates whether CA WA CA 7 Edition controls the presence of several JOB statements within a JCL member. One exception is the following: JOB statements found within in-stream DD DATA are not controlled and are submitted as is.

IGNORE

Indicates that CA WA CA 7 Edition does not test for the presence of multiple JOB statements within a job member when submitting the cards to the internal reader. This value is the default.

FLUSH

Indicates that CA WA CA 7 Edition submits only the first job within a JCL member and flushes the rest of the JCL. No special sign of JCL truncation is generated.

REQUEUE

Indicates that CA WA CA 7 Edition does not submit but requeues the job that has several JOB statements within a JCL member. The requeued job has R-MJOB status.

Note: The MULTIJOB=IGNORE option is sometimes desirable for sites that transmit jobs between MVS nodes.

PCLASS

(Optional) Specifies the resource class being used for security calls. The calls are made from CA WA CA 7 Edition to validate the authority of the user to access CA WA CA 7 Edition commands and panels. The default resource class is PANEL. This field can be up to eight characters.

Note: If you change this value, examine the RCLASS keyword. The default for the RCLASS keyword is PANEL.

PROPAGATE

(Optional) Pertains only to RACF (and other SAF environments). This value determines the method that CA WA CA 7 Edition uses to associate a USERID with a job when it is submitted. This parameter is only applicable if a SUBUID hierarchy is also specified.

NO

Indicates that CA WA CA 7 Edition inserts a USER= parameter in the JOB statement when a job is submitted. This value is the default.

YES

Indicates that CA WA CA 7 Edition does not modify the JCL being submitted. Instead, the USERID is propagated to the submitted job because the USERID of the job is used when the internal reader is opened to write the JCL. This process is similar to a job submitted through TSO inheriting the USERID of the person who submitted it.

PSOWNER

(Optional) Determines whether a USERID is required to be the same as the OWNER to access a job on the CA WA CA 7 Edition/Personal Scheduling panel.

YES

Indicates that the validation is done. The check requires that the USERID match the OWNER to allow access to the job. This value is the default.

NO

Indicates no validation.

RCLASS

(Optional) Specifies the resource class being used for security calls that are made from CA WA CA 7 Edition to validate a user's authority to access a UID Resource during CA WA CA 7 Edition logon and when issuing the /UID,R= command. The default resource class is PANEL. (The access level is READ.)

RESLOGON

(Optional) After an online terminal is logged on, subsequent LOGONs from the command line are not permitted unless RESLOGON=NO.

YES

Any /LOGON command from the top line is treated as an error requiring a logon from the formatted logon panel. This value is the default.

NO

/LOGON command is permitted.

RLOGUID

(Optional) Determines whether the LRLOG command (List Run Log) subjects job-related events to CA WA CA 7 Edition UID internal security checks. For more information about the LRLOG command, see the Command Reference Guide.

YES

Performs UID checking for LRLOG. This value causes LRLOG to display only jobs that the LRLOG requestor has access to. This value is the default.

NO

Performs no UID checking for LRLOG.

SCLASS

(Optional) Specifies the resource class being used for security calls that are made from CA WA CA 7 Edition to validate a user's authority to submit CA WA CA 7 Edition jobs under other user IDs. The default resource class is SUBMIT. This field can be up to eight characters.

STATSID

(Optional) Controls disposition of USERID in PDS directory data when using the CA WA CA 7 Edition editor. Members that are built with CA Endevor in a CA Endevor library do not have the USERID placed in the STATS.

YES

Writes the USERID to the PDS directory. This value is the default.

NO

Does not write the USERID to the PDS directory but writes it out as all @s.

SUBNOID

(Optional) Specifies the disposition of jobs that do not have a valid USERID available at job submission time.

NO

Indicates that jobs without a USERID cannot be submitted. Jobs without a valid USERID are moved back to the request queue and are marked with a requirement status of R-NOUID (No USERID). A requirement of R-NOUID can be satisfied in two ways. If the QJCL subparameter was selected on the SUBUID parameter, edit and replace the Queue JCL to set the USERID of the Queue JCL editor. The second method is to insert a USERID manually into the JCL from the Queue JCL Edit panel. CA WA CA 7 Edition identifies the USERID and satisfies the R-NOUID requirement. This value is the default.

Note: For nonexecutable jobs with R-NOUID, a top line QJCL and a REPLACE function can be done. If QJCL is in the hierarchy, the R-NOUID is satisfied. Code SUBUID when SUBNOID=NO is coded.

YES

Indicates that jobs can be submitted without a USERID.

SUBUID

(Optional) Specifies a hierarchy of candidate USERID sources for USERID insertion during job submission. If CA WA CA 7 Edition is inserting USERIDs into JCL during submission, this list prioritizes the potential sources for USERIDs. The order of specification in the list determines the priority of the USERIDs to select.

If the SUBUID keyword is added to the SECURITY statement and CA WA CA 7 Edition is recycled, any jobs already in the request queue are not affected. Cancel them and demand them back in to use the new security data.

If more than one of these subparameters is used, enclose them in parentheses and separate them with commas.

OWNER

Indicates that the job OWNER ID is selected for insertion into the JCL for a job during submission.

REQ

Indicates the requester's ID is a candidate for USERID insertion. The Requester ID can be the ID of a user issuing a DEMAND, LOAD, or RUN command to request a job. The Requester ID can also be the USERID selected for a job (requester) that then triggers additional jobs. The triggered jobs inherit the USERID. For data set triggers, jobs that create or "post" a data set to CA WA CA 7 Edition have their associated USERID propagated to any later triggered jobs. For the U7SVC and SASSBCLP facilities, the USERID is extracted from the current environment from which the user issues the data set creation or post request.

QJCL

Indicates that the USERID of any user editing Queue JCL for a job is a candidate for USERID insertion. This value would be the USERID of the last person to edit Queue JCL for a job.

DEFAULT

Indicates that the default USERID specified with the DFLTUSER keyword is to be selected for insertion.

CA7

Indicates that the USERID assigned to CA WA CA 7 Edition can be selected for USERID insertion. If selected, the CA WA CA 7 Edition USERID is inserted into the job's JCL during job submission. For CA ACF2, if started task checking is activated, this option cannot be used.
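A simplified model of the selection described for SUBUID, DFLTUSER, SUBNOID and JCLUID, added here as an illustration (not CA code). The function name, job data and user IDs are constructed, and giving a USERID found in the JCL precedence over the hierarchy is an assumption.

```python
R_NOUID = "R-NOUID"   # requeue status named on this page

def select_userid(subuid, sources, dfltuser=None, subnoid="NO",
                  jcluid="YES", jcl_userid=None):
    """Model which USERID a job is submitted with; returns (outcome, userid, source).

    subuid     -- SUBUID hierarchy in coded order, e.g. ["OWNER", "REQ", "DEFAULT"]
    sources    -- IDs known for this job, keyed OWNER / REQ / QJCL / CA7
    jcl_userid -- USERID already present in the job's JCL, if any
    """
    if jcl_userid:
        # JCLUID is only applicable when a SUBUID hierarchy is coded.
        if subuid and jcluid == "NO":
            return ("requeued " + R_NOUID, None, "JCL")
        # Assumption: a USERID in the JCL takes precedence over the hierarchy.
        # The authority check made for JCLUID=YES is not modelled here.
        return ("submitted", jcl_userid, "JCL")
    for name in subuid:                      # coded order is the priority
        uid = dfltuser if name == "DEFAULT" else sources.get(name)
        if uid:
            return ("submitted", uid, name)
    if subnoid == "YES":
        return ("submitted", None, None)     # runs with no USERID inserted
    return ("requeued " + R_NOUID, None, None)

# Constructed hierarchy, jobs and user IDs (not from the page).
HIERARCHY = ["OWNER", "QJCL", "DEFAULT"]

def scenarios():
    owned = select_userid(HIERARCHY, {"OWNER": "PAYOWNR", "REQ": "OPER01"})
    # REQ is not in the hierarchy, so the requester's ID is never a candidate.
    unowned = select_userid(HIERARCHY, {"REQ": "OPER01"})
    # Someone edits and replaces the queue JCL: QJCL now supplies an ID.
    edited = select_userid(HIERARCHY, {"REQ": "OPER01", "QJCL": "SCHED02"})
    # DEFAULT resolves only when DFLTUSER is coded.
    fallback = select_userid(HIERARCHY, {"REQ": "OPER01"}, dfltuser="BATCHDFT")
    # JCLUID=NO: a job whose JCL carries a USERID is not submitted.
    embedded = select_userid(HIERARCHY, {"OWNER": "PAYOWNR"},
                             jcluid="NO", jcl_userid="SYSADM1")
    no_id_ok = select_userid(HIERARCHY, {}, subnoid="YES")
    return owned, unowned, edited, fallback, embedded, no_id_ok

if __name__ == "__main__":
    for result in scenarios():
        print(result)
```

The second and third scenarios show the R-NOUID path: the job stays in the request queue until a source named in the hierarchy can supply an ID.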

UID

(Optional) Specifies a UID Resource Table that was built using the CA7RTBL macro. If this parameter is specified, the UID Resource Table is loaded during CA WA CA 7 Edition initialization.

The CAL2OPTN member AL2UM09 can be used to build a table. A sample table (SASSRTBL) is also supplied in the CAL2LOAD library.

USER

(Optional) Specifies the name of the load module link edited from the USERID macro assembly.

XBSCLASS

(Optional) Controls whether all CAICCI and TCP/IP terminal sessions use the external security class used for Submit checking by CA WA CA 7 Edition. The SCLASS keyword on the SECURITY statement sometimes overrides this class.

YES

Communicates the CA WA CA 7 Edition Submit security class to the CAICCI and TCP/IP terminal sessions. This value is the default.

NO

Prevents the communication of the Submit security class setting from CA WA CA 7 Edition to the CAICCI and TCP/IP terminal sessions. This value means that the sessions use the default class ‘SUBMIT’. (This method is the way processing occurred before Ver.)

XBSUBCHK

(Optional) Controls whether the Batch Submit Checking option (BSUBCHK) on the LPAR where CA WA CA 7 Edition executes controls the submit checking on all CAICCI and TCP/IP terminal sessions regardless of the LPAR on which they execute.

YES

Communicates the BSUBCHK setting from the LPAR where CA WA CA 7 Edition executes to the CAICCI and TCP/IP terminal sessions. This value is the default.

NO

Prevents the communication of the BSUBCHK setting from CA 7 to the CAICCI and TCP/IP terminal sessions. This value means the BSUBCHK setting on the LPAR where the CAICCI or TCP/IP interface executes is used. (This method is the way processing occurred before Version 12.0.)

XPSSID

(Optional) Defines the one- to eight-character USERID to use in the terminal logon for XPS job submission when no USERID is supplied on the submission request from the XPS CLIENT (typically CA NSM JMO or CA Workload Automation AE). This value is regarded as the requester ID for purposes of USERID insertion and propagation. The default value is **NONE**, which means there is no default USERID. Any XPS submission requests without an explicit USERID are rejected.
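The keyword dependencies and relaxed settings documented above can be checked mechanically when an initialization file is reviewed. The following audit script is an added example, not code from CA; it assumes the SECURITY statement has already been joined into one logical line, and the sample statements and the user ID BATCHDFT are constructed.

```python
DEFAULTS = {"SUBNOID": "NO", "LOADSUBC": "YES", "RLOGUID": "YES", "PSOWNER": "YES",
            "RESLOGON": "YES", "HIDEPW": "NO", "MULTIJOB": "IGNORE"}

# keyword -> (value that relaxes a check, effect as this page documents it)
RELAXED = {
    "SUBNOID": ("YES", "jobs can be submitted without a USERID"),
    "LOADSUBC": ("NO", "LOAD(H) commands are exempt from SUBCHECK validation"),
    "RLOGUID": ("NO", "LRLOG performs no UID checking"),
    "PSOWNER": ("NO", "USERID need not match OWNER on the Personal Scheduling panel"),
    "RESLOGON": ("NO", "/LOGON from the command line is permitted after logon"),
    "HIDEPW": ("NO", "PASSWORD values in JCL are displayed by inquiry commands"),
    "MULTIJOB": ("IGNORE", "multiple JOB statements in a member are not tested"),
}

def parse_security(stmt):
    """Return {KEYWORD: [values]} for one logical SECURITY statement."""
    parts, depth, cur = [], 0, ""
    for ch in stmt.strip():
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:      # split only outside parentheses
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    if parts[0].strip().upper() != "SECURITY":
        raise ValueError("not a SECURITY statement")
    opts = {}
    for part in parts[1:]:
        key, _, val = part.strip().upper().partition("=")
        opts[key] = [v.strip() for v in val.strip("()").split(",")]
    return opts

def audit(stmt):
    """Return a list of (keyword, finding) tuples for one SECURITY statement."""
    o = parse_security(stmt)
    ext, subuid = o.get("EXTERNAL", []), o.get("SUBUID", [])
    out = []
    if "NAME" not in o:
        out.append(("NAME", "required for both internal and external security"))
    if "BYPSEC" in o:
        out.append(("BYPSEC", "UID security bypassed for " + ",".join(o["BYPSEC"])))
    if ext and "LOGON" not in ext:
        out.append(("EXTERNAL", "LOGON is the minimum for external security"))
    if "SUBCHECK" in ext and not subuid:
        out.append(("EXTERNAL", "SUBCHECK requires that SUBUID be coded"))
    if "DEFAULT" in subuid and "DFLTUSER" not in o:
        out.append(("SUBUID", "DEFAULT is in the hierarchy but DFLTUSER is not coded"))
    for kw in ("JCLUID", "PROPAGATE"):
        if kw in o and not subuid:
            out.append((kw, "only applicable when a SUBUID hierarchy is specified"))
    if o.get("SUBNOID") == ["NO"] and not subuid:
        out.append(("SUBNOID", "code SUBUID when SUBNOID=NO is coded"))
    for kw, (value, effect) in RELAXED.items():
        if o.get(kw, [DEFAULTS[kw]])[0] == value:
            tag = "" if kw in o else " (default)"
            out.append((kw, f"{kw}={value}{tag}: {effect}"))
    return out

# Constructed sample statements (not from the page).
WEAK = "SECURITY,NAME=SASSSECI,EXTERNAL=(COMMAND,SUBCHECK),BYPSEC=(1,3),SUBNOID=YES,RLOGUID=NO"
STRICT = ("SECURITY,NAME=SASSSECI,EXTERNAL=(LOGON,COMMAND,DATASET,SUBCHECK,SUBOWNER),"
          "SUBUID=(OWNER,DEFAULT),DFLTUSER=BATCHDFT,HIDEPW=YES,MULTIJOB=REQUEUE")
```

Calling audit(WEAK) reports the coded relaxations and also HIDEPW and MULTIJOB, whose documented defaults are the less restrictive values; audit(STRICT) returns no findings.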