
Command Security User Exit (XCOMEX13)

In addition to coding OPERSEC=SAF, you may also code EXIT13=YES or EXIT13=load-module-name in the CONFIG Member to enable User Exit13. This exit allows you to write your own command security routines and thereby fine-tune the control of command security.

If OPERSEC=SAF is coded and EXIT13 is enabled, command security is handled through Exit 13. The security check by Exit 13 can have one of three outcomes (return codes):

OPERSEC=SAF must be coded for EXIT13 to be invoked.

If OPERSEC=SAF and EXIT13=NO, the user's authority to use operator commands is decided by the security package.

If SECURITY=NONE, CA XCOM Data Transport does not check the EXIT13 parameter.

For more information about User Exit13, see the appendix “User Exits” in the CA XCOM Data Transport for z/OS User Guide.

A sample Exit13 is provided in CAI.CBXGSAMP(XCOMEX13).

History Database Security

The user ID defined in the Default Options Table with parameter XCOMHIST_USER must be granted use of the history table defined with parameters XCOMHIST_TBL and XCOMHIST_OWNER.

With VSAM history files, each CA XCOM Data Transport server works with its own history file. Storing CA XCOM Data Transport history records in a relational database, however, allows multiple CA XCOM Data Transport servers (including CA XCOM Data Transport systems running on Windows and UNIX) to share one database. Access to rows in that database must therefore be restricted, so that a user on system A cannot see history for system B unless the user is given explicit permission. To provide this level of security, CA XCOM Data Transport Command Security has been enhanced with an additional ALLHIST command resource.

CA XCOM Data Transport implements command security through the parameters OPERSEC and EXIT13, which are coded in the Default Options Table.

If OPERSEC=SAF is coded in the Default Options Table, CA XCOM Data Transport makes a standard SAF call to a security package (CA ACF2, IBM RACF, or CA Top Secret) to determine whether the user has access to the ALLHIST command resource. When this resource is permitted to a user, that user can view history records for any system that is maintaining history in that database. If the user is not permitted to this resource, the user can see only the history records for the system that originated the request.

Command: ALLHIST

Access: READ

Resource Name: XCOM.applsec.ALLHIST

applsec

The identifier for the CA XCOM Data Transport server as defined in the Default Options Table, unless it is NONE, in which case the expression XCOM appears in this position. This component of the security call identifies the CA XCOM Data Transport server.

Note: If OPERSEC=NONE is coded in the Default Options Table, CA XCOM Data Transport runs with no security check, giving the user unrestricted access to view history records for any system that is maintaining history in that database.
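As an added illustration, not taken from the CA XCOM Data Transport documentation or sample library, the following batch job shows how a RACF administrator might define the ALLHIST resource so that cross-system history viewing is denied by default and granted only to one group. The values applsec=XCOMPROD and the group name XCOMHADM are constructed for the example, and the use of the FACILITY class is an assumption: confirm the resource class CA XCOM Data Transport uses for its SAF calls in the User Guide for your release before running anything like this. CA ACF2 and CA Top Secret need the equivalent rule or permit in their own syntax.

```jcl
//XCOMSEC  JOB (ACCT),'XCOM ALLHIST PROFILE',CLASS=A,MSGCLASS=X
//* Added example, not CA XCOM's own code.
//* Constructed values: applsec=XCOMPROD (profile would be
//* XCOM.XCOM.ALLHIST if applsec is NONE), group XCOMHADM.
//* Assumption: CA XCOM checks the resource in class FACILITY.
//*
//* Step 1: RDEFINE with UACC(NONE) so that nobody sees other
//*         systems' history rows unless explicitly permitted;
//*         AUDIT(ALL(READ)) logs both granted and failed checks.
//* Step 2: PERMIT READ to the history administrators only.
//* Step 3: refresh the in-storage copy so the SAF call sees it.
//* Step 4: RLIST to verify the profile and its access list.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY XCOM.XCOMPROD.ALLHIST UACC(NONE) -
      AUDIT(ALL(READ))
  PERMIT XCOM.XCOMPROD.ALLHIST CLASS(FACILITY) ID(XCOMHADM) -
      ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY XCOM.XCOMPROD.ALLHIST AUTHUSER
/*
```

With this profile in place and OPERSEC=SAF coded, a user who is not in XCOMHADM fails the SAF check for XCOM.XCOMPROD.ALLHIST and is limited to the history rows of the requesting system; the AUDIT setting makes each failed check visible in SMF for review. The SETROPTS REFRESH step assumes the class is already RACLISTed, as FACILITY usually is. None of this has any effect when OPERSEC=NONE is coded, because the SAF call is never made.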

This level of security is in addition to the current security provided by CA XCOM Data Transport.