CA XCOM Data Transport makes standard SAF calls to determine whether a given user ID or console is authorized to issue CA XCOM Data Transport commands. The commands whose access status is verified include z/OS console commands and commands that can be issued through ISPF and CICS menu interfaces.
The user ID defined in the Default Options Table with parameter XCOMHIST_USER must be granted use of the history table defined with parameters XCOMHIST_TBL and XCOMHIST_OWNER.
With VSAM history files, each CA XCOM Data Transport server worked with its own history file. However, using a relational database to store CA XCOM Data Transport history records allows multiple CA XCOM Data Transport servers (including CA XCOM Data Transport systems running on Windows and UNIX) to share the database. You therefore need to restrict access to rows in the database, so that a user on system A cannot see history for system B unless the user is given explicit permission. To provide this level of security, CA XCOM Data Transport Command Security has been enhanced with an additional ALLHIST command resource.
CA XCOM Data Transport implements command security through the parameters OPERSEC and EXIT13, which are coded in the Default Options Table.
If OPERSEC=SAF is coded in the Default Options Table, CA XCOM Data Transport makes a standard SAF call to a security package (CA ACF2, IBM RACF, or CA Top Secret) to determine whether the user has access to the ALLHIST command resource. This resource, when permitted to a user, allows that user to view history records for any system that is maintaining history in that database. If the user is not permitted to this resource, the user can see history records only for the system of the originating request.
Command: ALLHIST
Access: READ
Resource Name: XCOM.applsec.ALLHIST
applsec: The identifier for the CA XCOM Data Transport server as defined in the Default Options Table, unless it is NONE, in which case the expression XCOM appears in this position. This component of the security call identifies the CA XCOM Data Transport server.
Note: If OPERSEC=NONE is coded in the Default Options Table, CA XCOM Data Transport runs with no security check, giving the user unrestricted access to view history records for any system that is maintaining history in that database.
This level of security is in addition to the current security provided by CA XCOM Data Transport, as documented in the CA XCOM Data Transport for z/OS Administration Guide.
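The following added example (not CA code) models the ALLHIST decision described above so that an administrator can list every path by which a user reaches another system's history in a shared database. The system names, server identifiers, user IDs and the permit set that stands in for the security package's answer are constructed, and the "system of the originating request" is assumed to be the server that handles the request.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    system: str    # system name stored on its history rows (constructed)
    opersec: str   # OPERSEC in the Default Options Table: "SAF" or "NONE"
    applsec: str   # server identifier used in the resource name, or "NONE"

def allhist_resource(server):
    """Build XCOM.applsec.ALLHIST; XCOM fills the position when the identifier is NONE."""
    middle = "XCOM" if server.applsec.upper() == "NONE" else server.applsec
    return f"XCOM.{middle}.ALLHIST"

def visible_systems(user, server, read_permits, all_systems):
    """Systems whose history `user` can view through `server`.

    read_permits is a set of (user, resource) pairs with READ access; it
    stands in for the answer the security package would give to the SAF call.
    """
    opersec = server.opersec.upper()
    if opersec == "NONE":                      # no security check at all
        return set(all_systems)
    if opersec != "SAF":                       # other values are outside this model
        raise ValueError(f"OPERSEC={server.opersec} is not modelled here")
    if (user, allhist_resource(server)) in read_permits:
        return set(all_systems)                # ALLHIST permitted
    return {server.system}                     # originating system only

def audit(servers, users, read_permits):
    """List (system, user, reason) for every path to cross-system history."""
    systems = {s.system for s in servers}
    findings = []
    for s in servers:
        if s.opersec.upper() == "NONE":
            findings.append((s.system, "*", "OPERSEC=NONE"))
            continue
        for u in users:
            if visible_systems(u, s, read_permits, systems) == systems:
                findings.append((s.system, u, allhist_resource(s)))
    return findings

# Constructed sample: three servers sharing one history database.
SERVERS = [Server("SYSA", "SAF", "XCOMA"), Server("SYSB", "SAF", "NONE"),
           Server("SYSC", "NONE", "NONE")]
USERS = ["OPER1", "AUDIT1"]
PERMITS = {("AUDIT1", "XCOM.XCOMA.ALLHIST")}

if __name__ == "__main__":
    for finding in audit(SERVERS, USERS, PERMITS):
        print(finding)
```

A permit on one server's ALLHIST resource does not carry over to another server: in the sample, AUDIT1 sees all history through SYSA but only SYSB's own history through SYSB.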
Copyright © 2012 CA. All rights reserved.