Implementing user access profiles and UPF security
Note
If you are converting from DELTA IMS to DELTA PLUS and DELTA PLUS VIRTUAL TERMINAL, you can use your existing DELTA IMS UPF data set by specifying the name of the data set in the User Profiles data set field in the Global Options. If you currently use customized keyword tables, you can convert them to view profiles. For more information about keyword table conversion, see the product user guide.
By default, user access profiles determine which product features a user is authorized to use on a specific IMS system. The UPF data set is used to maintain user access profiles. A user access profile is the user ID’s authorization for an IMSID. All product functions that reference an IMS control region require specification of the control region’s IMSID. Before a user may designate an IMSID, a user access profile must exist for the user ID and IMSID combination.
Note
The user access profile specifies that the user may access an IMSID during DELTA List processing, IMS command execution, and IMS control region storage display and update. A user access profile also specifies the view profile suffix to be used for DELTA List processing and History File reporting.
Administrator authority is required to create and maintain user access profiles. Unless you establish administrator authority for appropriate users, access to product features is effectively unlimited: all users are authorized to create user access profiles, so all users can authorize themselves to use all product features. BMC recommends that you establish administrator authority for appropriate personnel and restrict the use of product features, as appropriate, by creating user access profiles.
You can establish administrator authority for users with either of the following methods:
User ID list
You can create a list of user IDs that have administrator authority for creating and modifying user access profiles. Member DLPYUID0 of the DLPSAMP library contains a sample user ID list that you can modify for your facility.
The following guidelines apply to creating the user ID list:
The user ID list allows generic parameters. That is, only the specified characters in the user ID are matched. The DLPSAMP library member provides information about using generic parameters.
Specify the most specific user IDs toward the beginning of the table because the first match, rather than the best match, determines administrator authority. BMC recommends that the last entry in the list contain all asterisks for the user ID and deny administrator authority. This ensures that only the users that you specifically identify in the user ID list have authority to create and modify user access profiles.
RACF or an equivalent security product
You can use RACF or equivalent commands to define the resource and permit users to access it. Member DLPYRCN0 of the DLPSAMP library contains sample statements that you can use.
Note
The products issue RACHECK or equivalent macro instructions before permitting a change to the user profile data set. This macro tests for the appropriate attribute for class APPL and resource DELTAIMS. The class and resource names are specified in the CSECT DLPYRCN0, which is distributed in source form in the DLPSAMP library. You can change the CSECT if necessary.
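The first-match rule in the user ID list guidelines above can be checked before a list is installed. The following sketch is an added example, not BMC code or the DLPYUID0 format: it assumes that an asterisk matches any character in that position and that user IDs are compared as 8-character blank-padded fields, and the user IDs and function names are constructed for illustration. It evaluates a list the way the guideline describes and flags entries that can never take effect, as well as a missing all-asterisk deny at the end.

```python
# Added illustration, not BMC code. Assumptions: '*' matches any character in
# that position, and user IDs are compared as 8-character blank-padded fields.
WIDTH = 8

def pad(value):
    return value.upper().ljust(WIDTH)[:WIDTH]

def matches(pattern, user_id):
    return all(p in ("*", u) for p, u in zip(pad(pattern), pad(user_id)))

def is_admin(rules, user_id):
    """Decision of the FIRST matching entry; None when no entry matches
    (the page does not state what the product does in that case)."""
    for pattern, allow in rules:
        if matches(pattern, user_id):
            return allow
    return None

def covers(broad, narrow):
    """True when every ID matched by `narrow` is also matched by `broad`."""
    return all(b in ("*", n) for b, n in zip(pad(broad), pad(narrow)))

def lint(rules):
    """Report entries that can never decide, and a missing catch-all deny."""
    findings = []
    for i, (pattern, _) in enumerate(rules):
        for j in range(i):
            if covers(rules[j][0], pattern):
                findings.append(f"entry {i + 1} ({pattern}) is never reached: "
                                f"entry {j + 1} ({rules[j][0]}) matches first")
                break
    if not rules or pad(rules[-1][0]) != "*" * WIDTH or rules[-1][1]:
        findings.append("last entry is not an all-asterisk deny")
    return findings

# Constructed sample lists: (user ID pattern, administrator authority granted?)
BROAD_FIRST = [("SYS*****", False), ("SYSADM01", True), ("********", False)]
SPECIFIC_FIRST = [("SYSADM01", True), ("SYS*****", False), ("********", False)]

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, is_admin(rules, "SYSADM01"), lint(rules))
```

With the broad entry first, SYSADM01 is denied even though a later entry grants it authority; the same ordering mistake with a broad grant placed ahead of a specific deny would hand out administrator authority unintentionally.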
For detailed instructions for establishing administrator authority and creating user access profiles, see To establish administrator authority and To create user access profiles.
To establish administrator authority
To create user access profiles