Authorization at the CAS, PAS, and user levels
Access authorization requests are made to the ESM at the CAS, PAS, and user levels, as described here:
The coordinating address space (CAS) provides all communication between a user terminal session, the product address space (PAS) where a product runs, and other CASs running on local and remote systems. Plex Manager, which is shipped with all MainView products, runs in the CAS. Other products, such as MainView VistaPoint and MainView Alarm Management, might also run in a CAS.
Each MainView product runs in a product address space (PAS). The address space where the product is running requires ESM authorization to common resources and product resources that are managed by MainView windows-mode security. After successful CAS initialization, authorization requests are made when a product attempts to connect to the CAS and the product identifies itself as a service point to Plex Manager.
Users who request views and attempt to perform actions in a MainView product require ESM authorization to protected resources. This authorization occurs after the CAS initializes, a product identifies itself to the CAS, and the product initializes (whether it is in a separate PAS or not).
When a PAS connects to a CAS, the PAS is identified by a one- to eight-character product ID, for example, MVDB2 for MainView for DB2. The product ID is displayed in Plex Manager views such as PLEXOVER.
The product ID is also used during the creation of security environments within each PAS. A PAS creates a security environment for each user, as well as for each other PAS (on the same system or on other systems in the plex) that communicates with it. During the creation of each security environment, the product ID is passed to the ESM to indicate which z/OS application (the PAS) will subsequently own and manage the security environment, and which z/OS application the user or PAS is attempting to sign on to and use. The ESM determines whether the user or PAS is allowed to sign on to and use that z/OS application by authorizing access to a resource in SAF class APPL with an entity name of productID. The table in "Resource naming convention" lists the product names and the z/OS ESM SAF resource class APPL entity names (product IDs) used for each product.
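The APPL check described above can be protected with a default-deny profile. The following REXX exec is an added example, not BMC-supplied code. It assumes RACF is the ESM and uses the product ID MVDB2 from this page; the group names MVUSERS (MainView users) and MVPAS (user IDs of the PASs that communicate with this one) are hypothetical.

```rexx
/* REXX: added example. Assumes RACF is the ESM.                      */
/* MVDB2 is the product ID this page gives for MainView for DB2.      */
/* MVUSERS and MVPAS are hypothetical group names.                    */
Address TSO

/* Activate the APPL class and keep its profiles in storage.          */
"SETROPTS CLASSACT(APPL) RACLIST(APPL)"

/* Default deny: no implicit sign-on to the MVDB2 application.        */
"RDEFINE APPL MVDB2 UACC(NONE)"

/* READ is the access level RACF checks for an APPL sign-on.          */
/* Users who sign on to the product:                                  */
"PERMIT MVDB2 CLASS(APPL) ID(MVUSERS) ACCESS(READ)"
/* Other PASs that communicate with this PAS:                         */
"PERMIT MVDB2 CLASS(APPL) ID(MVPAS) ACCESS(READ)"

/* Rebuild the in-storage profiles so the changes take effect.        */
"SETROPTS RACLIST(APPL) REFRESH"

/* Review the resulting universal access and access list.             */
"RLIST APPL MVDB2 AUTHUSER"
```

With RACF, if the APPL class is inactive or no profile covers the product ID, the sign-on check does not restrict access, so confirm with RLIST that a profile with UACC(NONE) exists for each product ID in use.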