Implementing user access profiles and UPF security—BMC AMI Change Manager for IMS TM and BMC AMI Change Manager Virtual Terminal for IMS Customization
Use the following procedures to implement user access profiles and UPF security.
By default, user access profiles determine which product features a user is authorized to use on a specific IMS system. The UPF data set is used to maintain user access profiles. A user access profile is the user ID’s authorization for an IMSID. All product functions that reference an IMS control region require specification of the control region’s IMSID. Before a user may designate an IMSID, a user access profile must exist for the user ID and IMSID combination.
Administrator authority is required to create and maintain user access profiles. Unless you establish administrator authority for appropriate users, access to product features is effectively unlimited: all users are authorized to create user access profiles, so all users can authorize themselves to use all product features. BMC recommends that you establish administrator authority for appropriate personnel and restrict the use of product features, as appropriate, by creating user access profiles.
You can establish administrator authority for users with either of the following methods:
User ID list
You can create a list of user IDs that have administrator authority for creating and modifying user access profiles. Member DLPYUID0 of the DLPSAMP library contains a sample user ID list that you can modify for your facility.
The following guidelines apply to creating the user ID list:
- The user ID list allows generic parameters. That is, only the specified characters in the user ID are matched. The DLPSAMP library member provides information about using generic parameters.
- Specify the most specific user IDs toward the beginning of the table because the first match, rather than the best match, determines administrator authority. BMC recommends that the last entry in the list contain all asterisks for the user ID and deny administrator authority. This ensures that only the users that you specifically identify in the user ID list have authority to create and modify user access profiles.
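The following Python model, added here as an illustration and not BMC's code, shows why entry order matters in a first-match user ID list and why the recommended all-asterisks deny entry belongs last. The entry names are constructed, and padding user IDs to 8 characters with '*' matching any single character is an assumption of the model.

```python
# Added example (not BMC's code): models first-match evaluation of a
# $DLPUID-style user ID list. The entries are constructed sample data; the
# 8-character padding and one-character '*' wildcard are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class UidEntry:
    pattern: str   # user ID or generic pattern ('*' = any one character)
    update: bool   # update-flag: Y = basic access plus DELTA List creation
    control: bool  # control-flag: Y = administrator authority


def uid_matches(pattern: str, userid: str) -> bool:
    """Only the specified (non-'*') characters of the pattern are compared."""
    p = pattern.upper().ljust(8)[:8]
    u = userid.upper().ljust(8)[:8]
    return all(pc == "*" or pc == uc for pc, uc in zip(p, u))


def lookup(table: List[UidEntry], userid: str) -> Optional[UidEntry]:
    """The FIRST matching entry, not the best one, determines authority."""
    for entry in table:
        if uid_matches(entry.pattern, userid):
            return entry
    return None  # no entry matched: treated here as no authority at all


def has_admin(table: List[UidEntry], userid: str) -> bool:
    e = lookup(table, userid)
    return e is not None and e.control


def can_create_delta_list(table: List[UidEntry], userid: str) -> bool:
    # In a user ID list, control authority does NOT imply update authority,
    # so only the update-flag is consulted here.
    e = lookup(table, userid)
    return e is not None and e.update


# Recommended order: most specific first, all-asterisks deny entry last.
GOOD_ORDER = [
    UidEntry("IMSADM01", update=False, control=True),   # one named admin
    UidEntry("IMSADM**", update=True, control=False),   # other IMSADMxx users
    UidEntry("********", update=False, control=False),  # everyone else: deny
]
# Same entries with the generic one first: IMSADM01 never reaches its entry.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]
```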
RACF or an equivalent security product
You can use RACF or equivalent commands to define the resource and permit users to access it. Member DLPYRCN0 of the DLPSAMP library contains sample statements that you can use.
For detailed instructions for establishing administrator authority and creating user access profiles, see To establish administrator authority and To create user access profiles.
To establish administrator authority
- Establish administrator authority through a list of user IDs.
Specify the user ID and administrator authority. Use the $DLPUID macro instruction in member DLPYUID0 of the DLPSAMP library. Use the following format:
$prdUID userid,update-flag,control-flag
The following values are valid for update-flag: Y indicates that the user ID should have basic and DELTA List creation authority, and N indicates that the user ID should have only basic access.
The following values are valid for control-flag: Y indicates that the user ID should have administrator authority, and N indicates that the user ID should not have administrator authority. Unlike RACF, control authority in a user ID list does not imply update authority.
Repeat as needed to establish the required authority for the appropriate user IDs.
- To implement the user ID list, use JCL similar to that in member DLP#UIDL of the DLPCNTL library to assemble and relink the panel processor module. If you do not use the JCL that is provided with the product to perform this step, ensure that the DLPSAMP library is included in the SYSLIB concatenation for the JCL that you use.
- Establish administrator authority through RACF or an equivalent security product.
Perform one of the following actions, depending on the security product your facility uses:
- RACF (any currently-supported version): No special statements or maintenance are required. Go to Step 3.b.
- ACF2: Add the following SAFDEF entry to your ACF2 parameters:
FUNCRET(4) FUNCRSN(0) ID(DLP)
MODE(IGNORE)
RACROUTE(REQUEST=AUTH CLASS=DLP#)
RETCODE(4)
This ensures the use of internal security (any of the available approaches). To use the SAF security interface, you must delete this SAFDEF entry.
Use the RACF RDEFINE command (or, for other security products, its equivalent) to define the product to class APPL. You can use RDEFINE to specify as many parameters as required. Following is an example of the RDEFINE command:
RDEFINE APPL DELTAIMS UACC(READ)
Use the RACF PERMIT command or equivalent to grant administrator authority to user IDs, as necessary. Following is an example of the PERMIT command:
PERMIT DELTAIMS CLASS(APPL) ID(userid) ACCESS(CONTROL)
In this example, the userid is also granted authority to create DELTA Lists since RACF control authority implies update authority.
Optionally, issue the RACF PERMIT command or equivalent to grant update authority for creation of DELTA Lists. For example:
PERMIT DELTAIMS CLASS(APPL) ID(userid) ACCESS(CONTROL)
- Repeat Steps 3.b, 3.c, and 3.d as needed to establish the required authority for the appropriate user IDs.
To implement the new RACF or equivalent security information, use JCL similar to that in member DLP#RSCL of the DLPCNTL library to relink the panel processor module.
To create user access profiles
Invoke the online interface through the modified ISPF/PDF Primary Option Menu that you created in Accessing-the-products-from-an-ISPF-options-menu or through the CLIST that you created in Accessing-the-products-from-a-CLIST.
The Main Menu is displayed.
Type 4 in the selection field and press Enter.
The Administration Menu is displayed.
Type 9 in the selection field and press Enter.
The User Access Profiles panel is displayed.
File Edit Sort Options Help
.------------------------------------------------------------------------------.
DELTA PLUS User Access Profiles (UPF) Row 1 to 5 of 5
Command ===> ________________________________________________ Scroll ===> PAGE
Data set name: 'WXC.ETA.UPF'
Type one or more action codes or overtype the values.
Enter the INSERT command to add a new profile.
D=DELETE
Sorted by: USERID
DELTA Exec Upd IMS View
IMSID/ List IMS IMS Storage Profile
A Userid Group Last Modification Exc/Chk Cmds Parms Dsply/Zap Suffix
- -------- ----- ----------------- --- --- ---- ----- ----- --- -------
_ DLAID IMSA 07/06/04 12:00:42 N N N N N N __
_ DLPID IMSB 07/06/04 12:01:13 M N N N N N __
The following fields are available on this panel:
Data set name
The name of the partitioned data set that contains all user access profiles. Each time you access this panel, the data set name defaults to the user profile data set name that is contained in DLP$GBL0.
A
Type D in the action field to delete an entry.
Userid
Displays a specific user ID or masking pattern that defines a user or group of users for which access to the product is desired.
To change this field, you must delete the entire entry using the D line command, and then reinsert it using the INSERT command.
The Userid and IMSID/Group fields are used together to determine system access and are searched in the order listed. Specific IDs will be matched before generic IDs.
IMSID/Group
Displays a specific IMSID or a masking pattern that can allow the user to access one or more IMSIDs.
To change this field, you must delete the entire entry using the D line command, and then reinsert it using the INSERT command.
The Userid and IMSID/Group fields are used together to determine system access and are searched in the order listed. Specific IDs will be matched before generic IDs.
DELTA List Exc
Type Y or N to indicate whether the user can execute a DELTA List.
DELTA List Chk
Type Y or N to indicate whether the user can check a DELTA List.
Exec IMS Cmds
Type Y or N to indicate whether the user can issue IMS operator commands. This variable limits IMS commands that are issued from the Execute IMS Command panel only.
Upd IMS Parms
Type Y or N to indicate whether the user can update the virtual terminal options. Update Parms authority is required to perform the following actions:
- Edit and refresh IMSID and Group options
- Add an IMSID to a group log
- Run the Log and History File SYSGEN Date Change utility
- Obtain the status of, purge, recover, or format the Log and History files
- Refresh CPU ID and TSS look-aside buffers
IMS Storage Dsply
Type Y or N to indicate whether the user can display IMS control region storage.
IMS Storage Zap
Type Y or N to indicate whether the user can apply zaps to IMS control region storage.
View Profile Suffix
Under UPF security, DELTA List edit, check, and execute operations and DELTA Log reports are always secured by a view profile with a name of the form DLAKWTxx (for BMC AMI Change Manager for IMS TM and BMC AMI Change Manager Virtual Terminal for IMS) or DDCKWTnn (for BMC AMI Change Manager for DBCTL). Type the correct suffix in this field. See the relevant topics in this documentation for more information about view profiles, DELTA List editing, checking, and execution, and conversion of DELTA IMS keyword tables to view profiles.
To insert a new entry, type INSERT on the Command line and press Enter. The following figure shows the INSERT command syntax.
The useridptrn operand specifies a user ID or pattern, and the imsidorgroupptrn operand specifies an IMSID or group or a pattern.
Patterns use an asterisk (*) as the wildcard character. Generally, each wildcard character matches exactly one character.
When falling back from BMC AMI Change Manager for IMS TM or BMC AMI Change Manager Virtual Terminal for IMS to DELTA IMS, records with short IMSID/Group values may continue to exist. DELTA IMS will not match an IMSID or group to a shorter pattern, but will match an equal length or longer pattern whose excess characters are wildcards. Thus, records inserted by BMC AMI Change Manager for IMS TM and BMC AMI Change Manager Virtual Terminal for IMS could be ignored by DELTA IMS.
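The following Python model, added here as an illustration and not BMC's code, implements the IMSID/Group pattern matching described above (one-character '*' wildcard, no match against a shorter pattern, excess pattern characters must be wildcards) and uses it to list UPF records that DELTA IMS would ignore after a fallback. The record values are constructed sample data, and applying the same length rule to the Userid column is an assumption of the model.

```python
# Added example (not BMC's code): models DELTA IMS IMSID/Group pattern
# matching as described in the text and flags UPF records whose IMSID/Group
# value is too short to ever match. Records are constructed sample data.
from typing import List, Tuple

Record = Tuple[str, str]  # (Userid pattern, IMSID/Group pattern)


def pattern_matches(pattern: str, value: str) -> bool:
    """'*' matches exactly one character; other positions must be identical.
    A shorter pattern never matches; a longer pattern matches only if every
    excess character is a wildcard."""
    pattern, value = pattern.upper(), value.upper()
    if len(pattern) < len(value):
        return False
    head, excess = pattern[:len(value)], pattern[len(value):]
    return (all(p == "*" or p == v for p, v in zip(head, value))
            and all(c == "*" for c in excess))


def matching_records(records: List[Record], userid: str, target: str) -> List[Record]:
    """Records whose Userid and IMSID/Group patterns both match, in the
    order listed (assumption: the Userid column uses the same rule)."""
    return [r for r in records
            if pattern_matches(r[0], userid) and pattern_matches(r[1], target)]


def short_records(records: List[Record], target: str) -> List[Record]:
    """Records DELTA IMS can never match for this IMSID or group because the
    stored IMSID/Group value is shorter than the name being resolved."""
    return [r for r in records if len(r[1]) < len(target)]


# Constructed sample UPF records (Userid pattern, IMSID/Group pattern).
RECORDS = [
    ("DLAID***", "IMSA"),      # user DLAID on the 4-character IMSID IMSA
    ("DLP*****", "IMS*"),      # any DLPxxxxx user on any IMSx IMSID
    ("OPS*****", "IMSA****"),  # OPSxxxxx users on IMSA or 8-character IMSAxxxx groups
    ("DLAID***", "PRODGRP"),   # 7-character group value: never matches PRODGRP1
]
```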
If one or both INSERT command operands were not specified, the Insert User Access Profile pop-up window is displayed.
Insert User Access Profile
Command ===> ________________________________________________
Specify the userid and IMSID/Group for the new profile.
Userid or mask . . . . . ________
IMSID/Group or mask . . ____
The following fields are available on this panel:
- Userid or mask
Type a specific user ID or masking pattern to define a user or group of users. This field will be populated from the corresponding INSERT command operand.
- IMSID/Group or mask
Type a specific IMSID or group name, or a pattern.