SAF security


The System Authorization Facility (SAF) security interface is an optional security interface that allows you to protect every function within DELTA IMS. SAF allows you to restrict any TSS table-level function by the TSS table name. If used, SAF eliminates UPF and Update/Control authority established through RACF (or equivalent) or through DLAXUID and a user ID list. However, if you have created modified keyword tables for use by specific user IDs (identified with a user profile), the keyword table suffix must continue to be maintained via UPF. All other information in the profile will be ignored.

To implement SAF security checking:

  1. Add a new SAF class. The SAF class is used to define the functions that are to be protected. The default name of this class is DLA#. However, if you want to change the name of this class, you may do so by editing member DLAXSAF1 of the DLASAMP library and making the necessary changes (as documented in the member) and then running job DLA#SAF1 from the DLACNTL library. The class name supplied in member DLAXSAF1 of the DLASAMP library will be the class name used for DELTA IMS SAF security checking.
  2. Define the class in the RACF or equivalent class descriptor table (ICHERCDE macro). Specify the following parameters:

    MAXLNTH=100

    FIRST=ANY

    OTHER=ANY

  3. Define the class in the RACF or equivalent router table (ICHRFRTB macro).
  4. Determine which functions within DELTA IMS are to be restricted. To protect a specific function, the associated resource name must be defined within the DELTA IMS class. A user must have read access to a resource to have access to the function. If the user requesting the function does not have read access to the resource, the request will be rejected.

    Any function that is not protected (the associated resource name is not defined within the DELTA IMS class) can be accessed by any user requesting the function.

    For those functions that provide EDIT and BROWSE capability, if a user has EDIT authority, BROWSE authority is also assumed. For example, a user that has READ access to the TSS.EDIT resource also has BROWSE authority to TSS.

    The following table shows a list of DELTA IMS functions and associated SAF resource names that can be defined to protect that function.

    Note: In this table, the variable iiii represents the IMSID, and cmd represents the three-character IMS command abbreviation.

    | DELTA IMS Function | SAF Resource |
    | --- | --- |
    | Global Options Browse | GLOBAL.BROWSE |
    | Global Options Edit | GLOBAL.EDIT |
    | User Profile Browse | UPF.BROWSE |
    | User Profile Edit | UPF.EDIT |
    | Keyword Table Browse | KWT.BROWSE |
    | Keyword Table Edit | KWT.EDIT |
    | CPU-ID Password Maintenance | PASSWORD.EDIT |
    | Convert Delta List to STAGE1 | DLALIST.CONVERT |
    | Delta List - Delete Member | DLALIST.DELETE |
    | Delta List - Edit/Create Member | DLALIST.EDIT |
    | Delta List - Browse Member | DLALIST.BROWSE |
    | IMSID Options Browse | iiii.IMSID.BROWSE |
    | IMSID Options Edit | iiii.IMSID.EDIT |
    | IMSID Options Refresh | iiii.IMSID.REFRESH |
    | IMSID CPU-ID Refresh | iiii.PASSWORD.REFRESH |
    | IMS Command Interface | iiii.IMSCMD.cmd |
    | Delta Log Generate | iiii.DLALOG.GENERATE |
    | Storage Display | iiii.STORAGE.DISPLAY |
    | Storage Zap | iiii.STORAGE.ZAP |
    | Delta Log List | iiii.DLALOG.LIST |
    | Delta Log Status | iiii.DLALOG.STATUS |
    | Delta Log Purge | iiii.DLALOG.PURGE |
    | Delta Log Recover | iiii.DLALOG.RECOVER |
    | Delta Log Format | iiii.DLALOG.FORMAT |
    | Delta List - Check | iiii.DLALIST.CHECK |
    | Delta List - Execute | iiii.DLALIST.EXECUTE |

    The following table shows a list of DELTA IMS VIRTUAL TERMINAL functions and associated SAF resource names that can be defined to protect each function.

    Note: In this table, the variable iiii represents the IMSID, cmd represents the three-character IMS command abbreviation, and tablename represents resource names qualified by a table name or masking pattern. For example, TSS.BROWSE.LOGNOD.

    | DELTA IMS VIRTUAL TERMINAL Function | SAF Resource |
    | --- | --- |
    | TSS Table Browse | TSS.BROWSE.tablename |
    | TSS Table Edit | TSS.EDIT.tablename |
    | TSS Table Test | TSS.BROWSE.tablename |
    | TSS Table Search/Modify | TSS.EDIT.tablename |
    | TSS Table Define | TSS.DEFINE.tablename |
    | TSS Table Remove | TSS.REMOVE.tablename |
    | TSS Table Load | TSS.LOAD.tablename |
    | TSS Table Unload | TSS.UNLOAD.tablename |
    | TSS Data Set Format | TSS.FORMAT |
    | TSS Data Set Backup | TSS.BACKUP |
    | TSS Data Set Reorganize | TSS.REORG |
    | TSS Data Set Status | TSS.STATUS |
    | TSS Table Refresh | iiii.TSS.REFRESH |
    | Virtual Terminal Stats | iiii.VTSTATS |

  5. Define the ACTIVATE resource within the class. The ACTIVATE resource must be defined before the SAF security interface will activate. This feature provides a method to quickly activate and deactivate the interface. Users must have READ access to the ACTIVATE resource to access the DELTA IMS primary option menu. The ACTIVATE resource should not be defined until all other resources have been defined.
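
Because any function whose resource name is not defined in the class is open to every user, a coverage check is worth running before ACTIVATE is defined. The following is an added example, not part of the product or its documentation: it expands the resource names from the two tables above and reports which ones no profile covers. The IMSIDs (IMSA, IMSB), the command abbreviation DIS, the sample profile list and the fnmatch-style treatment of masking patterns are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Resource names from the two tables on this page. PER_IMSID names are
# prefixed with iiii (the IMSID); PER_TABLE names are suffixed with tablename.
FIXED = """GLOBAL.BROWSE GLOBAL.EDIT UPF.BROWSE UPF.EDIT KWT.BROWSE KWT.EDIT
PASSWORD.EDIT DLALIST.CONVERT DLALIST.DELETE DLALIST.EDIT DLALIST.BROWSE
TSS.FORMAT TSS.BACKUP TSS.REORG TSS.STATUS""".split()
PER_IMSID = """IMSID.BROWSE IMSID.EDIT IMSID.REFRESH PASSWORD.REFRESH
DLALOG.GENERATE DLALOG.LIST DLALOG.STATUS DLALOG.PURGE DLALOG.RECOVER
DLALOG.FORMAT STORAGE.DISPLAY STORAGE.ZAP DLALIST.CHECK DLALIST.EXECUTE
TSS.REFRESH VTSTATS""".split()
PER_TABLE = "TSS.BROWSE TSS.EDIT TSS.DEFINE TSS.REMOVE TSS.LOAD TSS.UNLOAD".split()


def expected_resources(imsids, tables, cmds):
    """Expand the page's resource templates for a site's IMSIDs, tables, commands."""
    names = list(FIXED)
    for i in imsids:
        names += [f"{i}.{r}" for r in PER_IMSID]
        names += [f"{i}.IMSCMD.{c}" for c in cmds]
    names += [f"{p}.{t}" for p in PER_TABLE for t in tables]
    return names


def is_defined(resource, profiles):
    """True if a profile covers the resource. Masks are approximated with
    fnmatch ('*' any run, '%' one character); real RACF generic rules differ."""
    return any(fnmatchcase(resource, p.replace("%", "?")) for p in profiles)


def audit(profiles, imsids, tables, cmds):
    """Report functions left open to every user and the state of ACTIVATE."""
    open_to_all = [r for r in expected_resources(imsids, tables, cmds)
                   if not is_defined(r, profiles)]
    active = "ACTIVATE" in profiles
    return {"interface_active": active,
            "open_to_all": open_to_all,
            # Page: define ACTIVATE only after all other resources are defined.
            "activate_before_coverage": active and bool(open_to_all)}


# Constructed sample: profile names as they might be listed for class DLA#.
SAMPLE_PROFILES = ["ACTIVATE", "GLOBAL.*", "UPF.*", "KWT.*", "PASSWORD.EDIT",
                   "DLALIST.*", "TSS.*", "IMSA.*.*", "IMSA.VTSTATS"]

if __name__ == "__main__":
    report = audit(SAMPLE_PROFILES, ["IMSA", "IMSB"], ["LOGNOD"], ["DIS"])
    print(report["interface_active"], report["activate_before_coverage"])
    for name in report["open_to_all"]:
        print("unprotected:", name)
```

In the constructed sample every IMSB resource, including IMSB.STORAGE.ZAP, is reported as unprotected while ACTIVATE is already defined, which is the ordering step 5 advises against.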
