Implementing user access profiles and UPF security—EXTENDED TERMINAL ASSIST PLUS customization
By default, user access profiles determine which product features a user is authorized to use on a specific IMS system.
The UPF data set is used to maintain user access profiles. A user access profile is the user ID’s authorization for an IMSID. All product functions that reference an IMS control region require specification of the control region’s IMSID. Before a user may designate an IMSID, a user access profile must exist for the user ID and IMSID combination.
Administrator authority is required to create and maintain user access profiles. Unless you establish administrator authority for appropriate users, access to product features is effectively unlimited: all users are authorized to create user access profiles, so all users can authorize themselves to use all product features. BMC recommends that you establish administrator authority for appropriate personnel and restrict the use of product features, as appropriate, by creating user access profiles.
You can establish administrator authority for users with either of the following methods:
User ID list
You can create a list of user IDs that have administrator authority for creating and modifying user access profiles. Member ETMXUID0 of the ETASAMP library contains a sample user ID list that you can modify for your facility.
The following guidelines apply to creating the user ID list:
- The user ID list allows generic parameters. That is, only the specified characters in the user ID are matched. The ETASAMP library member ETMXUID0 provides information about using generic parameters.
- Specify the most specific user IDs toward the beginning of the table because the first match, rather than the best match, determines administrator authority. BMC recommends that the last entry in the list contain all asterisks for the user ID and deny administrator authority. This ensures that only the users that you specifically identify in the user ID list have authority to create and modify user access profiles.
RACF or an equivalent security product
You can use RACF or equivalent commands to define the resource and permit users to access it. Member ETAXRCN0 of the ETASAMP library contains sample statements that you can use.
For detailed instructions for establishing administrator authority and creating user access profiles, see To establish administrator authority and To create user access profiles.
To establish administrator authority
- Determine how you want to establish administrator authority for user access profiles:

| If you want to establish administrator authority through | Go to |
| --- | --- |
| A user ID list | Step 2 |
| RACF or an equivalent security product | Step 3 |
- Establish administrator authority through a list of user IDs:
  - Specify the user ID and administrator authority. Use the $ETAUID macro instruction in member ETMXUID0 of the ETASAMP library, in the following format:

    $ETAUID userid,control-flag

    The following values are valid for control-flag: Y indicates that the user ID should have administrator authority, and N indicates that the user ID should not have administrator authority.
  - Repeat as needed to establish the required authority for the appropriate user IDs.
  - To implement the user ID list, use JCL similar to that in member ETA#UIDL of the ETACNTL library to assemble and relink the panel processor module. If you do not use the JCL that is provided with the product to perform this step, ensure that the ETASAMP library is included in the SYSLIB concatenation for the JCL that you use.
- Establish administrator authority through RACF or an equivalent security product:
  - Perform one of the following actions, depending on the security product that your facility uses:
    - RACF (any currently-supported version): no special statements or maintenance are required. Go to Step 3.b.
    - ACF2 Version 1.6.0 or higher: add the following SAFDEF entry to your ACF2 parameters:

      FUNCRET(4) FUNCRSN(0) ID(prd)
      MODE(IGNORE)
      RACROUTE(REQUEST=AUTH CLASS=prd#)
      RETCODE(4)

      This entry ensures the use of internal security (any of the available approaches). To use the SAF security interface, you must delete this SAFDEF entry.
  - Use the RACF RDEFINE command (or, for other security products, its equivalent) to define the product to class APPL. You can use RDEFINE to specify as many parameters as required. Following is an example of the RDEFINE command:

    RDEFINE APPL ETA UACC(READ)

  - Use the RACF PERMIT command or equivalent to grant administrator authority to user IDs, as necessary. Following is an example of the PERMIT command:

    PERMIT ETA CLASS(APPL) ID(userid) ACCESS(CONTROL)

  - Repeat Steps 3.b and 3.c as needed to establish the required authority for the appropriate user IDs.
  - To implement the new RACF or equivalent security information, use JCL similar to that in member ETA#RSCL of the ETACNTL library to relink the panel processor module.
To create user access profiles
- Invoke the online interface through the modified ISPF/PDF Primary Option Menu that you created in Accessing-ETA-from-an-ISPF-options-menu or through the CLIST that you created in Accessing-ETA-from-a-CLIST. The Main Menu is displayed.
- Type 7 in the selection field and press Enter. The Administration Menu is displayed.
- Type 2 in the selection field and press Enter. The User Access Profiles panel is displayed.
- Add a new user access profile:
  - Type INSERT on the Command line and press Enter. The Insert User Access Profile pop-up window is displayed.
  - Type a user ID or masking pattern in the Userid or mask field. A masking pattern allows a group of users to make the same types of changes for the IMSID that you specify in the following step.
  - Type an IMSID or masking pattern in the IMSID/Group or mask field. A masking pattern allows a user or group of users to use the same ETA features on multiple IMS systems.
  - Press Enter. The User Access Profiles panel is displayed.
- Specify which ETA features the user or users will be allowed to use. Type Y as appropriate in the feature fields that are displayed for the inserted user ID or for other user IDs. The default value for each field is N.

  The Descriptor Edit and TSS table Edit security options are not associated with an IMSID for validation purposes. ETA selects all access profiles matching the user ID requesting access while ignoring the IMSID/Group field. If any of the selected profiles specifies Y, then access will be granted.

  The CPUID Refresh security option controls access to the ETA Product Authorization Primary Menu in the same way. However, access to the CPU-id option on the Refresh Menu requires an IMSID or Group match. Thus, access to these menus may be dictated by different access profiles. Similar logic applies to editing and refreshing the message customization and command security tables associated with Exit/Msg/CS.
- To delete a user access profile, type D in the A field next to the applicable user ID and press Enter.
- Press F3 to save changes to the user access profile.
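The two lookup rules this page describes (first match wins in the $ETAUID user ID list, so entry order decides administrator authority; any matching profile with Y grants a feature, with the IMSID/Group field ignored for some options and required for others) are modelled below in an added Python example that is not part of the product or of BMC's documentation. The masking rule (positional comparison over the pattern's length, `*` matching any character), the no-match outcome for the user ID list, the feature names and all sample entries are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

def mask_matches(pattern: str, value: str) -> bool:
    """Assumed masking rule: compare position by position over the pattern's length;
    '*' matches any character, positions beyond the pattern are not checked."""
    p, v = pattern.upper(), value.upper().ljust(len(pattern))
    return all(pc == "*" or pc == vc for pc, vc in zip(p, v))

def admin_authority(uid_list, userid: str) -> bool:
    """$ETAUID list lookup: the FIRST matching entry decides (Y grants, N denies).
    Assumption: an ID matching no entry gets no authority; the recommended trailing
    all-asterisk N entry makes that outcome explicit instead of implied."""
    for pattern, control_flag in uid_list:
        if mask_matches(pattern, userid):
            return control_flag == "Y"
    return False

@dataclass
class Profile:
    userid_mask: str
    imsid_mask: str
    features: dict = field(default_factory=dict)  # feature name -> "Y" / "N"

def feature_access(profiles, userid: str, imsid: str, feature: str,
                   imsid_scoped: bool = True) -> bool:
    """User access profile check: granted if ANY matching profile says Y.
    Descriptor Edit, TSS table Edit and the Product Authorization Primary Menu ignore
    the IMSID/Group field (imsid_scoped=False); IMS-specific options require a match."""
    for prof in profiles:
        if not mask_matches(prof.userid_mask, userid):
            continue
        if imsid_scoped and not mask_matches(prof.imsid_mask, imsid):
            continue
        if prof.features.get(feature, "N") == "Y":
            return True
    return False

# Constructed sample user ID lists (in real use, built from $ETAUID entries).
GOOD_LIST = [("ADM001", "Y"), ("OPS*", "N"), ("********", "N")]
# Misordered list: generic ADM* is hit first, so the later ADM999,N is never reached.
BAD_LIST = [("ADM*", "Y"), ("ADM999", "N"), ("********", "N")]

# Constructed sample profiles: OPS* may use CPU-id refresh on IMSA only;
# OPS001 additionally holds Descriptor Edit (an IMSID-independent option).
SAMPLE_PROFILES = [
    Profile("OPS*", "IMSA", {"CPUID_REFRESH": "Y"}),
    Profile("OPS001", "IMSB", {"DESCRIPTOR_EDIT": "Y"}),
]
```

Running `admin_authority(BAD_LIST, "ADM999")` returns True even though the list contains an explicit deny for that ID, which is the misordering the guideline about specific-before-generic entries warns against.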