Default language.

Space announcement This documentation space provides the same content as before, but the organization of the content has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.
Space announcement To view the latest version of the product documentation, select the version from the Product version menu above the navigation pane.

Defined Objects and Methods

This section describes all of the protected Code Pipeline Objects with details of the Methods, usage, default values, and variable usage.

Variable Substitution

Many security checks are dependent upon dynamic information such as the Code Pipeline Application. In the definition of the Security Rules, these are specified as variables. A complete list of available variable names and their meanings is outlined in the following table, and the sections describing each Object specify which of these variables are valid. Variables marked with (*) are available for all Security Rules and are not specified again for each Object/Method.

Variable Substitution

Variable ID

Description

Server (*)

The ServerID as specified in the

BMC Common Mainframe Services Controller (CMSC)

Object (*)

The Object of the Security Rule

Method (*)

The Method of the Security Rule

appl

Code Pipeline Application

subappl

Code Pipeline SubApplication

Stream

Stream Name

level

Code Pipeline Level

slevel

Signout level for a Task

tlevel

Target level for an operation

memenv

Member Environment (for example, OUTS/TEST/HOLD/PROD)

memtype

Component Type as defined in M.AD

memname

Component Name

popt

Code Pipeline Operation (for example, G/P, etc.)

apprname

Approver Name as defined in the Approval Rules

apprcode

“A” for Approve and “D” for Deny

chgtype

Set Change Type as defined in M.CH

owner

Container Owner

agrname

Application Group Name

asgnid

Assignment ID or Assignment Prefix

rlseid

Release ID or Release Prefix

The variables ASGNID and RLSEID are included in PTF IWH181A.

Access Levels

Each Rule defines a level of access to be checked. The following table lists the valid levels.

Access Levels

Access

Meaning

NONE

No access is required. Code Pipeline will not do a security check.

READ

Read access

UPDATE

Update access

ALTER

Alter access

SERVER

The SERVER object (SERVER) protects resources to do with accessing and controlling the Code Pipeline Server.

SERVER

Method

Usage

Default Security Check

Available
Variables

LOGON

Controls access to the server. All Code Pipeline users must be authorized to this function

<Server>.SERVER.LOGON

Access: READ


ADMIN

Determines whether the user is an administrator so that they can see all of the “M” functions

<Server>.SERVER.ADMIN

Access: READ


REFRESH

Administrator function to refresh server information

<Server>.SERVER.REFRESH

Access: UPDATE


TRACEON

Administrator function to turn server tracing on

<Server>.SERVER.TRACE

Access: UPDATE


TRACEOFF

Administrator function to turn server tracing off

<Server>.SERVER.TRACE

Access: UPDATE


TRACESW

Administrator function to send Trace Commands to the Server

<Server>.SERVER.TRACE

Access: ALTER


MAINT

Controls access to the Component Transport Housekeeping operations

<Server>.SERVER.MAINT

Access: ALTER


CTIDENT

Used to identify a Component Transport Address space

<Server>.SERVER.<Srvrnam>.<Srvrtyp>

Access: ALTER

Srvrnam Srvrtyp

RTCONFIG

Secures the use of a Run Time Config.

The SERVER RTCONFIG SECRULE validation, which is performed during logon, will not be performed unless an External References variable, SECRTCFG, is created under Maintenance (M.ER) and set to Y.

Important

If you are using the SERVER RTCONFIG SECRULE, make sure that you provide the necessary security access to the userIDs of the RX, FX, EF, and SX started tasks for successful execution of these started tasks.

<Server>.SERVER.<Rtconfig>

Access: READ

Rtconfig

ASGNMENT

The ASGNMENT object (ASGNMENT) protects actions against Code Pipeline Assignments.

ASGNMENT

Method

Usage

Default Security Check

Available
Variables

ADD

Controls who can add an Assignment

<Server>.ASGNMENT.<Appl>

Access: ALTER

Appl Subappl Stream

Owner Agrname, Asgnid

MODIFY

Controls who can modify an Assignment

<Server>.ASGNMENT.<Appl>

Access: UPDATE

Appl Subappl Stream

Owner Agrname, Asgnid

CLOSE

Controls who can close an Assignment

<Server>.ASGNMENT.<Appl>

Access: UPDATE

Appl Subappl Stream

Owner Agrname, Asgnid

JOIN

Controls who can join users other than themselves to an Assignment

<Server>.ASGNMENT.<Appl>

Access: UPDATE

Appl Subappl Stream

Owner Agrname

RELEASE

The RELEASE object (RELEASE) protects actions against Code Pipeline Release.

RELEASE

Method

Usage

Default Security Check

Available
Variables

ADD

Controls who can add a Release

<Server>.RELEASE.<Appl>

Access: ALTER

Appl Subappl Stream

Owner Agrname, Rlseid

MODIFY

Controls who can modify a Release

<Server>.RELEASE.<Appl>

Access: UPDATE

Appl Subappl Stream

Owner Agrname, Rlseid

CLOSE

Controls who can close a Release

<Server>.RELEASE.<Appl>

Access: UPDATE

Appl Subappl Stream

Owner Agrname, Rlseid 

JOIN

Controls who can join users other than themselves to a Release

<Server>.RELEASE.<Appl>

Access: UPDATE

Appl Subappl Stream

Owner Agrname

ASGNDFLT

Controls who can modify the default release field of assignments.

PTF IWH168A enables this functionality.

<Server>.RELEASE.<Appl>

Access: NONE

Appl Subappl Stream

Owner Agrname, Asgnid, Rlseid

TASKJOIN

Controls who can transfer tasks into a release when M.ER INHARLSE is set to Y.

PTF IWH264A enables this functionality.

<Server>.RELEASE.<Appl>

Access: NONE

Rlseid and (task) Appl Subappl Stream

Level Slevel

Memenv Memtype Memname

TASKRMV

Controls who can transfer tasks from a release when M.ER INHARLSE is set to Y

PTF IWH264A enables this functionality.

<Server>.RELEASE.<Appl>

Access: NONE

Rlseid and (task) Appl Subappl Stream

Level Slevel

Memenv Memtype Memname

SETOWNER

Method

Usage

Default Security Check

Available
Variables

UPDATE

Controls who can update the owner of a Set container to or from a value other than their own user ID. When updating the owner of an existing Set, this check is applied to both the previous and new Owner fields.

PTF IWH235A enables this functionality, but we recommend applying PTF IWH264A for improved performance.

<Server>.SETOWNER.UPDATE Access: NONE

Appl Subappl Stream

Level Slevel

Popt Chgtype Owner

SET

The SET object (SET) protects actions against Code Pipeline Set.

SET

Method

Usage

Default Security Check

Available
Variables

ADD

Controls who can create a Set

<Server>.SET.<Appl>.<Level>

Access: ALTER

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

TASKADD

Controls who can add Tasks to a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

LOCK

Controls who can Lock a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

UNLOCK

Controls who can Unlock a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

MODIFY

Controls who can modify Set details

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

CLOSE

Controls who can close a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

JOIN

Controls who can join users other than themselves to a Set

<Server>.SET.<Appl>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

APRVLIST

Controls who can list the Approvers for a Set

<Server>.SET.<Appl>.<Level>

Access: READ

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

STOP

Controls who can issue the STOP command against a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

RELEASE

Controls access to releasing held sets.

Starting from PTF IWH229A, it also controls access to holding released sets.

<Server>.SET.<Appl>.<Level>
Access: NONE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

RESTART

Controls who can issue the RESTART command against a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

TERMINAT

Controls who can issue the TERMINATE command against a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

BUILD

Controls access to usage of the Build action

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

RELEASE

Controls access to release held sets.

<Server>.SET.<Appl>.<Level>
Access: NONE

Appl Subappl Stream Owner Level Slevel Popt Chgtype Agrname

CHGTYPE

The CHGTYPE object (CHGTYPE) protects the assigning of specific Change Types with a Set. This is required because a Set’s Change Type is part of the Approval Rules and can determine what Approvals are required.

CHGTYPE

Method

Usage

Default Security Check

Available
Variables

ASSIGN

Controls the use of Change Types with Set creation

<Server>.CHGTYPE.<Chgtype>

Access: READ

Chgtype

TASK

The TASK object (TASK) protects popts against Tasks.

TASK

Method

Usage

Default Security Check

Available
Variables

ADD

Secures the addition of Tasks to Code Pipeline

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: ALTER

Appl Subappl Stream Level Slevel Memtype Memname Agrname

INSERT

Secures the Insertion of Tasks by the External Call Interface (ECI)

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: ALTER

Appl Subappl Stream Level Slevel Memenv Memtype Memname Agrname

SETPROC

Secures popts against Tasks

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>.<Popt>

Access: UPDATE

Appl Subappl Stream Level Slevel Tlevel Memenv Memtype Memname Popt Agrname

LIST

Secures the Task List

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: READ

Appl Subappl Stream Level Slevel Memenv Memtype Memname Agrname

RVERUPD

Secures the UV Operation which updates the “Can Replace” version number

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: ALTER

Appl Subappl Stream Level Slevel Tlevel Memenv Memtype Memname Popt Agrname

AG

The AG object (AG) protects Approver Groups. When a Set is locked, the Approval Rules determine which Approver Groups are required for approval. This object protects who can approve or deny these groups.

AG

Method

Usage

Default Security Check

Available
Variables

APPROVE

Controls who can signal approval for a specific Approver Group Name

<Server>.AG.<Apprname>.<Appr code>

Access: READ

Note: The value of Apprcode is “A” for Approve.

Apprname
Apprcode

DENY

Controls who can signal denial for a specific Approver Group Name

<Server>.AG.<Apprname>.<Appr code>

Access: READ

Note: The value of Apprcode is “D” for Deny.

Apprname
Apprcode

REFDATA

The REFDATA object (REFDATA) protects Code Pipeline Reference Data. The Reference Data form the basis for how Code Pipeline will work and should be tightly secured.

REFDATA

Method

Usage

Default Security Check

Available
Variables

TECH

Secures the “non- application” reference data (for example, M.ER)

<Server>.REFDATA

Access: UPDATE


APP

Secures the application-specific data (for example, M.AD)

<Server>.REFDATA.<Appl>

Access: UPDATE

Appl Subappl Stream Agrname

GENSUB

The GENSUB object (GENSUB) protects the submission of the Generate. Controlled generates can be submitted either as part of Set Processing or not. This security check protects who can submit the generate jobs not done in a Set. (There are other rules around creating and executing sets.)

GENSUB

Method

Usage

Default Security Check

Available
Variables

START

Secures whether the user can submit “demanded” generate jobs

<Server>.GENSUB

Access: READ


DPLYREF

The DPLYREF object (DPLYREF) protects the Code Pipeline Deploy Reference data.

DPLYREF

Method

Usage

Default Security Check

Available
Variables

SYSTEM

Controls who can maintain Deployment Systems

<Server>.SYSTEM.<Systnam>.<Systtyp>

Access: UPDATE

Systnam
Systtyp

CATEGORY

Controls who can maintain Deployment Categories

<Server>.CATEGORY.<Dpcat>

Access: UPDATE

Dpcat

DOMAIN

Controls who can maintain Deployment Domains

<Server>.DOMAIN.<Dpdmn>

Access: UPDATE

Dpdmn

TYPE

Controls who can maintain Deployment Types

<Server>.TYPE.<Dptype>.<Dpcat>

Access: UPDATE

Dptype
Dpcat

ENV

Controls who can maintain Deployment Environments

<Server>.ENV.<Dpenv>.<Owner>

Access: UPDATE

Dpenv
Owner

DPLYREQ

The DPLYREQ Object (DPLYREQ) protects the Code Pipeline Deploy Deployment Requests.

DPLYREQ

Method

Usage

Default Security Check

Available
Variables

RESTART

Controls who can restart a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

CANCEL

Controls who can cancel a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

TERMINAT

Controls who can terminate a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

MODIFY

Controls who can modify a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

PKGFAIL

Controls who can fail a Package within a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

PKGUPD

Controls who can modify Package dates and times within a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

RELEASE

Controls who can release a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Subappl Dpenv Agrname

CMPNGRP

The CMPNGRP Object (CMPNGRP) protects Components by their Owning Component Groups.

Important

This will prevent all viewing of the component in the 

Workbench for Eclipse

interface. This is not supported in ISPF.

CMPNGRP

Method

Usage

Default Security Check

Available
Variables

OACCESS

Controls who can access a Component protected by an Owning Component Group.

<Server>.CMPNGRP.<Cgrpname>

Access: NONE

Cgrpname

OASSIGN

Controls who can assign a Component to an Owning Component Group.

<Server>.CMPNGRP.<Cgrpname>

Access: ALTER

Cgrpname

Component Group Security

Organizations sometimes have specific Components across Applications that need to be protected separately from the capability of securing by Code Pipeline Application. This separate protection is accomplished by setting the Owning Component Group for a Component to a Component Group that is then protected with an associated SECRULE and security definitions. (A Component Group is defined in the Maintenance function GX, as explained in GX-Component-Groups.)

Components can be linked to that Group using the Repository List function (3270), modifying the Component, and specifying the Component Group against the “Owning Component Group” field.

To enable the security, a SECRULE needs to be defined to the server protecting the Security Object CMPNGRP. See Security for further details.

Once security is enabled—and if a Component has an Owning Component Group specified—a security check will be done whenever a request is made to:

  • browse/edit the Component from the Tasklist
  • browse the Component from any list (for example, version, parts, or impacts)
  • browse a listing where the Component is a reference (and would thus be shown in the listing).

DPLYPPKG

The DPLYPPKG Object (DPLYPPKG) protects the Code Pipeline Deploy Physical Packages.

DPLYPPKG

Method

Usage

Default Security Check

Available
Variables

VIEWLOG

Controls who can view a Deploy Activation Log.

<Server>.DPLYPPKG.<Dpenv>

Access: READ

Dpenv

GPR

The GPR object (GPR) protects General Purpose Requests.

GPR

Method

Usage

Default Security Check

Available
Variables

START

Controls who can start a General Purpose Request.

<Server>.GPR

Access: UPDATE


CMPNDESC

The CMPNDESC object (CMPNDESC) protects the Component Description field.

CMPNDESC

Method

Usage

Default Security Check

Available
Variables

UPDATE

Controls who can update a Component Description.

<Server>.CMPNDESC.UPDATE

Access: NONE

Appl, Subappl, Memtype, Memname, Agrname

Component Description Security

By default, the Component Description field is not protected. You must code a specific SECRULE statement for this Object and Method to protect it. A SECRULE statement with a wildcard in the Object or Method will not affect whether it is protected.

TASKDESC

The TASKDESC object (TASKDESC) protects the Task Description field.

TASKDESC

Method

Usage

Default Security Check

Available
Variables

UPDATE

Controls who can update a Task Description.

<Server>.TASKDESC.UPDATE

Access: NONE

Stream, Appl, Subappl, Memenv, Level, Memtype, Memname, Agrname

Task Description Security

By default, the Task Description field is not protected. You must code a specific SECRULE statement for this Object and Method to protect it. A SECRULE statement with a wildcard in the Object or Method will not affect whether it is protected.

WORKREQ

The WORKREQ object (WORKREQ) protects the WORKREQ field.

WORKREQ

Method

Usage

Default Security Check

Available
Variables

UPDATE

Controls who can update a WORKREQ field.

<Server>.WORKREQ.UPDATE

Access: NONE

Stream, Appl, Subappl, Owner

WORKREQ Security

By default, the WORKREQ field is not protected. You must code a specific SECRULE statement for this Object and Method to protect it. A SECRULE statement with a wildcard in the Object or Method will not affect whether it is protected.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*