Defined Objects and Methods
This section describes all of the protected ISPW Objects with details of the Methods, usage, default values, and variable usage.
Variable Substitution
Many security checks are dependent upon dynamic information such as the ISPW Application. In the definition of the Security Rules, these are specified as variables. A complete list of available variable names and their meanings is outlined in the following table, and the sections describing each Object specify which of these variables are valid. Variables marked with (*) are available for all Security Rules and are not specified again for each Object/Method.
Variable Substitution
Variable ID | Description |
---|---|
Server (*) | The ServerID as specified in the Compuware Mainframe Services Controller (CMSC) |
Object (*) | The Object of the Security Rule |
Method (*) | The Method of the Security Rule |
appl | ISPW Application |
Stream | Stream Name |
level | ISPW Level |
slevel | Signout level for a Task |
tlevel | Target level for an operation |
memenv | Member Environment (for example, OUTS/TEST/HOLD/PROD) |
memtype | Component Type as defined in M.AD |
memname | Component Name |
popt | ISPW Operation (for example, G/P, etc.) |
apprname | Approver Name as defined in the Approval Rules |
apprcode | “A” for Approve and “D” for Deny |
chgtype | Set Change Type |
owner | Container Owner |
agrname | Application Group Name |
Access Levels
Each Rule defines a level of access to be checked. The following table lists the valid levels.
Access Levels
Access | Meaning |
---|---|
NONE | No access is required. ISPW will not do a security check. |
READ | Read access |
UPDATE | Update access |
ALTER | Alter access |
SERVER
The SERVER object (SERVER) protects resources to do with accessing and controlling the ISPW Server.
SERVER
Method | Usage | Default Security Check | Available |
---|---|---|---|
LOGON | Controls access to the server. All ISPW users must be authorized to this function | <Server>.SERVER.LOGON Access: READ | |
ADMIN | Determines whether the user is an administrator so that they can see all of the “M” functions | <Server>.SERVER.ADMIN Access: READ | |
REFRESH | Administrator function to refresh server information | <Server>.SERVER.REFRESH Access: UPDATE | |
TRACEON | Administrator function to turn server tracing on | <Server>.SERVER.TRACE Access: UPDATE | |
TRACEOFF | Administrator function to turn server tracing off | <Server>.SERVER.TRACE Access: UPDATE | |
TRACESW | Administrator function to send Trace Commands to the Server | <Server>.SERVER.TRACE Access: ALTER | |
MAINT | Controls access to the Component Transport Housekeeping operations | <Server>.SERVER.MAINT Access: ALTER | |
CTIDENT | Used to identify a Component Transport Address space | <Server>.SERVER.<Srvrnam>.<Srvrtyp> Access: ALTER | Srvrnam Srvrtyp |
RTCONFIG | Secures the use of a Run Time Config. The SERVER RTCONFIG SECRULE validation, which is performed during logon, will not be performed unless an External References variable, SECRTCFG, is created under Maintenance (M.ER) and set to Y. | <Server>.SERVER.<Rtconfig> Access: READ | Rtconfig |
ASGNMENT
The ASGNMENT object (ASGNMENT) protects actions against ISPW Assignments.
ASGNMENT
Method | Usage | Default Security Check | Available |
---|---|---|---|
ADD | Controls who can add an Assignment | <Server>.ASGNMENT.<Appl> Access: ALTER | Appl Stream |
MODIFY | Controls who can modify an Assignment | <Server>.ASGNMENT.<Appl> Access: UPDATE | Appl Stream |
CLOSE | Controls who can close an Assignment | <Server>.ASGNMENT.<Appl> Access: UPDATE | Appl Stream |
JOIN | Controls who can join users other than themselves to an Assignment | <Server>.ASGNMENT.<Appl> Access: UPDATE | Appl Stream |
RELEASE
The RELEASE object (RELEASE) protects actions against ISPW Release.
RELEASE
Method | Usage | Default Security Check | Available |
---|---|---|---|
ADD | Controls who can add a Release | <Server>.RELEASE.<Appl> Access: ALTER | Appl Stream |
MODIFY | Controls who can modify a Release | <Server>.RELEASE.<Appl> Access: UPDATE | Appl Stream |
CLOSE | Controls who can close a Release | <Server>.RELEASE.<Appl> Access: UPDATE | Appl Stream |
JOIN | Controls who can join users other than themselves to an Release | <Server>.RELEASE.<Appl> Access: UPDATE | Appl Stream |
SET
The SET object (SET) protects actions against ISPW Set.
SET
Method | Usage | Default Security Check | Available |
---|---|---|---|
ADD | Controls who can create a Set | <Server>.SET.<Appl>.<Level> Access: ALTER | Appl Stream |
TASKADD | Controls who can add Tasks to a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
LOCK | Controls who can Lock a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
UNLOCK | Controls who can Unlock a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
MODIFY | Controls who can modify Set details | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
CLOSE | Controls who can close a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
JOIN | Controls who can join users other than themselves to a Set | <Server>.SET.<Appl> Access: UPDATE | Appl Stream |
APRVLIST | Controls who can list the Approvers for a Set | <Server>.SET.<Appl>.<Level> Access: READ | Appl Stream |
STOP | Controls who can issue the STOP command against a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
RESTART | Controls who can issue the RESTART command against a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
TERMINAT | Controls who can issue the TERMINATE command against a Set | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Stream |
BUILD | Controls access to usage of the Build action | <Server>.SET.<Appl>.<Level> Access: UPDATE | Appl Level |
CHGTYPE
The CHGTYPE object (CHGTYPE) protects the assigning of specific Change Types with a Set. This is required because a Set’s Change Type is part of the Approval Rules and can determine what Approvals are required.
CHGTYPE
Method | Usage | Default Security Check | Available |
---|---|---|---|
ASSIGN | Controls the use of Change Types with Set creation | <Server>.CHGTYPE.<Chgtype> Access: READ | Chgtype |
TASK
The TASK object (TASK) protects popts against Tasks.
TASK
Method | Usage | Default Security Check | Available |
---|---|---|---|
ADD | Secures the addition of Tasks to ISPW | <Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname> Access: ALTER | Appl Stream Level Slevel Memtype Memname Agrname |
INSERT | Secures the Insertion of Tasks by the External Call Interface (ECI) | <Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname> Access: ALTER | Appl Stream |
SETPROC | Secures popts against Tasks | <Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>.<Popt> Access: UPDATE | Appl Stream |
LIST | Secures the Task List | <Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname> Access: READ | Appl Stream |
RVERUPD | Secures the UV Operation which updates the “Can Replace” version number | <Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname> Access: ALTER | Appl Stream Level Slevel Tlevel Memenv Memtype Memname Popt Agrname |
AG
The AG object (AG) protects Approver Groups. When a Set is locked, the Approval Rules determine which Approver Groups are required for approval. This object protects who can approve or deny these groups.
AG
Method | Usage | Default Security Check | Available |
---|---|---|---|
APPROVE | Controls who can signal approval for a specific Approver Group Name | <Server>.AG.<Apprname>.<Appr code> Access: READ Note: The value of Apprcode is “A” for Approve. | Apprname |
DENY | Controls who can signal denial for a specific Approver Group Name | <Server>.AG.<Apprname>.<Appr code> Access: READ Note: The value of Apprcode is “D” for Deny. | Apprname |
REFDATA
The REFDATA object (REFDATA) protects ISPW Reference Data. The Reference Data form the basis for how ISPW will work and should be tightly secured.
REFDATA
Method | Usage | Default Security Check | Available |
---|---|---|---|
TECH | Secures the “non- application” reference data (for example, M.ER) | <Server>.REFDATA Access: UPDATE | |
APP | Secures the application-specific data (for example, M.AD) | <Server>.REFDATA.<Appl> Access: UPDATE | Appl Stream Agrname |
GENSUB
The GENSUB object (GENSUB) protects the submission of the Generate. Controlled generates can be submitted either as part of Set Processing or not. This security check protects who can submit the generate jobs not done in a Set. (There are other rules around creating and executing sets.)
GENSUB
Method | Usage | Default Security Check | Available |
---|---|---|---|
START | Secures whether the user can submit “demanded” generate jobs | <Server>.GENSUB Access: READ |
DPLYREF
The DPLYREF object (DPLYREF) protects the ISPW Deploy Reference data.
DPLYREF
Method | Usage | Default Security Check | Available |
---|---|---|---|
SYSTEM | Controls who can maintain Deployment Systems | <Server>.SYSTEM.<Systnam>.<Systtyp> Access: UPDATE | Systnam |
CATEGORY | Controls who can maintain Deployment Categories | <Server>.CATEGORY.<Dpcat> Access: UPDATE | Dpcat |
DOMAIN | Controls who can maintain Deployment Domains | <Server>.DOMAIN.<Dpdmn> Access: UPDATE | Dpdmn |
TYPE | Controls who can maintain Deployment Types | <Server>.TYPE.<Dptype>.<Dpcat> Access: UPDATE | Dptype |
ENV | Controls who can maintain Deployment Environments | <Server>.ENV.<Dpenv>.<Owner> Access: UPDATE | Dpenv |
DPLYREQ
The DPLYREQ Object (DPLYREQ) protects the ISPW Deploy Deployment Requests.
DPLYREQ
Method | Usage | Default Security Check | Available |
---|---|---|---|
RESTART | Controls who can restart a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> Access: UPDATE | Appl Dpenv Agrname |
CANCEL | Controls who can cancel a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> Access: UPDATE | Appl Dpenv Agrname |
TERMINAT | Controls who can terminate a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> Access: UPDATE | Appl Dpenv Agrname |
MODIFY | Controls who can modify a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> Access: UPDATE | Appl Dpenv Agrname |
PKGFAIL | Controls who can fail a Package within a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> Access: UPDATE | Appl Dpenv Agrname |
PKGUPD | Controls who can modify Package dates and times within a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> Access: UPDATE | Appl Dpenv Agrname |
RELEASE | Controls who can release a Deployment Request | <Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl> | Appl Dpenv Agrname |
CMPNGRP
The CMPNGRP Object (CMPNGRP) protects Components by their Owning Component Groups.
CMPNGRP
Method | Usage | Default Security Check | Available |
---|---|---|---|
OACCESS | Controls who can access a Component protected by an Owning Component Group. | <Server>.CMPNGRP.<Cgrpname> Access: NONE | Cgrpname |
OASSIGN | Controls who can assign a Component to an Owning Component Group. | <Server>.CMPNGRP.<Cgrpname> Access: ALTER | Cgrpname |
Component Group Security
Organizations sometimes have specific Components across Applications that need to be protected separately from the capability of securing by ISPW Application. This separate protection is accomplished by setting the Owning Component Group for a Component to a Component Group that is then protected with an associated SECRULE and security definitions. (A Component Group is defined in the Maintenance function GX, as explained in GX-Component-Groups.)
Components can be linked to that Group using the Repository List function (3270), modifying the Component, and specifying the Component Group against the “Owning Component Group” field.
To enable the security, a SECRULE needs to be defined to the server protecting the Security Object CMPNGRP. See Security for further details.
Once security is enabled—and if a Component has an Owning Component Group specified—a security check will be done whenever a request is made to:
- browse/edit the Component from the Tasklist
- browse the Component from any list (for example, version, parts, or impacts)
- browse a listing where the Component is a reference (and would thus be shown in the listing).
DPLYPPKG
The DPLYPPKG Object (DPLYPPKG) protects the ISPW Deploy Physical Packages.
DPLYPPKG
Method | Usage | Default Security Check | Available |
---|---|---|---|
VIEWLOG | Controls who can view a Deploy Activation Log. | <Server>.DPLYPPKG.<Dpenv> Access: READ | Dpenv |
GPR
The GPR object (GPR) protects General Purpose Requests.
GPR
Method | Usage | Default Security Check | Available |
---|---|---|---|
START | Controls who can start a General Purpose Request. | <Server>.GPR Access: UPDATE |