Defined Objects and Methods


This section describes all of the protected ISPW Objects with details of the Methods, usage, default values, and variable usage.

Variable Substitution

Many security checks are dependent upon dynamic information such as the ISPW Application. In the definition of the Security Rules, these are specified as variables. A complete list of available variable names and their meanings is outlined in the following table, and the sections describing each Object specify which of these variables are valid. Variables marked with (*) are available for all Security Rules and are not specified again for each Object/Method.

Variable Substitution

Variable ID

Description

Server (*)

The ServerID as specified in the Compuware Mainframe Services Controller (CMSC)

Object (*)

The Object of the Security Rule

Method (*)

The Method of the Security Rule

appl

ISPW Application

Stream

Stream Name

level

ISPW Level

slevel

Signout level for a Task

tlevel

Target level for an operation

memenv

Member Environment (for example, OUTS/TEST/HOLD/PROD)

memtype

Component Type as defined in M.AD

memname

Component Name

popt

ISPW Operation (for example, G/P, etc.)

apprname

Approver Name as defined in the Approval Rules

apprcode

“A” for Approve and “D” for Deny

chgtype

Set Change Type

owner

Container Owner

agrname

Application Group Name

Access Levels

Each Rule defines a level of access to be checked. The following table lists the valid levels.

Access Levels

Access

Meaning

NONE

No access is required. ISPW will not do a security check.

READ

Read access

UPDATE

Update access

ALTER

Alter access

SERVER

The SERVER object (SERVER) protects resources to do with accessing and controlling the ISPW Server.

SERVER

Method

Usage

Default Security Check

Available
Variables

LOGON

Controls access to the server. All ISPW users must be authorized to this function

<Server>.SERVER.LOGON

Access: READ


ADMIN

Determines whether the user is an administrator so that they can see all of the “M” functions

<Server>.SERVER.ADMIN

Access: READ


REFRESH

Administrator function to refresh server information

<Server>.SERVER.REFRESH

Access: UPDATE


TRACEON

Administrator function to turn server tracing on

<Server>.SERVER.TRACE

Access: UPDATE


TRACEOFF

Administrator function to turn server tracing off

<Server>.SERVER.TRACE

Access: UPDATE


TRACESW

Administrator function to send Trace Commands to the Server

<Server>.SERVER.TRACE

Access: ALTER


MAINT

Controls access to the Component Transport Housekeeping operations

<Server>.SERVER.MAINT

Access: ALTER


CTIDENT

Used to identify a Component Transport Address space

<Server>.SERVER.<Srvrnam>.<Srvrtyp>

Access: ALTER

Srvrnam Srvrtyp

RTCONFIG

Secures the use of a Run Time Config.

The SERVER RTCONFIG SECRULE validation, which is performed during logon, will not be performed unless an External References variable, SECRTCFG, is created under Maintenance (M.ER) and set to Y.

Important

If you are using the SERVER RTCONFIG SECRULE, make sure that you provide the necessary security access to the userIDs of the RX, FX, EF, and SX started tasks for successful execution of these started tasks.

<Server>.SERVER.<Rtconfig>

Access: READ

Rtconfig

ASGNMENT

The ASGNMENT object (ASGNMENT) protects actions against ISPW Assignments.

ASGNMENT

Method

Usage

Default Security Check

Available
Variables

ADD

Controls who can add an Assignment

<Server>.ASGNMENT.<Appl>

Access: ALTER

Appl Stream
Owner Agrname

MODIFY

Controls who can modify an Assignment

<Server>.ASGNMENT.<Appl>

Access: UPDATE

Appl Stream
Owner Agrname

CLOSE

Controls who can close an Assignment

<Server>.ASGNMENT.<Appl>

Access: UPDATE

Appl Stream
Owner Agrname

JOIN

Controls who can join users other than themselves to an Assignment

<Server>.ASGNMENT.<Appl>

Access: UPDATE

Appl Stream
Owner Agrname

RELEASE

The RELEASE object (RELEASE) protects actions against ISPW Release.

RELEASE

Method

Usage

Default Security Check

Available
Variables

ADD

Controls who can add a Release

<Server>.RELEASE.<Appl>

Access: ALTER

Appl Stream
Owner Agrname

MODIFY

Controls who can modify a Release

<Server>.RELEASE.<Appl>

Access: UPDATE

Appl Stream
Owner Agrname

CLOSE

Controls who can close a Release

<Server>.RELEASE.<Appl>

Access: UPDATE

Appl Stream
Owner Agrname

JOIN

Controls who can join users other than themselves to an Release

<Server>.RELEASE.<Appl>

Access: UPDATE

Appl Stream
Owner Agrname

SET

The SET object (SET) protects actions against ISPW Set.

SET

Method

Usage

Default Security Check

Available
Variables

ADD

Controls who can create a Set

<Server>.SET.<Appl>.<Level>

Access: ALTER

Appl Stream
Level Owner
Popt Agrname

TASKADD

Controls who can add Tasks to a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

LOCK

Controls who can Lock a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

UNLOCK

Controls who can Unlock a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

MODIFY

Controls who can modify Set details

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

CLOSE

Controls who can close a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

JOIN

Controls who can join users other than themselves to a Set

<Server>.SET.<Appl>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

APRVLIST

Controls who can list the Approvers for a Set

<Server>.SET.<Appl>.<Level>

Access: READ

Appl Stream
Level Owner
Popt Agrname

STOP

Controls who can issue the STOP command against a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

RESTART

Controls who can issue the RESTART command against a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

TERMINAT

Controls who can issue the TERMINATE command against a Set

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Stream
Level Owner
Popt Agrname

BUILD

Controls access to usage of the Build action

<Server>.SET.<Appl>.<Level>

Access: UPDATE

Appl Level

CHGTYPE

The CHGTYPE object (CHGTYPE) protects the assigning of specific Change Types with a Set. This is required because a Set’s Change Type is part of the Approval Rules and can determine what Approvals are required.

CHGTYPE

Method

Usage

Default Security Check

Available
Variables

ASSIGN

Controls the use of Change Types with Set creation

<Server>.CHGTYPE.<Chgtype>

Access: READ

Chgtype

TASK

The TASK object (TASK) protects popts against Tasks.

TASK

Method

Usage

Default Security Check

Available
Variables

ADD

Secures the addition of Tasks to ISPW

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: ALTER

Appl Stream Level Slevel Memtype Memname Agrname

INSERT

Secures the Insertion of Tasks by the External Call Interface (ECI)

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: ALTER

Appl Stream
Level Slevel
Memenv Memtype
Memname Agrname

SETPROC

Secures popts against Tasks

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>.<Popt>

Access: UPDATE

Appl Stream
Level Slevel
Memenv Memtype
Memname Popt
Tlevel Agrname

LIST

Secures the Task List

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: READ

Appl Stream
Level Slevel
Memenv Memtype
Memname Agrname

RVERUPD

Secures the UV Operation which updates the “Can Replace” version number

<Server>.TASK.<Appl>.<Level>.<Memtype>.<Memname>

Access: ALTER

Appl Stream Level Slevel Tlevel Memenv Memtype Memname Popt Agrname

AG

The AG object (AG) protects Approver Groups. When a Set is locked, the Approval Rules determine which Approver Groups are required for approval. This object protects who can approve or deny these groups.

AG

Method

Usage

Default Security Check

Available
Variables

APPROVE

Controls who can signal approval for a specific Approver Group Name

<Server>.AG.<Apprname>.<Appr code>

Access: READ

Note: The value of Apprcode is “A” for Approve.

Apprname
Apprcode

DENY

Controls who can signal denial for a specific Approver Group Name

<Server>.AG.<Apprname>.<Appr code>

Access: READ

Note: The value of Apprcode is “D” for Deny.

Apprname
Apprcode

REFDATA

The REFDATA object (REFDATA) protects ISPW Reference Data. The Reference Data form the basis for how ISPW will work and should be tightly secured.

REFDATA

Method

Usage

Default Security Check

Available
Variables

TECH

Secures the “non- application” reference data (for example, M.ER)

<Server>.REFDATA

Access: UPDATE


APP

Secures the application-specific data (for example, M.AD)

<Server>.REFDATA.<Appl>

Access: UPDATE

Appl Stream Agrname

GENSUB

The GENSUB object (GENSUB) protects the submission of the Generate. Controlled generates can be submitted either as part of Set Processing or not. This security check protects who can submit the generate jobs not done in a Set. (There are other rules around creating and executing sets.)

GENSUB

Method

Usage

Default Security Check

Available
Variables

START

Secures whether the user can submit “demanded” generate jobs

<Server>.GENSUB

Access: READ


DPLYREF

The DPLYREF object (DPLYREF) protects the ISPW Deploy Reference data.

DPLYREF

Method

Usage

Default Security Check

Available
Variables

SYSTEM

Controls who can maintain Deployment Systems

<Server>.SYSTEM.<Systnam>.<Systtyp>

Access: UPDATE

Systnam
Systtyp

CATEGORY

Controls who can maintain Deployment Categories

<Server>.CATEGORY.<Dpcat>

Access: UPDATE

Dpcat

DOMAIN

Controls who can maintain Deployment Domains

<Server>.DOMAIN.<Dpdmn>

Access: UPDATE

Dpdmn

TYPE

Controls who can maintain Deployment Types

<Server>.TYPE.<Dptype>.<Dpcat>

Access: UPDATE

Dptype
Dpcat

ENV

Controls who can maintain Deployment Environments

<Server>.ENV.<Dpenv>.<Owner>

Access: UPDATE

Dpenv
Owner

DPLYREQ

The DPLYREQ Object (DPLYREQ) protects the ISPW Deploy Deployment Requests.

DPLYREQ

Method

Usage

Default Security Check

Available
Variables

RESTART

Controls who can restart a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Dpenv Agrname

CANCEL

Controls who can cancel a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Dpenv Agrname

TERMINAT

Controls who can terminate a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Dpenv Agrname

MODIFY

Controls who can modify a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Dpenv Agrname

PKGFAIL

Controls who can fail a Package within a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Dpenv Agrname

PKGUPD

Controls who can modify Package dates and times within a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>

Access: UPDATE

Appl Dpenv Agrname

RELEASE

Controls who can release a Deployment Request

<Server>.DPLYREQ.<Dpenv>.<Agrname>.<Appl>
Access: UPDATE

Appl Dpenv Agrname

CMPNGRP

The CMPNGRP Object (CMPNGRP) protects Components by their Owning Component Groups.

Important

This will prevent all viewing of the component in the Topaz interface. This is not supported in ISPF.

CMPNGRP

Method

Usage

Default Security Check

Available
Variables

OACCESS

Controls who can access a Component protected by an Owning Component Group.

<Server>.CMPNGRP.<Cgrpname>

Access: NONE

Cgrpname

OASSIGN

Controls who can assign a Component to an Owning Component Group.

<Server>.CMPNGRP.<Cgrpname>

Access: ALTER

Cgrpname

Component Group Security

Organizations sometimes have specific Components across Applications that need to be protected separately from the capability of securing by ISPW Application. This separate protection is accomplished by setting the Owning Component Group for a Component to a Component Group that is then protected with an associated SECRULE and security definitions. (A Component Group is defined in the Maintenance function GX, as explained in GX-Component-Groups.)

Components can be linked to that Group using the Repository List function (3270), modifying the Component, and specifying the Component Group against the “Owning Component Group” field.

To enable the security, a SECRULE needs to be defined to the server protecting the Security Object CMPNGRP. See Security for further details.

Once security is enabled—and if a Component has an Owning Component Group specified—a security check will be done whenever a request is made to:

  • browse/edit the Component from the Tasklist
  • browse the Component from any list (for example, version, parts, or impacts)
  • browse a listing where the Component is a reference (and would thus be shown in the listing).

DPLYPPKG

The DPLYPPKG Object (DPLYPPKG) protects the ISPW Deploy Physical Packages.

DPLYPPKG

Method

Usage

Default Security Check

Available
Variables

VIEWLOG

Controls who can view a Deploy Activation Log.

<Server>.DPLYPPKG.<Dpenv>

Access: READ

Dpenv

GPR

The GPR object (GPR) protects General Purpose Requests.

GPR

Method

Usage

Default Security Check

Available
Variables

START

Controls who can start a General Purpose Request.

<Server>.GPR

Access: UPDATE   


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*