XMI Server Security

In the past the only form of security available for the XMI Server was through RACF, CA-Top Secret, or CA-ACF2. You would apply this security to the FOCBMP dataset, which denied access to the server by not allowing the user to allocate the dataset.

The problem with this type of security was that the user had access to all PCBs within the PSB associated with the XMI Server.

The XMI Server has been enhanced to include a security exit (IMSECHK) that allows a site to secure the environment at the user level. This means that the site's security administrator can define which PCBs within the PSB associated with the server can be accessed by a given user.



How Does the Exit Work

When you issue a TABLE or SQL SELECT against an IMS file, the following things occur:

Code the exit to perform the appropriate security check:



Example: Exit

IMSECHK  CSECT
         USING *,R15
         B     ARROUND
         DC    C'** IMS SECURITY EXIT FOR XMI -- '
         DC    C'&SYSDATE',C' ** '
         DS    0H
ARROUND  EQU   *
         DROP  R15
         STM   R14,R12,12(R13) Save the caller's registers
         USING IMSECHK,R12
         LR    R12,R15        Establish the base register
         LR    R3,R1          Keep the parameter list address
         GETMAIN R,LV=LUSAREA
         XC    0(LUSAREA,R1),0(R1)
         ST    R13,4(R1)      Chain the save areas
         ST    R1,8(R13)
         LR    R13,R1
         USING USAREA,R13
         LM    R4,R5,0(R3)    R4 -> user id, R5 -> file name
         MVC   USER(8),0(R4)
         MVC   FILE(8),0(R5)
************** ACTUAL BODY OF THE EXIT ****************************
         L     R11,=V(TABLE)  Link to the list of users
         LTR   R11,R11        Is it linked?
         BZ    GOOD           BIF nothing to check
         L     R10,0(R11)     Number of elements in the table
         L     R9,4(R11)      Number of MFDs in the element
         LA    R11,8(R11)     Points to the first one
         USING ELEMENT,R11    Map it
CHECKU   EQU   *              Check the user id
         CLC   USER(8),USERID Is user registered in the table?
         BE    CHECKF         BIF found
         LA    R11,LELEMENT(R11) Bump to the next element
         BCT   R10,CHECKU     Continue to search
         B     GOOD           User can access any file if NOT found
CHECKF   EQU   *              Check the MFD
         LA    R8,MFDS        Address of the MFD's list
COMPMFD  EQU   *
         CLC   FILE(8),0(R8)  Compare names
         BE    GOOD           BIF found
         LA    R8,8(R8)       Bump to the next MFD
         BCT   R9,COMPMFD
         LA    R5,1           FAILED if not found in the list
         B     EXIT
GOOD     EQU   *
         LA    R5,0           PASSED
************** EXIT FROM THE EXIT *********************************
EXIT     EQU   *
         DROP  R13
         LR    R1,R13
         L     R13,4(R13)
         FREEMAIN R,LV=LUSAREA,A=(R1)
         LR    R15,R5         RETURN RC TO THE CALLER
         L     R14,12(R13)
         LM    R0,R12,20(R13)
         BR    R14
USAREA   DSECT
SAVE     DS    18A
USER     DS    CL8
FILE     DS    CL8
LUSAREA  EQU   *-USAREA
ELEMENT  DSECT
USERID   DS    CL8
MFDS     DS    10CL8
LELEMENT EQU   *-ELEMENT
         REGEQU
*****************************************
* Table of users and accessible MFDs    *
* Separate Control Section              *
*****************************************
TABLE    CSECT
ENTRIES  DC    A(TABLEL/ENTRYL)
MFDS#    DC    A(10)
ENTRY    EQU   *
USER1    DC    CL8'PGMJVP5'
         DC    CL8'******',9CL8' '
ENTRYL   EQU   *-ENTRY
USER2    DC    CL8'PGMBOP5'
         DC    CL8'******',9CL8' '
USER3    DC    CL8'PMSMJB5'
         DC    CL8'******',9CL8' '
USER4    DC    CL8'PMSHEB'
         DC    CL8'PATINFO',9CL8' '
USER5    DC    CL8'EDANTK5'
         DC    CL8'******',9CL8' '
TABLEL   EQU   *-ENTRY
         END


Installation of IMSECHK Exit

To install the exit you must do the following:

The exit will be called each time the user makes a request against the XMI server.



Tracing the Exit

To trace the exit, you can allocate ddname FSTRACE2 in the XMI server JCL. The trace shows the Userid, Filename and return code used and returned by the exit. The following messages will appear in the trace output.

IMSRV: Security Check Exit is called.  User:  %8s;  FILE:  %8s
IMSRV: Security Check Exit returned %d, rc

The syntax to allocate ddname FSTRACE2 is as follows:

//FSTRACE2 DD SYSOUT=*,DCB=BLKSIZE=80
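
The following is an added example, not Information Builders code: a Python script that pairs the two FSTRACE2 messages above and reports denied requests, plus requests that passed for users who are absent from the exit's table (the sample exit lets those through). It assumes %8s renders as a blank-padded field and %d as a plain integer; the function names and the sample trace are constructed for illustration.

```python
import re
from collections import Counter

# Built from the two message templates on the page. Assumption: %8s renders
# as a blank-padded 8-character field and %d as a plain integer.
CALL_RE = re.compile(r"IMSRV: Security Check Exit is called\.\s+"
                     r"User:\s*([^\s;]{1,8})\s*;\s*FILE:\s*(\S{1,8})")
RET_RE = re.compile(r"IMSRV: Security Check Exit returned\s+(-?\d+)")

def parse_trace(lines):
    """Pair each 'is called' record with the 'returned' record that follows.
    Returns (events, unpaired): events are (user, file, rc) tuples; unpaired
    holds line numbers of calls with no return and returns with no call."""
    events, unpaired, pending = [], [], None
    for n, line in enumerate(lines, 1):
        call, ret = CALL_RE.search(line), RET_RE.search(line)
        if call:
            if pending:
                unpaired.append(pending[0])
            pending = (n, call.group(1), call.group(2))
        elif ret and pending:
            events.append((pending[1], pending[2], int(ret.group(1))))
            pending = None
        elif ret:
            unpaired.append(n)
    if pending:
        unpaired.append(pending[0])
    return events, unpaired

def denials_by_user(events):
    """Count nonzero return codes (the exit returns 1 for FAILED) per user."""
    return Counter(user for user, _file, rc in events if rc != 0)

def passed_unlisted(events, listed_users):
    """Requests that passed for users absent from the exit's user table."""
    return [(u, f) for u, f, rc in events if rc == 0 and u not in listed_users]

# Constructed sample trace, not real server output. PMSHEB and PATINFO come
# from the page's table; NEWUSER, ORDERS and PAYROLL are made-up names.
SAMPLE = """\
IMSRV: Security Check Exit is called.  User:    PMSHEB;  FILE:   PATINFO
IMSRV: Security Check Exit returned 0
IMSRV: Security Check Exit is called.  User:    PMSHEB;  FILE:    ORDERS
IMSRV: Security Check Exit returned 1
IMSRV: Security Check Exit is called.  User:   NEWUSER;  FILE:   PAYROLL
IMSRV: Security Check Exit returned 0
IMSRV: Security Check Exit is called.  User:    PMSHEB;  FILE:   PAYROLL
""".splitlines()
```

Pass the user IDs from the TABLE CSECT as `listed_users`; anything `passed_unlisted` returns went through the exit's "not found" branch.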

Information Builders