In the past, the only form of security available for the XMI Server was through RACF, CA-Top Secret, or CA-ACF2. You would apply this security to the FOCBMP data set, which denied access to the server by not allowing the user to allocate the data set.
The problem with this type of security was that the user had access to all PCBs within the PSB associated with the XMI Server.
The XMI Server includes a security exit (IMSECHK) that allows a site to secure the environment at the user level. This means that the security administrator for the site can define which PCBs within the PSB associated with the server can be accessed by a given user.
When you issue a TABLE or SQL SELECT against an IMS file, the following things occur:
If the IMSECHK module is not found, a message is posted in the XMI server JES MSG LOG.
If the IMSECHK module is found, it is loaded, called, and passed the User ID and Filename parameters. User ID and Filename (Master File) are eight-byte ALPHA values.
Code the exit to perform the appropriate security check:
IMSECHK  CSECT
         USING *,R15
         B     ARROUND
         DC    C'** IMS SECURITY EXIT FOR XMI -- '
         DC    C'&SYSDATE',C' ** '
         DS    0H
ARROUND  EQU   *
         DROP  R15
         STM   R14,R12,12(R13)
         USING IMSECHK,R12
         LR    R12,R15
         LR    R3,R1
         GETMAIN R,LV=LUSAREA
         XC    0(LUSAREA,R1),0(R1)
         ST    R13,4(R1)
         ST    R1,8(R13)
         LR    R13,R1
         USING USAREA,R13
         LM    R4,R5,0(R3)
         MVC   USER(8),0(R4)
         MVC   FILE(8),0(R5)
************** ACTUAL BODY OF THE EXIT ****************************
         L     R11,=V(TABLE)     Link to the list of users
         LTR   R11,R11           Is it linked?
         BZ    GOOD              BIF nothing to check
         L     R10,0(R11)        Number of elements in the table
         L     R9,4(R11)         Number of MFDs in the element
         LA    R11,8(R11)        Points to the first one
         USING ELEMENT,R11       Map it
CHECKU   EQU   *                 Check the user id
         CLC   USER(8),USERID    Is user registered in the table?
         BE    CHECKF            BIF found
         LA    R11,LELEMENT(R11) Bump to the next element
         BCT   R10,CHECKU        Continue to search
         B     GOOD              User can access any file if NOT found
CHECKF   EQU   *                 Check the MFD
         LA    R8,MFDS           Address of the MFD's list
COMPMFD  EQU   *
         CLC   FILE(8),0(R8)     Compare names
         BE    GOOD              BIF found
         LA    R8,8(R8)          Bump to the next MFD
         BCT   R9,COMPMFD
         LA    R5,1              FAILED if not found in the list
         B     EXIT
GOOD     EQU   *
         LA    R5,0              PASSED
************** EXIT FROM THE EXIT *********************************
EXIT     EQU   *
         DROP  R13
         LR    R1,R13
         L     R13,4(R13)
         FREEMAIN R,LV=LUSAREA,A=(R1)
         LR    R15,R5            RETURN RC TO THE CALLER
         L     R14,12(R13)
         LM    R0,R12,20(R13)
         BR    R14
USAREA   DSECT
SAVE     DS    18A
USER     DS    CL8
FILE     DS    CL8
LUSAREA  EQU   *-USAREA
ELEMENT  DSECT
USERID   DS    CL8
MFDS     DS    10CL8
LELEMENT EQU   *-ELEMENT
         REGEQU
*****************************************
* Table of users and accessible MFDs    *
* Separate Control Section              *
*****************************************
TABLE    CSECT
ENTRIES  DC    A(TABLEL/ENTRYL)
MFDS#    DC    A(10)
ENTRY    EQU   *
USER1    DC    CL8'PGMJVP5'
         DC    CL8'******',9CL8' '
ENTRYL   EQU   *-ENTRY
USER2    DC    CL8'PGMBOP5'
         DC    CL8'******',9CL8' '
USER3    DC    CL8'PMSMJB5'
         DC    CL8'******',9CL8' '
USER4    DC    CL8'PMSHEB'
         DC    CL8'PATINFO',9CL8' '
USER5    DC    CL8'EDANTK5'
         DC    CL8'******',9CL8' '
TABLEL   EQU   *-ENTRY
         END
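The decision logic of the sample exit above, modelled in C as an added example (not Information Builders code), so the outcome for each kind of request can be checked off the mainframe. The names `imsechk_model`, `sample_table` and `default_rc`, and the user and file names NEWUSER and PAYROLL, are hypothetical; `default_rc = 0` reproduces the listing, where a user missing from the table passes, and `default_rc = 1` is a deny-by-default variant that the listing does not contain.

```c
#include <stdio.h>
#include <string.h>
#define NAME_LEN 8
#define MFDS_PER_USER 10   /* MFDS# DC A(10) in the listing */
/* Mirrors the ELEMENT DSECT: USERID CL8 followed by MFDS 10CL8. */
struct element { char userid[NAME_LEN]; char mfds[MFDS_PER_USER][NAME_LEN]; };

/* Blank-pad a name to an 8-byte field, as DC CL8'...' does. */
static void pad8(char *out, const char *s) {
    size_t n = strlen(s) > NAME_LEN ? NAME_LEN : strlen(s);
    memset(out, ' ', NAME_LEN);
    memcpy(out, s, n);
}

/* Constructed one-entry table equal to USER4 in the listing. */
struct element sample_table(void) {
    struct element e;
    memset(&e, ' ', sizeof e);
    pad8(e.userid, "PMSHEB");
    pad8(e.mfds[0], "PATINFO");
    return e;
}

/* Returns 0 (passed) or 1 (failed), the value IMSECHK leaves in R15.
   default_rc is the result for a user who is not in the table. */
int imsechk_model(const struct element *tab, int n,
                  const char *user, const char *file, int default_rc) {
    char u[NAME_LEN], f[NAME_LEN];
    pad8(u, user); pad8(f, file);
    for (int i = 0; i < n; i++) {
        if (memcmp(u, tab[i].userid, NAME_LEN) != 0)
            continue;                            /* CHECKU: next element */
        for (int j = 0; j < MFDS_PER_USER; j++)  /* COMPMFD loop */
            if (memcmp(f, tab[i].mfds[j], NAME_LEN) == 0)
                return 0;                        /* GOOD */
        return 1;                                /* FAILED: not in list */
    }
    return default_rc;                           /* user not in table */
}

int main(void) {
    struct element t = sample_table();
    printf("%d %d %d %d\n",
           imsechk_model(&t, 1, "PMSHEB", "PATINFO", 0),   /* listed file */
           imsechk_model(&t, 1, "PMSHEB", "PAYROLL", 0),   /* other file */
           imsechk_model(&t, 1, "NEWUSER", "PAYROLL", 0),  /* as listing */
           imsechk_model(&t, 1, "NEWUSER", "PAYROLL", 1)); /* deny default */
    return 0;
}
```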
To install the exit you must do the following:
The exit will be called each time the user makes a request against the XMI server.
To trace the exit, you can allocate ddname FSTRACE in the XMI server JCL. The trace shows the User ID and Filename passed to the exit and the return code the exit returned. The following messages will appear in the trace output.
IMSRV: Security Check Exit is called. User: %8s; FILE: %8s
IMSRV: Security Check Exit returned %d, rc
The syntax to allocate ddname FSTRACE is as follows:
//FSTRACE DD SYSOUT=*,DCB=BLKSIZE=80
Information Builders