DBCTL Security

The objective of the security feature is to ensure that users access only those PSBs for which they are authorized. The MSO server can query standard security systems through the standard SAF interface before allowing a user to access a PSB.

The DBCTL function is tested and verified with the RACF product. Other SAF products using the identical calls should perform properly when installed and verified by your site security administrator.

RACF comes with several predefined security classes. Customer sites can use an existing class (such as PCICSPSB) or define a resource class specifically for DBCTL use.

The following example illustrates how to define a PSB resource through a PCICSPSB profile to RACF and how to grant users permission to access the resource.

RDEFINE PCICSPSB (psbname) UACC(NONE) NOTIFY(sys_admin_userid)
PERMIT psbname CLASS(PCICSPSB) ID(user_or_group [user_or_group ...])
	ACCESS(READ)

where:

psbname

Is the PSB name to be protected by RACF.

sys_admin_userid

Is the userid of the system administrator.

user_or_group

Is a userid or user group that the PERMIT command authorizes to read the specified PSB. Separate items in the list with blanks.

To implement DBCTL security, include the IMSSEC=ON and IMSCLASS attributes in the MSO configuration file during installation (see Installation Instructions).

The syntax is:

IMSSEC = {ON|OFF}
IMSCLASS = classname 

where:

ON

Activates DBCTL security. This setting requires the MSO server to be in authorized mode.

OFF

Does not implement DBCTL security. This value is the default.

classname

Is a valid class that contains the security rule. The system administrator can define any class name required by the site's security implementation.

At run time, after the PSB is selected but prior to scheduling it, the MSO server issues a call to the security system and verifies that the user is authorized to read the PSB.

Note: The ON setting for IMSSEC requires the MSO server to be in authorized mode.
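
A filled-in version of the RACF definitions above, as an added example that is not part of the original documentation. The PSB name PAYPSB01, the group PAYGRP, the userid SECADM1 and the choice of the PCICSPSB class are constructed sample values; the SETROPTS and RLIST steps are standard RACF commands added here to activate the class and verify the result.

```tso
/* Constructed sample values: PAYPSB01, PAYGRP, SECADM1.            */

/* Make sure the class is active. RACF does not check profiles      */
/* in an inactive class.                                            */
SETROPTS CLASSACT(PCICSPSB)

/* Protect the PSB. UACC(NONE) denies everyone not permitted below. */
/* NOTIFY sends access-violation messages to the named userid.      */
RDEFINE PCICSPSB (PAYPSB01) UACC(NONE) NOTIFY(SECADM1)

/* Grant READ to a group rather than to individual userids.         */
/* The trailing hyphen continues the command on the next line.      */
PERMIT PAYPSB01 CLASS(PCICSPSB) ID(PAYGRP) -
       ACCESS(READ)

/* Assumption: only needed if your site has RACLISTed the class.    */
/* Refreshes the in-storage profiles so the change takes effect.    */
SETROPTS RACLIST(PCICSPSB) REFRESH

/* Verify: UACC should show NONE and the access list should         */
/* contain only PAYGRP with READ.                                   */
RLIST PCICSPSB PAYPSB01 AUTHUSER
```

With this profile in place, the matching MSO configuration attributes are IMSSEC = ON and IMSCLASS = PCICSPSB.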


Information Builders