External Security Feature Customization

Document ID : KB000055338
Last Modified Date : 14/02/2018

External security was designed to reduce the redundancy of data stored on both the security and Unicenter CA-Teleview databases. CA recommends that Unicenter CA-Teleview be set up to make a security call to your security product (ACF2, Top Secret, or similar) at the time of logon to determine whether the user is allowed access to Unicenter CA-Teleview and, if so, to which applications. After the logon is accepted, the user is presented with a main menu of applications with which he/she can establish sessions. This list is determined by one of three methods.

  • The userid is defined in the Unicenter CA-Teleview database, along with the applications the user can access.

  • The userid is not defined in the Unicenter CA-Teleview database and receives the $DEFAULT profile in the Unicenter CA-Teleview database, which contains a list of applications.

  • Unicenter CA-Teleview uses external security to validate the userid and password with the security system, and the external security exit (VSSX) allows the profile name to be changed from $DEFAULT or from the userid profile (the latter only when the userid is defined in the Unicenter CA-Teleview database). Note: The exit is presented with the address of the security control block (ACEE) to make its determinations. The substituted profile name must be in the Unicenter CA-Teleview database.

The first two methods require Unicenter CA-Teleview administrators to add userids and profiles, which already reside in the security database, to the Unicenter CA-Teleview database. The third method allows Unicenter CA-Teleview administrators to utilize the security definitions, which are already in place, and only update the active applications and the base profile(s) used for external security.

Unicenter CA-Teleview uses external security to validate the applications assigned from the resultant profile. See the features "SECURITY-APPL-CHECK-BYMENUNAME" and "USE-VTAMAPPL-FOR-SECUTIY-CLASS".

Benefits

Maintenance to Unicenter CA-Teleview is reduced to:

  • Adding new applications and deleting obsolete applications from the Teleview database as necessary.

  • Updating of $DEFAULT or other profiles in the Unicenter CA-Teleview database as needed.

    The definitions of userids, passwords, and the list of accessible applications remain with the security administrator, who most likely is already in place.

  • Utilization of Unicenter CA-Teleview External Security by Application eliminates the need for any sign on user exit or the use of any other Unicenter CA-Teleview profile, other than $DEFAULT.

  • Utilization of Unicenter CA-Teleview External Security by Profile provides for the use of different Unicenter CA-Teleview profiles, containing variations of application mixes, established in Unicenter CA-Teleview, and using the VSSX user exit to build the user's Unicenter CA-Teleview main menu.

  • It should be noted that the Use-Global-Sign-on-Exit feature must also be inactive in the feature member. If both Use-External-Security and Use-Global-Sign-on-Exit are active, the one that appears last in the member is honored.

Implementation of Unicenter CA-Teleview External Security by application assignment

  • Enable (uncomment) the USE-EXTERNAL-SECURITY feature in the FEATURES member of the VOPTIONS dataset.

  • Define profile $DEFAULT in Unicenter CA-Teleview, containing all applications, including Unicenter CA-Teleview internal applications. There is a maximum of 255 applications that may be defined to any profile.

  • At user sign on, Unicenter CA-Teleview will present each application in the $DEFAULT profile to the security system for authorization. The resulting Unicenter CA-Teleview main menu will only reflect the applications that are authorized by security for that user.

Implementation of Unicenter CA-Teleview External Security by profile assignment via VSSX user exit

  • Enable (uncomment) both the USE-EXTERNAL-SECURITY and USE-EXTERNAL-SECURITY-EXIT features in the FEATURES member of the VOPTIONS dataset.

  • Establish profiles, each containing one or more applications in Unicenter CA-Teleview. The $DEFAULT profile containing all internal and external applications can also be used with the VSSX.

  • The VSSX user exit is called when both features noted above are activated. The exit allows for association of a user to a Unicenter CA-Teleview profile other than $DEFAULT. The VSSX exit has the option of overriding the $DEFAULT profile with another profile before each application is checked against the security system. Again, the Unicenter CA-Teleview main menu will only contain the list of authorized applications. An example of the VSSX user exit is provided in library SAMPJCL (as part of the Teleview install process): member VSSXINST for TOP SECRET and RACF, or member VSSXACF2 for ACF2.
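
The sign-on flow described above (profile selection by one of the three methods, then a per-application check against the security system) can be modelled as follows. This Python model is an added illustration, not CA code or the VSSX sample exit. The profile DEVPROF, the application names, userids and permits are constructed; the exit is simplified to receive a userid instead of the ACEE address; and raising an error for an undefined substituted profile is an assumption, since the page only states that the profile must exist.

```python
# Added illustration: a model of the sign-on flow described above, not CA code.
# Profile names other than $DEFAULT, application names, userids and permits
# are constructed sample data.
DEFAULT = "$DEFAULT"

class ProfileNotDefined(Exception):
    """Assumed handling: the page only says the substituted profile must exist."""

def resolve_profile(userid, user_profiles, profiles, vssx_exit=None):
    """Pick the profile whose applications will be checked for this user."""
    # Method 1: userid defined in the Teleview database; method 2: $DEFAULT.
    profile = user_profiles.get(userid, DEFAULT)
    # Method 3: the VSSX exit may substitute another profile name.
    if vssx_exit is not None:
        profile = vssx_exit(userid, profile) or profile
    if profile not in profiles:
        raise ProfileNotDefined(profile)
    return profile

def build_menu(userid, user_profiles, profiles, permits, vssx_exit=None):
    """Return the main menu: profile applications the security system permits."""
    profile = resolve_profile(userid, user_profiles, profiles, vssx_exit)
    apps = profiles[profile]
    if len(apps) > 255:
        raise ValueError("a profile may define at most 255 applications")
    allowed = permits.get(userid, set())
    # Each application in the profile is presented to the security system.
    return [app for app in apps if app in allowed]

# Constructed sample data.
PROFILES = {
    DEFAULT: ["TSO", "CICSPROD", "CICSTEST", "IMS"],
    "DEVPROF": ["TSO", "CICSTEST"],
}
USER_PROFILES = {}  # no userids defined in the Teleview database
PERMITS = {"ALICE": {"TSO", "CICSPROD", "CICSTEST"}, "BOB": {"TSO"}}

def sample_exit(userid, profile):
    """Hypothetical stand-in for VSSX: route one user to DEVPROF."""
    return "DEVPROF" if userid == "ALICE" else None

if __name__ == "__main__":
    for user in ("ALICE", "BOB"):
        print(user, build_menu(user, USER_PROFILES, PROFILES, PERMITS),
              build_menu(user, USER_PROFILES, PROFILES, PERMITS, sample_exit))
```

In this model the exit can only narrow or change the candidate list; an application still appears on the menu only if the security system authorizes it for that user.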