How do you implement IDMS security externally via RACF?

Document ID : KB000025174
Last Modified Date : 14/02/2018

Summary:

This knowledge document presents an overview on how to implement the security interface between IDMS and RACF.

Instructions:

External Resource Names in CA IDMS equate to resource profiles in RACF. To secure a resource externally, and to do so with RACF, three parameters must be specified in CA IDMS on the #SECRTT macro for that resource. Those are:

  1. SECBY=EXTERNAL,
  2. EXTCLS=<'name'>,
  3. EXTNAME=('<res_name>')

This is an example of how you could code the CA IDMS #SECRTT macro to secure SIGNON externally using RACF.

  1. In the #SECRTT, code the following:
    #SECRTT TYPE=ENTRY,
    RESTYPE=SGON,
    SECBY=EXTERNAL,
    EXTCLS='SYSTEM',
    EXTNAME=(RESNAME)
    1. SECBY=EXTERNAL indicates that the security for this resource will be verified at run-time using an external resource.
    2. EXTCLS - Maps the IDMS resource type specified in the RESTYPE parameter to the resource class defined for this type in RACF or any other external security system. In this example, RESTYPE=SGON is mapped to a RACF class named SYSTEM.
    3. EXTNAME - Using a set of predefined keywords, specifies the fields to be included in the external resource name. The order in which you specify the keywords is the order in which the fields will be included in the external resource name. Since EXTNAME defines the format of the resource name for external security requests, the format you specify here must match the naming conventions for the corresponding resource class in the external security system.
  2. When the external security manager is RACF, the EXTNAME in IDMS corresponds to the RACF PROFILE, and the EXTCLS corresponds to the RACF CLASS.
  3. According to the IBM RACF documentation, the suggested syntax to use in RACF for creating a CLASS and PROFILE to correspond to this CA IDMS EXTNAME and EXTCLS is as outlined below.
    1. Create a general resource profile, using the RDEFINE command to create a profile in a general resource class: RDEFINE class profile UACC(NONE)
      where:
      • class is the name of the general resource class
      • profile is the name of the new profile
    2. Specify UACC(NONE) to ensure that there is no default access to the profile.
    3. Permit access to this general resource, using the PERMIT command to create an access list for the general resource profile:
      PERMIT profile CLASS(class)
      ID(user) ACCESS(authority)
      where:
      • profile is the name of the new profile
      • class is the name of the general resource class
      • user is the user (or group of users) that is being given access authority to the resource
      • authority is the level of authority that is being granted to the user
    4. In the above RACF syntax, the value specified for the <profile> parameter must match the resource name in CA IDMS.
  4. Following these guidelines, the RACF command to create the general resource profile that would correspond to the above example for CA IDMS SIGNON would be:
    RDEFINE SYSTEM SYST1600 UACC(NONE)
  5. Similarly, the command to grant access to this general resource for CA IDMS SIGNON in RACF would be:
    PERMIT SYST1600 CLASS(SYSTEM)
    ID(user01) ACCESS(READ)

Note that in the above examples, the value used for the 'profile' parameter in the RACF commands is SYST1600. In CA IDMS the resource name for SIGNON is the system-identifier, which is the value specified in the SYSTEM ID parameter of the system generation on the SYSTEM statement. In this example, that is SYST1600.

To secure other IDMS resources in RACF, you must map the IDMS resource (EXTNAME parameter) to the RACF PROFILE. The PROFILEs seen in the RACF syntax can be associated with a RACF CLASS. The RACF CLASS and PROFILE values would be specified on the #SECRTT macro statement via the EXTCLS and EXTNAME respectively. The value coded for EXTCLS should have a corresponding CLASS in RACF. The naming convention of the PROFILEs associated with that CLASS in RACF must match the format of the EXTNAME coded on #SECRTT.
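To show how the EXTCLS/EXTNAME mapping, the derived external resource name and the RACF RDEFINE/PERMIT commands fit together, here is an added Python example; it is not part of this document or of CA IDMS or RACF. It assumes EXTNAME fields are concatenated in coded order with no separator and uses a constructed value set in which RESNAME is the page's system identifier SYST1600.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SecrttEntry:
    """One #SECRTT TYPE=ENTRY: RESTYPE, EXTCLS and the EXTNAME keyword list."""
    restype: str
    extcls: str
    extname: Tuple[str, ...]


# Constructed sample of run-time keyword values. RESNAME for SGON is the sysgen
# SYSTEM ID (SYST1600 on this page); RESTYPE as an EXTNAME keyword is assumed.
SAMPLE_VALUES: Dict[str, str] = {"RESNAME": "SYST1600", "RESTYPE": "SGON"}


def external_name(entry: SecrttEntry, values: Dict[str, str], sep: str = "") -> str:
    """Build the external resource name from EXTNAME fields in coded order.
    Joining with no separator is an assumption of this example."""
    return sep.join(values[kw] for kw in entry.extname)


def racf_commands(entry: SecrttEntry, values: Dict[str, str],
                  user: str, access: str = "READ") -> Tuple[str, str]:
    """Return the RDEFINE/PERMIT pair that defines and grants the resource in RACF."""
    profile = external_name(entry, values)
    rdefine = f"RDEFINE {entry.extcls} {profile} UACC(NONE)"
    permit = f"PERMIT {profile} CLASS({entry.extcls}) ID({user}) ACCESS({access})"
    return rdefine, permit


def check_mapping(entries: Iterable[SecrttEntry], values: Dict[str, str],
                  defined: Set[Tuple[str, str]]) -> List[str]:
    """Report entries whose (EXTCLS, resource name) has no matching RACF profile.
    'defined' is the set of (class, profile) pairs already present in RACF."""
    by_profile: Dict[str, Set[str]] = {}
    for cls, prof in defined:
        by_profile.setdefault(prof, set()).add(cls)
    findings: List[str] = []
    for e in entries:
        name = external_name(e, values)
        if (e.extcls, name) in defined:
            continue  # EXTCLS and EXTNAME line up with a RACF CLASS/PROFILE
        if name in by_profile:
            classes = ",".join(sorted(by_profile[name]))
            findings.append(f"{e.restype}: profile {name} is defined in class "
                            f"{classes}, not EXTCLS {e.extcls}")
        else:
            findings.append(f"{e.restype}: no RACF profile {name} in class {e.extcls}")
    return findings


if __name__ == "__main__":
    sgon = SecrttEntry("SGON", "SYSTEM", ("RESNAME",))
    for cmd in racf_commands(sgon, SAMPLE_VALUES, "user01"):
        print(cmd)
    print(check_mapping([sgon], SAMPLE_VALUES, {("SYSTEM", "SYST1600")}))
```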


Additional Information:

Since the value specified for the #SECRTT EXTNAME field must correspond exactly to the name used in RACF as the PROFILE parameter, care must be used in choosing this value. For more detail about this, refer to the Advantage CA-IDMS Security Administration manual, section 3.2: Constructing an External Resource Name; and to the appropriate IBM RACF manual.