How to display and manage userids and groups

Document ID : KB000049474
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction: 

CA IDMS supports both internal and external security, at various levels. Managing user and group definitions can be done in various ways and can be implemented with different levels of authorization.

Background:  

When users are secured, any access to userids is limited by the security held by the user trying to access them. There are no errors issued for a display, but the user will only see what they have authority to see. If a user does not have any authority, the attempts to DIPLAY a user, or DISPLAY ALL USERS, will yield no rows found and with no error message.

Environment:  

Any CA IDMS environment with internal security.

Instructions: 

First, if the goal is to secure access to user and group definitions, then RESTYPE=USER should be secured in your SRTT. This is recommended because you don't want just anyone to go out and mess with your user definitions. SYSADMIN should also be secured, because that controls who will have this important level of access.

When users are secured, any access to userids is limited by the security held by the user trying to access them. There are no errors issued for a display, but the user will only see what they have authority to see. If the issuing user has not been granted access to any userids, or any global level of authority, then they will see nothing; that is the way this is designed to work. There are a few levels of security involved here, so you have a few options, depending on what you want users to be able to do:

  1. If you want someone to be able to display user & group definitions, then you must grant them that authority. That can be done with these commands:

    GRANT DISPLAY ON USER * TO userid/Group;
    GRANT DISPLAY ON GROUP * TO userid/Group;

    In these commands, you see that we've granted DISPLAY-level authority on user * (and group *) which means to all users (or all groups). Also as noted, you can grant this authority to a single user or to a group. If your site goal is to grant this level of security to several users, we would recommend that you include them in a group and grant authorizations at the group level, to ensure that that all effected users have the same authority levels.
  2. If you want users to be able to display (punch), create, and drop users and groups, they will need a DEFINE level of security on users and groups. That can be granted using these commands:

    GRANT DEFINE ON USER * TO userid/Group;
    GRANT DEFINE ON GROUP * TO userid/Group;

    DEFINE allows someone to create, alter, and drop the entity on which they've been granted that level of authority.
  3. The CA IDMS Security Administration Guide, Chapter 16 (titled Syntax for Security Display Statements “) states"To display user information, you must hold SYSADMIN privilege." There is a similar statement regarding groups. These statements mean that if you want someone to see all of the information relevant to a specific user or group, including all of the authorizations granted to that user or group, the user issuing the DISPLAY must have been granted SYSADMIN privilege. So if you want a group of users to be able to grant and revoke access to entities as well as manage the userids, they must be granted SYSADMIN. But this should be done with caution: granting someone SYSADMIN lets them GRANT or REVOKE privileges on any resource within the domain. It also enables the holder to define resources and to delegate administration privileges. If you don't want a user to be able to do all of those functions, then don't grant them SYSADMIN authority.

Additional Information:

 

     Details on Security commands and concepts can be found in the CA IDMS Security Administration guide.