How to Implement External Security for Datacom - Defining Table, Administration, and DBUTLTY Resources.

Document ID : KB000051501
Last Modified Date : 14/02/2018

Description:

This article briefly describes the remaining types of Resource Classes you can define to implement external security for the Datacom features or data to the table or view level.

Solution:

There are four types of Resource Classes you can define to protect your Datacom products, features or data to the table or view level. These are:

System Resource Classes (described in a specific Knowledge Document)

Administrator Resource Classes
Table Resource Classes
Utility Resource Classes

Administrator Resource Classes

Define the Administrator Resource Class, DTADMIN. This resource class consists of the CXXname plus a two-character product code (DB or DD). It is used to define product administrator authority.

When you associate the CXXname.DB administrator resource class with a user accessor (ACID), that user will be able to create a schema for SQL access, issue GRANT or REVOKE SQL statements, or DROP any SQL table.

A user with CXXname.DD is a Datadictionary Security Administrator and will be able to run 4099 Field transactions and to add and maintain relationship definitions.

Table Resource Classes

Beginning with CA Datacom release 11.0, you can now define up to ten Table Resource Classes:

DCTABLE
DFTABLE
DGTABLE
DHTABLE
DPTABLE
DQTABLE
DRTABLE
DSTABLE
DTTABLE
DXTABLE

To define Table Resource Classes, add the following to the commands for the appropriate external security product:

DnTABLE cxxname.DB0nnnn.table

     Where:
 
          DnTABLE      Table Resource Name - substituting n by C, F, G, H, P, Q, R, S, T, or X
 
                       These Table Resource Names are arbitrary, in other words they don't have significance other
                       than assisting you in categorizing or associating the table to the path from which the requests are made.
                       See "Defining Security Startup Option and Path Security" below.
          cxxname      Name of the CXX associated with the Datacom Multi-User Facility whose data is being secured.
          DB0nnnn      DBID of the database.
          table        3-character Datacom name of the table. 

You can identify Datacom tables and multiple access levels for each table. The access levels correspond to:

ADD
DELETE
READ
UPDATE

Defining Security Startup Option and Path Security

Release 11.0 and forward is delivered with ten separate security paths.

Defining Multi-User Startup SECURITY Option

The SECURITY Multi-User startup option allows you to code class-and-path options as follows:

SECURITY class-and-path1,class-and-path2,...class-and-path10

The class and path options can be coded in any order. They are keyword driven and up to one class-and-path option per table resource class may be coded.

Path Security

The format of an individual class-and-path parameter is as follows:

               DBaabbb 
 
               Where:  DB      Constant
                       aa        Valid class codes:  DC, DF, DG, DH, DP, DQ, DR, DS, DT, DX,  and NO
                                 These class codes correspond to the table classes defined in the external security system,
                                 NO refers to no path security.
 
                       bbb     Valid path codes:  
 
                               SCI       CICS SQL
                               SCQ       CICS SQL for CA-Dataquery
                               RCI       CICS non-SQL
                               RCQ       CICS non-SQL for CA-Dataquery
                               RAQ       non-CICS, non-SQL for CA-Dataquery 
                               SSR       Server SQL 
                               RSR       Server non-SQL
                               SQL       All other paths SQL
                               SQQ       SQL non-CICS for CA-Dataquery
                               RAT       All other paths non-SQL

An example of a startup option with all ten possible classes specified for six different paths is:

               SECURITY DBDTRAT,DBDCSCI,DBDRSSR,DBDFRCI,DBDSSQL,DBDXRSR,DBDPSCQ, 
                                   DBDHRCQ,DBDGRAQ,DBDQSQQ
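
To review a SECURITY startup option before it goes into the Multi-User startup deck, the DBaabbb rules above can be checked mechanically. The following is an added example, not CA code: the function name audit_security_option is hypothetical, the second sample is constructed, and the pairing of class code DC with resource class DCTABLE (and so on) is an assumption based on the class names listed in this article.

```python
import re

# Class and path codes exactly as listed in the article.
CLASS_CODES = {"DC", "DF", "DG", "DH", "DP", "DQ", "DR", "DS", "DT", "DX", "NO"}
PATH_CODES = {
    "SCI": "CICS SQL", "SCQ": "CICS SQL for CA-Dataquery",
    "RCI": "CICS non-SQL", "RCQ": "CICS non-SQL for CA-Dataquery",
    "RAQ": "non-CICS, non-SQL for CA-Dataquery", "SSR": "Server SQL",
    "RSR": "Server non-SQL", "SQL": "All other paths SQL",
    "SQQ": "SQL non-CICS for CA-Dataquery", "RAT": "All other paths non-SQL",
}

def audit_security_option(text):
    """Parse a SECURITY startup option; return (path -> class map, findings)."""
    words = re.split(r"[,\s]+", text.strip().upper())
    if not words or words[0] != "SECURITY":
        raise ValueError("expected a SECURITY startup option")
    tokens = [w for w in words[1:] if w]
    paths, findings, seen = {}, [], set()
    if len(tokens) > 10:
        findings.append(f"{len(tokens)} class-and-path options coded; the maximum is 10")
    for tok in tokens:
        if len(tok) != 7 or not tok.startswith("DB"):
            findings.append(f"{tok}: not in DBaabbb format")
            continue
        cls, path = tok[2:4], tok[4:]
        if cls not in CLASS_CODES or path not in PATH_CODES:
            findings.append(f"{tok}: unknown class code {cls} or path code {path}")
            continue
        if cls == "NO":
            # NO means the path is left without path security: report it.
            findings.append(f"{tok}: no path security for {PATH_CODES[path]}")
            paths[path] = None
            continue
        if cls in seen:
            findings.append(f"{tok}: class {cls} already has a class-and-path option")
        seen.add(cls)
        # Assumption: class code DC pairs with resource class DCTABLE, and so on.
        paths[path] = cls + "TABLE"
    return paths, findings

# The article's own example, including its continuation line.
ARTICLE_EXAMPLE = """SECURITY DBDTRAT,DBDCSCI,DBDRSSR,DBDFRCI,DBDSSQL,DBDXRSR,DBDPSCQ,
                   DBDHRCQ,DBDGRAQ,DBDQSQQ"""
# Constructed sample with deliberate mistakes.
BAD_SAMPLE = "SECURITY DBDTRAT,DBNOSCI,DBDTSQL,DBDZRCI,DBDCXYZ"

if __name__ == "__main__":
    for sample in (ARTICLE_EXAMPLE, BAD_SAMPLE):
        print(*audit_security_option(sample), sep="\n")
```

The returned map shows which table resource class governs each access path, which is the list of classes that need user or group permissions defined in the external security product.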

Utility Resource Classes

Define Utility Resource Classes with DTUTIL. This is required if any non-SQL access path is defined. Each resource in the DTUTIL resource class represents one Datacom DBUTLTY function, and the users allowed to execute them. The format of this resource class varies with each of the three products it supports: DB, DD and DQ. It can also be used to secure SQL plans.

The following is an example of securing the DBUTLTY BACKUP function:

          DTUTIL cxxname.DBUTLTY.BACKUP.DATA
 
          Where:
 
               DTUTIL            Constant - Resource Class
               cxxname           Name of the Directory (CXX) for the Datacom Multi-User Facility being secured
               DBUTLTY           Constant - Name of the utility
               BACKUP            Name of the DBUTLTY function 
               DATA              Indicates backup of a data area

NOTE: Some DBUTLTY functions also require that certain table and/or DTUTIL resources be defined. See Using External Security in the CA Datacom Security Guide for details.

Set up User or Group Permissions

Define specific user or group permissions to the resources defined. Define all information for user/group permissions and resource table classes before defining access path permissions or securing the CXX (Directory) with the DTSYSTEM resource.