How to Implement External Security for Datacom - Defining the System Resource Class?

Document ID : KB000051404
Last Modified Date : 14/02/2018

Description:

This article briefly discusses what you need to define to turn on external security, when to do it, and how to code the level of security used for each Datacom system at your site.

Solution:

You will have to set up the System Resource Class, DTSYSTEM (or DT@YSTEM in RACF) in either CA ACF2, CA TopSecret, or IBM's RACF. This resource class is the key to turning on external security for Datacom products, features and data. It is identified by the internal CXX name. To determine the internal CXX name, review the Datacom started task JESLOG message - DB00201I MULTI-USER ENABLED CXX=cxxname. DTSYSTEM is used for level checking and identifies the product, feature, table or view being protected. This resource class should be the LAST resource class you define.

To activate external security, you must ALLOW access to one of the access-level .PASS definitions described below, and DENY access to the matching .FAIL definition, for the userID that brings up the Datacom started task. To deactivate external security, reverse this: DENY access to the .PASS definition and ALLOW access to the .FAIL definition.

When Datacom is brought up (or Multi-User is enabled), there is an internal call made to the external security product to determine:

  1. Whether external security is in effect.

  2. The security access level which is defined in the external security product.

    Currently there are 5 levels of security definitions available. Use one of the following resource definitions with the DTSYSTEM resource class. To activate one of these levels, allow the userID that brings up Datacom access to the level's PASS definition and deny it access to the FAIL definition. To deactivate, deny access to the PASS definition and allow access to the FAIL definition.

    CA recommends that you define the highest level available which allows the most flexibility. Table Resource Classes are described in the next series of Knowledge Documents. For CA Datacom r11 and forward, there are 10 Table Resource Classes available.

    PASS definition          Scope of security enabled                                                      FAIL definition
    ACTIVATE.LEVEL05.PASS    10 Table Resource Classes and DataQuery security                               ACTIVATE.LEVEL05.FAIL
    ACTIVATE.LEVEL04.PASS    10 Table Resource Classes and view security                                    ACTIVATE.LEVEL04.FAIL
    ACTIVATE.LEVEL03.PASS    10 Table Resource Classes and expanded path security                           ACTIVATE.LEVEL03.FAIL
    ACTIVATE.LEVEL02.PASS    DTTABLE and DXTABLE Table Resource Classes for record-at-a-time and SQL access ACTIVATE.LEVEL02.FAIL
    ACTIVATE.LEVEL01.PASS    DTTABLE Table Resource Class only, for record-at-a-time access                 ACTIVATE.LEVEL01.FAIL

Because granting access to a .PASS definition is what turns on external security, ensure that all the other access definitions (the Table Resource Classes and their permissions) are in place before you grant it.
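As an added illustration, not taken from the original article or from CA's documentation, the allow/deny pairing above expressed as RACF commands in a TSO CLIST fragment. It assumes that the DT@YSTEM class is already defined to RACF as the product installation requires, that the Datacom started task runs under a placeholder userid DBSTC, and that READ is the access level that counts as ALLOW.

```clist
/* Constructed example: activate external security at LEVEL05 under RACF.   */
/* DBSTC is a placeholder for the userID that brings up the Datacom MUF.    */
/* Both profiles get UACC(NONE) so no other userID is granted anything.     */
RDEFINE DT@YSTEM ACTIVATE.LEVEL05.PASS UACC(NONE)
RDEFINE DT@YSTEM ACTIVATE.LEVEL05.FAIL UACC(NONE)

/* ALLOW the started-task userID on the .PASS definition ...                */
PERMIT ACTIVATE.LEVEL05.PASS CLASS(DT@YSTEM) ID(DBSTC) ACCESS(READ)
/* ... and explicitly DENY it on the matching .FAIL definition.             */
PERMIT ACTIVATE.LEVEL05.FAIL CLASS(DT@YSTEM) ID(DBSTC) ACCESS(NONE)

/* Make the class active and refresh the in-storage profiles so the change  */
/* is in effect before the Datacom started task is (re)started.             */
SETROPTS CLASSACT(DT@YSTEM) RACLIST(DT@YSTEM)
SETROPTS RACLIST(DT@YSTEM) REFRESH

/* To deactivate, reverse the two PERMITs and refresh again:                */
/*   PERMIT ACTIVATE.LEVEL05.PASS CLASS(DT@YSTEM) ID(DBSTC) ACCESS(NONE)    */
/*   PERMIT ACTIVATE.LEVEL05.FAIL CLASS(DT@YSTEM) ID(DBSTC) ACCESS(READ)    */
/*   SETROPTS RACLIST(DT@YSTEM) REFRESH                                     */
```

Only one level's .PASS definition should be allowed at a time; leaving an earlier level's .PASS permitted while enabling a higher one makes the effective level ambiguous to anyone reviewing the profiles.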

After all resources have been defined and all permissions have either been allowed or denied to these resources, you can confirm that external security is activated by looking for the following Datacom message in your Datacom JESLOG or LISTLOG: DB00220I External Security is active...