How to restrict CA IDMS Visual DBA access to specific entity types and occurrences

Document ID : KB000046432
Last Modified Date : 14/02/2018

Introduction: 

The CA IDMS Visual DBA (VDBA) feature "Enhanced Object Security" allows sites to create tailored views which limit the types of entities that the end user can access on the mainframe, as well as the verbs which VDBA will allow the user to submit. This level of security prevents the user from accessing entities, or submitting commands, that have not been explicitly granted to them. Because Enhanced Object Security is defined on the IDMS CV, a client using VDBA can access a mix of IDMS CVs, and each one can have a unique configuration either with or without Enhanced Object Security.

VDBA provides a GUI front-end interface through which end users can access mainframe IDMS systems. All tasks initiated through VDBA are run as external run-units through the CV, associated with the userid that was used when signing on to that mainframe to initiate the VDBA session. In addition to the limitations imposed by the VDBA Enhanced Object Security, all security that is in place on the mainframe is enforced for tasks originating from a VDBA front-end.


Instructions

Here are the steps to accomplish this: 

1- Turn on enhanced object security for Visual DBA by ensuring that the table procedure definition SYSCA.VDBA_VERSION5 does NOT contain the column NO_SERVER_ROLE. If it does contain that column, drop and re-add the table procedure without that column, using the following commands: 
drop table procedure SYSCA.VDBA_VERSION5; 
create table procedure SYSCA.VDBA_VERSION5 ( 
CA_IDMS_VDBA_V_5_0 char(5) 
, VDBA_EXE_BUILD_1 int 
, VDBA_DLL_BUILD_1 int 
, VDBA_VIEW_BUILD_1 int 
) EXTERNAL NAME VDBAVER; 

2- Create an IDD module that specifies the access you want your users to have. The sample I created looks like this: 
ADD 
MODULE NAME IS VIDMS_SUBS_PROFILE VERSION IS 1 
PUBLIC ACCESS IS ALLOWED FOR ALL 
MODULE SOURCE FOLLOWS 
SQL SCHEMA[SYSDICT]/DEMO* 
NON SQL SCHEMA[SYSDICT]/EMP* 
SUBSCHEMA[SYSDICT][EMPSCHM]/EMPSS01 (F) 
IDD CLASS & RECORD & MODULE[SYSDICT](F) 
MSEND. 
Note that this example gives the user access to specific SQL schemas (ones that are in DBname SYSDICT and begin with 'DEMO'); specific non-SQL schemas (ones in DBname SYSDICT that begin with 'EMP'); one specific subschema named EMPSS01 within DBname SYSDICT and associated with non-SQL schema EMPSCHM V100; plus IDD definitions in SYSDICT. If all you want to grant is access to the subschema, then remove all the lines except the one beginning with SUBSCHEMA; then substitute your own DBname and your own schema name (with version). 

3- Create a user profile with an attribute of VIDMSR17 which points to this module you just created. Here is sample syntax I used to do that; note that the module name must be qualified by the DBname in which you created it: 
CREATE USER PROFILE VDBA_SUBSC_PROF 
ATTRIBUTE 
VIDMSR17 = 'SYSTEM.VIDMS_SUBS_PROFILE' OVERRIDE NO ; 
If you prefer, you can do this in a system profile. 

4- Associate your userid(s) or groups with this profile. 
ALTER USER "DOMCA04" 
PROFILE VDBA_SUBSC_PROF ; 

That's it! Now when the user(s) sign on to VDBA, their tree structure will show ONLY the items listed in the IDD module.
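To reason about what a given profile module actually exposes before assigning it to users, the following added example (not CA code, and not how the CV itself evaluates the module) parses the step 2 module source into rules and answers "would this entity appear in the user's tree?". It assumes the line shape TYPE[DBNAME][SCHEMA]/NAME (F) seen above, models only the trailing-'*' prefix wildcard the article describes, reads "IDD CLASS & RECORD & MODULE" as three IDD entity types, and keeps the "(F)" suffix without interpreting it, since the article does not explain it.

```python
import re
from typing import NamedTuple, Optional

# Constructed copy of the IDD module source shown in step 2 of the article.
PROFILE_SOURCE = """\
SQL SCHEMA[SYSDICT]/DEMO*
NON SQL SCHEMA[SYSDICT]/EMP*
SUBSCHEMA[SYSDICT][EMPSCHM]/EMPSS01 (F)
IDD CLASS & RECORD & MODULE[SYSDICT](F)
"""

class Rule(NamedTuple):
    entity_type: str        # e.g. "SQL SCHEMA", "SUBSCHEMA", "IDD RECORD"
    dbname: str             # dictionary (DBname) the entity lives in
    schema: Optional[str]   # owning non-SQL schema (subschema rules only)
    name: str               # exact name, trailing-'*' prefix, or '' for any
    flag: Optional[str]     # the "(F)" suffix is kept but not interpreted

# Assumed line shape: TYPE [& TYPE ...][DBNAME][SCHEMA]/NAME (F)
LINE_RE = re.compile(
    r"^\s*(?P<types>[A-Z &]+?)\s*\[(?P<db>\w+)\](?:\[(?P<schema>\w+)\])?"
    r"(?:/(?P<name>[\w*]+))?\s*(?:\((?P<flag>\w)\))?\s*$")

def parse_profile(source: str) -> list:
    """Turn the module source into one Rule per entity type mentioned."""
    rules = []
    for line in source.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised profile line: {line!r}")
        types = [t.strip() for t in m["types"].split("&")]
        # "IDD CLASS & RECORD & MODULE" is read as three IDD entity types
        # (an assumption; the article only says "IDD definitions in SYSDICT").
        prefix = "IDD " if types[0].startswith("IDD ") else ""
        for t in types:
            t = t if t.startswith(prefix) else prefix + t
            rules.append(Rule(t, m["db"], m["schema"], m["name"] or "", m["flag"]))
    return rules

def _name_matches(pattern: str, name: str) -> bool:
    # Only the trailing '*' prefix form shown in the article is modelled.
    if pattern in ("", "*"):
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def is_visible(rules, entity_type, dbname, name, schema=None) -> bool:
    """True if any rule exposes this entity; anything unlisted stays hidden."""
    return any(r.entity_type == entity_type and r.dbname == dbname
               and (r.schema is None or r.schema == schema)
               and _name_matches(r.name, name)
               for r in rules)
```

Running is_visible over the entities a user is expected to see (and a few they must not) is a quick least-privilege check of a profile before it is attached in step 3.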


Additional Information:


Full documentation regarding syntax and options in creating profiles can be found in the CA IDMS Visual DBA Users Guide, in the chapter entitled "Enhanced Object Security".

An additional example of how to create a profile that supports read-only access through Visual DBA can be found in Knowledge Document TEC1256185.