How to secure Application Responses in IDMS

Document ID : KB000025870
Last Modified Date : 28/02/2018

Question:

How to secure Application Responses in an IDMS central version.

 

Answer:

Securing IDMS Resources is implemented by assembling and linking a series of #SECRTT macros to produce the security table load module RHDCSRTT (See Security Administration 10.5 #SECRTT for complete parameter descriptions).

Application (Activity) security is implemented by including a #SECRTT macro for RESTYPE=ACTI.

In the following example of assembling the RHDCSRTT we have secured only the SIGNON, TASK and ACTIVITY resource types. The default value is SECBY=OFF for all resource types.

In this example the ACTIVITY resource type is secured internally.

  //ASMSTEP EXEC PGM=ASMA90,
  //             REGION=512K   
  //SYSLIB    DD DSN=your.IDMS.DISTMAC,DISP=SHR  
  //             DD DSN=SYS1.MACLIB,DISP=SHR  
  //SYSUT1    DD DSN=&&SYSUT1,UNIT=SYSDA,SPACE=(CYL,(15,10)) 
  //SYSUT2    DD DSN=&&SYSUT2,UNIT=SYSDA,SPACE=(CYL,(15,10)) 
  //SYSUT3    DD DSN=&&SYSUT3,UNIT=SYSDA,SPACE=(CYL,(15,10))  
  //SYSPRINT  DD SYSOUT=*  
  //SYSLIN    DD DSN=&&OBJECT,DISP=(NEW,PASS),UNIT=SYSDA, 
  //             SPACE=(CYL,(15,10))  
  //SYSIN     DD * 
           #SECRTT TYPE=INITIAL,SVCNUM=176,SYSPROF=(DEFAULT,ON) 
           #SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=INT 
           #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=INT
           #SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=INT
           #SECRTT TYPE=FINAL
           END 
  //LKED     EXEC PGM=IEWL, 
  //            PARM=(XREF,LET,LIST,NCAL)  
  //SYSPRINT DD SYSOUT=*  
  //SYSUT1   DD UNIT=SYSDA,SPACE=(1700,(500,100)) 
  //SYSLMOD DD DSN=your.IDMS.DBA.LOADLIB,DISP=SHR  
  //SYSLIN   DD DSN=&&OBJECT,DISP=(OLD,DELETE)  
  //         DD * 
    ENTRY SRTTEP1 
    MODE  AMODE(31),RMODE(ANY) 
    NAME  RHDCSRTT(R)   

The next step is defining specific application activities and granting the EXECUTE
privilege to specific users or Groups of users.

The ACTIVITY resource name must start with the application name, followed by a dot
and an activity name.

Note that the activity name is for descriptive purposes only; it is never used in the actual security checking. When an ACTIVITY security check is done, the application name and the number of the secured response are the two values passed.

        OCF 16.0 IDMS  PAGE 1 LINE 1       DICT=SYSTEM  
   CREATE RESOURCE ACTIVITY PAYROLL.UPDATE NUMBER 19     ;  
   CREATE RESOURCE ACTIVITY BCF.FIXPAGE NUMBER 9     ;   
   CREATE RESOURCE ACTIVITY BCF.TUNEINDEX NUMBER 7     ;  
   CREATE RESOURCE ACTIVITY DCMT.DBASTUFF NUMBER 9     ;   
   CREATE RESOURCE ACTIVITY DCMT.VARY_AREA NUMBER 1     ;  
   CREATE RESOURCE ACTIVITY OCF.TUNEINDEX NUMBER 7     ;   

         OCF 16.0 IDMS  PAGE 1 LINE 1       DICT=SYSTEM       
   GRANT EXECUTE ON ACTIVITY DCMT.VARY_AREA TO USER123   ; 
   GRANT EXECUTE ON ACTIVITY DCMT.DBASTUFF TO DBAGROUP   ; 
   GRANT EXECUTE ON ACTIVITY PAYROLL.UPDATE TO PAYADMIN  ;  

So how does the DBA or security administrator determine what Number to assign to a specific Activity definition?

Application security checks are issued by the ADS runtime when an ADSA application is being executed. They are also issued by RHDCMT00 if you have secured DCMT commands using the #CTABGEN macro, by OCF and IDMSBCF if you have secured utility execution using the #UTABGEN macro, and by the online Debugger if you have secured debugger commands using the #DGTBGEN macro (see SECURITY ADMINISTRATION Chapter 10 for detailed information on the #CTABGEN, #UTABGEN and #DGTBGEN macros).

For example in this ADSA application, this particular response has been assigned security class 8.

Response Definition

  Application name:   PAYROLL      Version:    1  
  Response name:      EMPADD                                  Drop response (/) _   
  Function invoked:   PAYAFUNC   
  Description . . . . ADD AN EMPLOYEE                        Security class:   8   

This corresponds to activity number 8 in the PAYROLL Application, so that is the number that must be associated with the Resource Activity when it is defined.

      OCF 16.0 IDMS  PAGE 1 LINE 1       DICT=SYSTEM       
  CREATE RESOURCE ACTIVITY PAYROLL.EMPADD NUMBER 8        ; 

If the response had been assigned a Security class of 0 in the ADSA definition the response would be Unsecured.

At runtime, when a user selects an ADSA application response, ADS checks the Application Definition Block (ADB) to see if the requested response has been assigned a non-zero security class (activity number).
If so, it issues a security check, passing the application name and the activity number.

One more example using DCMT.
In this case the number 9 has been assigned to what are considered some of the more dangerous DCMT commands such as SHUTDOWN, ABORT and VARY MEMORY.

    #CTABGEN LOGIN=YES,                                                X
            (A,1,B,2,C,9),                                             X
            (N033,C,N001,C,N002,C,N028,A,N009,A,N030,A,N059002,B)
    END

Therefore an activity resource has been defined for application DCMT that is assigned number 9.

         OCF 16.0 IDMS  PAGE 1 LINE 1      DICT=SYSTEM      
       CREATE RESOURCE ACTIVITY DCMT.DANGEROUS NUMBER 9; 

Once you have created the Activity definitions for all secured application responses you need to Grant the Execute privilege to the relevant users or groups.

         OCF 16.0 IDMS  PAGE 1 LINE 1      DICT=SYSTEM    
   GRANT EXECUTE ON ACTIVITY DCMT.DANGEROUS TO DBA_GROUP; 

This GRANT creates or updates a record in the security dictionary containing a 256-bit bitmap in which the relevant bit numbers are turned on for each activity number in that application that has been granted to the indicated User or Group.

It should also be mentioned that when IDMS does the lookup for the application name, if it does not find a match, it will look for an application called DEFAULT and do the check for that application.

         OCF 16.0 IDMS  PAGE 1 LINE 1         DICT=SYSTEM    
  CREATE RESOURCE ACTIVITY DEFAULT.ACT_001 NUMBER 1       ;  
  CREATE RESOURCE ACTIVITY DEFAULT.ACT_002 NUMBER 2       ;   
  CREATE RESOURCE ACTIVITY DEFAULT.ACT_009 NUMBER 9       ; 
      

If all of your applications assign activity numbers in the same way you could conceivably just define and grant the DEFAULT activities, but for more precise documentation and reporting I recommend defining activity resources that match the actual application names.
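The internal check described above (bitmap per application, descriptive-only activity names, DEFAULT fallback) can be modelled in a few lines to review who can reach which number. This is an added example, not CA IDMS code: the class, the user ids, the group membership and the reading of "no match" as "no activity defined for that application" are assumptions.

```python
# Simplified model of the ACTIVITY check described above; not IDMS code.
# Class name, user ids and group membership are constructed for illustration.

class ActivityModel:
    def __init__(self):
        self.resources = {}  # "APP.ACTNAME" -> (application, number)
        self.bitmaps = {}    # (authid, application) -> int used as 256-bit map
        self.groups = {}     # user id -> set of group names

    def create_resource(self, name, number):
        # Assumption: 0 means "unsecured", so definable numbers are 1..255.
        if not 0 < number < 256:
            raise ValueError("activity number must fit the 256-bit bitmap")
        app, _, _descriptive_only = name.partition(".")
        self.resources[name] = (app, number)

    def grant_execute(self, name, authid):
        # Only application and number survive; the activity name is dropped.
        app, number = self.resources[name]
        key = (authid, app)
        self.bitmaps[key] = self.bitmaps.get(key, 0) | (1 << number)

    def check(self, user, app, number):
        if number == 0:
            return True  # security class 0: no check is issued
        # Assumption: "no match" means no activity defined for this application.
        if app not in {a for a, _ in self.resources.values()}:
            app = "DEFAULT"
        holders = {user} | self.groups.get(user, set())
        return any((self.bitmaps.get((h, app), 0) >> number) & 1 for h in holders)


def build_sample():
    m = ActivityModel()
    m.groups["JSMITH"] = {"DBA_GROUP"}           # constructed membership
    m.create_resource("DCMT.DANGEROUS", 9)
    m.create_resource("DCMT.DBASTUFF", 9)        # same application, same bit
    m.create_resource("DEFAULT.ACT_009", 9)
    m.grant_execute("DCMT.DBASTUFF", "DBA_GROUP")
    m.grant_execute("DEFAULT.ACT_009", "USER123")
    return m


if __name__ == "__main__":
    m = build_sample()
    print(m.check("JSMITH", "DCMT", 9))      # group grant on DBASTUFF covers DANGEROUS
    print(m.check("USER123", "DCMT", 9))     # DCMT is defined, DEFAULT is not consulted
    print(m.check("USER123", "PAYROLL", 9))  # PAYROLL undefined, DEFAULT is checked
```

In this model a DEFAULT grant reaches every application that has no activity resources of its own, which is the case to look for when reviewing DEFAULT grants.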

SECURING APPLICATIONS USING AN EXTERNAL SECURITY MANAGER

To secure tasks externally, the #SECRTT macro needs 2 extra parameters, EXTCLS and EXTNAME.

         #SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=EXT,                    X
               EXTCLS='IDMST',EXTNAME=(SYST,ACTIVITY)

EXTCLS is a literal that must match the Class high-level qualifier defined to the external security system. For instance, in TOP SECRET this is RESCLASS. In ACF2 it is TYPE. For RACF it is CLASS.
EXTNAME is one or more keywords to tell IDMS how to construct the actual resource name that will be passed to the external security manager.
For RESTYPE=ACTI, clients typically use keyword ACTIVITY, often including a high-level qualifier of the SYSTEM name or Environment name, since the same application names may be executed on multiple IDMS CVs.
Keyword ACTIVITY causes IDMS to construct the resource name as a combination of the application name and the activity number. Max length is 8 bytes. The name begins with the application name or the first 5 bytes of the application name, followed by a 3-digit activity number.

So if the application name is BENEFITS and the response selected has been assigned number 15, we would pass BENEF015 as the resource name to the external security manager, or in the case of the DCMT.DANGEROUS activity, we would pass DCMT009.
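Because the ACTIVITY keyword keeps only the first 5 bytes of the application name, two applications that share a 5-byte prefix and an activity number produce the same external resource name. The following added example (not part of the original document or of IDMS) applies the naming rule above and lists such overlaps; the function names and the application BENEFADM are constructed, and any high-level qualifier from EXTNAME is left out.

```python
from collections import defaultdict


def external_name(app, number):
    """ACTIVITY keyword rule: first 5 bytes of the application name
    followed by the activity number as 3 digits (8 bytes maximum)."""
    if not 0 < number <= 999:
        raise ValueError("activity number must fit in 3 digits")
    return f"{app[:5]}{number:03d}"


def find_collisions(secured):
    """secured: iterable of (application name, activity number) pairs.
    Returns {external name: [pairs]} for names shared by several pairs."""
    by_name = defaultdict(set)
    for app, number in secured:
        by_name[external_name(app, number)].add((app, number))
    return {name: sorted(pairs)
            for name, pairs in by_name.items() if len(pairs) > 1}


# Constructed inventory: BENEFITS and DCMT come from the text above,
# BENEFADM is a made-up application sharing the BENEF prefix.
SAMPLE = [("BENEFITS", 15), ("BENEFADM", 15), ("DCMT", 9)]

if __name__ == "__main__":
    for app, number in SAMPLE:
        print(app, number, "->", external_name(app, number))
    print("shared external names:", find_collisions(SAMPLE))
```

A permit on a shared name in the external security manager applies to every application and number listed under it.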