Is there a need for USER defs in IDMS security dictionary when all resources are secured externally?

Document ID : KB000077716
Last Modified Date : 01/05/2018
Question:
We had all IDMS resources secured internally, but are now converting all IDMS resources to be secured externally.
Is there any reason to maintain USER definitions in the IDMS security dictionary when all resources are secured externally?
Answer:
If you use USER PROFILEs and/or SYSTEM PROFILEs to set runtime attributes such as DICTNAME, DBNAME, PRINT DESTINATION, etc., the answer is probably yes.

USER PROFILEs are processed after a USER has successfully signed on to an IDMS system. The profile that is processed is the USER PROFILE associated with the USER definition in the Security User catalog (CREATE/ALTER USER username PROFILE usrprofilename;).
So in this case you need both the USER definition and the USER PROFILE definition.

SYSTEM PROFILEs are also processed after a USER has successfully signed on to an IDMS system. System profiles are also associated with a USER, but only for a specific SYSTEM resource defined in the security dictionary.
To associate a SYSTEM PROFILE with a user for a specific SYSTEM resource, even if the signon resource (RESTYPE=SGON) is secured externally, you must define the USER, the SYSTEM resource and the SYSTEM PROFILE, and then assign the profile with the syntax:

 GRANT SIGNON ON SYSTEM systemid PROFILE sysprofilename TO username;

-------------------------------------------------------------------------------------------------------------------------------------------

An alternative solution is to specify that the default USER PROFILE or SYSTEM PROFILE name is the USERid that is being signed on to the IDMS CV.
On the #SECRTT TYPE=INITIAL macro you can specify that the default profile name to look up is one that matches the USERid of the USER signing on:

 
    SYSPROF=(USER,ON/OFF),USRPROF=(USER,ON/OFF)

With these defaults, when a USER signs on to the CV, profile processing proceeds as follows once the signon validation is complete:
If we look up the USER and do not find a USER definition in the User Catalog, we look for a USER or SYSTEM profile whose name matches the USERid that has been signed on to the IDMS CV.

With this in place you would not need to retain USER definitions in the IDMS User Security Catalog, but it does mean that for every USERid that needs a USER/SYSTEM profile associated, you would have to CREATE a unique profile whose name matches the USERid.
This could be more work than associating a few unique USER/SYSTEM PROFILEs with the USER definitions that already exist.