LIB04 Member Protection Check When Attempting to Access Another User's Roscoe Library Member

Document ID : KB000009420
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

LIB04 Member Protection Check When Attempting to Access Another User's Roscoe Library Member.

 

Background:

How to understand, setup and modify Group Security for Roscoe Library Members with ups.groups.  When a user saves a member in their own library, they can specify an access attribute of SHARED, EXECONLY or RESTRICTED for that individual member. If no group security is in place, then other Roscoe users can access the SHARED members, but not update them. If group security is in place, then those definitions govern access. If no group security is in place, then other Roscoe users can by default, access another users SHARED members, but not update them. 

 

Instructions:

Important: Type SET PRIV ON before trying to access another users library members.  This only has to be done once during each logged on session. This command can also be placed in your signon proc.

Setting up Security Groups For Roscoe Library Members

Security Group definitions govern how users may access one another's library members. The Security group a user belongs to is specified in their UPS profile. 

Security Group definitions are stored in the member GROUPS under the UPS prefix. If the GROUPS member is not defined, all users have READ access to other members' library members. This allows any user to fetch SHARED library members but only the owner to change or update them.

A security group defines the read and write access permitted to:

  • Users who are a member of the group

  • Users from other groups

The member GROUPS may contain two types of definitions:

  1. A global default access definition

    • If no individual group definitions exist, this definition controls the access for all users to other user's library members.

    • If a user does not belong to a security group, this definition controls the access other users have to that user's library members.
  2. Individual group definitions.
    There can be a maximum of 255 different security groups. Once the groups are defined, each user's profile should be updated to show the group to which he is assigned. Note that a user can be assigned to only one group.

Defining Groups

  1. Set up group definitions. Save them in the member UPS.GROUPS . See complete information in the System Reference Guide, Security Groups 4.8

    1. The global access definition must be specified first.
      GBLACC=XXXX         :  Default Access
      This may be set to:
      NONE Only the owner has access to his library members.
      EXEC Anyone can execute a library member containing an RPF program.
      READ Anyone can execute or fetch a library member.
      ALTER Anyone can execute, fetch or change the attributes of a library member.
      UPDATE Anyone can execute, fetch, alter and change a library member. (UPDATE also permits anyone to save a member in anyone's library.)
      DELETE

    2. Specify all the group definitions

      Each group definition starts with the name of the group: GROUP xxxx
      And ends with ENDGROUP (optional )

      The following parameters (optional) may be specified for each group: (One of the values specified under the global access definition above must be specified.)

      GRPACC= Specifies the type of access permitted to everyone else to the library members owned by the users in this group.

      INTACC= Overrides the global access and, if specified, group access for users in this group.

      XNONE= Name of one or more groups that are not allowed any type of access to library members owned by members of this group.

      XEXEC= Name of one or more groups that are only allowed to execute RPF's contained in library members that are owned by members of this group.

      XREAD= Name of one or more groups that are allowed to execute and fetch library members associated with this group.

      XALTER= Name of one or more groups that are allowed to execute, fetch and alter the attributes of library members associated with this group.

      XUPDATE= Name of one or more groups that are allowed to execute, fetch, alter and update library members associated with this group.

      XDELETE= Name of one or more groups that are allowed to execute, fetch, alter, update and delete library members owned by members of this group.

      ENDGROUP This keyword is used to mark the end of a group definition. If omitted, the next GROUP keyword or the end of the member terminates the     current GROUP definition.

      Here is an example:

         GBLACC=EXEC             :  Default Access       GROUP SYSTEM         :  Definitions for the SYSTEM group.      GRPACC=NONE          :  General: No one can access any members.      INTACC=DELETE        :  Within Group: Anyone can delete.   ENDGROUP               GROUP APPLIC            :  Definitions for the APPLIC group.      GRPACC=READ          :  General: Anyone can fetch members.      INTACC=UPDATE        :  Within Group: Anyone can update.      XDELETE=SYSTEM       :  Exception: SYSTEM group has full  access.   ENDGROUP               GROUP ACCTING           :  Definitions for the ACCTING group.      INTACC=UPDATE        :  General: Default Access.   ENDGROUP                :  Within Group: Anyone can update.     GROUP  WORDPROC          :  Definitions for the WORDPROC group.   ENDGROUP                :  General & Within Group: Default access.
  2. Use the privileged command UPSVER to verify the syntax in the GROUPS member. The command syntax is:

    UPSVER mem

    where mem is the name of the library member containing the group definitions.

  3. Set the LIBACCES Roscoe startup parameter to LIBACCES=GROUP

  4. Update the LIBRARY SECURITY GROUP of each user profile to add the security group for each user.

  5. Recycle Roscoe. The new definitions will be available the next time CA Roscoe is brought up.

  6. If there is an error in the definitions, all users will be restricted to READ acces