Security definitions for TASK Codes in IDMS Central Version.

Document ID : KB000025506
Last Modified Date : 28/02/2018
Question:

How to implement security for TASK Codes in IDMS Central Version.


Answer:
Securing IDMS resources is implemented by assembling and linking a series of #SECRTT macros to produce the security table load module RHDCSRTT (see Security Administration 10.5, #SECRTT, for complete parameter descriptions).
TASK security is implemented by including a #SECRTT macro with RESTYPE=TASK.
In the following example of assembling and linking RHDCSRTT we have secured only the SIGNON (SGON) and TASK resource types (the sample macros also carry an entry for ACTI). The default is SECBY=OFF for every resource type, so anything without an explicit entry stays unsecured.
In this example the TASK resource type is secured internally (SECBY=INT).
  //ASMSTEP  EXEC PGM=ASMA90,
  //             REGION=512K
  //SYSLIB    DD DSN=your.IDMS.DISTMAC,DISP=SHR
  //          DD DSN=SYS1.MACLIB,DISP=SHR
  //SYSUT1    DD DSN=&&SYSUT1,UNIT=SYSDA,SPACE=(CYL,(15,10))
  //SYSUT2    DD DSN=&&SYSUT2,UNIT=SYSDA,SPACE=(CYL,(15,10))
  //SYSUT3    DD DSN=&&SYSUT3,UNIT=SYSDA,SPACE=(CYL,(15,10))
  //SYSPRINT  DD SYSOUT=*
  //SYSLIN    DD DSN=&&OBJECT,DISP=(NEW,PASS),UNIT=SYSDA,
  //             SPACE=(CYL,(15,10))
  //SYSIN     DD *
           #SECRTT TYPE=INITIAL,SVCNUM=176,SYSPROF=(DEFAULT,ON)
           #SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=INT
           #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=INT
           #SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=INT
           #SECRTT TYPE=FINAL
           END
  //LKED     EXEC PGM=IEWL,
  //             PARM=(XREF,LET,LIST,NCAL)
  //SYSPRINT  DD SYSOUT=*
  //SYSUT1    DD UNIT=SYSDA,SPACE=(1700,(500,100))
  //SYSLMOD   DD DSN=your.IDMS.DBA.LOADLIB,DISP=SHR
  //SYSLIN    DD DSN=&&OBJECT,DISP=(OLD,DELETE)
  //          DD *
    ENTRY SRTTEP1
    MODE  AMODE(31),RMODE(ANY)
    NAME  RHDCSRTT(R)

The next step is defining specific task codes, or wild-carded task code names, in a resource category and granting the EXECUTE privilege on that category to specific users or groups of users.
You must create one or more resource categories to contain the task definitions and then grant EXECUTE on them to the appropriate users or groups.
    OCF 16.0 IDMS  PAGE 1 LINE 1  DICT=SYSTEM

  CREATE RESOURCE CATEGORY DBATASKS
   ADD TASK IDD
   ADD TASK SCHEMA
   ADD TASK SSC
   ADD TASK DCMT
   ADD TASK P*
   ADD TASK OPER
   ADD TASK SYSGEN
   ADD TASK *     ;

  GRANT EXECUTE ON CATEGORY DBATASKS     TO DBAGROUP     ;
Be careful using wild-carded names. Be certain that you do not have task codes in more than one category that could match the same task code.

  CREATE RESOURCE CATEGORY CAT_001
    ADD TASK PAYROLL    ;

  CREATE RESOURCE CATEGORY CAT_002
    ADD TASK PAY*    ;
When a user attempts to execute a task code for the first time since startup, we do a dictionary lookup for the full task code, find the most fully qualified match, and then check whether the user holds the EXECUTE privilege on the category containing that match. The search stops there.
In this example we would find the PAYROLL task code in CAT_001. A user who had been granted EXECUTE on CAT_002 but not on CAT_001 would get a security violation when trying to execute the PAYROLL task code, even though PAYROLL also matches PAY*.

Another thing to keep in mind is that once we do the lookup for any categorizable resource, we cache the resource name and the category in which it was found in memory for efficiency. Therefore, if you ever delete a task code from one category and add it to another, you will need to refresh security by either recycling the CV or by marking nucleus module RHDCSRTT for new copy and doing a nucleus reload; until then the old category continues to be used.
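The category lookup, privilege check and cache described above, together with a check for the overlapping wild-card situation warned about earlier, as an added Python model (not code from the article or from IDMS). The ranking rule for "most fully qualified match" (an exact entry beats a wild card; among wild cards the longest literal prefix wins), the trailing-`*` wild-card semantics, and the group names are assumptions; the categories are the article's CAT_001 and CAT_002 sample.

```python
from fnmatch import fnmatchcase

# Constructed sample: the two overlapping categories from the article.
CATEGORIES = {"CAT_001": ["PAYROLL"], "CAT_002": ["PAY*"]}
# Constructed sample: EXECUTE grants per group (GRANT EXECUTE ON CATEGORY ...).
GRANTS = {"PAYGROUP": {"CAT_002"}, "DBAGROUP": {"CAT_001"}}

_cache = {}  # task code -> category, like the in-memory cache in the CV


def find_category(task):
    """Category holding the most fully qualified match for task, or None.
    Assumed ranking: an exact entry beats any wild card, and among wild
    cards the longest literal prefix wins. Cached until refresh_security()."""
    if task in _cache:
        return _cache[task]
    best, best_score = None, (False, -1)
    for cat, patterns in CATEGORIES.items():
        for pat in patterns:
            score = ("*" not in pat, len(pat.rstrip("*")))
            if fnmatchcase(task, pat) and score > best_score:
                best, best_score = cat, score
    _cache[task] = best  # first lookup since startup is remembered
    return best


def may_execute(group, task):
    """True when the group holds EXECUTE on the category the task resolves to."""
    cat = find_category(task)
    return cat is not None and cat in GRANTS.get(group, set())


def refresh_security():
    """Model of recycling the CV or new-copying RHDCSRTT: drop cached lookups."""
    _cache.clear()


def overlapping_tasks():
    """Review check: literal task codes that a pattern in another category
    also matches, the ambiguity the article warns about.
    Returns (task, own category, other category) tuples."""
    hits = []
    for cat, pats in CATEGORIES.items():
        for task in (p for p in pats if "*" not in p):
            for other, opats in CATEGORIES.items():
                if other != cat and any(fnmatchcase(task, p) for p in opats):
                    hits.append((task, cat, other))
    return hits
```

Running `overlapping_tasks()` against a real category list is the cheap way to find a PAYROLL/PAY* style overlap before a user hits the violation.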
SECURING TASKS USING AN EXTERNAL SECURITY MANAGER
To secure tasks externally, the #SECRTT macro needs two additional parameters, EXTCLS and EXTNAME:

           #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXT,                 X
                 EXTCLS='IDMST',EXTNAME=(SYST,RESNAME)

EXTCLS is a literal that must match the resource class defined to the external security manager: in TOP SECRET this is the RESCLASS, in ACF2 it is the TYPE, and in RACF it is the CLASS.
EXTNAME is one or more keywords that tell IDMS how to construct the actual resource name passed to the external security manager.
For TASK, clients sometimes pass just RESNAME, which for the TASK resource type means the actual task code is passed as the resource name.

Since clients often have multiple IDMS CVs that execute the same task codes, many clients further qualify the resource name by adding the system ID (SYST), as shown in the example above, so that EXECUTE on a task code in one CV does not imply it in another.
You can also qualify with an environment name (ENVIR), which is defined with ENVNAME on the #SECRTT TYPE=INITIAL macro:

           #SECRTT TYPE=INITIAL,SVCNUM=176,ENVNAME=PROD100

           #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXT,                 X
                 EXTCLS='IDMST',EXTNAME=(ENVIR,RESNAME)