SECURITY FOR DMLO - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
SECURITY FOR DMLO IDD
  • By Rose Haigh

2
Rose Haigh
  • Rose works with IDMS DBA and Software Support
    within BTexact

3
SYSTEMS SUPPORTED
  • 15 Production CVs across 10 applications
  • 40 associated Development and test CVs

4
TOPICS
  • DMLO SECURITY
  • IDD SET OPTIONS STATEMENT
  • DICTIONARY SECURITY
  • DCMT SECURITY
  • COMMAND FACILITY OPTIONS STATEMENT

5
FIRST LINE OF DEFENCE
  • IDMS SECURITY: Task Security is the prime level
    of security after SIGNON
  • Use IDMS security to secure who can invoke the
    following tasks: DMLO, IDD, SCHEMA, SSC, OLQ, DCMT
  • Then use IDD, DMLO and DCMT security to restrict
    what different users of these tasks can do

6
DMLO SECURITY
  • Bolt-on to IDD entities
  • 3 levels
  • Control USAGE modes

7
DMLO SECURITY LEVELS
  • Need to set for EACH dictionary
  • Add PROGRAM DBMSDMLO
  • Version number controls security level
  • 1 (default): No security set
  • 2 (recommended): User must be defined to IDD
  • 3 (too much work): User must be on the dictionary
    and registered for access to the requested
    subschema

8
ACTIVATING DMLO SECURITY - Example
  • ADD PROGRAM DBMSDMLO VERSION 2
  • Means any user who invokes DMLO must also have a
    userid that is defined to IDD.
  • At this stage the user can use DMLO with any
    Usage Mode so any valid DMLO user can update the
    database.

9
DMLO USAGE MODES
  • It's a restriction: if no restriction is defined,
    users can READY in any usage mode.
  • Uses the DESCRIPTION clause on PROGRAM DBMSDMLO
    and/or USER
  • Recommend a generic (DBMSDMLO) DESCRIPTION of NONE
  • Recommend a USER DESCRIPTION of SR, or SR,SU if
    update is needed

10
DMLO - Example 1
  • No DESCRIPTION clause on DBMSDMLO means any user
    with no restriction set can READY with ANY usage
    mode.
  • So:
    ADD PROGRAM DBMSDMLO VERSION IS 2
        DESCRIPTION IS NONE
    to set a generic default of no valid usage mode.
  • Now every DMLO user must have an IDD DESCRIPTION
    clause with the permitted usage modes.

11
DMLO - Example 2
  • ADD PROGRAM DBMSDMLO VERSION IS 2 DESCRIPTION IS SR
    sets a generic restriction of SHARED RETRIEVAL
  • These are not additive, so if you have the above
    and need to give a specific user update as well,
    then do this:
    MOD USER XXXX DESCRIPTION IS SR,SU
  • With just SU the user would not be able to
    READY with shared retrieval.
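
The rules on slides 7 to 11 are easy to get wrong in practice (a USER DESCRIPTION replaces the generic one rather than adding to it, and DESCRIPTION IS NONE means no valid mode at all). The model below is an added illustration, not CA-IDMS code or anything from the presentation: it records a dictionary as a plain Python object and applies exactly the rules the slides state. The six usage-mode codes are the IDMS READY modes (shared/protected/exclusive by retrieval/update); the slides name only SR and SU. Subschema and user names other than XXXX are made up.

```python
"""Model of the DMLO security rules on slides 7-11.

Added illustration, not CA-IDMS code: the dictionary is a plain object and
the rules are the ones the slides state - the DBMSDMLO version selects the
security level, and the DESCRIPTION clauses on PROGRAM DBMSDMLO and USER
restrict usage modes, with the USER clause replacing (not adding to) the
generic one.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# IDMS READY usage modes (shared/protected/exclusive x retrieval/update).
# The slides only name SR and SU; the other four are assumed here.
ALL_MODES: FrozenSet[str] = frozenset({"SR", "SU", "PR", "PU", "ER", "EU"})


@dataclass
class IddUser:
    name: str
    description: Optional[str] = None                  # e.g. "SR,SU"
    subschemas: Set[str] = field(default_factory=set)  # level-3 registrations


@dataclass
class Dictionary:
    dbmsdmlo_version: int = 1                       # 1 = no security (default)
    dbmsdmlo_description: Optional[str] = None      # generic restriction
    users: Dict[str, IddUser] = field(default_factory=dict)


def parse_modes(description: Optional[str]) -> Optional[FrozenSet[str]]:
    """DESCRIPTION clause -> permitted modes.  None means no restriction
    recorded; "NONE" means no valid usage mode at all (slide 10)."""
    if description is None:
        return None
    text = description.strip().upper()
    if text == "NONE":
        return frozenset()
    modes = frozenset(m.strip() for m in text.split(","))
    unknown = modes - ALL_MODES
    if unknown:
        raise ValueError(f"unknown usage mode(s): {sorted(unknown)}")
    return modes


def can_invoke_dmlo(d: Dictionary, userid: str, subschema: str) -> bool:
    """Security level check from slide 7."""
    if d.dbmsdmlo_version == 1:
        return True                                 # no security set
    user = d.users.get(userid)
    if user is None:
        return False                                # level 2+: must be defined to IDD
    if d.dbmsdmlo_version == 2:
        return True
    return subschema in user.subschemas             # level 3: registered for subschema


def permitted_modes(d: Dictionary, userid: str) -> FrozenSet[str]:
    """Usage-mode restriction from slides 9-11: a USER DESCRIPTION, if present,
    replaces the generic DBMSDMLO DESCRIPTION; otherwise the generic applies;
    with neither, any mode is allowed."""
    user = d.users.get(userid)
    user_modes = parse_modes(user.description) if user else None
    if user_modes is not None:
        return user_modes
    generic = parse_modes(d.dbmsdmlo_description)
    return ALL_MODES if generic is None else generic


def can_ready(d: Dictionary, userid: str, subschema: str, mode: str) -> bool:
    """Can this user READY the subschema in the given usage mode via DMLO?"""
    return can_invoke_dmlo(d, userid, subschema) and mode in permitted_modes(d, userid)


def slide_11_dictionary() -> Dictionary:
    """Constructed sample for slide 11: generic SR, user XXXX given SR,SU,
    one user with no clause (made-up name) and one with SU only (made-up)."""
    d = Dictionary(dbmsdmlo_version=2, dbmsdmlo_description="SR")
    d.users["XXXX"] = IddUser("XXXX", description="SR,SU")
    d.users["READER"] = IddUser("READER")               # falls back to generic SR
    d.users["SUONLY"] = IddUser("SUONLY", description="SU")
    return d


if __name__ == "__main__":
    d = slide_11_dictionary()
    for user, mode in [("XXXX", "SU"), ("READER", "SU"), ("SUONLY", "SR"), ("NOBODY", "SR")]:
        # SUBSCH01 is a made-up subschema name
        print(user, mode, can_ready(d, user, "SUBSCH01", mode))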

12
SECURING DMLO SUMMARY
  • IDMS Security: secure TASK DMLO. Only grant
    execute to authorised users/groups.
  • In IDD: ADD PROGRAM DBMSDMLO V 2 DESC NONE
  • In IDD: ADD USER for each DMLO user
  • In IDD: give each DMLO user a DESC SR or SR,SU
    etc. to restrict usage modes.

13
Any Questions on DMLO SECURITY?

14
SECURING THE IDD COMPILERS
  • This involves:
  • The IDD OPTIONS statement, to set up the security
  • The IDD USER definition, to give the authority

15
SET OPTIONS - 1
  • FOR DICTIONARY
      • Specific to each dictionary
      • Permanent until changed by another SET OPTIONS
        statement
      • General session options
      • Establish security
  • FOR SESSION (limited parameters): use to override
    dictionary options
  • See CA-IDMS IDD DDDL Reference Chapter 2

16
SET OPTIONS - 2
  • SET OPTIONS FOR DICTIONARY: the user must have
    AUTHORITY FOR UPDATE IS ALL
  • SET OPTIONS FOR SESSION: temporary default
    override options. Some clauses require the user to
    have appropriate authority to issue them.
  • DISPLAY OPTIONS FOR DICTIONARY shows the settings
    for the current dictionary.

17
SET OPTIONS GENERAL OPTIONS 1
  • Use these to set defaults for each dictionary
    e.g.
  • Establish default version numbers
  • Alternate end of statement character
  • Maintenance conventions

18
SET OPTIONS GENERAL OPTIONS 2
  • DEFAULT VERSION NUMBERS
  • DEFAULT FOR NEW VERSION IS { version-number | 1 |
    NEXt { HIGhest | LOWest } }
  • NEXT HIGHEST can cause problems. Use V1 on
    SYSTEM/TOOLS when loading CA source.
  • DEFAULT FOR EXISTING VERSION IS { version-number |
    1 | HIGhest | LOWest }

19
SET OPTIONS GENERAL OPTIONS 3
  • ALTERNATE END OF STATEMENT CHARACTER
  • SEMICOLON ALTERNATE END OF SENTENCE IS ON
  • Worth setting as it does no harm!

20
SET OPTIONS GENERAL OPTIONS 4
  • MAINTENANCE CONVENTIONS
  • DEFault is OFF (recommended option for the
    dictionary): rejects ADD statements that identify
    existing entity occurrences.
  • SET OPTIONS FOR SESSION DEFAULT IS ON: use in a
    DDDL session as an override. Accepts ADD statements
    for existing entity occurrences; the DDDL compiler
    interprets them as MODIFY statements for the entity
    occurrence and issues the message ADD CHANGED
    TO MODIFY.

21
GENERAL IDD OPTIONS - Examples
  • DIS OPTIONS FOR DICTIONARY.
  • SET OPTIONS FOR DICTIONARY
        DEFAULT FOR EXISTING VERSION HIGHEST
        DEFAULT FOR NEW VERSION HIGHEST
        SEMICOLON ALTERNATE END OF SENTENCE IS ON
        DEFAULT IS OFF.
  • SET OPT SESSION DEFAULT ON.

22
SECURITY OPTIONS
  • PASSWORD SECURITY OVERRIDE
  • USER SIGNON OVERRIDE
  • AUTHORISATION
  • SECURITY FOR..

23
SECURITY OPTIONS - Passwords
  • PASSWORD SECURITY OVERRIDE
  • OFF: users cannot modify their own passwords
    unless they are given AUTHORITY FOR UPDATE IS
    PASSWORD (N.B. if the SET OPTIONS statement
    specifies SECURITY FOR IDD IS ON they also need
    AUTHORITY FOR UPDATE IS IDD)
  • ON (recommended): specifies that users can
    modify their own IDD passwords.

24
SECURITY OPTIONS - IDD SIGNON USER
  • USER SIGNON OVERRIDE allows users to specify a
    different user ID in an IDD SIGNON statement
    from the one known to the IDMS environment.
  • Recommend setting NOT ALLOWED
  • If you have ALLOWED, it is essential that each USER
    is set up with an IDD password.

25
SECURITY OPTIONS - AUTHORISATION
  • AUTHORISATION specifies guidelines for accepting
    or rejecting programs based on whether they are
    defined in the dictionary.
  • Recommend OFF, as setting program authorisation
    ON makes a lot of work for the DBA!

26
SECURITY FOR .. IS ON
  • Recommend security is ON for all dictionaries for:
  • ADS - to control use of CA-ADS compilers
  • IDMS - to control who can register programs with
    subschemas, use SCHEMA/SUBSCHEMA compilers
  • IDMS-DC - to control who can access DESTINATION,
    LINE, LOGICAL TERMINAL, MAP, MESSAGE, PANEL,
    PHYSICAL TERMINAL, QUEUE, TASK entity types

27
SECURITY FOR .. IS ON (continued)
  • CLASS ATTRIBUTE - to control who can access
    ATTRIBUTE, CLASS and user defined entity types
  • IDD - ELEMENT, FILE, MODULE, QFILE, PROCESS,
    PROGRAM, RECORD, SYSTEM, TABLE and USER
  • IDD SIGNON - only users with IDD SIGNON authority
    can sign on to the DDDL compiler.
  • LOAD MODULE - to control who can access load
    modules in the dictionary.

28
SECURITY FOR .. IS OFF
  • Recommend security for these is OFF for all
    application dictionaries:
  • CULPRIT
  • OLQ - controls who can define USER clauses that
    pertain to OLQ, enforces subschema and q-file
    restrictions.

29
ADMINISTERING SECURITY - 1
  • Need to add a user to IDD if the user needs to:
      • use any of the dictionary compilers
      • use OLQ
      • use DMLO (because of DMLO security)
      • run CULPRIT reports
  • If a user does not need any of the above, then
    the user should not be defined to IDD

30
ADMINISTERING SECURITY - 2
  • IDD SIGNON ALLOWED/NOT ALLOWED
  • ALLOWED is the default
  • Set this to NOT ALLOWED for userids that do not
    need IDD (e.g. OLQ/DMLO users) when the options
    have SECURITY FOR IDD IS ON.

31
IDD USER AUTHORITY - 1
  • INCLUDE AUTHORITY FOR (use EXCLUDE to revoke)
  • UPDATE - default. Gives everything
  • ADD - gives ADD DISPLAY/PUNCH
  • MODIFY - gives MODIFY DISPLAY/PUNCH
  • REPLACE - gives REPLACE DISPLAY/PUNCH
  • DELETE - gives DELETE DISPLAY/PUNCH
  • DISPLAY - gives DISPLAY/PUNCH only

32
IDD USER AUTHORITY - 2
  • Only DBA/IDMS Support should have AUTHORITY FOR
    UPDATE IS ALL

33
IDD USER AUTHORITY - 3
  • PASSWORD - allows the user to update OTHER users'
    passwords. Restrict this to DBA/IDMS support.
  • CULPRIT - must specify AUTHORITY for UPDATE
  • OLQ - enables update of USER clauses that relate
    to OLQ files etc.
  • ADS - generate ADS dialogs
  • LOAD MODULE - access load modules

34
IDD USER AUTHORITY - 4
  • CLASS ATTRIBUTE - can specify CLASS or
    ATTRIBUTE separately
  • DC - gives all components covered if SECURITY
    FOR IDMS-DC IS ON. Can give components
    individually. These are DESTINATION, LINE,
    LOGICAL TERMINAL, MAP, MESSAGE, PANEL,
    PHYSICAL TERMINAL, QUEUE, TASK

35
IDD USER AUTHORITY - 5
  • IDD - gives all components covered if SECURITY
    FOR IDD IS ON. Can give components individually.
    These are ELEMENT, ENTRY POINT, FILE, MODULE,
    PROCESS, QFILE, TABLE, PROGRAM, RECORD, REPORT,
    TRANSACTION, SYSTEM, USER
  • IDMS - gives all components covered if SECURITY
    FOR IDMS IS ON. Can give components individually.
    These are SCHEMA, SUBSCHEMA

36
SECURITY EXAMPLE
  • To secure teleprocessing entities (DESTINATION,
    LINE, LOGICAL-TERMINAL, PHYSICAL-TERMINAL, MAP,
    MESSAGE, PANEL, QUEUE, TASK):
  • SET OPT DICT SECURITY FOR IDMS-DC IS ON
  • MOD USER A INCLUDE AUTHORITY FOR UPDATE IS DC
  • MOD USER B INCLUDE AUTHORITY FOR UPDATE IS
    MESSAGE
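
Slides 31 to 36 describe two interacting controls: the SECURITY FOR clauses in SET OPTIONS decide which entity types are checked at all, and each user's INCLUDE AUTHORITY FOR <level> IS <component> decides which DDDL verbs they may issue on them. The model below is an added illustration, not CA-IDMS code or part of the presentation; it encodes the tables from slides 31, 34 and 35 and replays the slide 36 example. Two simplifications are assumed: a user holds one authority level per component (a later INCLUDE replaces an earlier one), and the special component ALL from slide 32 covers every entity type.

```python
"""Model of the IDD USER AUTHORITY rules on slides 26-27 and 31-36.

Added illustration, not CA-IDMS code.  It records which DDDL verbs each
authority level grants (slide 31), which entity types each SECURITY FOR
category covers (slides 26-27, 34-35) and the umbrella components DC / IDD /
IDMS / ALL, then answers "may this user issue this verb on this entity
type?".  Simplifications assumed here: one authority level per component
(a later INCLUDE replaces an earlier one) and no IDD SIGNON or password
handling.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Slide 31: verbs granted by each authority level.
VERBS_FOR_LEVEL: Dict[str, Set[str]] = {
    "UPDATE":  {"ADD", "MODIFY", "REPLACE", "DELETE", "DISPLAY", "PUNCH"},
    "ADD":     {"ADD", "DISPLAY", "PUNCH"},
    "MODIFY":  {"MODIFY", "DISPLAY", "PUNCH"},
    "REPLACE": {"REPLACE", "DISPLAY", "PUNCH"},
    "DELETE":  {"DELETE", "DISPLAY", "PUNCH"},
    "DISPLAY": {"DISPLAY", "PUNCH"},
}

# Security category -> entity types it protects when SECURITY FOR <cat> IS ON.
CATEGORY_ENTITIES: Dict[str, Set[str]] = {
    "IDMS-DC": {"DESTINATION", "LINE", "LOGICAL TERMINAL", "MAP", "MESSAGE",
                "PANEL", "PHYSICAL TERMINAL", "QUEUE", "TASK"},
    "IDMS": {"SCHEMA", "SUBSCHEMA"},
    "IDD": {"ELEMENT", "ENTRY POINT", "FILE", "MODULE", "PROCESS", "QFILE",
            "TABLE", "PROGRAM", "RECORD", "REPORT", "TRANSACTION", "SYSTEM", "USER"},
}
# Umbrella authority component that covers every entity type in a category.
UMBRELLA: Dict[str, str] = {"IDMS-DC": "DC", "IDMS": "IDMS", "IDD": "IDD"}


@dataclass
class DictionaryOptions:
    """The SECURITY FOR <category> IS ON clauses of SET OPTIONS FOR DICTIONARY."""
    security_on: Set[str] = field(default_factory=set)


@dataclass
class IddUser:
    name: str
    authority: Dict[str, str] = field(default_factory=dict)  # component -> level

    def include_authority(self, level: str, component: str) -> None:
        """MOD USER <name> INCLUDE AUTHORITY FOR <level> IS <component>."""
        if level not in VERBS_FOR_LEVEL:
            raise ValueError(f"unknown authority level {level!r}")
        self.authority[component] = level

    def exclude_authority(self, component: str) -> None:
        """MOD USER <name> EXCLUDE AUTHORITY ... IS <component> (revoke)."""
        self.authority.pop(component, None)


def category_of(entity_type: str) -> Optional[str]:
    for category, entities in CATEGORY_ENTITIES.items():
        if entity_type in entities:
            return category
    return None


def may_issue(opts: DictionaryOptions, user: IddUser, verb: str, entity_type: str) -> bool:
    """True if the DDDL compiler would accept <verb> <entity_type> from this user."""
    category = category_of(entity_type)
    if category is None or category not in opts.security_on:
        return True  # entity type not secured in this dictionary: no authority check
    # Any of: the umbrella component, the individual entity type, or ALL (slide 32).
    for component in (UMBRELLA[category], entity_type, "ALL"):
        level = user.authority.get(component)
        if level is not None and verb in VERBS_FOR_LEVEL[level]:
            return True
    return False


def slide_36_setup():
    """The SECURITY EXAMPLE on slide 36: IDMS-DC security ON, user A gets DC,
    user B gets MESSAGE only."""
    opts = DictionaryOptions(security_on={"IDMS-DC"})
    a, b = IddUser("A"), IddUser("B")
    a.include_authority("UPDATE", "DC")
    b.include_authority("UPDATE", "MESSAGE")
    return opts, a, b


if __name__ == "__main__":
    opts, a, b = slide_36_setup()
    for user, verb, ent in [(a, "DELETE", "MAP"), (b, "MODIFY", "MESSAGE"),
                            (b, "MODIFY", "MAP"), (b, "MODIFY", "RECORD")]:
        print(f"{user.name}: {verb} {ent} -> {may_issue(opts, user, verb, ent)}")
```

The last case in the demonstration is the one worth noticing: because slide 36 turns on SECURITY FOR IDMS-DC only, user B can still MODIFY a RECORD with no IDD authority at all. That is the point of slides 26 to 28: an entity type is only protected in a dictionary where its category is switched ON.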

37
Any Questions on IDD SECURITY?

38
DCMT SECURITY
  • Allows control of individual DCMT commands
  • Three stages:
      • Assemble/link CTABGEN
      • Define RESOURCE ACTIVITY for each secured command
      • GRANT EXECUTE ON RESOURCE ACTIVITY for each one

39

  • CTABGEN: DCMT command code → Activity Number
  • IDMS SECURITY: Activity Number → Resource Activity

40
CTABGEN - DCMT command codes
  • See Security manual 10.1.6
  • N001 SHUTDOWN - covers all variations of
    SHUTDOWN
      • N001000 SHUTDOWN (more granularity)
      • N001001 SHUTDOWN IMMEDIATE
  • N002 ABORT - covers all variations of ABORT
      • N002000 ABORT (more granularity)
      • N002001 ABORT DUMP

41
CTABGEN - EXAMPLE
  • Links the command codes to activity-numbers, e.g.
    CTABGEN (N001,1,N002,2,N003,3,N004,4),
            (N005,5,N006,6,N007,7,N009,9),
            ...
            (N096001,96,N096002,96,N096005,96,N096006,96),
            (N096010,253,N096011,253,N096012,253,N096015,253),
            (N096016,253,N096017,253,N096020,253,N096021,253)
            END
  • Gets assembled/linked to form module RHDCMT00

42
DCMT IDMS SECURITY SYNTAX
  • CREATE RESOURCE ACTIVITY
    application-name.activity-name
    NUMBER activity-number
  • Application-name must be DCMT for this to work
  • Activity-name can be anything you want
  • Activity-number links to the activity-number in
    the CTABGEN

43
DCMT - Example 1 RESOURCE ACTIVITIES
  • CREATE RESOURCE ACTIVITY DCMT.SHUTDOWN NUMBER 1
  • CREATE RESOURCE ACTIVITY DCMT.ABORT NUMBER 2
  • CREATE RESOURCE ACTIVITY DCMT.D_DBGROUP NUMBER 96
  • CREATE RESOURCE ACTIVITY DCMT.V_DBGROUP NUMBER 253

44
DCMT - Example 2: Granting authority
  • Task security:
    GRANT EXECUTE ON CATEGORY TASK_DCMT TO ROSEGRP
  • Activity security:
    GRANT EXECUTE ON ACTIVITY DCMT.D_DBGROUP TO ROSEGRP
  • Can use wildcards:
    GRANT EXECUTE ON ACTIVITY DCMT.* TO IDMSSUP
    GRANT EXECUTE ON ACTIVITY DCMT.D_* TO DEVGRP

45
DCMT Reminder about wildcards
  • GRANT EXECUTE ON ACTIVITY DCMT.D_A* TO ROSEGRP
  • DIS GROUP ROSEGRP
      HOLDS EXECUTE PRIVILEGES ON ACTIVITY DCMT.D_ACTIVE
      HOLDS EXECUTE PRIVILEGES ON ACTIVITY DCMT.D_ALL_PROG_POOL
      HOLDS EXECUTE PRIVILEGES ON ACTIVITY DCMT.D_ALL_STOR_POOLS
      HOLDS EXECUTE PRIVILEGES ON ACTIVITY DCMT.D_AREAS
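
Slides 38 to 45 chain three tables together: CTABGEN maps a DCMT command code to an activity number, CREATE RESOURCE ACTIVITY gives that number a DCMT.name, and GRANT EXECUTE ON ACTIVITY hands it to a group, with a trailing wildcard expanding to every matching activity. The model below is an added illustration, not CA-IDMS code or part of the presentation. The command codes, activity numbers, activity names and group names are the ones on slides 41, 43, 44 and 45; the activity numbers for the four D_A* activities listed on slide 45 are not on the slides and are placeholders. It also assumes, from the DIS GROUP output on slide 45, that a wildcard GRANT is expanded against the activities that exist when it is issued, and that a command code absent from CTABGEN is not activity-checked at all.

```python
"""Model of the three-stage DCMT security chain on slides 38-45.

Added illustration, not CA-IDMS code.  Stage 1 (CTABGEN) maps DCMT command
codes to activity numbers, stage 2 (CREATE RESOURCE ACTIVITY) names those
numbers, stage 3 (GRANT EXECUTE ON ACTIVITY) gives them to groups.  The
wildcard handling models what slide 45's DIS GROUP output shows: a trailing
'*' is expanded against the activities that exist when the GRANT is issued.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DcmtSecurity:
    ctabgen: Dict[str, int] = field(default_factory=dict)      # "N096001" -> 96
    activities: Dict[str, int] = field(default_factory=dict)   # "DCMT.D_DBGROUP" -> 96
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # group -> activity names

    def ctabgen_pairs(self, *pairs: Tuple[str, int]) -> None:
        """CTABGEN (code,number,...) - the table assembled into RHDCMT00."""
        for code, number in pairs:
            self.ctabgen[code] = number

    def create_resource_activity(self, name: str, number: int) -> None:
        """CREATE RESOURCE ACTIVITY application-name.activity-name NUMBER n."""
        app, _, activity = name.partition(".")
        if app != "DCMT" or not activity:
            raise ValueError("application-name must be DCMT (slide 42)")
        self.activities[name] = number

    def grant_execute(self, pattern: str, group: str) -> None:
        """GRANT EXECUTE ON ACTIVITY <pattern> TO <group>; trailing * is a wildcard."""
        if pattern.endswith("*"):
            matched = {a for a in self.activities if a.startswith(pattern[:-1])}
        else:
            matched = {pattern} if pattern in self.activities else set()
        self.grants.setdefault(group, set()).update(matched)

    def display_group(self, group: str) -> List[str]:
        """What DIS GROUP <group> would list under HOLDS EXECUTE PRIVILEGES ON ACTIVITY."""
        return sorted(self.grants.get(group, set()))

    def activity_number_for(self, command_code: str) -> Optional[int]:
        """Longest matching CTABGEN code wins, so N001001 falls back to N001."""
        for length in range(len(command_code), 3, -1):
            number = self.ctabgen.get(command_code[:length])
            if number is not None:
                return number
        return None

    def may_execute(self, group: str, command_code: str) -> bool:
        """Activity-level check; assumes task security (TASK_DCMT) already passed."""
        number = self.activity_number_for(command_code)
        if number is None:
            return True  # modelling assumption: a code absent from CTABGEN is not activity-secured
        held = {self.activities[a] for a in self.grants.get(group, set())}
        return number in held


def example_setup() -> DcmtSecurity:
    """Built from slides 41, 43, 44 and 45.  The numbers 101-104 for the D_A*
    activities are placeholders; the slides do not give them."""
    s = DcmtSecurity()
    s.ctabgen_pairs(("N001", 1), ("N002", 2), ("N003", 3), ("N004", 4),
                    ("N005", 5), ("N006", 6), ("N007", 7), ("N009", 9),
                    ("N096001", 96), ("N096002", 96), ("N096005", 96), ("N096006", 96),
                    ("N096010", 253), ("N096011", 253), ("N096012", 253), ("N096015", 253),
                    ("N096016", 253), ("N096017", 253), ("N096020", 253), ("N096021", 253))
    s.create_resource_activity("DCMT.SHUTDOWN", 1)
    s.create_resource_activity("DCMT.ABORT", 2)
    s.create_resource_activity("DCMT.D_DBGROUP", 96)
    s.create_resource_activity("DCMT.V_DBGROUP", 253)
    for number, name in enumerate(["DCMT.D_ACTIVE", "DCMT.D_ALL_PROG_POOL",
                                   "DCMT.D_ALL_STOR_POOLS", "DCMT.D_AREAS"], start=101):
        s.create_resource_activity(name, number)   # placeholder numbers
    s.grant_execute("DCMT.*", "IDMSSUP")           # slide 44
    s.grant_execute("DCMT.D_*", "DEVGRP")          # slide 44
    s.grant_execute("DCMT.D_DBGROUP", "ROSEGRP")   # slide 44
    s.grant_execute("DCMT.D_A*", "ROSEGRP")        # slide 45
    return s


if __name__ == "__main__":
    s = example_setup()
    print("ROSEGRP holds:", s.display_group("ROSEGRP"))
    for group, code in [("ROSEGRP", "N096001"), ("ROSEGRP", "N096010"),
                        ("DEVGRP", "N096016"), ("IDMSSUP", "N001001")]:
        print(group, code, "->", s.may_execute(group, code))
```

display_group("ROSEGRP") reproduces the slide 45 output: the single GRANT on DCMT.D_A* gives the group every activity whose name begins D_A, which is why the slide calls it a reminder. The may_execute checks show the other side of the chain: ROSEGRP can run the N096001 variant (activity 96, D_DBGROUP) but not N096010 (activity 253, V_DBGROUP), and IDMSSUP's DCMT.* covers SHUTDOWN IMMEDIATE because N001001 resolves to the N001 entry.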

46
THE END
