SECURITY FOR DMLO

1
SECURITY FOR DMLO IDD

• By Rose Haigh

2
Rose Haigh

• Rose works with IDMS DBA and Software Support
  within BTexact

3
SYSTEMS SUPPORTED

• 15 Production CVs across 10 applications
• 40 associated Development and test CVs

4
TOPICS

• DMLO SECURITY
• IDD SET OPTIONS STATEMENT
• DICTIONARY SECURITY
• DCMT SECURITY
• COMMAND FACILITY OPTIONS STATEMENT

5
FIRST LINE OF DEFENCE

• IDMS SECURITY Task Security is the prime level
  of security after SIGNON
• Use IDMS security to secure who can invoke the
  following tasksDMLO IDD SCHEMASSC OLQ DCMT
  
• Then use IDD, DMLO DCMT security to restrict
  what different users of these tasks can do

6
DMLO SECURITY

bolt-on to IDD entities
3 levels
Control USAGE modes
7
DMLO SECURITY LEVELS

• Need to set for EACH dictionary
• Add PROGRAM DBMSDMLO
• Version number controls security level
• 1 (default) No security set2 (recommended)
  User must be defined to IDD3 (too much work)
  User must be on dictionary and registered for
  access to the requested subschema

8
ACTIVATING DMLO SECURITY - Example

• ADD PROGRAM DBMSDMLO VERSION 2
• Means any user who invokes DMLO must also have a
  userid that is defined to IDD.
• At this stage the user can use DMLO with any
  Usage Mode so any valid DMLO user can update the
  database.

9
DMLO USAGE MODES

• Its a restriction - if it is not defined as
  restricted then users can ready in any usage
  mode.
• Uses the DESCRIPTION clause on either PROGRAM
  DBMSDMLO and/or USER
• Recommend Generic of NONE
• Recommend User SR or SR,SU if update is needed

10
DMLO - Example 1

• No DESCRIPTION clause on DBMSDMLOmeansany user
  with no restriction set can READY with ANY usage
  mode.
• So.ADD PROGRAM DBMSDMLO VERSION IS 2
  DESCRIPTION IS NONE
• to set a generic default of no valid usage
  mode.Now every DMLO user must have an IDD
  DESCRIPTION clause with permitted access modes.

11
DMLO - Example 2

• ADD PROGRAM DBMSDMLO VERSION IS 2 DESCRIPTION IS
  SR Sets a generic restriction of SHARED
  RETRIEVAL
• These are not additive so if you have the above
  and need to give a specific user update as well
  then do this MOD USER XXXX DESCRIPTION IS
  SR,SU
• With just SU the user would not be able to
  ready with shared retrieval.

12
SECURING DMLO SUMMARY

• IDMS Security - secure TASK DMLO.Only grant
  execute to authorised users/groups.
• In IDD ADD PROGRAM DBMSDMLO V 2 DESC NONE
• In IDD ADD USER for each DMLO user
• In IDD give each DMLO user a DESC SR or SR,SU
  etc. to restrict usage modes.

13
Any QuestionsonDMLO SECURITY?
14
SECURING THE IDD COMPILERS

• This involves
• The IDD OPTIONS statementto set up the security
• The IDD USER definitionto give the authority

15
SET OPTIONS - 1

• FOR DICTIONARY- Specific to each dictionary-
  Permanent until changed by another SET OPTIONS
  statement- General session options- Establish
  Security
• FOR SESSION (limited parameters)Use to override
  dictionary options
• See CA-IDMS IDD DDDL Reference Chapter 2

16
SET OPTIONS - 2

• SET OPTIONS FOR DICTIONARY..User must have
  AUTHORITY FOR UPDATE IS ALL
• SET OPTIONS FOR SESSION...temporary default
  override options. Some clauses require user to
  have appropriate authority to issue them.
• DISPLAY OPTIONS FOR DICTIONARY to see settings
  for current dictionary.

17
SET OPTIONS GENERAL OPTIONS 1

• Use these to set defaults for each dictionary
  e.g.
• Establish default version numbers
• Alternate end of statement character
• Maintenance conventions

18
SET OPTIONS GENERAL OPTIONS 2

• DEFAULT VERSION NUMBERS
• DEFAULT FOR NEW VERSION IS ) version-number
  )1
  ) NEXt )
  HIGhest
  ) LOWest
• NEXT HIGHEST - can cause problems. Use V1 on
  SYSTEM/TOOLS when loading CA source.
• DEFAULT FOR EXISTING VERSION IS )
  version-number
  )1
  ) HIGhest
  ) LOWest

19
SET OPTIONS GENERAL OPTIONS 3

• ALTERNATE END OF STATEMENT CHARACTER
• SEMICOLON ALTERNATE END OF SENTENCE IS ON Worth
  setting as it does no harm!

20
SET OPTIONS GENERAL OPTIONS 4

• MAINTENANCE CONVENTIONS
• DEFault is OFF (recommended option for
  dictionary)Rejects ADD statements that identify
  existing entity occurrences.
• SET OPTIONS FOR SESSION DEFAULT IS ONUse in DDDL
  Session as an override.Accepts ADD statements
  for existing entity occurrences. DDDL compiler
  interprets as MODIFY statements for the entity
  occurrence and issues the message ADD CHANGED
  TO MODIFY

21
GENERAL IDD OPTIONS - Examples

• DIS OPTIONS FOR DICTIONARY
• SET OPTIONS FOR DICTIONARYDEFAULT FOR EXISTING
  VERSION HIGHESTDEFAULT FOR NEW VERSION HIGHEST
  SEMICOLON ALTERNATE END OF SENTENCE IS
  ONDEFAULT IS OFF.
• SET OPT SESSION DEFAULT ON.

22
SECURITY OPTIONS

• PASSWORD SECURITY OVERRIDE
• USER SIGNON OVERRIDE
• AUTHORISATION
• SECURITY FOR..

23
SECURITY OPTIONS - Passwords

• PASSWORD SECURITY OVERRIDE
• OFF - users cannot modify their own passwords
  unless they are given AUTHORITY FOR UPDATE IS
  PASSWORD(N.B. If the SET OPTIONS statement
  specifies SECURITY FOR IDD IS ON they also need
  AUTHORITY FOR UPDATE IS IDD)
• ON - (recommended) Specifies that users can
  modify their own IDD passwords.

24
SECURITY OPTIONS - IDD SIGNON USER

• USER SIGNON OVERRIDEAllows users to specify a
  different user ID in an IDD SIGNON statement
  from the one known to the IDMS environment.
• Recommend setting NOT ALLOWED
• If you have ALLOWED - Essential that each USER
  is set up with an IDD password.

25
SECURITY OPTIONS - AUTHORISATION

• AUTHORISATIONSpecifies guidelines for accepting
  or rejecting programs based on whether they are
  defined in the dictionary.
• Recommend OFF, as setting program authorisation
  on makes a lot of work for the DBA!

26
SECURITY FOR .. IS ONRecommend security is
ON for all dictionaries for

• ADS - to control use of CA-ADS compilers
• IDMS - to control who can register programs with
  subschemas, use SCHEMA/SUBSCHEMA compilers
• IDMS-DC - to control who can access DESTINATION,
  LINE, LOGICAL TERMINAL, MAP, MESSAGE, PANEL,
  PHYSICAL TERMINAL, QUEUE, TASK entity types

27
SECURITY FOR .. IS ON (continued)

• CLASS ATTRIBUTE - to control who can access
  ATTRIBUTE, CLASS and user defined entity types
• IDD - ELEMENT, FILE, MODULE, QFILE, PROCESS,
  PROGRAM, RECORD, SYSTEM, TABLE and USER
• IDD SIGNON - only users with IDD SIGNON authority
  can sign on to the DDDL compiler.
• LOAD MODULE - to control who can access load
  modules in the dictionary.

28
SECURITY FOR .. IS OFF

• Recommend security for these is OFF for all
  application dictionaries
• CULPRIT
• OLQ - controls who can define USER clauses that
  pertain to OLQ, enforces subschema and q-file
  restrictions.

29
ADMINISTERING SECURITY - 1

• Need to add a user to IDD if user needs to
• use any of the dictionary compilers
• use OLQ
• use DMLO (because of DMLO security)
• run CULPRIT reports
• If a user does not need any of the above, then
  the user should not be defined to IDD

30
ADMINISTERING SECURITY - 2

• IDD SIGNON ALLOWED/NOT ALLOWED
• ALLOWED is the default
• set this to NOT ALLOWED for userids that do not
  need IDD (e.g. OLQ/DMLO users) when options have
  SECURITY FOR IDD IS ON.

31
IDD USER AUTHORITY - 1

• INCLUDE AUTHORITY FOR (use EXCLUDE to revoke)
• UPDATE - default. Gives everything
• ADD - gives ADD DISPLAY/PUNCH
• MODIFY - gives MODIFY DISPLAY/PUNCH
• REPLACE - gives REPLACE DISPLAY/PUNCH
• DELETE - gives DELETE DISPLAY/PUNCH
• DISPLAY - gives DISPLAY/PUNCH only

32
IDD USER AUTHORITY - 2

• Only DBA/IDMS Support should have AUTHORITY FOR
  UPDATE IS ALL

33
IDD USER AUTHORITY - 3

• PASSWORD - allows user to update OTHER users
  passwords. Restrict this to DBA/IDMS support.
• CULPRIT - must specify AUTHORITY for UPDATE
• OLQ - enables update of USER clauses that relate
  to OLQ files etc.
• ADS - generate ADS dialogs
• LOAD MODULE - access load modules

34
IDD USER AUTHORITY - 4

• CLASS ATTRIBUTE - can specify CLASS or
  ATTRIBUTE separately
• DC - gives all components covered if SECURITY
  for IDMS-DC is ONCan give components
  individually. These are DESTINATION, LINE,
  LOGICAL TERMINAL, MAP, MESSAGE, PANEL,
  PHYSICAL TERMINAL, QUEUE, TASK

35
IDD USER AUTHORITY - 5

• IDD - gives all components covered if SECURITY
  for IDD is ON Can give components individually.
  These areELEMENT, ENTRY POINT, FILE, MODULE,
  PROCESS, QFILE, TABLE, PROGRAM, RECORD, REPORT,
  TRANSACTION, SYSTEM, USER
• IDMS - gives all components covered if SECURITY
  for IDMS is ON Can give components individually.
  These are SCHEMA, SUBSCHEMA

36
SECURITY EXAMPLE

• To Secure teleprocessing entities(DESTINATION,
  LINE, LOGICAL-TERMINAL, PHYSICAL-TERMINAL, MAP,
  MESSAGE, PANEL, QUEUE,TASK)
• SET OPT DICT SECURITY FOR IDMS-DC IS ON
• MOD USER A INCLUDE AUTHORITY FOR UPDATE IS DC
• MOD USER B INCLUDE AUTHORITY FOR UPDATE IS
  MESSAGE

37
Any QuestionsonIDD SECURITY?
38
DCMT SECURITY

• Allows control of individual DCMT commands
• Three stages
• Assemble/link CTABGEN
• Define RESOURCE ACTIVITY for each secured command
• GRANT EXECUTE ON RESOURCE ACTIVITY for each one

39

CTABGEN
DCMT command code
Activity Number
IDMS SECURITY
Activity Number
Resource Activity
40
CTABGEN - DCMT command codes

• See Security manual 10.1.6
• N001 SHUTDOWN - covers all variations of
  SHUTDOWN
  
• N001000 SHUTDOWN
  
• N001001 SHUTDOWN IMMEDIATE
  
• N002 ABORT - covers all variations of ABORT
  
• N002000 ABORT
  
• N002001 ABORT DUMP

More Granularity
More Granularity
41
CTABGEN - EXAMPLE

• Links the command codes to activity-numbers e.g.
• CTABGEN (N001,1,N002,2,N003,3,N004,4),
  (N005,5,N006,6,N007,7,N009,9),
  .
  .(N096001,96,N096002,96,N096005,96,N096006,96),
  (N096010,253,N096011,253,N096012,253,N096015,253)
  ,(N096016,253,N096017,253,N096020,253,N096021,253
  ) END
• Gets assembled/linked to form module RHDCMT00

42
DCMT IDMS SECURITY SYNTAX

• CREATE RESOURCE ACTIVITY
  application-name.activity-name
  NUMBER activity-number
• Application-name must be DCMT for this to work
• Activity-name can be anything you want
• Activity-number links to the activity-number in
  the CTABGEN

43
DCMT - Example 1 RESOURCE ACTIVITIES

• CREATE RESOURCE ACTIVITY DCMT.SHUTDOWN NUMBER 1
• CREATE RESOURCE ACTIVITY DCMT.ABORT NUMBER 2
• CREATE RESOURCE ACTIVITY DCMT.D_DBGROUP NUMBER 96
  
• CREATE RESOURCE ACTIVITY DCMT.V_DBGROUP NUMBER
  253

44
DCMT - Example 2Granting authority

• Task SecurityGRANT EXECUTE ON CATEGORY
  TASK_DCMTTO ROSEGRP
• Activity securityGRANT EXECUTE ON ACTIVITY
  DCMT.D_DBGROUP TO ROSEGRP
• Can use wildcardsGRANT EXECUTE ON ACTIVITY
  DCMT. TO IDMSSUP GRANT EXECUTE ON ACTIVITY
  DCMT.D_ TO DEVGRP

45
DCMT Reminder about wildcards

• GRANT EXECUTE ON ACTIVITY DCMT.D_A TO ROSEGRP
• DIS GROUP ROSEGRP HOLDS EXECUTE PRIVILEGES
  ON ACTIVITY
  DCMT.D_ACTIVE HOLDS EXECUTE PRIVILEGES ON
  ACTIVITY
  DCMT.D_ALL_PROG_POOL HOLDS EXECUTE PRIVILEGES
  ON ACTIVITY
  DCMT.D_ALL_STOR_POOLS HOLDS EXECUTE
  PRIVILEGES ON
  ACTIVITY DCMT.D_AREAS

46
THE END

?