Control-D and Control-V Security

This chapter describes the procedure used to implement the Control‑D and Control‑V security interface. Review the explanations below on the elements that are protected in Control‑D and Control‑V, and then proceed to the step-by-step instructions.

For more information about the Control-D security (CTDSExx) modules discussed in this chapter, see also the descriptions of the corresponding IOA security exits from the IOA SAMPEXIT library, as discussed in the INCONTROL for z/OS Administrator Guide. For example, for more information about the CTDSE01 security module, see also the description of the CTDX001 security exit.

Protecting Control‑D and Control‑V Elements:

The Control‑D and Control‑V security interface protects the following Control‑D and Control‑V elements.

Ordering Missions

Each Control‑D mission is defined with an OWNER parameter. OWNER is the user ID to which this mission belongs. If a user requests to order a mission, the user must have the authorization to access the owner of the mission. The CTDSE01 Control‑D security module verifies that the current user has the authorization to order the mission, using the owner field of the mission.

Accessing Sysouts that Are Decollated

When a report decollating mission is ordered, the CTDSE01 Control‑D security module verifies that the user who ordered the mission is authorized to access the sysouts of the jobs that are decollated by this mission.

Accessing and Using the Mission Status Screen (Screen A)

The Mission Status screen lists the active missions currently handled by Control‑D and their status. The user can issue inquiries about a mission within the list or change its status. The CTDSE08 Control‑D security module verifies the user’s authorization to perform actions (delete, rerun, zoom, and so on) on missions displayed in the Mission Status screen.

Updating Mission Status in Batch Mode

A user’s authority is verified when the user requests to run missions in batch mode. The CTDSE08 Control‑D security module verifies the user’s authority to change the mission status (RESTORE or BACKUP) in the Active Mission file.

Filtering the List of Reports in the User Screen (Screen U)

The User screen (Screen U) of Control‑D enables the user to view reports online. When the user enters Screen U, only the reports to which the user has access are listed.

The CTDSE04 Control‑D security module controls access to User Report List screens. When a user specifies selection criteria for reports, the list of reports that the user is allowed to see is displayed. The list can contain reports that belong to the user and reports of other users that this user is allowed to see. A user can view only the decollated portion of any report that the user is authorized to view.

For information about setting up security definitions, see the description of Exit CTDX004 in the INCONTROL for z/OS Administrator Guide.

Using Recipient Tree Definitions

The Recipient Tree is a major security mechanism in Control‑D that defines how reports are distributed to users. The tree is defined in one or more library members, and allocated by DD statement DATREE. The current user’s authority is checked to determine if the user is allowed to use the tree definition. If a user defines a tree with multiple members, the security module checks that each member is authorized for use. The tree is protected by IOASE32, and a user must be authorized to the tree in order to update it.

Accessing Reports

The CTDSE04 Control‑D security module verifies that the user is authorized to perform an operation on a report, such as viewing the report, masking the report, printing the report, and so on. Although online users can only access reports for which they are authorized, access to a specific report is also verified by checking the user’s authority to print the report, change the ruler, delete the report, and so on.

Limiting the Number of Pages Sent to Spool on Immediate Print Requests

Immediate printing requests can be restricted so that users are authorized to print only reports with a specified number of pages. A check is performed to control the size of the report that a user is authorized to print using the immediate print request. There are three ranges of page numbers (defined as MIN, MID and MAX) that verify a user’s authority to print a report. All users are authorized to print a report if the number of pages to be printed is less than the MIN value. Users can be authorized to print according to a page range between MIN and MID, MID and MAX, or above MAX.
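
The page-range check described above, modelled as an added example that is not part of this guide or of the product: it shows how the three thresholds split requests into bands and which requests need a per-user grant. The band labels, function names, user IDs and threshold values are hypothetical, and two behaviours are assumptions: a page count equal to a threshold falls in the higher band, and each band is granted separately.

```python
from bisect import bisect_right

# Hypothetical band labels; the page names only the MIN, MID and MAX thresholds.
BANDS = ("BELOW_MIN", "MIN_TO_MID", "MID_TO_MAX", "ABOVE_MAX")


def page_band(pages, min_pages, mid_pages, max_pages):
    """Return the band a page count falls into.

    Assumption: a count equal to a threshold belongs to the higher band.
    """
    if not 0 < min_pages < mid_pages < max_pages:
        raise ValueError("thresholds must satisfy 0 < MIN < MID < MAX")
    if pages < 0:
        raise ValueError("page count cannot be negative")
    return BANDS[bisect_right((min_pages, mid_pages, max_pages), pages)]


def may_print(pages, granted_bands, thresholds):
    """Decide an immediate print request.

    granted_bands: bands this user was explicitly authorized for.
    Assumption: each band is granted separately; a grant for a larger
    band does not imply the smaller ones.
    """
    band = page_band(pages, *thresholds)
    # Below MIN no per-user grant is consulted: every user may print.
    return band == "BELOW_MIN" or band in granted_bands


def review_requests(requests, grants, thresholds):
    """Return (user, pages, band, allowed) for each constructed request."""
    return [
        (user, pages, page_band(pages, *thresholds),
         may_print(pages, grants.get(user, set()), thresholds))
        for user, pages in requests
    ]


# Constructed sample data, not taken from any real installation.
THRESHOLDS = (50, 500, 5000)            # MIN, MID, MAX
GRANTS = {"USERA": {"MIN_TO_MID"}, "USERB": {"MIN_TO_MID", "MID_TO_MAX"}}
REQUESTS = [("USERA", 49), ("USERA", 50), ("USERA", 500),
            ("USERB", 4999), ("USERB", 5000), ("USERC", 10)]

if __name__ == "__main__":
    for row in review_requests(REQUESTS, GRANTS, THRESHOLDS):
        print(row)
```

Because every request below MIN is allowed without a per-user grant, the MIN value sets the size of report that any user can send to spool; raising it widens that unconditional allowance for all users at once.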

Accessing CDAM Files

When a CDAM file is accessed by a user in Screen U, the user’s authority to access the CDAM file is checked by the CTDSE04 security module. This check is performed only if the DCDAMCHK installation parameter is set to YES during the implementation of Control‑D security.

Accessing Reports by Control‑D/Page On Demand

The CTDSE24 security module is called to control access to the Control‑D Active User Report file and the Control‑V Migrated User Report file from Control‑D/Page On Demand. The mainframe logon user ID specified in the Control‑D/WebAccess Server Communication Setup menu is passed to this module. The associated user exit is CTDX024.

Using Control‑D Delivery

If Control‑D Delivery is installed, the CTDSE26 Control‑D security module verifies whether the user is authorized to use it and its various functions.