Step 1. Implement Control-D Security

Perform the following steps to implement Control‑D security.

Step 1.1. Grant Access Permissions

  1. Collect the data you need to define the INCONTROL entities and user authorizations to the security product.
  2. In ICE run the steps "Control‑D Security Definitions" and "Functions Security Definitions" to create two sample jobs.
  3. Enter the above security definitions into the sample jobs just created and save the jobs in the INSTWORK library.
  4. Submit the jobs to define security to IOA and Control‑D.

Step 1.2. Customize Security Parameters

Perform the steps in ICE for all the required parameters, as follows:

Table 44 ICE Parameters

Parameter

Description

DEFMCHKD

When the definition mode of any of the Control‑D security modules is set to COND, qname is used together with the value of this parameter as the high-level qualifier to determine the actual definition mode.

SECTOLD

Determine the action to perform if your security product is inactive or a specific resource is not defined in the security product. Valid values are:

  • YES — Perform the action.
  • NO — Do not perform the action.

DCDAMCHK

Specify CDAM CHECK option. Valid values are:

  • YES — Check online users for authorization to access CDAM datasets.
  • NO — Do not check online users for authorization to CDAM datasets. Default.

DGLBRULR

Specify Global Ruler option. Valid values are:

  • YES — For ruler operations, check authority to the Global Ruler name instead of the owner.
  • NO — For ruler operations, use the Global Ruler owner (that is fixed as "MASTER") for authority checks. Default.

SYSDCHK

Specify SYSDATA viewing option. Valid values are:

  • YES — Enable SYSDATA viewing by adding the jobname to the entity name.
  • NO — Do not enable SYSDATA viewing.

The following parameters determine the number of pages a user is authorized to print using the immediate print request:

Table 45 Page Authorization Parameters

| Parameter | Quantity |      |
|-----------|----------|------|
| DPAGMIN   | 10       | >0   |
| DPAGMID   | 100      | >min |
| DPAGMAX   | 200      | >mid |

Table 46 ICE Definition Parameters

Parameter

Description

RACULIST

RACF USERLIST options. Valid values are:

  • STD — Authorize a user to view a report if the recipient authorized the user with the AUTHORIZE statement. Default.
  • ALL — Authorize a user to view a report if the recipient used the AUTHORIZE statement to authorize any of the RACF groups to which the user is connected.
  • MIXED — Combines STD and ALL.
  • GRP — Authorize a user to view all the reports if the recipient authorized the user's default group with the AUTHORIZE statement.
  • NO — Do not check authorization through the Recipient Tree.

TSSULIST

TopSecret USERLIST option. Valid values are:

  • STD — Authorize a user to view a report if the recipient authorized the user with the AUTHORIZE statement. Default.
  • NO — Do not check authorization through the Recipient Tree.

SAFULIST

ACF2 USERLIST option. Valid values are:

  • STD — Authorize a user to view a report if the recipient authorized the user with the AUTHORIZE statement. Default.
  • NO — Do not check authorization through the Recipient Tree.
  • UID — Authorize a user to view reports based on the first 19 characters of the user's UID string instead of the logon ID, using the SYNONYM statement. The UID string in the SYNONYM statement must have a leading "-" character followed by the 19 characters of the UID string.

DREPLST

Determine if the current userid must be authorized to entity $$REPLST.qname.recname to access reports of recipient recname.
Valid values are:

  • YES – Current userid must be authorized to entity $$REPLST.qname.recname.

    If the value NO is specified for the RACULIST, TSSULIST and SAFULIST parameters, it is not necessary to maintain AUTHORIZE fields in the Recipient Tree. This enables report decollation without using the Recipient Tree, but degrades performance when accessing User Report List files that have a large number of recipients. For information on how to avoid performance degradation, see "Decollation Without the Recipient Tree" in the implementation hints chapter in the Control‑D and Control‑V User Guide.
  • NO – Current userid need not be authorized to entity $$REPLST.qname.recname.

REPNCHK

Whether to switch on Security by report name, which enables you to control reports based on the report names in Control-D/Page On Demand or the Control-D User Screen (Screen U).

Valid values are Y (YES) and N (NO). The default is N.

Security by report name works only under Control-D extended security mode.

To give permissions for end users to see reports in the report list, the following entity must be defined in the SAF (System Access Facility):

$$RPNASR.qname.report name

For more information, see Extended Definition Mode of Module CTDSE24 and Extended Definition Mode of Module CTDSE04.

REPSPACE

Character to replace blanks in report names in SAF entities.

The default character is the underscore (_).

Valid values include any character except for the space character and the comma.

Table 47 Mode Definition Parameter

Mode

Description

Mode Definition

Specify one of the following values to determine the Definition mode for the Control‑D security modules:

  • COND – Conditional Definition mode. Default.
  • BASIC – Basic Definition mode.
  • EXTEND – Extended Definition mode.

DFMD01

Definition mode for the CTDSE01 Control‑D security module.

DFMD04

Definition mode for the CTDSE04 Control‑D security module.

DFMD08

Definition mode for the CTDSE08 Control‑D security module.

DFMD24

Definition mode for the CTDSE24 Control‑D security module.

DFMD26

Definition mode for the CTDSE26 Control‑D security module.

DFMD27a

Definition mode for the CTDSE27 Control‑D security module.
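
The valid values and constraints in Tables 44 to 47 can be checked offline before the parameters are entered in ICE. The following Python script is an added example, not BMC code: the function names, the qname PRODQ and the sample plan are constructed for illustration, and the link between REPNCHK and the CTDSE04/CTDSE24 definition modes is an assumption drawn from the cross-reference under REPNCHK.

```python
# Added example (not BMC code): lint planned ICE values against Tables 44-47.
YES_NO = {"YES", "NO"}
VALID = {
    "SECTOLD": YES_NO, "DCDAMCHK": YES_NO, "DGLBRULR": YES_NO,
    "SYSDCHK": YES_NO, "DREPLST": YES_NO, "REPNCHK": {"Y", "N"},
    "RACULIST": {"STD", "ALL", "MIXED", "GRP", "NO"},
    "TSSULIST": {"STD", "NO"}, "SAFULIST": {"STD", "NO", "UID"},
}
MODES = {"COND", "BASIC", "EXTEND"}  # applies to every DFMDnn parameter


def lint(params):
    """Return findings for a dict of parameter name -> planned value."""
    out = []
    for name, value in params.items():
        allowed = MODES if name.startswith("DFMD") else VALID.get(name)
        if allowed is not None and value not in allowed:
            out.append(f"{name}: {value!r} is not a listed value")
    # Table 45: DPAGMIN > 0, DPAGMID > DPAGMIN, DPAGMAX > DPAGMID.
    pages = [params.get(k) for k in ("DPAGMIN", "DPAGMID", "DPAGMAX")]
    if None not in pages and not 0 < pages[0] < pages[1] < pages[2]:
        out.append("DPAG*: need 0 < DPAGMIN < DPAGMID < DPAGMAX")
    rs = params.get("REPSPACE", "_")
    if len(rs) != 1 or rs in " ,":
        out.append("REPSPACE: one character, not a space or a comma")
    # Assumption: report-name security depends on CTDSE04/CTDSE24, the two
    # modules the page cross-references; COND cannot be resolved offline.
    if params.get("REPNCHK") == "Y":
        for mod in ("DFMD04", "DFMD24"):
            if params.get(mod) == "BASIC":
                out.append(f"REPNCHK: Y but {mod} is BASIC, not EXTEND")
    # Review flag, not an error: the action is still performed when the
    # security product is inactive or the resource is undefined.
    if params.get("SECTOLD") == "YES":
        out.append("SECTOLD: YES performs the action when security is inactive")
    return out


def report_entity(qname, report_name, repspace="_"):
    """SAF entity for report-name security; blanks become REPSPACE."""
    return f"$$RPNASR.{qname}.{report_name.replace(' ', repspace)}"


if __name__ == "__main__":
    plan = {"SECTOLD": "YES", "RACULIST": "GROUP", "REPNCHK": "Y",  # constructed
            "DFMD24": "BASIC", "DPAGMIN": 10, "DPAGMID": 100, "DPAGMAX": 50}
    print("\n".join(lint(plan)))
    print(report_entity("PRODQ", "DAILY SALES"))
```
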

Step 1.3. Save Security Parameters into Product

This step saves all the security parameters specified for Control‑D. When this step completes, the Status column is automatically updated to COMPLETE.
