Use of Recipient Tree Definition: The entity $$TREE.dsn.member is used to verify that the user is authorized to use a dataset referenced by DD statement DATREE.
where
The security module is called once for each dataset concatenated in DD statement DATREE and checks each one with the above entity.
If the library name is longer than 23 characters, it is truncated to 23 characters. To permit USERA to use a member DSN set to library‑name(member) referenced in DD statement DATREE, use the following commands:
For RACF:
RDEFINE FACILITY $$TREE.library.member UACC(NONE)
PERMIT $$TREE.library.member ACCESS(READ) ID(USERA) CLASS(FACILITY)
For TopSecret:
TSS PERMIT(USERA) IBMFAC($$TREE.library.member-name) ACC(READ)
For ACF2/SAF:
SET RESOURCE(CMF)
COMP
$KEY($$TREE.dsn.member-name) TYPE(CMF)
UID(USERA) ALLOW
Security by report name: Reports appearing in the report list can be controlled based on the report names in the User Screen (Screen U). Security by report name works only under Control-D extended security mode. To switch it on, set the REPNCHK parameter to Y, as discussed in Step 1. Implement Control-D Security.
To give permissions for end users to see reports in the report list, the following entity must be defined in the SAF (System Access Facility):
$$RPNASR.qname.report name
The maximum length of the report name is 50 characters. Such entities must be defined under a class that accepts entities which are 68 characters long. The name of this class must be specified in the IOAXCLAS parameter of the IOASECP section in the SECPARM.
$$RPNASR entities must be defined in SAF in uppercase.
IOAX037 exit is used to convert these entities to uppercase.
By default, IOAX037 contains tables for the English language.
Report names in SAF entities must not contain blank characters. By default, blank characters are replaced by underscore characters. You can use the REPSPACE parameter to choose a different character, as discussed in Step 1. Implement Control-D Security.
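The naming rules above (uppercase, blanks replaced by the REPSPACE character, 50-character report names, 68-character entities) mean that two different report names can map to the same $$RPNASR entity, so one profile then covers both. The following is an added example, not code from the product: it derives the entity, flags such collisions and prints RACF definitions in the form used on this page. The queue name CTDPROD, the sample report names and the class placeholder are constructed, and Python's `upper()` stands in for the IOAX037 English uppercase table.

```python
# Added example: derive $$RPNASR SAF entity names from Control-D report names.
# Assumptions: English report names, constructed qname and class placeholder.
from collections import defaultdict

MAX_REPORT_NAME = 50   # maximum report name length stated on this page
MAX_ENTITY = 68        # entity length the IOAXCLAS class must accept

def rpnasr_entity(qname, report_name, repspace="_"):
    """Return the uppercase, blank-free $$RPNASR entity for one report name."""
    if len(report_name) > MAX_REPORT_NAME:
        raise ValueError(f"report name longer than {MAX_REPORT_NAME}: {report_name!r}")
    if len(repspace) != 1 or repspace == " ":
        raise ValueError("REPSPACE must be a single non-blank character")
    name = report_name.upper().replace(" ", repspace)
    entity = f"$$RPNASR.{qname.upper()}.{name}"
    if len(entity) > MAX_ENTITY:
        raise ValueError(f"entity longer than {MAX_ENTITY}: {entity}")
    return entity

def find_collisions(qname, report_names, repspace="_"):
    """Map each entity to the distinct report names that normalize to it."""
    by_entity = defaultdict(set)
    for report_name in report_names:
        by_entity[rpnasr_entity(qname, report_name, repspace)].add(report_name)
    return {e: sorted(n) for e, n in by_entity.items() if len(n) > 1}

def racf_commands(entity, user, saf_class):
    """RACF definition in the same form as the FACILITY examples on this page."""
    return [f"RDEFINE {saf_class} {entity} UACC(NONE)",
            f"PERMIT {entity} ACCESS(READ) ID({user}) CLASS({saf_class})"]

if __name__ == "__main__":
    reports = ["Daily Sales", "DAILY_SALES", "Payroll Summary"]  # constructed
    for entity, names in find_collisions("CTDPROD", reports).items():
        print("one profile covers:", names, "->", entity)
    entity = rpnasr_entity("CTDPROD", "Payroll Summary")
    # "<IOAXCLAS-class>" is a placeholder for the class named in IOAXCLAS.
    for command in racf_commands(entity, "USERA", "<IOAXCLAS-class>"):
        print(command)
```

Run it over the full report list before defining profiles: any collision it reports means a single PERMIT grants access to every report name listed for that entity.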
Access a Report Under Screen U
The user’s authority to issue an action (update, delete, and so on) on a certain report is checked with the following entity:
Table 50 Report Access
Action | Entity |
---|---|
Update a record | $$RECUPD.qname.userida |
Insert a record | $$RECINS.qname.userida |
Delete a record | $$RECDEL.qname.userida |
Reprint a report | $$RECRPR.qname.userida |
Restore a record | $$RECRPR.qname.userida |
Use GIVETO option | $$GIVETO.qname.userid |
Define a ruler | $$EXTENT.qname.userid |
Suppress or activate a ruler | $$RULONF.qname.userid |
Save a ruler definition | $$RULSAV.qname.userid |
Use Global ruler | $$RULONF.qname.$globalrulname |
Define a mask ruler; Suppress or activate a mask ruler; Save a mask ruler definition | $$MSKRUL.qname.rulname. |
Use Global mask ruler | $$MSKRUL.qname.$globalrulname. |
Immediate print for a report | $$RECIPR.qname.userid |
View (browse) a report | $$VIEWCO.qname.userid |
Permit report access without Recipient Tree | $$REPLST.qname.userid |
Browse NOTES of a report | $$VIEWNO.qname.userid |
Add/Update NOTES of a report | $$EDITNO.qname.userid |
Add NOTES to a report | $$ADDNOT.qname.userid |
Update NOTES to a report | $$UPDNOT.qname.userid |
Delete NOTES | $$DELNOT.qname.userid |
Update Report View Indicator | $$VEWUPD.qname.userid |
Cancel Restore for History Report | $$UNRSTR.qname.userid |
Perform a recall of a migrated CDAM file | $$CHKRCL.qname.userid |
Submit a job to perform recall of a migrated CDAM file | $$RECALL.qname.userid |
View the report in hexadecimal format | $$RECHEX.qname.userid |
Use parameter DREPLST, set to YES | $$REPLST.qname.recipient-name |
Control‑V:
Table 51 Control‑V Features
Action | Entity |
---|---|
Use Control‑V Quick Access features | $$CTVQAC.qname.userid |
Use Control‑V Indexing features | $$CTVINX.qname.userid |
In the above entities, userid is the user ID to whom the report belongs.
To permit USERA to view (browse) a report that belongs to USERB, use the following commands:
For RACF:
RDEFINE FACILITY $$VIEWCO.qname.USERB UACC(NONE)
PERMIT $$VIEWCO.qname.USERB ACCESS(READ) ID(USERA) CLASS(FACILITY)
For TopSecret:
TSS ADD(system-dept) IBMFAC($$VIEWCO.qname.USERB)
TSS PERMIT(USERA) IBMFAC($$VIEWCO.qname.USERB) ACC(READ)
For ACF2/SAF:
SET RESOURCE(CMF)
COMP
$KEY($$VIEWCO.qname.USERB) TYPE(CMF)
UID(USERA) ALLOW
Limit Immediate Print of Reports
When a user requests an immediate print for a report, and the number of pages for the report is more than DPAGMIN, an additional entity is checked. The entity structure is as follows:
Table 52 Report Limits
Entity | Description |
---|---|
$$PAGIII | If the number of pages is greater than DPAGMIN but less than or equal to parameter DPAGMID. |
$$PAGII | If the number of pages is greater than DPAGMID but less than or equal to parameter DPAGMAX. |
$$PAGI | If the number of pages is greater than DPAGMAX. |
For RACF:
To allow USERA to immediately print a report of any size, use the following commands:
RDEFINE FACILITY $$PAGI* UACC(NONE)
PERMIT $$PAGI* CLASS(FACILITY) ID(USERA) ACCESS(READ)
To permit USERA to print reports that do not exceed the DPAGMAX number of pages, use the following commands:
RDEFINE FACILITY $$PAGII UACC(NONE)
PERMIT $$PAGII ID(USERA) CLASS(FACILITY) ACCESS(READ)
For TopSecret:
To allow USERA to immediately print a report of any size, use the following commands:
TSS ADD(system-dept) IBMFAC($$PAGI)
TSS PERMIT(USERA) IBMFAC($$PAGI) ACCESS(READ)
To permit USERA to print reports that do not exceed the DPAGMAX number of pages, use the following command:
TSS PERMIT(USERA) IBMFAC($$PAGII) ACCESS(READ)
For ACF2/SAF:
To allow USERA to immediately print a report of any size, use the following commands:
SET RESOURCE(CMF)
COMP
$KEY($$PAGI**) TYPE(CMF)
UID(USERA) ALLOW
To permit USERA to print reports that do not exceed the DPAGMAX number of pages, use the following commands:
SET RESOURCE(CMF)
COMP
$KEY($$PAGII*) TYPE(CMF)
UID(USERA) ALLOW