Extended Definition Mode

The CTDSE24 security module retrieves security definitions from the Recipient Tree. The administrator can authorize Control‑D/Page On Demand users to view mainframe reports by adding the appropriate mainframe logon ID to the AUTHORIZE field in the recipient definitions in the Recipient Tree. For information about how this is done, see Basic Definition Mode.

Reports appearing in the report list can be controlled based on the report names in Control-D/Page On Demand.

Security by report name works only under Control-D extended security mode. To switch on, set the REPNCHK parameter to Y, as discussed in Step 1. Implement Control-D Security.

To give permissions for end users to see reports in the report list, the following entity must be defined in the SAF (System Access Facility):

$$RPNASR.qname.report name

The maximum length of the report name is 50 characters. Such entities must be defined under class that accept entities which are 68 characters long. The name of this class must by specified in the IOAXCLAS parameter of IOASECP section in the SECPARM.

$$RPNASR entities must be defined in SAF in uppercase.

IOAX037 exit is used to convert these entities to uppercase.

By default, IOAX037 contains tables for the English language.

Report names in SAF entities must not contain blank characters. By default, blank characters are replaced by underscore characters. You can use the REPSPACE parameter to choose a different character, as discussed in Step 1. Implement Control-D Security.

Access a Report From Control‑D/Page On Demand

The user’s authority to issue an action (update, delete, and so on) on a certain report is checked with the following entities:

Table 56 Report Access

In the above entities, userid is the user ID to whom the report belongs.

To permit USERA (meaning, the mainframe logon ID) to view (browse) a report that belongs to USERB (meaning, the Control‑D recipient name), use the following command:

For RACF:

RDEFINE FACILITY $$VIEASR.qname.USERB UACC(NONE)
PERMIT $$VIEASR.qname.USERB ACCESS(READ) ID(USERA) CLASS(FACILITY)

For TopSecret:

To allow USERA to immediately print a report of any size, use the following commands:

TSS PERMIT(USERA) IBMFAC($$VIEASR.qname.USERB) ACC(READ)

For ACF2/SAF:

To allow USERA to immediately print a report of any size, use the following commands:

SET RESOURCE(CMF)
COMP
$KEY($$VIEASR.qname.USERB) TYPE(CMF)
UID(USERA) ALLOW

Limit Immediate Print of Reports

When the user requests immediate print, and the report contains more than the minimum number of pages specified in parameter DPAGMIN, the following entity is checked to verify that the user is authorized to send to the printer the number of pages contained in the report:

Table 57 Report Limits

For RACF:

To allow USERA to immediately print a report of any size, use the following commands:

RDEFINE FACILITY $$PGASRI UACC(NONE)
PERMIT $$PGASRI CLASS(FACILITY) ID(USERA) ACCESS(READ)

To permit USERA to print reports that do not exceed the DPAGMAX number of pages, use the following commands:

RDEFINE FACILITY $$PGASRII UACC(NONE)
PERMIT $$PGASRII ID(USERA) CLASS(FACILITY) ACCESS(READ)

To allow USERA to immediately print a report of any size, use the following commands:

TSS PERMIT(USERA) IBMFAC($$PGASRI) ACC(READ)

For ACF2/SAF:

To allow USERA to immediately print a report of any size, use the following commands:

SET RESOURCE(CMF)
COMP
$KEY($$PGASRI) TYPE(CMF)
UID(USERA) ALLOW