Defining and Maintaining CA Ideal for CA Datacom Users

The user definition provides multiple levels of security for CA Ideal™ for CA Datacom®. It secures access to CA Ideal™ for CA Datacom®, to development and production systems in CA Ideal™ for CA Datacom®, and to specific activities in each system. The user definition identifies each CA Ideal™ for CA Datacom® user, establishes the user name, grants CA Ideal™ for CA Datacom® privileges, assigns the user to systems, and assigns authorization levels in each system.
Creating and Maintaining User Definitions
You can define each user individually to CA Ideal™ for CA Datacom® or you can define one or more user groups with access to common systems and appropriate authorizations in those systems. This section explains how to create and maintain the user definitions.
You can define and maintain user definitions either directly through the commands described in this section or by selecting options from the User Maintenance Menu. To display the User Maintenance Menu, select option 1 on the Administration Maintenance Menu or enter the CA Ideal™ for CA Datacom® command USER.
    =>
    =>
    =>
    ----------------------------------------------------------------------------
    IDEAL: USER MAINTENANCE      USR                         SYS: DOC      MENU

    Enter desired option number ===>      There are 7 options in this menu:

     1. EDIT/DISPLAY         - Edit or display a user definition
     2. CREATE               - Create a user definition
     3. PRINT                - Print a user definition
     4. DELETE               - Delete a user definition
     5. MARK STATUS          - Mark user status to production or history
     6. DUPLICATE            - Duplicate user definition to next version
     7. DISPLAY INDEX        - Display index of user definitions
Some of the options on the User Maintenance Menu display fill-in panels for data entry.
When a fill-in is complete, press Enter or a PF key to apply the modified data. Pressing the Enter key applies the data, but leaves the current fill-in displayed. To continue, enter the appropriate command or press the appropriate PF key. Pressing the Clear key returns the session to the CA Ideal™ for CA Datacom® Main Menu without applying the modified data. Pressing a PA key also ignores modified data. The PA1 key issues a RESHOW. The PA2 key displays current PF/PA key assignments.
For prompter panels, pressing Enter processes the command completed on the prompter.
Creating a CA Ideal™ for CA Datacom® User Definition
To create the first version of a user definition, enter the command CREATE USER. The CREATE USER command displays a blank user definition fill-in. The User Definition Fill-in is a panel that establishes the user, assigns a user privilege, enters descriptive information about the user, and establishes the user's authorization level in each assigned system. If a user is already defined in the dictionary (for Datadictionary or CA DataQuery, for example), duplicate the user to the next version and edit the new version to define the user to CA Ideal™ for CA Datacom®.
A newly created user definition is assigned a version number of 1. This version of the user definition is in test status. You can edit it at any subsequent session as long as it remains in test status.
Note:
  • Before a user can sign on to CA Ideal™ for CA Datacom®, the user definition must be marked to production status.
  • When you are using an external security system to control access to CA Ideal™ for CA Datacom®, you must be sure that a user definition exists for the administrator before changing the SC00OPTS table to include the option SECRTY=Y. If a user definition does not exist, you cannot sign on to CA Ideal™ for CA Datacom® to create the remaining user definitions.
To display the User Definition Fill-in, enter the command CREATE USER or select Option 2, CREATE, from the User Maintenance Menu.
    =>
    =>
    =>
    -------------------------------------------------------------------------------
    IDEAL: USER DEFINITION       USR   (001) TEST               SYS: DOC    FILL-IN
    Person name    _______________  IDEAL user id ___
    Description    ____________________________________
    Full name      ____________________________________________________________
    Password       ____________   Re-enter to confirm pswd ____________
    Identification _________           Title ____________________
    Org. unit      ______              Grade ______
    Date created   2/17/06     Last modified ........  at ..:..
    IDEAL Privileges:   Mark at least 1 with an “X” to enable IDEAL signon
     ( _ ) IDEAL Administrator - May use any IDEAL facility
     ( _ ) PRINT Administrator - Has control of Print facility
     ( _ ) DVW   Administrator - Catalogs DATAVIEW definitions
     ( _ ) IDEAL User          - May use all non-Administrator facilities
    Assigned      (Indicate at least 1 assigned SYSTEM):
    SYSTEM(S)   CONTROL     UPDATE    READ   UPDATE-PNL  UPDATE-RPT  RUN-PROD
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
      ___        ( _ )      ( _ )     ( _ )    ( _ )       ( _ )      ( _ )
Note:
Issue “MARK * PROD” or “MARK USER xxx VER n TO PROD” to enable signon.
The fields on the User Definition Fill-in consist of:
  • Person name-
    One- to 15-character identification of the person (user) being defined. This name must be unique at the site. CA Ideal™ for CA Datacom® initializes Person name to the name entered in the CREATE command, if a name was supplied there. You cannot change Person name once it is entered and accepted. If you want a new Person name, you must delete the user definition and create a new one. The Person name can be one to 15 non-blank characters and can be any combination of letters, digits, or national characters except the first character cannot be a digit.
    The Person Name does not have to be the same as the security ID or the monitor op-ID used to logon if the UIDCHK parameter of the IDOPTSCB macro is set to NO. However, unless a default user ID (DFLTUSR) is specified to determine the CA Ideal™ for CA Datacom® authorizations, you must still define the security ID or op-ID as an alias for the Person Name in the dictionary facility.
  • IDEAL User ID-
    One- to three-character user identification. You must enter this user ID to make the user valid for CA Ideal™ for CA Datacom® and it must be unique to the site. Once defined in a User Definition Fill-in, you cannot change the CA Ideal™ for CA Datacom® user ID. If you want a new CA Ideal™ for CA Datacom® user ID, delete the user definition and create a new one. The user ID can be one to three non-blank characters and it is any combination of letters and digits. You can use national characters ($, #, @) but not as the initial characters. The one- to three-character IDEAL User ID becomes an alias for the PERSON in the Datadictionary facility. For more information, see Occurrence Naming Standards.
    Warning! IDEAL SHORT-ID $19 (x'5bf1f9') and $20 (x'5BF2F0') are not valid due to a CA Datadictionary internal use. Therefore, you cannot use those in CA Ideal for CA Datacom.
    Note:
    In CICS, the CA Ideal™ for CA Datacom® user ID must match the CICS op-ID unless either the UIDCHK parameter of the IDOPTSCB macro is set to NO or security is enabled (SECRTY=Y in the SC00OPTS table).
  • Description-
    Optional description of the user being defined.
  • Full name, Identification, Title, Org unit (organization unit), Grade
    -Descriptive information or organizational identification of the user. These areas are for documentation only and are optional.
  • Password
    -One- to 12-character string that the user must specify on the CA Ideal™ for CA Datacom® signon screen. The contents of this field on the user definition panel are displayed or are invisible, depending on the value assigned to the IDOPTSCB parameter PSWDIS=. (The user can modify this password without editing the user definition fill-in by using the ALTER SIGNON PASSWORD command.)
  • Re-enter to confirm pswd
    -A prompt and field that appear only when the IDOPTSCB parameter PSWDIS=INVISIBLE, used to verify the password field. For more information about customizing the CA Ideal™ for CA Datacom® options block using IDOPTSCB, see Optimizing Storage Management.
  • Date created
    -Initial date of the user definition. The system supplies this date. It is not modifiable.
  • Last modified at
    -Date and time when this user definition was last accessed in edit mode. The system supplies the date. It is not modifiable. The system also supplies the time in the format hh:mm. It is not modifiable.
  • IDEAL Privileges
    -Each user of CA Ideal™ for CA Datacom® is assigned (by marking with an x) one or more levels of privileges that govern the commands and services available to that user. You must select at least one privilege to make the user definition valid for signing on to CA Ideal™ for CA Datacom®. (To disable an existing CA Ideal™ for CA Datacom® user, erase all CA Ideal™ for CA Datacom® privileges and ignore the resulting error message.)
    • IDEAL Administrator
      -Grants the user global authorization to perform any command or service in all systems, including all services governed by all other privileges.
    • PRINT Administrator
      -Establishes a CA Ideal™ for CA Datacom® user with the authorization to control the printing facility (which includes the ability to define and delete print destinations).
    • DVW Administrator
      -Establishes a CA Ideal™ for CA Datacom® user with the authorization to catalog dataviews for CA Ideal™ for CA Datacom®.
    • IDEAL User
      -Specifies that the user is authorized to use only commands that affect the current session.
    The following table illustrates how the selection of a privilege also implies commands and services governed by other privileges.
    Specified Privilege    IDEAL Admin   PRINT Admin   DVW Admin   IDEAL User
    -------------------    -----------   -----------   ---------   ----------
    IDEAL Administrator         X             X            X           X
    PRINT Administrator                       X                        X
    DVW Administrator                                      X           X
    IDEAL User                                                         X
  • Assigned systems
    -Designates which CA Ideal™ for CA Datacom® systems this user is authorized to use and the authorization level the user has for each system. To assign more than the ten systems allowed on the panel, scroll forward using the PF8 key.
    A user's access to a system and to the commands that can execute in a system is controlled by the authorization specified here. The user must be assigned to at least one CA Ideal™ for CA Datacom® system to successfully sign on to CA Ideal™ for CA Datacom®.
    • CONTROL
      -Authorizes full control of the specified system, including the creation and deletion of programs, panels, and reports; editing the identification fill-in for programs, panels, and reports; and editing the resource fill-in of a program definition. This authorization automatically implies all other levels in the system, except running production programs (RUN-PROD) that must be selected separately.
    • UPDATE
      -Authorizes the user to update (edit) or read (display, print, and so on) all programs, panels, and reports in the system (except the identification fill-in and resource fill-in). This authorization automatically implies all levels in the system except control (CONTROL) and running production programs (RUN-PROD).
    • READ
      -Authorizes the user to read (display, print, and so on) programs, report definitions, and panel definitions in the system.
    • UPDATE-PNL (update panel)
      -Authorizes the user to update panel definitions in the system.
    • UPDATE-RPT (update report)
      -Authorizes the user to update report definitions in the system.
    • RUN-PROD (run production)
      -Authorizes the user to run production programs in this system.
The following table illustrates how the assignment of an authorization in a system implies commands and services governed by a lesser authorization.
    Specified Authorization   CONTROL   UPDATE   UPD-PNL   UPD-RPT   READ   RUN-PROD
    -----------------------   -------   ------   -------   -------   ----   --------
    CONTROL                      X        X         X         X       X
    UPDATE                                X         X         X       X
    UPD-PNL                                         X                 X
    UPD-RPT                                                   X       X
    READ                                                              X
    RUN-PROD                                                                    X
Note:
To enable the newly defined user to sign onto CA Ideal™ for CA Datacom®, issue the command MARK * PROD or MARK USER xxx VER n TO PROD after defining the user.
Maintaining User Definitions Online
Use the following CA Ideal™ for CA Datacom® commands to display, maintain, copy, and list existing user definitions.
  • CREATE USER
    Displays a fill-in panel that creates a user definition in the dictionary.
  • EDIT/DISPLAY USER
    Displays an existing user definition and makes it the current entity.
  • PRINT USER
    Prints a specific user definition.
  • DELETE USER
    Deletes a user definition that is in history or test status. User definitions in production status must be marked to history before they can be deleted.
    For important information about using the DELETE command to delete user definitions, see the notes following this table.
  • MARK STATUS USER
    Marks a user definition's status to production or history. A user definition must be in production status before the user can sign onto CA Ideal™ for CA Datacom®.
  • DUPLICATE USER
    Copies an existing user definition to the next version. The new definition becomes the current user definition, and the user fill-in displays for modification. You can modify the new user definition as long as the status is test. Until it is modified, the newly created version is identical to the previous version, including the name.
    Note:
    You cannot copy a user definition to a new name with the DUPLICATE USER command.
  • DISPLAY/PRINT INDEX
    Lists the name and status of each user definition currently in the dictionary. You can request an index for one or all users, with or without listing the related systems. Margin commands can be used to display, edit, delete, or mark the status of the displayed user definitions.
Note:
Before deleting a user definition, be sure to delete any data members that exist for that user, since the DELETE MEMBER command requires the Person Name or User ID from the user definition. If the user definition is deleted before the members that belong to that user are deleted, the members become impossible to delete with the CA Ideal™ for CA Datacom® DELETE command.
To determine whether the user has members, use the command:
DISPLAY INDEX MEMBER USER username
Then enter the DELETE line command for each member displayed and press Enter. (You could use the following command to delete a member but the DELETE MEMBER command must be repeated for each member.)
DELETE MEMBER memname USER username
Marking a user definition to history and deleting it using this DELETE command also removes the corresponding PERSON entity occurrence from the dictionary facility. If that user was authorized for any other CA products, those authorizations are automatically deleted.
To disable a user from CA Ideal™ for CA Datacom® without affecting that user's authorizations for other CA products, follow this procedure:
  1. Duplicate the existing production version of the user to NEXT VERSION. This displays the next version of the user definition for editing.
  2. While viewing the user definition fill-in for the new test-status version (in edit mode), erase all CA Ideal™ for CA Datacom® privileges and press Enter.
    The following message displays:
    ADUEDP11 - Please enter <i_dcm> privilege(s)
  3. Ignore the preceding message and mark the new version of the user definition to production. The CA Ideal™ for CA Datacom® editor does not allow the update unless there is at least one SYSTEM related to the USER definition. Without any CA Ideal™ for CA Datacom® privileges, signon to CA Ideal™ for CA Datacom® with this user ID results in the following error message:
    IDADIDIN05E - USR xxx has no signon authorization for <i_dcm>
The Datadictionary batch utility, DDUPDATE, also removes CA Ideal™ for CA Datacom® authorization (transaction 1003 UNRL).
Creating CA Ideal™ for CA Datacom® Users in Batch
The usual method to create CA Ideal™ for CA Datacom® users is to use the CREATE USER command. However, adding large numbers of users this way can be a time-consuming process. CA Ideal™ for CA Datacom® users can be created in batch using Datadictionary (DDUPDATE).
A valid CA Ideal™ for CA Datacom® user definition consists of the following Datadictionary entity-occurrences:
  • A PERSON entity-occurrence
  • An ALIAS for the PERSON entity-occurrence that must match the PERSON userid attribute
  • One or more RELATIONSHIP occurrences between the PERSON and the four CA Ideal AUTHORIZATION profiles and (optionally) one of the DD AUTHORIZATION profiles:
    • $$ID-ADM IDEAL Administrator
    • $$ID-DVW DVW Administrator
    • $$PR-ADM PRINT Administrator
    • $$ID-USE IDEAL User
  • One or more RELATIONSHIP occurrences between the PERSON and the defined CA Ideal SYSTEM entity-occurrences. The intersection data (INTER-DATA) of this relationship occurrence must contain the following information:
    Pos   Contents
    1-3   $ID (constant)
    4     One byte of bit settings for the authorization level in the related system, as follows:
          1... .... - Control
          .1.. .... - Update
          ..1. .... - Read
          ...1 .... - Run-Prod
          .... 1... - Not Used
          .... .1.. - Not Used
          .... ..1. - Update-Report
          .... ...1 - Update-Panel
Following is a sample set of DDUPDATE transactions to add a new user to CA Ideal™ for CA Datacom®:
    -ADD PERSON,long-user-name
    1003 RELT,SYSTEM,system-name(ver),PER-SYS-ACCESS
    1003 DATA,$IDx
    1010 ADD $$ID-ADM
    1010 ADD $$ID-DVW
    1010 ADD $$PR-ADM
    1010 ADD $$ID-USE
    1014 pppppppppppp uuu
    -END
    -UPD PERSON,long-user-name(001),PROD
    -END
  • The -ADD transaction is a header transaction. It adds the PERSON entity-occurrence for user long-user-name (from 1 to 15 characters).
  • The 1003 RELT, SYSTEM transaction relates the user 'long-user-name' to the system 'system-name(ver)'. The new user can be related to a maximum of 99 SYSTEMs.
  • There must be a matching 1003, DATA transaction for each 1003 RELT, SYSTEM transaction. The 1003 DATA transaction gives the user authorization within the system specified in the corresponding 1003 RELT, SYSTEM transaction. The authorization bit setting ('x') is determined using the following table:
    AUTH IN SYS:
    TYPE               HEX   CHAR
    ---------------    ---   ----
    CTL + RUN-PROD     F3    3
    CTL                E3    T
    UPD + RUN-PROD     7B    #
    UPD                6C    %
    READ + RUN-PROD    30
    READ               20
    RUN-PROD           10
  • The 1010 ADD transaction assigns the user a privilege title: {IDEAL-ADMIN, DATAVIEW-ADMIN, PRINT-ADMIN, IDEAL-USER}.
    For example, to define an IDEAL-USER, supply only the following transaction:
    1010 ADD $$ID-USE
  • The 1014 transaction defines a password and the userid for the 'long-user-name'. If a password is not desired, the 1014 transaction must still be included to add the userid. Note that the userid MUST start in column 19.
  • The -END transaction marks the conclusion of each transaction group.
  • The -UPD transaction marks the 'long-user-name' definition to PROD status.
  • The -END transaction marks the conclusion of each transaction group.
When these transactions have been successfully executed, the new CA Ideal™ for CA Datacom® user is ready to sign on.
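The following Python script is an added example, not part of the CA documentation: it reviews a DDUPDATE deck before it is submitted, decoding the authorization byte of each 1003 DATA transaction with the bit settings listed above and reporting administrator-level grants and any 1003 RELT,SYSTEM transaction that has no matching 1003 DATA. The sample deck, the names JSMITH, OPSADMIN and PAYROLL, and the assumption that the host reads the deck as EBCDIC code page 037 are constructed for this example.

```python
import re

# Bit meanings of INTER-DATA position 4, as listed on this page
# (0x08 and 0x04 are documented as Not Used and are ignored here).
AUTH_BITS = [(0x80, "CONTROL"), (0x40, "UPDATE"), (0x20, "READ"),
             (0x10, "RUN-PROD"), (0x02, "UPDATE-RPT"), (0x01, "UPDATE-PNL")]
# Authorization profiles named on this page.
PROFILES = {"$$ID-ADM": "IDEAL Administrator", "$$ID-DVW": "DVW Administrator",
            "$$PR-ADM": "PRINT Administrator", "$$ID-USE": "IDEAL User"}

# Constructed sample deck: user names, systems and passwords are made up.
SAMPLE_DECK = """\
-ADD PERSON,JSMITH
1003 RELT,SYSTEM,PAYROLL(001),PER-SYS-ACCESS
1003 DATA,$ID3
1003 RELT,SYSTEM,DOC(001),PER-SYS-ACCESS
1003 DATA,$ID%
1010 ADD $$ID-USE
1014 PLACEHOLDER  JSM
-END
-ADD PERSON,OPSADMIN
1003 RELT,SYSTEM,PAYROLL(001),PER-SYS-ACCESS
1010 ADD $$ID-ADM
1014 PLACEHOLDER  OPS
-END
"""

def decode_auth(char):
    """Decode the character after $ID into (byte value, authorization names).

    Assumption: the deck is read on the host as EBCDIC (code page 037)."""
    byte = char.encode("cp037")[0]
    return byte, [name for bit, name in AUTH_BITS if byte & bit]

def audit_deck(text):
    """Return {person: {"systems": {...}, "privileges": [...], "findings": [...]}}."""
    report, entry, pending = {}, None, None

    def close_pending():
        # Every 1003 RELT,SYSTEM needs a matching 1003 DATA transaction.
        nonlocal pending
        if entry is not None and pending:
            entry["findings"].append(f"{pending}: RELT without matching DATA")
        pending = None

    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"[-+](?:ADD|UPD) PERSON,([^,(]+)", line):
            close_pending()
            entry = report.setdefault(
                m.group(1), {"systems": {}, "privileges": [], "findings": []})
        elif entry is None:
            continue
        elif m := re.match(r"1003 RELT,SYSTEM,([^,(]+)", line):
            close_pending()
            pending = m.group(1)
        elif (m := re.match(r"1003 DATA,\$ID(.)", line)) and pending:
            byte, names = decode_auth(m.group(1))
            entry["systems"][pending] = names
            if byte & 0x80:
                entry["findings"].append(f"{pending}: CONTROL granted (x'{byte:02X}')")
            pending = None
        elif m := re.match(r"1010 ADD (\S+)", line):
            title = PROFILES.get(m.group(1), f"unknown profile {m.group(1)}")
            entry["privileges"].append(title)
            if m.group(1) == "$$ID-ADM":
                entry["findings"].append("IDEAL Administrator privilege granted")
        elif line[1:] == "END":
            close_pending()
            entry = None
    return report

if __name__ == "__main__":
    for person, info in audit_deck(SAMPLE_DECK).items():
        print(person, info)
```

The decoder reports only the bits the page documents, so `%` (x'6C') shows UPDATE and READ; the panel and report authorizations it carries follow from the implication table for UPDATE rather than from bits 0x02 and 0x01.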
Using Batch to Maintain CA Ideal™ for CA Datacom® User Definitions
It is possible to create, as well as update, CA Ideal users in batch through the Datadictionary utility program DDUPDATE.
Adding Aliases
You may want to add aliases to existing user definitions on a large scale. The following DDUPDATE transactions let you add an alias to existing users in batch:
    +UPD PERSON,person1(PROD,,ovrd)
    1103 ADD alias1
    +END
    +UPD PERSON,person2(PROD,,ovrd)
    1103 ADD alias2
    +END
Adding Systems
Changes to an existing user's SYSTEM authorization online require duplicating the user to the next version, modifying the user definition, and then marking the new version to PROD status. You can make the same changes in batch using DDUPDATE 1003 transactions to relate and unrelate systems to users. The following DDUPDATE transactions let you add an additional system to an existing user in batch.
    +UPD PERSON,person1(PROD,,ovrd)
    1003 RELT,SYSTEM,long-system-nme(PROD),PER-SYS-ACCESS
    1003 DATA,$IDx
    +END
$ID is a constant and x is the authorization. The 1003 DATA statement is the intersection data (INTER-DATA) for this RELATIONSHIP occurrence and must contain the following information:
  • Positions 1 through 3 contain the $ID (constant)
  • Position 4 contains a one-byte value with the following bit-settings for the authorization level in the related system:
    0x80 = Control
    0x40 = Update
    0x20 = Read
    0x10 = Run-Prod
    0x08 = Not Used
    0x04 = Not Used
    0x02 = Update-Report
    0x01 = Update-Panel
Updating System Authorizations
The following DDUPDATE transactions let you update the system authorization of a production status CA Ideal™ for CA Datacom® user definition in batch.
    +UPD PERSON,person1(PROD,,ovrd)
    1003 UNRL,SYSTEM,long-system-nme(PROD),PER-SYS-ACCESS
    1003 RELT,SYSTEM,long-system-nme(PROD),PER-SYS-ACCESS
    1003 DATA,$IDx
    +END
Changing Passwords
If you need to change many CA Ideal™ for CA Datacom® user passwords, the easiest way in batch is to use a 1014 transaction in DDUPDATE for each user. You do not need to issue an ALTER SIGNON PASSWORD command to change the CA Ideal™ for CA Datacom® password. When you change your password in DDOL, you are also changing it for CA Ideal™ for CA Datacom®, and conversely.
In this case, using DDUPDATE is more efficient than using CA Ideal™ for CA Datacom® batch. One execution of DDUPDATE with one 1014 transaction is required for each user, unlike CA Ideal™ for CA Datacom® batch, which requires that you set up one batch job or one batch step for each user that includes the SIGNON and ALTER SIGNON password transactions.
Also, remember that you need a -UPD PERSON transaction header for each user.