Securing User Profiles

About User Profiles
You define a user profile to specify attributes for a user session in the domain (that is, irrespective of the system to which the user is signed on), whether the execution mode is online or batch.
Until you secure the user profile resource, any user can maintain user profile definitions in the user catalog.
How to Secure User Profiles
To secure user profiles internally, include an entry in the SRTT:
#SECRTT    TYPE=ENTRY,
       RESTYPE=UPRF,                                           X
       SECBY=INTERNAL                                          X
To secure the user profiles externally, include an entry in the SRTT:
#SECRTT    TYPE=ENTRY,
       RESTYPE=UPRF,                                           X
       SECBY=EXTERNAL,                                         X
Additional parameters required
For more information, see #SECRTT.
Attributes
An attribute is the combination of a keyword and a value associated with the keyword. A user profile can contain multiple attributes.
Attributes are used by CA IDMS software to control the user session. Attributes can also be retrieved by application programs for additional application security and other purposes.
When you specify an attribute in a user profile definition, you have the option of marking it to indicate that the user is not permitted to override the attribute value at runtime with a DCUF SET PROFILE statement or, for attribute keywords with meaning to CA IDMS, with a SYSIDMS parameter.
For more information on DCUF SET PROFILE, see the CA IDMS System Tasks and Operator Reference section.
For more information on SYSIDMS parameters, see the Using section.
How to Define User Profiles
You define a user profile with the CREATE USER PROFILE statement.
In this example, the first statement creates a user profile called MISPROF and the second statement associates the profile with user RKN:
create user profile misprof
  attributes
    dept='0056' override no,
    jobcode='42' override no,
    schema='&user'.,
    prtdest='gdnc005';

alter user rkn
  profile misprof;
For more information on creating and maintaining user profile definitions, see the following sections:
Granting Definition Privileges on User Profiles
You can delegate the authority to define and maintain user profiles by granting definition privileges on user profiles. You can specify any combination of CREATE, ALTER, DROP, and DISPLAY privileges, or you can specify all definition privileges (DEFINE). You can specify WITH GRANT OPTION when you grant these privileges to allow the user to grant the same privileges to another user.
For more information, see GRANT Definition Privileges.
Associating User Profiles with Users
You can associate a user profile with a user in one of the following ways:
  • Explicitly in the PROFILE parameter of a CREATE USER or ALTER USER statement.
    For more information, see the following sections:
  • Implicitly by assigning the user profile a name matching the user ID.
    This user profile is located at signon if no user profile has been specified in the user definition.
User Attributes in a System Profile
A system profile allows you to set the attributes of a user's session for a specific system. The system profile associated with the user is determined in one of the following ways:
  • By the specification, if any, made in the GRANT SIGNON statement for the user.
  • By the specification of the default system profile made on the initial #SECRTT macro.
  • If not specified on the #SECRTT macro, the system profile DEFAULT, if it exists.
Even if there is no system profile specification in GRANT SIGNON or on the #SECRTT macro, you can tailor a system profile to a user or the user's default group by specifying INCLUDE='&USER'. or INCLUDE='&GROUP'. in a system profile named DEFAULT, because the system searches for the system profile DEFAULT at signon time.
If you have created a system profile with a name that matches the ID of the signed-on user and system profile DEFAULT contains INCLUDE='&USER'., the attributes of the nested system profile with a name matching &USER. are set for the session profile.
If you have created a system profile with a name that matches the name of the signed-on user's default group and system profile DEFAULT contains INCLUDE='&GROUP'., the attributes of the nested system profile with a name matching &GROUP. are set for the session profile.
Scope of Profiles
The scope of system profile DEFAULT is the set of systems that share the SYSTEM.DDLDML area in which DEFAULT is defined. The scope of a user profile is the CA IDMS domain, which is the set of systems that share the SYSUSER.DDLSEC area. System profile attributes take precedence over matching user profile attributes unless the user profile attribute is defined with the OVERRIDE NO parameter.
For more information on system profiles, see the CA IDMS System Tasks and Operator Reference section.
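The OVERRIDE NO rules from the Attributes and Scope of Profiles sections, as an added Python audit sketch (not CA IDMS code and not part of the original documentation): it parses the CREATE USER PROFILE statement shown earlier, lists the attributes a user could still override at runtime, and applies the stated precedence against a system profile. The parser handles only the statement shape shown on this page; the function names and the system profile values are constructed for illustration.

```python
import re

# Constructed input: the CREATE USER PROFILE statement from this page.
DDL = """
create user profile misprof
  attributes
    dept='0056' override no,
    jobcode='42' override no,
    schema='&user'.,
    prtdest='gdnc005';
"""
# Constructed system profile attributes (assumption, not from the page).
SYSTEM_ATTRS = {"DEPT": "'9999'", "PRTDEST": "'sysprt01'"}

# keyword='value' with an optional trailing period and optional OVERRIDE NO
ATTR = re.compile(r"(\w+)\s*=\s*('[^']*'\.?)(\s+override\s+no)?", re.I)

def parse_profile(ddl):
    """Return (profile name, {KEYWORD: (value, locked)}); locked means OVERRIDE NO."""
    m = re.search(r"create\s+user\s+profile\s+(\w+)\s+attributes\s+(.*?);",
                  ddl, re.I | re.S)
    if not m:
        raise ValueError("not a CREATE USER PROFILE ... ATTRIBUTES statement")
    attrs = {key.upper(): (value, bool(lock))
             for key, value, lock in ATTR.findall(m.group(2))}
    return m.group(1).upper(), attrs

def runtime_overridable(user_attrs):
    """Keywords not marked OVERRIDE NO, so the user may change them at runtime."""
    return sorted(k for k, (_, locked) in user_attrs.items() if not locked)

def effective_session(user_attrs, system_attrs):
    """System profile value wins on a matching keyword unless the user
    profile attribute is locked with OVERRIDE NO."""
    session = {}
    for key in sorted(set(user_attrs) | set(system_attrs)):
        in_user = key in user_attrs
        if in_user and (user_attrs[key][1] or key not in system_attrs):
            session[key] = (user_attrs[key][0], "user profile")
        else:
            session[key] = (system_attrs[key], "system profile")
    return session

if __name__ == "__main__":
    name, attrs = parse_profile(DDL)
    print(name, "overridable at runtime:", runtime_overridable(attrs))
    for key, (value, source) in effective_session(attrs, SYSTEM_ATTRS).items():
        print(f"{key:8} {value:12} from {source}")
```

In the page's MISPROF example, SCHEMA and PRTDEST are the attributes left without OVERRIDE NO, so they are the ones to review if their values are relied on for access decisions.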