#SECRTT

#SECRTT Generates the table that is used to route security check requests for each resource type to the internal or external security system.
#SECRTT Authorization
Authorization to assemble the #SECRTT macro, if any, is defined in an external security system.
#SECRTT Syntax
Syntax for TYPE=INITIAL
►►─── #SECRTT TYPE=INITIAL ───────────────────────────────────────────────────►

 ►─┬───────────────────────────────────┬──────────────────────────────────────►
   └─ ,ENVNAME= ─┬─ environment-name ─┬┘
                 └─ NULL ◄────────────┘

 ►─┬────────────────────────────────┬─────────────────────────────────────────►
   └─ ,SGNRETN= ─┬─ time-interval ─┬┘
                 └─ OFF ◄──────────┘

 ►─┬──────────────────────────────────────────────────────────────┬───────────►
   └─ ,SYSPROF= ─── ( ──┬─ OFF ──────────┬─┬────────────────┬─ ) ─┘
                        ├─ NULL ─────────┤ └─ , ─┬─ ON ─────┤
                        ├─ USER ─────────┤       └─ OFF ◄───┘
                        ├─ GROUP ────────┤
                        ├─ SYSTEM ───────┤
                        ├─ DEFAULT ◄─────┤
                        └─ profile-name ─┘

 ►─┬──────────────────────────────────────────────────────────────┬───────────►
   └─ ,USRPROF= ─── ( ──┬─ OFF ──────────┬─┬────────────────┬─ ) ─┘
                        ├─ NULL ─────────┤ └─ , ─┬─ ON ─────┤
                        ├─ USER ◄────────┤       └─ OFF ◄───┘
                        ├─ GROUP ────────┤
                        ├─ SYSTEM ───────┤
                        └─ profile-name ─┘

 ►─┬────────────────────────┬─────────────────────────────────────────────────►
   └─ ,DFLTSGN= ─┬─ YES ──┬─┘
                 └─ NO ◄──┘

 ►─┬────────────────────────────────────────────────┬─────────────────────────►
   └─ ,DFLTUID= ──┬───────── user-identifier ─────┬─┘
                  │     ┌─────── , ───────┐       │
                  └─ ( ─▼─┬─ VTAMNODE ──┬─┴── ) ──┘
                          ├─ PTERMID ───┤
                          └─ LTERMID ───┘

 ►─┬──────────────────────────────┬───────────────────────────────────────────►
   └─ ,EXTRUID= user-identifier ──┘

 ►─┬───────────────────────────────────┬──────────────────────────────────────►
   └─ ,MAXRESN= ─┬─ resource-entries ─┬┘
                 └─ 150 ◄─────────────┘

 ►─┬────────────────────────────┬─────────────────────────────────────────────►◄
   └─ ,SVCNUM= ─┬─ svc-number ─┬┘
                └─ 175 ◄───────┘
Syntax for TYPE=ENTRY and TYPE=OCCURRENCE
►►─── #SECRTT TYPE= ─┬─ ENTRY ────────────────────────────────┬───────────────►
                     └─ OCCURrence,RESNAME= 'resource-name', ─┘

 ►─── RESTYPE= resource-type-name ────────────────────────────────────────────►

 ►─┬──────────────────────────┬───────────────────────────────────────────────►
   └─ ,SECBY= ─┬─ EXTernal ─┬─┘
               ├─ INTernal ─┤
               └─ OFF ◄─────┘

 ►─┬──────────────────────────────────────────┬───────────────────────────────►
   └─ ,EXTCLS= ─┬─ resource-class-variable ─┬─┘
                └─ 'resource-class-name' ───┘

 ►─┬─────────────────────────────────────────┬────────────────────────────────►
   │               ┌──────── , ───────┐      │
   └─ ,EXTNAME= ( ─▼─┬─ ACTIvity ───┬─┴─ ) ──┘
                     ├─ APPLname ───┤
                     ├─ DBNAme ─────┤
                     ├─ DDNAme ─────┤
                     ├─ ENVIr ──────┤
                     ├─ RESName ◄───┤
                     ├─ RESTYPE ────┤
                     ├─ SCHEma ─────┤
                     ├─ SSNAme ─────┤
                     ├─ SYSTem ─────┤
                     └─ VERSion ────┘

 ►─┬────────────────────────┬─────────────────────────────────────────────────►
   └─ ,NOPTCHK= ─┬─ YES ──┬─┘
                 └─ NO ◄──┘
Syntax for TYPE=FINAL
►►─── #SECRTT TYPE=FINAL ─────────────────────────────────────────────────────►◄
#SECRTT Parameters
  • TYPE=
    Specifies the type of action to result from assembling the macro.
    In a series of #SECRTT macros, the first of the series must specify TYPE=INITIAL and the last must specify TYPE=FINAL.
    • INITIAL
      Specifies that entries in the SRTT for all CA IDMS-defined resources are to be initialized.
      For each resource type, the initial values are the following:
      • SECBY=OFF
      • EXTNAME=(RESNAME)
      • EXTCLS=blanks
  • ENVNAME=environment-name
    Specifies a name for the environment that uses the SRTT.
    Environment-name can be used in external resource name construction.
    Environment-name must be one to eight characters in length.
    • NULL
      Specifies that there is no name for the environment that uses the SRTT.
  • SGNRETN=
    Specifies whether CA IDMS should retain signon information originating from external request units (ERUs). This option provides performance improvements in environments which process large numbers of short-lived ERUs and external security systems.
    • time-interval
      Specifies the time in minutes that CA IDMS should retain signon information for external request units after the last session has been ended by signoff.
      You can specify the CA IDMS command, DCUF SHOW USERS ALL, to show the retained user's signons with an LTERMID of *NONE*.
      Note:
      If a user signs on to the CA IDMS CV through a VTAM or TSO UCF connection and this is the last (or only) session, a FULL signoff is performed and the retained signon information and control blocks are freed from the CA IDMS CV.
    • OFF
      Specifies that a full signoff, which frees all retained control blocks, will be performed at the end of the last (or only) session for the user. OFF is the default.
  • SYSPROF=
    Specifies the default SYSTEM profile and whether SYSTEM profiles should be processed for external run units.
    • OFF
      Specifies that no SYSTEM profile should be processed.
      Note:
      If SYSTEM profiles are OFF, they will be off for all tasks including external run units, regardless of the setting of the second subparameter.
    • NULL
      Specifies that there is no default SYSTEM profile.
    • USER
      Specifies that the default SYSTEM profile name is the user-id.
    • GROUP
      Specifies that the default SYSTEM profile name is the name of the user's default group.
    • SYSTEM
      Specifies that the default SYSTEM profile name is the SYSTEM ID defined in SYSGEN.
    • profile-name/DEFAULT
      Specifies the name of the default profile. The profile name must be 1 to 18 characters.
      • ON
        Indicates that profiles should be processed for external run units. The default profile, if any, is specified by the first subparameter.
      • OFF
        Indicates that profiles should not be processed for external run units. The default is OFF.
  • USRPROF=
    Specifies the default USER profile and whether USER profiles should be processed for external run units.
    • OFF
      Specifies that no USER profile should be processed.
      Note:
      If USER profiles are OFF, they will be off for all tasks including external run units, regardless of the setting of the second subparameter.
    • NULL
      Specifies that there is no default USER profile.
    • USER
      Specifies that the default USER profile name is the user-id.
    • GROUP
      Specifies that the default USER profile name is the name of the user's default group.
    • SYSTEM
      Specifies that the default USER profile name is the SYSTEM ID defined in SYSGEN.
    • profile-name/DEFAULT
      Specifies the name of the default profile. The profile name must be 1 to 18 characters.
      • ON
        Indicates that profiles should be processed for external run units. The default profile, if any, is specified by the first subparameter.
      • OFF
        Indicates that profiles should not be processed for external run units. The default is OFF.
  • DFLTSGN=
    Specifies whether CA IDMS should perform a signon using a specific name if a security check is issued and the terminal operator has not signed on. The name to use for the default signon is defined by the DFLTUID parameter.
    • YES
      Enables default signon.
    • NO
      Disables this option.
  • DFLTUID=
    Specifies the default signon CA IDMS is to use when the DFLTSGN parameter is enabled, a security check is issued, and the terminal operator has not signed on. Specify a user-identifier or a list of up to three ID options in parentheses. If DFLTSGN=YES and you don't specify DFLTUID parameters, the default is as follows: (VTAMNODE,PTERMID,LTERMID).
    • user-identifier
      Specifies the default signon as an unquoted literal from 1 to 18 characters in length.
    • VTAMNODE
      Specifies that for VTAM terminals, the VTAM node name is used as the default signon.
    • PTERMID
      Specifies that the PTERM ID is used as the default signon, if the PTERM is available and the option has not been satisfied by the VTAMNODE parameter (non-VTAM terminals, or VTAMNODE not specified for VTAM terminals).
    • LTERMID
      Specifies that the LTERM ID is used as the default signon, if the option has not been satisfied by the VTAMNODE or PTERMID parameters.
  • EXTRUID=
    Specifies the extract user ID that can be used at sites that do not have an external security system.
    User-identifier is an unquoted literal from 1 to 18 characters in length.
  • MAXRESN=max-resource-entries
    Specifies the maximum number of entries in the #SECRTT global table.
    If the default of 150 entries is exceeded, the assembly of the #SECRTT fails with a condition code of 12 and an assembler error message displays:
    "12, SRTT GLOBAL TABLE OVERFLOW. GENERATION ABORTED".
    When this error message is received, review the #SECRTT entries. Check the wildcards to ensure they are valid and used properly. When wildcards are used properly, they reduce the number of entries in the #SECRTT global table.
    Excessive entries require CPU time to resolve each security check.
    150 is the default. It can be increased if necessary.
  • SVCNUM=svc-number
    Specifies the installed SVC number. This parameter is required. If svc-number is not specified, the system defaults to 175.
  • ENTRY
    Specifies that the user-supplied values apply to all occurrences of the resource type identified in the RESTYPE parameter.
    For each resource type whose default values you want to replace in SRTT, you must issue a #SECRTT macro with TYPE=ENTRY.
  • OCCURRENCE
    Specifies that the user-supplied values apply to one occurrence of the resource type identified in the RESTYPE parameter.
    TYPE=OCCURRENCE is valid only for resource types DB, SPGM, and TASK.
    EXTCLS= and EXTNAME= specifications are ignored if TYPE=OCCURRENCE. Therefore, if you specify TYPE=OCCURRENCE and SECBY=EXTERNAL to secure an occurrence override externally, be sure to specify EXTCLS= and EXTNAME= on the TYPE=ENTRY macro for the resource type. This information will be used for checks on the occurrence override.
  • RESNAME='resource-name'
    Names the occurrence of the resource to which the user-supplied values in the macro apply. You must enclose the resource name in quotes.
    If TYPE=OCCURRENCE, the value in resource-name is treated as a wildcarded name. Thus, if RESTYPE=SPGM and RESNAME='RHDC', the scope of the override is all program names that begin with 'RHDC'.
    If you do not want wildcarding to take effect (that is, you want to limit the scope of the override to only one resource-name), include a blank character at the end of the resource-name. Thus, if RESTYPE=SPGM and RESNAME='TEST01 ', the scope of the override is the program 'TEST01' only.
  • RESTYPE=resource-type-name
    Specifies the resource type you are defining in the SRTT.
    Resource-type-name must be 1 to 4 characters in length and may identify a resource type defined by CA IDMS or a user-defined resource type.
    The following table lists valid resource type names for CA IDMS resources:
    Global resources
      SYSADMIN privilege      SYSA
      User                    USER
      Group                   GROU
      User profile            UPRF
    System resources
      DCADMIN privilege       DCA
      System                  SYST
      System profile          SPRF
      Signon                  SGON
      Activity                ACTI
      Task                    TASK
      Load module             SLOD
      Queue                   QUEU
      Access module           SACC
      Program                 SPGM
    Database resources
      DBADMIN                 DB
      Database                DB
      Area                    DB (AREA)(1)
      Rununit                 DB (NRU)(1)
      Schema (SQL)            DB (QSCH)(1)
      Non-SQL schema          DB (NSCH)(1)
      Access module           DB (DACC)(1)
      Table                   DB (TABL)(1)
      DMCL                    DMCL
      Database name table     DBTB
    (1) Resource type is secured when DB is secured. DBADMIN privilege is secured when you activate security for DB.
  • SECBY=
    Specifies the security option for the resource type identified in the RESTYPE parameter.
    • EXTERNAL
      Specifies that security-checking for the resource type is performed using definitions in an external security system.
      If you specify SECBY=EXTERNAL, you must include the EXTCLS and EXTNAME parameters in the macro.
    • INTERNAL
      Specifies that security-checking for the resource type is performed using security definitions in CA IDMS.
      SECBY=INTERNAL is valid for any CA IDMS resource type (see the table of resource type names under RESTYPE=). It is not valid for a user-defined resource type.
    • OFF
      Specifies that no security-checking is performed for the resource type; the resource type is unsecured.
  • EXTCLS=
    Maps the CA IDMS resource type specified in the RESTYPE parameter to the resource class you have defined for this type in the external security system.
    EXTCLS is required when TYPE=ENTRY and SECBY=EXTERNAL for the entry or for any occurrence override of the entry.
    If EXTCLS is specified, the information is recorded in the SRTT but used only when security enforcement is external.
    • resource-class-variable
      Specifies a variable containing the name of the external resource class.
    • 'resource-class-name'
      Specifies the name of the external resource class.
  • EXTNAME=
    Using a set of predefined keywords, specifies the fields to be included in the external resource name. The order in which you specify the keywords is the order in which the fields will be included in the external resource name.
    Since EXTNAME defines the format of the resource name for external security requests, the format you specify here must match the naming conventions for the corresponding resource class in the external security system.
    For more information on constructing external resource names, see Using External Security.
    EXTNAME is required when TYPE=ENTRY and SECBY=EXTERNAL for the entry or for any occurrence override of the entry.
    If EXTNAME is specified, the information is recorded in the SRTT but used only when security enforcement is external.
    • ACTIvity
      Includes in the external resource name the activity number supplied by the application.
      When formatted for an external security request, this field will be a 4- to 8-character string that is the concatenation of the following:
      • Either the application name or the first 5 characters of the application name (if the full name exceeds 5 characters).
      • The 3-digit activity number in displayable format.
    • APPLname
      Includes the full application name, as supplied on the current security request, in the external resource name.
    • DBNAme
      Includes the database name, as supplied on the current security request, in the external resource name.
    • DDNAme
      Includes the ddname, as supplied on the current security request, in the external resource name. The ddname defines the operating system library in which the program (resource type SPGM) resides.
    • ENVIr
      Includes the environment name in the external resource name.
    • RESName
      Includes the resource name as specified on the current security request in the external resource name.
    • RESType
      Includes the resource type, as supplied on the RESTYPE= parameter for this SRTT entry, in the external resource name.
    • SCHEma
      Includes the schema name, as supplied on the current security request, in the external resource name. The schema name qualifies the names of SQL tables (resource type TABL) and access modules (resource types DACC and SACC).
    • SSNAme
      Includes the subschema name, as supplied on the current security request, in the external resource name.
    • SYSTem
      Includes the name of the CA IDMS system in the external resource name.
    • VERSion
      Includes the version number for load modules (resource type SLOD) and non-SQL schemas (resource type NSCH), as supplied on the current security request, in the external resource name.
  • NOPTCHK=
    Specifies if the PassTicket APPLID check should be suppressed. When set to YES, this option eliminates the need for RACF users to require access to the CV VTAM APPLID during sign-on processing. This option is only applicable for RESTYPE=SGON and SECBY=EXTERNAL.
    • YES
      Indicates that the check for the VTAM APPLID should be suppressed.
    • NO
      Indicates that the check for the VTAM APPLID should not be suppressed. The default is NO.
  • FINAL
    Indicates the end of SRTT specifications.
    You can specify TYPE=FINAL only once. SRTT entries will be generated from the series of #SECRTT macros beginning with the one that specifies TYPE=INITIAL.
#SECRTT Usage
User-Defined Resource Types
Resource-type-name can be a user-defined resource type. The valid SECBY specifications for a user-defined resource type are EXTERNAL or OFF.
The following short resource type names are reserved by CA IDMS for future use. If you specify one of these short resource type names in a #SECRTT assembly, an error message will be returned.
DDA DPAN NSUB DPGM DMSG DREC DATT DSYS DCLA DUSR DUDE DDES DAPP DLIN DIAL DLTE DELE DPTE DFIL DQUE DLOD DTSK DMAP DACT DMOD
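The ordering and dependency rules stated in the parameter descriptions can be checked mechanically before assembly. The following Python sketch is an added example, not CA IDMS code: it assumes each #SECRTT statement has already been joined across continuation lines, and the function names and the SAMPLE series are constructed for illustration.

```python
import re

# Resource types, reserved names and rules are taken from this page.
IDMS_TYPES = set("SYSA USER GROU UPRF DCA SYST SPRF SGON ACTI TASK SLOD QUEU "
                 "SACC SPGM DB DMCL DBTB".split())
RESERVED = set("DDA DPAN NSUB DPGM DMSG DREC DATT DSYS DCLA DUSR DUDE DDES DAPP "
               "DLIN DIAL DLTE DELE DPTE DFIL DQUE DLOD DTSK DMAP DACT DMOD".split())
OCCURRENCE_OK = {"DB", "SPGM", "TASK"}
OPERAND = re.compile(r"(\w+)=(\([^)]*\)|'[^']*'|[^,\s]*)")

def parse(stmt):
    """Parse one continuation-joined '#SECRTT KEY=value,...' statement."""
    ops = {k.upper(): v for k, v in OPERAND.findall(stmt.partition("#SECRTT")[2])}
    ops["TYPE"] = ops.get("TYPE", "").upper()
    ops["RESTYPE"] = ops.get("RESTYPE", "").upper()
    ops["SECBY"] = ops.get("SECBY", "OFF").upper()[:3]  # EXT, INT or OFF
    return ops

def lint_srtt(statements):
    """Return (statement number, message) pairs for rules the text states."""
    macros, out = [parse(s) for s in statements], []
    kinds = [m["TYPE"] for m in macros]
    if not kinds or kinds[0] != "INITIAL":
        out.append((1, "series must start with TYPE=INITIAL"))
    if kinds.count("FINAL") != 1 or kinds[-1] != "FINAL":
        out.append((len(kinds), "series must end with the only TYPE=FINAL"))
    # Resource types whose TYPE=ENTRY carries both EXTCLS and EXTNAME.
    mapped = {m["RESTYPE"] for m in macros
              if m["TYPE"] == "ENTRY" and "EXTCLS" in m and "EXTNAME" in m}
    for n, m in enumerate(macros, 1):
        if m["TYPE"] in ("INITIAL", "FINAL"):
            continue
        rt = m["RESTYPE"]
        if rt in RESERVED:
            out.append((n, f"{rt} is reserved for future use"))
        if m["TYPE"].startswith("OCCUR") and rt not in OCCURRENCE_OK:
            out.append((n, "TYPE=OCCURRENCE is valid only for DB, SPGM and TASK"))
        if m["SECBY"] == "INT" and rt not in IDMS_TYPES:
            out.append((n, "SECBY=INTERNAL is not valid for a user-defined type"))
        if m["SECBY"] == "EXT" and rt not in mapped:
            out.append((n, f"no TYPE=ENTRY for {rt} supplies EXTCLS and EXTNAME"))
        if "NOPTCHK" in m and not (rt == "SGON" and m["SECBY"] == "EXT"):
            out.append((n, "NOPTCHK applies only to RESTYPE=SGON, SECBY=EXTERNAL"))
    return out

# Constructed sample series, not taken from the page.
SAMPLE = [
    "#SECRTT TYPE=INITIAL,ENVNAME=PROD",
    "#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXTERNAL,EXTCLS='IDMS',EXTNAME=(RESNAME)",
    "#SECRTT TYPE=ENTRY,RESTYPE=SPGM,SECBY=INTERNAL",
    "#SECRTT TYPE=OCCURRENCE,RESNAME='RHDC',RESTYPE=SPGM,SECBY=EXTERNAL",
    "#SECRTT TYPE=OCCURRENCE,RESNAME='PAY',RESTYPE=QUEU,SECBY=INTERNAL",
    "#SECRTT TYPE=ENTRY,RESTYPE=XAPP,SECBY=INTERNAL",
    "#SECRTT TYPE=FINAL",
]
```

Statement 4 in SAMPLE is the case the TYPE=OCCURRENCE description calls out: an externally secured occurrence override whose TYPE=ENTRY macro carries no EXTCLS= or EXTNAME=.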
Order of EXTNAME Specification
The order of keywords that you specify in the EXTNAME parameter determines the order of fields in the external resource name format. For example, suppose that you specify the following parameter for RESTYPE=TASK:
EXTNAME=(RESTYPE,ENVIR,SYSTEM,RESNAME)
The external resource name format for a task will be the following:
TASK.environment-name.system-name.task-identifier
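The field ordering described above, together with the RESNAME wildcard rule for TYPE=OCCURRENCE, modeled in Python as an added example (not CA IDMS code). The function names, the four-letter keyword stems and the sample values are assumptions made for illustration; the '.' separator follows the TASK format shown above.

```python
# Minimum abbreviations follow the capital letters in the EXTNAME syntax diagram.
EXTNAME_KEYWORDS = ("ACTI", "APPL", "DBNA", "DDNA", "ENVI", "RESN", "REST",
                    "SCHE", "SSNA", "SYST", "VERS")

def activity_field(appl_name, activity_number):
    """ACTIvity: application name (first 5 characters if longer) + 3-digit number."""
    return f"{appl_name[:5]}{activity_number:03d}"

def external_name(extname, fields):
    """Build the external resource name: fields in EXTNAME order, joined by '.'.

    `fields` maps a 4-letter keyword stem to its value for one security request.
    """
    parts = []
    for word in extname.strip("()").split(","):
        stem = word.strip().upper()[:4]
        if stem not in EXTNAME_KEYWORDS:
            raise ValueError(f"unknown EXTNAME keyword: {word!r}")
        parts.append(fields[stem])
    return ".".join(parts)

def covered_by(resname, names):
    """Names a TYPE=OCCURRENCE override applies to.

    RESNAME is a prefix wildcard unless it ends in a blank, which pins one name.
    """
    if resname.endswith(" "):
        return [n for n in names if n == resname.rstrip(" ")]
    return [n for n in names if n.startswith(resname)]

# Constructed values, not taken from the page.
REQUEST = {"REST": "TASK", "ENVI": "PROD", "SYST": "SYS01", "RESN": "PAYT"}
PROGRAMS = ["TEST01", "TEST010", "TEST01A", "TEST02", "RHDC0001", "RHDC0002"]

if __name__ == "__main__":
    print(external_name("(RESTYPE,ENVIR,SYSTEM,RESNAME)", REQUEST))
    print(external_name("(ENVIR,RESNAME)", REQUEST))
    for resname in ("RHDC", "TEST01", "TEST01 "):
        print(repr(resname), "->", covered_by(resname, PROGRAMS))
```

Comparing covered_by("TEST01", PROGRAMS) with covered_by("TEST01 ", PROGRAMS) shows how a missing trailing blank widens an override, which matters most when the override sets SECBY=OFF.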
Generating the #SECRTT Macro
To assemble and link edit the #SECRTT macro, you can use the appropriate JCL or commands.
For more information, see the Security Macro JCL section.
However, it is recommended that you use SMP to assemble this macro.
For more information, see "System Modification" in the CA IDMS Installation Manual for your operating system.
Using a Single Resource Class
In the following example, each resource type is assigned to the class IDMS. In each case, the resource type is part of the external resource name format:
----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
         #SECRTT RESTYPE=TASK,SECBY=EXTERNAL,                          X
               EXTCLS='IDMS',EXTNAME=(RESTYPE,RESNAME)
         #SECRTT RESTYPE=SPGM,SECBY=EXTERNAL,                          X
               EXTCLS='IDMS',EXTNAME=(RESTYPE,DDNAME,RESNAME)
         #SECRTT RESTYPE=ACTI,SECBY=EXTERNAL,                          X
               EXTCLS='IDMS',EXTNAME=(RESTYPE,RESNAME)