User-Defined System Security Rules

This section provides the information on the following topics:
Installation Codes
You can assign an installation code attribute value to the INSTCODE attribute keyword in a user or system profile. If you specify OVERRIDE=NO for INSTCODE, you can use the attribute for site-specific security checking. At runtime, an application program or exit 29 can retrieve the INSTCODE attribute value for the user session by linking to RHDCUF00 and issuing the DCUF SHOW INSTCODE command.
 
Note:
For more information on linking to DCUF, see the CA IDMS System Tasks and Operator Reference section.
INSTCODE Considerations
In the logic to retrieve an INSTCODE attribute value, you should account for these possibilities:
  • INSTCODE may not be an attribute of a given user session.
  • An attribute value may be as many as 32 characters.
Using Terminal Autotasks
 
What is an Autotask
A terminal autotask is a task that you associate with a logical terminal. Through this association, you direct the CA IDMS system to initiate the preassigned task when either of these conditions occurs:
  • The ENTER NEXT TASK CODE prompt would normally be displayed.
  • A top-level program or dialog issues a DC RETURN request that specifies no next task code.
Suppose, for example, that a user who signs on to a CA IDMS system is assigned logical terminal LT12012. If this logical terminal is associated with an autotask, the system automatically initiates the autotask when the user connects to the terminal. After the user enters the name of the system, instead of displaying the ENTER NEXT TASK CODE prompt (which allows the user to choose what task to invoke), the terminal displays whatever screen is mapped out by the program associated with the preassigned autotask.
Securing a Terminal Autotask
Since terminal autotasks must be able to execute without a signed on user, they must be unsecured. If tasks are secured internally, you can unsecure terminal autotasks by assigning them to a category on which PUBLIC holds EXECUTE privilege. Alternatively, you can add an occurrence override to turn off security for each terminal autotask in the SRTT.
If tasks are secured externally, you must use an occurrence override in the SRTT to unsecure a terminal autotask.
When Should You Use an Autotask
Use an autotask for workers at one terminal who require access to a limited number of data processing functions.
For example, you can use an autotask for clerks who enter orders into a purchasing system. Or you can set up an autotask that executes a single manufacturing application. The application itself can perform a variety of functions, such as bill of material processing and master production scheduling.
In both of these cases, you create a menu for display when the autotask is invoked. This menu lists each option the user can choose, including a signon and signoff option if appropriate.
You can also use an autotask to invoke a site-defined signon menu. Set up this menu to appear when users connect to the terminal. After signing on to this menu, users invoke any task for which they are authorized.
How to Use an Autotask
To use an autotask, you must do the following:
  • Associate an autotask with selected logical terminals.
  • Optionally, establish signon and signoff functions as part of the autotask menu.
  • Optionally, associate physical terminals with particular devices.
  • Optionally, check a user's authority to use a particular terminal.
These topics, along with related design suggestions, are discussed in the sections that follow.
Associating an Autotask with Selected Logical Terminals
Associating an Autotask with a Logical Terminal
You associate an autotask with a logical terminal using the AUTOTASK parameter of the system generation LTERM statement. This statement allows you to specify whether a task will be initiated automatically for the logical terminal:
  • AUTOTASK IS NULL, the default, indicates that no task will be initiated automatically for this logical terminal. Logical terminals defined as printers must use the default value NULL.
  • AUTOTASK IS task-code specifies the system will execute the specified task code automatically.
    The task code specified must be defined in the system dictionary with the system generation TASK statement. The task must be defined with the NOINPUT option because a terminal autotask should execute immediately.
Example
To associate LTERM LT12012 with the task code ORDERS, submit this information to the system generation compiler:
ADD LTERM LT12012 VERSION 1
   AUTOTASK IS ORDERS
   ENABLED
   PRIORITY IS 0
   PTERM IS PT12012.
Signon and Signoff Functions for an Autotask
Forcing Signon Through a Terminal Autotask
If you are using a site-specific signon menu to force a signon and you want users to see the ENTER NEXT TASK CODE prompt after they sign on to the CA IDMS system:
  • Clear the autotask field (LTEAUTSK) in the logical terminal element (LTE) when the user signs on to the runtime system.
  • Reset the autotask field when the user signs off from the runtime system.
For more information on the LTE (#LTEDS DSECT), see the CA IDMS DSECT Reference section.
In a CA Technologies ADS Environment
If your autotask invokes a CA Technologies ADS application, you can specify the following:
  • Automatic signon for the application, by using a CA Technologies ADS signon menu
  • Automatic signoff for the application, by using the CA Technologies ADS SIGNOFF function
For more information on CA Technologies ADS signon menus and the CA Technologies ADS SIGNOFF function, see the CA IDMS ADS Reference section.
In an SQL or DML Environment
If your autotask invokes an SQL or DML application, design the application as follows:
  1. When the user signs on through the autotask menu, link to the RHDCSNON program from the autotask program.
    For more information, see the "SIGNON task" in the CA IDMS System Tasks and Operator Reference section.
    Alternatively, if no signon CLIST is invoked, an Assembler program can issue the #SECSGON macro to initiate user signon.
    For more information, see #SECSGON.
  2. When the user signs off through the autotask menu, link to either RHDCSNOF or RHDCBYE:
    • RHDCSNOF is the program normally invoked by the CA IDMS system SIGNOFF task (RHDCSNOF leaves the ENTER NEXT TASK CODE prompt displayed on the terminal).
    • RHDCBYE is the program normally invoked by the CA IDMS system BYE task (RHDCBYE does not leave the ENTER NEXT TASK CODE prompt displayed on the terminal).
    Alternatively, if you do not wish to free resources as RHDCBYE and RHDCSNOF do, an Assembler program can issue the #SECSGOF macro to initiate user signoff.
    For more information, see #SECSGOF.
How to Clear and Reset the Autotask Field
To display the ENTER NEXT TASK CODE prompt after the signon menu, you clear the autotask field. You can reset the autotask field at signoff. You can do this by using exit 29 to move the appropriate value to the autotask field (LTEAUTSK) in the logical terminal element (LTE) after a successful signon or signoff. After signon, you move low values (binary zeros) to this field; after signoff, you move the appropriate task code. 
Note:
For more information on the LTE (#LTEDS DSECT), see the CA IDMS DSECT Reference section.
Associating Terminals with Devices
Overview
Once you associate an autotask with selected logical terminals, you need to ensure that these terminals correspond to particular devices. You do this by associating logical terminal/physical terminal pairs with the appropriate devices.
UCF, VTAM, and TCAM
For UCF, VTAM, and TCAM, you can choose whether to associate a logical/physical terminal pair with a particular device. If you do not explicitly associate a terminal pair with a device, the system takes the first available pair when a user signs on.
Other Access Methods
For all other access methods, you must associate terminal pairs with devices. In this case, users are always assigned a specific logical and physical terminal when they sign on to a particular device.
How to Associate Terminals with Devices
To associate UCF, VTAM, and TCAM terminals with particular devices, you use the NAME IS parameter of the system generation PTERM statement.
Suppose, for example, that the system definition includes logical terminal LT12012 and physical terminal PT12012. To associate this terminal pair with device FT068109, submit this information to the system generation compiler:
MODIFY PTERM PT12012
   ACQUIRE
   NAME IS FT068109.
Note:
For more information on associating terminals with devices, see the CA IDMS Administrating section.
Checking Authority to Access a Particular Terminal
How to Check a User's Authority
When you implement autotasks, users can access only preassigned tasks at particular terminals. If you want to prevent users from accessing terminals that are not associated with a specific task, you must check their authority to use these terminals.
You can do this by:
  1. Establishing installation codes that authorize users to access particular physical terminals.
    For example, you can specify a physical terminal ID, logical terminal ID, or VTAM node name as the attribute value for INSTCODE in the user or system profile.
  2. Checking a user's INSTCODE attribute when the user signs on to a terminal.
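The check in steps 1 and 2, together with the two cases listed under INSTCODE Considerations, modeled as an added Python example (not CA IDMS code and not part of the original documentation). It models only the decision; the Terminal class, the function names, the sample sessions, the padding handling, the use of FT068109 as a node name, and the deny-when-absent policy are assumptions.

```python
# Added illustration: models the decision only. On a real system the value
# comes from DCUF SHOW INSTCODE; nothing here calls CA IDMS.
from dataclasses import dataclass
from typing import Optional

INSTCODE_MAX = 32  # per the page, a value may be as many as 32 characters


@dataclass(frozen=True)
class Terminal:
    """Identifiers the page says an INSTCODE value may name."""
    pterm_id: str
    lterm_id: str
    vtam_node: Optional[str] = None  # assumption: absent for non-VTAM access


def normalize(raw: Optional[str]) -> Optional[str]:
    """Return the usable INSTCODE, or None if absent, blank or over-length."""
    if raw is None:
        return None                      # attribute not in this session
    value = raw.rstrip(" \x00")          # assumption: fixed-width, padded field
    if not value or len(value) > INSTCODE_MAX:
        return None
    return value


def may_use_terminal(instcode: Optional[str], term: Terminal) -> bool:
    """Fail closed: allow only an exact, whole-value match on one identifier."""
    code = normalize(instcode)
    if code is None:
        return False
    allowed = {term.pterm_id, term.lterm_id, term.vtam_node} - {None}
    return code in allowed               # equality, never a prefix compare


# Constructed sample data using the terminal names from the page's examples;
# FT068109 is treated as the node name here (assumption).
ORDER_DESK = Terminal("PT12012", "LT12012", "FT068109")
SAMPLE_SESSIONS = {
    "clerk_ok": "PT12012".ljust(32),     # padded to the full field width
    "by_node": "FT068109",
    "no_attr": None,                     # INSTCODE not assigned
    "near_miss": "PT120129",             # shares a prefix, must not match
    "too_long": "PT12012" + "X" * 30,    # exceeds 32 characters
}


def evaluate(sessions=SAMPLE_SESSIONS, term=ORDER_DESK):
    """Map each sample session to its access decision."""
    return {name: may_use_terminal(code, term) for name, code in sessions.items()}
```

Comparing the whole value matters because an INSTCODE can be longer than a terminal identifier, so a compare limited to the identifier's length would accept values that merely begin with it.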
Design Considerations
Secure the DCMT VARY LTERM Command
Users can override the autotask assigned to a logical terminal with the DCMT VARY LTERM ONLINE command. If you are using autotasks in a secure environment, be sure to secure this DCMT command.
For information on securing DCMT commands, see Securing System Resources.
Associate Terminals with Devices Only when Necessary
When using autotasks, you should consider how many people will be using terminals that are restricted to particular tasks. You can use your terminal network more effectively if you associate terminals with devices only when necessary.
Terminal Association Criteria:
Need: A few people who will be using terminals restricted to an autotask
Terminal configuration:
  • Associate the restricted terminals with particular devices.
  • Keep the other terminals generic (that is, not associated with particular devices).
  • Optionally, check a user's authorization to use a particular logical terminal at signon.
Need: Many people who will be using terminals restricted to an autotask
Terminal configuration:
  • Associate the non-restricted terminals with particular devices.
  • Keep the restricted terminals generic.
  • Optionally, check a user's authorization to use a particular logical terminal at signon.