Using CA IDMS Internal Security
CA IDMS resource types are grouped into three categories: global, system, and database.
What is a Global Resource?
A global resource is an entity which is shared by all CA IDMS processing in the security domain.
The following table shows the global resource types and the corresponding resource type keywords used in the SRTT and security information databases:
The definition of a global resource is stored in the user catalog. The user catalog is an area (SYSUSER.DDLSEC) that is shared for retrieval by all CA IDMS processing in the security domain.
The user resource type represents the end users, programmers, and administrators who will be accessing systems and databases in the CA IDMS security domain. Users are identified by a user ID that must be unique across the domain.
You maintain the definitions of users in CA IDMS with the CREATE/ALTER/DROP USER statements.
The group resource type represents a collection of users. The following are some important concepts related to groups:
- All users in a group implicitly hold all privileges granted to the group.
- You can assign a user to any number of groups.
- Every user belongs to the group PUBLIC.
- A group cannot be assigned to another group.
You maintain groups with the CREATE/ALTER/DROP GROUP statements.
A user profile is a set of attributes that apply to a given user for both online and batch execution in any system in the domain. You create a user profile with the CREATE USER PROFILE statement.
An attribute specifies an environmental default for a user session. An attribute is expressed as a keyword and an associated value for the keyword. For example, SCHEMA=MISTEST is an attribute, of which the keyword is SCHEMA.
Even though the user profile is defined in the CA IDMS user catalog, its attributes can be applied to a session whether signon is secured internally or externally.
For more information on user profiles, see Securing User Profiles.
You can also create a system profile to associate with one or more users in granting signon privilege to a given system. The attributes in a system profile apply to a user session on a specified system. If both a user profile and a system profile are found when the user signs on, the attributes in the two profiles are merged into a user session profile. System profile attributes take precedence over user profile attributes for those attributes defined with an OVERRIDE parameter equal to YES.
For more information on creating system profiles, see the CA IDMS System Tasks and Operator Reference section.
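The merge rule above is easy to get wrong when an attribute appears in both profiles. The following Python model, added here as an illustration and not CA IDMS code, builds the session profile from the two sets of attributes. It assumes that the OVERRIDE parameter is the one on the system profile's attribute definition (the page does not say which profile carries it), that keywords compare case-insensitively, and that the profile contents shown are constructed for the example.

```python
"""Build a user session profile from a user profile and a system profile:
attributes are merged, and where both define the same keyword the system
profile value wins only for attributes defined with OVERRIDE=YES.

Added example, not CA IDMS code. Assumption: the OVERRIDE parameter belongs to
the system profile attribute; keywords compare case-insensitively.
"""
from typing import Dict, NamedTuple, Optional


class Attribute(NamedTuple):
    value: str
    override: bool = False  # the OVERRIDE YES/NO parameter of the attribute


Profile = Dict[str, Attribute]


def session_profile(user_profile: Optional[Profile],
                    system_profile: Optional[Profile]) -> Dict[str, str]:
    """Return keyword -> value for the session. Either profile may be absent
    (None); then the other applies unchanged."""
    session: Dict[str, str] = {}
    for keyword, attr in (user_profile or {}).items():
        session[keyword.upper()] = attr.value
    for keyword, attr in (system_profile or {}).items():
        key = keyword.upper()
        # A system attribute fills a gap unconditionally; it replaces a user
        # profile attribute only when it is defined with OVERRIDE=YES.
        if key not in session or attr.override:
            session[key] = attr.value
    return session


# Constructed profiles; SCHEMA=MISTEST is the page's own example attribute.
USER_PROFILE: Profile = {
    "SCHEMA": Attribute("MISTEST"),
    "DICTNAME": Attribute("TESTDICT"),
}
SYSTEM_PROFILE: Profile = {
    "SCHEMA": Attribute("PRODSCHM", override=True),     # wins over MISTEST
    "DICTNAME": Attribute("PRODDICT", override=False),  # yields to TESTDICT
    "DBNAME": Attribute("PRODDB"),                      # absent from user profile
}

if __name__ == "__main__":
    print(session_profile(USER_PROFILE, SYSTEM_PROFILE))
```

Running the block prints the merged session profile for the constructed pair: SCHEMA comes from the system profile because it was defined with OVERRIDE=YES, DICTNAME stays at the user profile value, and DBNAME is added because the user profile did not define it.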
What is a System Resource?
A system resource is an entity shared by all CA IDMS processing under the central version.
The following table shows the system resource types and the corresponding resource type keywords used in the SRTT and security information databases:
The system dictionary includes all information required to establish, maintain, and control the processing environment. System resources are defined in the DDLDML area of the system dictionary. A system resource is available to all systems generated from the system dictionary.
Purpose of Categories
The category is a mechanism that allows you to group occurrences of several resource types that you have secured internally so that you can grant privilege on the group of resources.
When you create a category, you assign it a name, allowing you to associate a meaningful identifier with the resources. For example, if you secure tasks internally, you might create a category 'SYS_TASKS' and add the DCMT and DCUF tasks to it. If you secure both tasks and programs, one category could contain both task and program resources.
You can define as many as 32,768 categories for your security scheme.
The following table shows resource types that can be categorized and the corresponding resource type keywords used in the SRTT and security information databases:
- Access module (loadable entity)
If you secure the DB resource, you secure run units and access modules system-wide. You must then categorize load modules in order to grant users execution privilege on them, and you must do the same with access modules unless you choose to grant execution privilege on individual access modules rather than grouping them first.
For more information, see Securing Database Resources.
Defining a Category
You add resources to a category with a CREATE or ALTER CATEGORY statement, as in this example:
create category dcmt add program cdmslib.rhdcmt*;
Granting Privilege on the Category
After you define the category, the only means of access to a resource in the category is execution privilege on the category. You give this privilege to a user with a GRANT statement, as illustrated in this example:
grant execute on category dcmt to sam;
Runtime Category Selection
At runtime a given resource name may appear to qualify for assignment in more than one category. Consider these two categories:
create category dcmt add program cdmslib.rhdcmt*;
create category dcmtab add program cdmslib.rhdcmtab;
When the security system processes a security check, it determines the category of the resource being checked by selecting the mask that is closest to the fully qualified name of the resource. For example, given the preceding two categories, the security system will determine that:
- Use of resource CDMSLIB.RHDCMTXY requires execution privilege on category DCMT.
- Use of resource CDMSLIB.RHDCMTAB requires execution privilege on category DCMTAB.
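The following Python function, added here as an illustration and not CA IDMS code, reproduces the selection rule on the two categories above. It assumes that a mask is either an exact name or a prefix with a single trailing asterisk (the only wildcard form the page shows), that names compare case-insensitively, and that "closest" means the matching mask with the most literal characters, so an exact mask beats a wildcard mask that also matches.

```python
"""Runtime category selection: when more than one category mask matches a
resource name, the mask closest to the fully qualified name decides which
category's EXECUTE privilege is required.

Added example, not CA IDMS code. Assumptions: masks are exact names or a
prefix followed by one trailing '*'; comparison is case-insensitive;
"closest" means the matching mask with the most literal characters.
"""
from typing import Dict, List, Optional

# Constructed definitions mirroring the page's two CREATE CATEGORY statements:
# category name -> program masks added to it.
CATEGORIES: Dict[str, List[str]] = {
    "DCMT": ["CDMSLIB.RHDCMT*"],
    "DCMTAB": ["CDMSLIB.RHDCMTAB"],
}


def mask_matches(name: str, mask: str) -> bool:
    """True if the fully qualified name satisfies the mask."""
    if mask.endswith("*"):
        return name.startswith(mask[:-1])
    return name == mask


def specificity(mask: str) -> int:
    """Literal characters in the mask; higher means closer to a full name."""
    return len(mask.rstrip("*"))


def select_category(resource: str,
                    categories: Dict[str, List[str]] = CATEGORIES) -> Optional[str]:
    """Return the category whose mask is closest to `resource`, or None when
    no category mask matches. The page does not say how exact ties are
    broken; here the category defined first wins."""
    name = resource.upper()
    best: Optional[str] = None
    best_score = -1
    for category, masks in categories.items():
        for mask in masks:
            mask = mask.upper()
            if mask_matches(name, mask) and specificity(mask) > best_score:
                best, best_score = category, specificity(mask)
    return best


def required_privilege(resource: str) -> Optional[str]:
    """The grant a user needs before using the resource, or None when the
    resource falls in no category."""
    category = select_category(resource)
    return None if category is None else f"EXECUTE on category {category}"


if __name__ == "__main__":
    for program in ("CDMSLIB.RHDCMTXY", "CDMSLIB.RHDCMTAB", "CDMSLIB.IDMSDBAN"):
        print(program, "->", required_privilege(program))
```

The practical consequence of the rule is worth checking in your own SRTT: a broad mask such as cdmslib.rhdcmt* does not absorb a resource that a narrower mask names exactly, so a user holding EXECUTE on DCMT alone cannot run CDMSLIB.RHDCMTAB once the DCMTAB category exists.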
What is a Database Resource?
A database resource is an entity associated with the definition of or access to a database.
Database Resource Types
The following table shows the database resource types and the corresponding resource type keywords used in the SRTT and security information databases:
- Non-SQL defined schema
Securing Database Resources
If you specify internal security for the database (DB) resource type, you automatically secure the other resource types listed with DB in the preceding table.
You can grant privileges on the individual resource types, but you cannot turn security off in the SRTT for the resource types that are grouped with DB when DB is secured.
Database Occurrence Overrides
Using an occurrence override in the SRTT, you can specify a security option for an individual database associated with the system dictionary. For example, in one SRTT entry you can specify no security (the default) for resource type DB and in another entry specify internal security for the production database.
Ownership is an attribute of an SQL schema. A user who issues a CREATE SCHEMA statement owns the schema that is created.
A schema owner implicitly holds all access and definition privileges on the tables, functions, procedures, table procedures, views, and access modules associated with the schema. The owner also has the authority to grant those privileges to others.
An owner cannot grant ownership to another user but can transfer ownership. In this way, ownership and its privileges are relinquished to the other user.
The DBMS does not check for ownership. It requests a check for a specific privilege such as SELECT privilege on a table, and the security system returns a positive response if the user in question is the owner of the object.
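The following Python model, added here as an illustration and not CA IDMS code, simulates that exchange: the DBMS asks for one specific privilege, and the security system answers from grants to the user, grants to the user's groups (including the implicit PUBLIC group), and schema ownership. It also shows ownership being transferred rather than granted. The catalog structure and all names (users SAM and ANN, group DBA, schema PROD, table PROD.ORDERS, category DCMT) are constructed for the example.

```python
"""Privilege resolution as the page describes it: the DBMS asks the security
system for one specific privilege (for example SELECT on a table). The answer
is yes if the user owns the SQL schema the object belongs to, or if the user
or any group the user belongs to holds a matching GRANT. Every user is
implicitly in PUBLIC; groups do not nest; ownership is set by CREATE SCHEMA
and can be transferred, not granted.

Added example, not CA IDMS code. The catalog model and all names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PUBLIC = "PUBLIC"


@dataclass
class SecurityCatalog:
    # user -> groups the user was assigned to (PUBLIC is implied, never stored)
    group_members: Dict[str, Set[str]] = field(default_factory=dict)
    # (grantee, privilege, resource) triples recorded by GRANT statements
    grants: Set[Tuple[str, str, str]] = field(default_factory=set)
    # schema -> owner, set by CREATE SCHEMA and changed by TRANSFER OWNERSHIP
    schema_owner: Dict[str, str] = field(default_factory=dict)

    def add_user_to_group(self, user: str, group: str) -> None:
        if group.upper() == PUBLIC:
            raise ValueError("every user belongs to PUBLIC implicitly")
        self.group_members.setdefault(user.upper(), set()).add(group.upper())

    def grant(self, privilege: str, resource: str, grantee: str) -> None:
        """GRANT <privilege> ON <resource> TO <user or group>."""
        self.grants.add((grantee.upper(), privilege.upper(), resource.upper()))

    def create_schema(self, schema: str, creator: str) -> None:
        """The user issuing CREATE SCHEMA becomes the owner."""
        self.schema_owner[schema.upper()] = creator.upper()

    def transfer_ownership(self, schema: str, from_user: str, to_user: str) -> None:
        """Ownership moves to `to_user`; `from_user` relinquishes it together
        with the implicit privileges that came with it."""
        if self.schema_owner.get(schema.upper()) != from_user.upper():
            raise PermissionError(f"{from_user} does not own schema {schema}")
        self.schema_owner[schema.upper()] = to_user.upper()

    def identities(self, user: str) -> Set[str]:
        """The user, every group the user is in, and PUBLIC. Groups cannot be
        assigned to groups, so one level of expansion is complete."""
        return {user.upper(), PUBLIC} | self.group_members.get(user.upper(), set())

    def check(self, user: str, privilege: str, resource: str) -> bool:
        """Answer the DBMS's question: does `user` hold `privilege` on `resource`?
        Ownership is never asked for; it is consulted here as one way to say yes."""
        resource = resource.upper()
        # A qualified name belongs to a schema; the schema owner implicitly holds
        # every access and definition privilege on the objects in it.
        if "." in resource:
            schema = resource.split(".", 1)[0]
            if self.schema_owner.get(schema) == user.upper():
                return True
        return any((ident, privilege.upper(), resource) in self.grants
                   for ident in self.identities(user))


if __name__ == "__main__":
    cat = SecurityCatalog()
    cat.create_schema("PROD", "SAM")
    cat.grant("EXECUTE", "CATEGORY DCMT", "SAM")
    print("SAM SELECT PROD.ORDERS:", cat.check("SAM", "SELECT", "PROD.ORDERS"))
    print("ANN SELECT PROD.ORDERS:", cat.check("ANN", "SELECT", "PROD.ORDERS"))
    cat.transfer_ownership("PROD", "SAM", "ANN")
    print("after transfer, SAM:", cat.check("SAM", "SELECT", "PROD.ORDERS"))
```

Two behaviours in this model are the ones to verify against a real catalog: a grant to PUBLIC reaches every user without any explicit group assignment, and after TRANSFER OWNERSHIP the former owner keeps only whatever was explicitly granted to that user or to that user's groups.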