Information on securing CA Endevor SCM
To provide a comprehensive security program for CA Endevor Software Change Manager (CA Endevor SCM), address security in two essential areas: data set security and functional security.
This figure depicts the relationship between CA Endevor SCM and functional and data set security.
As previously illustrated, CA Endevor SCM uses one of the following functional security options: native security tables or the External Security Interface (ESI).
Data Set Security Types
CA Endevor SCM does not provide data set security. Data set security is performed by a site security package, such as:
- CA ACF2 for z/OS
- CA Top Secret for z/OS
- IBM RACF
Data set security involves preventing unauthorized access to the data sets that CA Endevor SCM uses. Two approaches are available for controlling access to your physical data sets:
- Program path protection: gives the CA Endevor SCM programs access to the data sets the product maintains, and users reach those data sets only through the product. All maintenance of these data sets is performed through CA Endevor SCM.
- Standard data set security: gives users direct access to the data sets that CA Endevor SCM maintains. Unauthorized access is still prevented, but authorized users can update these data sets without going through the product.
Implementing data set security in addition to functional security is recommended, because functional security alone controls what users can do inside CA Endevor SCM and says nothing about direct access to the underlying data sets.
Functional security involves protecting CA Endevor SCM inventory functions from unauthorized use. These functions include access to menu options, the ability to perform certain actions against certain inventory areas, and other secured CA Endevor SCM options.
Unlike data set security, functional security is provided by CA Endevor SCM itself. Choose one of two methods for providing functional security:
- Native security tables: control environment access, primary and foreground menu options, and action authorization.
- External Security Interface (ESI): controls environment access, primary and foreground menu options, action authorization, package actions, and concurrent action processing authorization. ESI stores the security rules in your site security package instead of in tables shipped with the product, and lets you customize your functional security capabilities.
Security Control Points
CA Endevor SCM performs security checks to allow or deny a user access to certain inventory areas and inventory actions. These checkpoints are referred to as security control points.
The following security control points determine the level of access to system inventories and functions:
- Environment Selection: verifies your access to a requested environment.
- Primary Options: verifies your access to operations appearing on the Primary Options menu.
- Foreground Options: verifies your access to actions available on the Foreground Options menu.
- Action Initiation: verifies your access to actions such as DISPLAY, ADD/UPDATE, RETRIEVE, or GENERATE.
- Package Actions: verifies your access to package actions such as CREATE, CAST, DYNAMIC, REVIEW, and EXECUTE (ESI only).
- Concurrent Action Processing: verifies your access to request concurrent action processing (ESI only).
When a security control point is reached, CA Endevor SCM checks the access privileges defined in one of the following security configurations:
- Native security tables
- ESI, interfacing with an external security product such as CA ACF2, CA Top Secret, or RACF
For example, when CA Endevor SCM reaches a security control point with native security in effect, it consults the native security tables to determine whether the user is allowed to perform the requested inventory action against that portion of the inventory. CA Endevor SCM then hides the inventory elements the user is not permitted to access and the functions the user is not allowed to perform. With ESI in effect, the same decision is delegated to the site security package through SAF, which is what lets you customize your functional security rules.
Native security uses the following three security tables to record the rules for access to inventory levels and functions:
- Access Security Table (one per installation): defines the environments to which each user has access.
- User Security Table (one per environment): defines the menu options available to a user after access to the environment is obtained, and the actions that user is allowed to perform within the environment, by system and subsystem.
- Resource Security Table (one per environment): enforces naming conventions at the system/subsystem and element levels.
The following figure shows how control points can control access to CA Endevor SCM processing functions by checking the native security tables.
As previously illustrated, upon entry into the system, your access to CA Endevor SCM functions is controlled by the CA Endevor SCM security tables or by ESI. Site security protects the system data sets.
External Security Interface (ESI)
ESI is an optional feature that lets you secure CA Endevor SCM access and action functions through the IBM System Authorization Facility (SAF), using the site security package installed on your system. ESI does so by letting you define the rules for functional security in your site security package (CA ACF2, CA Top Secret, or RACF) rather than in the native tables supplied with CA Endevor SCM. For more information about how to enable and use ESI, see Enabling External Security Interface (ESI).
The following diagram shows how ESI interacts with site security packages:
If ESI is enabled, the security rules must be defined to the site security package. As the diagram shows, CA Endevor SCM issues SAF calls to query the installed security package instead of consulting the native security tables, which also means the security package's normal logging and violation reporting cover those checks.
Selecting Your Security Option
To protect CA Endevor SCM and its data sets, install security that prevents unauthorized access to your system. You may need to choose from among a number of data set and functional security options.
Data Set Security Methods
Options for data set security:
- Program path protection: allows authorized users access to a data set only through an authorized program. Permits library updates only through CA Endevor SCM. Provides strong preventive control.
- Standard data set protection: allows authorized users direct access to data sets. Permits library updates outside of CA Endevor SCM. Provides a measure of preventive control.
- No data set protection: permits unlimited access to data sets. CA Endevor SCM Footprint Exception Reporting can detect unauthorized updates after they happen, but nothing prevents them.
Functional Security Methods
Functional security can be provided by implementing one of the following two CA Endevor SCM security methods:
- Native security tables: provides basic functional security. Controls access to environments and to primary and foreground menu options, and requires authorization of actions.
- ESI: provides the same basic functional security and allows it to be extended through customization. Integrates with your existing security package, such as CA ACF2, CA Top Secret, or RACF.
We recommend a comprehensive approach that provides both functional and data set security. A carefully planned security program establishes the proper levels of access for functions and for data sets.
Address security during the final testing of your first CA Endevor SCM application. The initial setup and testing steps for implementing a new application should not be disrupted by overly restrictive security rules.
How to Enable Data Set Security
Follow this process to implement data set access security:
- Lay out your data set access requirements in a simple, nontechnical form for review.
- Build your data set security profiles in Warning Mode. In Warning Mode the security package logs each access that would have been denied but still allows it, so a missing rule shows up as a warning rather than as a failed job.
- Test your security implementation and review every warning you receive; each one is either a missing rule or an access you intend to block.
- Set the data set security profiles to Live Mode.
- Monitor security violations on an ongoing basis.
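The warning-then-live procedure above, together with the program path protection option described under Data Set Security Methods, as an added example: a TSO REXX exec that issues the RACF commands for a site whose security package is IBM RACF. This is not CA documentation or CA Endevor SCM code. The profile ENDV.PROD.**, the load library ENDV.LOADLIB, the groups ENDVADM and DEVGRP, and the program name ENDVPGM are placeholders for your site's names, and the program path step assumes RACF program control (SETROPTS WHEN(PROGRAM)) is permitted at your site. CA ACF2 and CA Top Secret support the same progression with their own command syntax.

```rexx
/* REXX  ENDVRACF - added example, not CA code.                        */
/* Stage the RACF data set rules for the CA Endevor SCM libraries in   */
/* Warning Mode, then switch the same profile to Live Mode once the    */
/* warnings have been reviewed.                                        */
/*   EX 'your.exec.lib(ENDVRACF)' 'WARN'   build profiles in Warning Mode */
/*   EX 'your.exec.lib(ENDVRACF)' 'LIVE'   flip the profiles to Live Mode */
/* ENDV.PROD.**, ENDV.LOADLIB, ENDVADM, DEVGRP and ENDVPGM are         */
/* placeholders for your site's names.                                 */
parse upper arg mode .
if mode <> 'WARN' & mode <> 'LIVE' then do
  say 'Usage: ENDVRACF WARN | LIVE'
  exit 12
end

profile = "'ENDV.PROD.**'"        /* generic profile over every Endevor library */
worst   = 0                       /* highest RACF return code seen               */

if mode = 'WARN' then do
  /* Warning Mode: a request that would be denied is logged (ICH408I   */
  /* warning message and SMF type 80 record) and then allowed, so no   */
  /* one is locked out while the rules are tested.                     */
  call racf "ADDSD" profile "GENERIC UACC(NONE) WARNING",
                    "OWNER(ENDVADM) AUDIT(FAILURES(READ))"

  /* Administrators may maintain the libraries directly.               */
  call racf "PERMIT" profile "ID(ENDVADM) ACCESS(ALTER)"

  /* Program path protection: developers get UPDATE only when the      */
  /* access is made by the program-controlled CA Endevor SCM program,  */
  /* never from ISPF 3.4, IEBCOPY or a hand-written batch job.         */
  /* The program must be defined in the PROGRAM class for RACF to      */
  /* honor the WHEN(PROGRAM) condition.                                */
  call racf "RDEFINE PROGRAM ENDVPGM ADDMEM('ENDV.LOADLIB'//NOPADCHK)",
                    "UACC(READ)"
  call racf "PERMIT" profile "ID(DEVGRP) ACCESS(UPDATE)",
                    "WHEN(PROGRAM(ENDVPGM))"
  call racf "SETROPTS WHEN(PROGRAM) REFRESH"
end
else do
  /* Live Mode: same profile, same access lists, but a request that    */
  /* was merely logged is now denied.                                  */
  call racf "ALTDSD" profile "NOWARNING"
end

/* Generic profile changes take effect after the in-storage refresh.   */
call racf "SETROPTS GENERIC(DATASET) REFRESH"

/* Display the profile so the reviewer can confirm WARNING/NOWARNING   */
/* and the conditional access list before and after the switch.        */
call racf "LISTDSD DATASET("profile") ALL"

exit worst

/* Issue one RACF command in the TSO environment and keep the worst    */
/* return code; a non-zero rc is reported with the command that failed */
/* rather than silently continuing.                                    */
racf: procedure expose worst
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    say 'RC' rc 'from:' cmd
    worst = max(worst, rc)
  end
  return rc
```

Run the exec with WARN first, drive the pilot application through CA Endevor SCM and through the direct paths you intend to block, and only run it with LIVE when the ICH408I warnings show nothing unexpected. RACF applies a WHEN(PROGRAM) entry only in a clean environment, so every load library in the job's search path, including the CA Endevor SCM libraries themselves, must also be program-controlled; otherwise RACF ignores the conditional entry and DEVGRP falls back to UACC(NONE).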
How to Enable Functional Security
Decide which means of functional security you want to use: native security tables or ESI. You can only use one method.
How to Implement Native Security
Follow this process to implement functional security using native security tables:
- Plan security for a pilot application.
- Define the three native security tables:
  - Access Security Table
  - User Security Table
  - Resource Security Table
- Activate the security tables.
- Test your security implementation, monitor violations, and correct the tables.
How to Implement ESI Security
Follow this process to implement ESI security:
- Plan security for a pilot application.
- Customize the ESI security definition table, BC1TNEQU.
- Lay out the ESI security profiles.
- Build the ESI security profiles in Warning Mode.
- Customize the C1DEFLTS table so that ESI is activated.
- Test ESI security and monitor warnings.
- Set the ESI security profiles to Live Mode and monitor violations.