Using the NMSAF Security Solution

The NMSAF security solution is an integrated security management system for users of your regions.
The NMSAF security solution is based on the partial security exit facility and works with UAMS. The solution provides the following features:
  • A complete security solution for your region, using whatever external security system is in use
  • A sensible balance between what is stored in the external security system for your users and resources, and what is maintained on UAMS
  • Control and customizing options that allow for flexible implementation
The NMSAF security solution minimizes duplication between external security definitions and UAMS. By using the NMSAF security solution, it is possible to eliminate almost all maintenance issues associated with using a UAMS data set.
Components of NMSAF
The NMSAF security solution consists of the following components:
  • UAMS
    -- NMSAF uses the UAMS file to store user records that contain the access authorization details for a user ID. You can add, modify, or delete the user records manually in the UAMS file. If NMSAF is installed as recommended (with grouping and modeling enabled), then NMSAF automatically updates the UAMS file as needed. You do not need to perform any maintenance on your UAMS records.
  • Partial security exit
    -- NMSAF is a partial security exit that interfaces with your external security package for password checking. Passwords are not stored in UAMS.
  • Modeling
    -- You can use the modeling facility to reduce the number of users that must be defined to your product region (by using UAMS). When you use modeling, a set of model users is defined. Each model user definition is used to define the privileges that a specific type of user has.
    The NMSAF parameter file defines a list of resource names and associated model names. When a user logs on, this list is searched. Each resource name is tested to see whether the user has READ access. The model user ID associated with the first resource that matches is then used as the definition for that user ID.
    By giving users PERMIT access to the appropriate resource, UAMS definitions are created or updated automatically when a user logs on to your product region.
  • SXCTL parameter file
    -- The SXCTL file is the control file that NMSAF uses. You can use the SXCTL file as supplied, or you can tailor it to your requirements by using parameters.
  • Other security exits
    -- NMDSNCHK and NMDSSCHK can work with NMSAF. Several other exits are supplied.
User Groups and Modeling with NMSAF
With user groups, you can classify users by the type of functions that they have access to. User groups are defined in the UAMS file. The following default groups are defined during installation:
  • Administrator
  • Network Operator
  • Operator
  • Monitor
If these groups do not suit your requirements, you can define others.
Benefits of Using Groups and Modeling
User groups simplify the definition of user records -- a user is allocated to a group, inheriting all of its access authorizations.
Using both groups and modeling provides the following combination of benefits:
  • When your region models a user, a copy of the model user ID record is produced.
  • By storing only the group name in the model record, you ensure that the UAMS records (created as users are modeled) contain only unique user-specific information. Unique information includes user ID, user name, and telephone number.
  • To change the profiles of all users in a group, you need only change the group entry in UAMS.
  • To move a user from one group to another, you need only update the UAMS record to point to the correct group name.
  • When a user logs on to your product region for the first time, that user is tested against the listed resource names. When a resource that the user has permission to access is found, the associated model definition is used to create the UAMS record. The user is prompted to supply specific information, such as name and telephone number. However, everything else is taken from the model user for the appropriate group.
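The first-match model selection and first-logon record creation described above, as an added Python sketch that is not NMSAF code or SXCTL syntax. All resource, model, group and privilege names are constructed, the dictionary stands in for the external security system's READ check, and creating no record when no resource matches is an assumption.

```python
# Constructed sample data: every resource, model, group and privilege name is hypothetical.
# Ordered list as the parameter file would define it: (resource name, model user ID).
MODEL_LIST = [("NM.ADMIN", "MODADMIN"), ("NM.NETOP", "MODNETOP"),
              ("NM.OPER", "MODOPER"), ("NM.MONITOR", "MODMON")]
# Model user records hold only a group name; privileges live on the group entry.
MODELS = {"MODADMIN": "Administrator", "MODNETOP": "Network Operator",
          "MODOPER": "Operator", "MODMON": "Monitor"}
GROUPS = {"Administrator": {"view", "operate", "define-users"},
          "Network Operator": {"view", "operate"},
          "Operator": {"view", "operate"}, "Monitor": {"view"}}
# Stand-in for the external security system: user ID -> resources with READ access.
READ_ACCESS = {"ALICE": {"NM.MONITOR", "NM.ADMIN"}, "BOB": {"NM.OPER"}, "CAROL": set()}

def matching_models(user_id):
    """Every (resource, model) entry the user has READ access to, in list order."""
    granted = READ_ACCESS.get(user_id, set())
    return [(res, model) for res, model in MODEL_LIST if res in granted]

def select_model(user_id):
    """First match wins; None when the user has READ access to no listed resource."""
    matches = matching_models(user_id)
    return matches[0][1] if matches else None

def first_logon(uams, user_id, name, phone):
    """Create the UAMS record: the model's group name plus user-specific details."""
    model = select_model(user_id)
    if model is None:
        return None  # assumption: no record is created when no model applies
    uams[user_id] = {"name": name, "phone": phone, "group": MODELS[model]}
    return uams[user_id]

def privileges(uams, user_id):
    """Resolve privileges through the group entry, never from the user record."""
    return GROUPS[uams[user_id]["group"]]

def order_dependent_users():
    """Users matching several resources: only list order decides their model."""
    return {u: [m for _, m in matching_models(u)]
            for u in READ_ACCESS if len(matching_models(u)) > 1}

if __name__ == "__main__":
    uams = {}
    for uid, name, phone in [("ALICE", "Alice A", "x100"), ("BOB", "Bob B", "x101"),
                             ("CAROL", "Carol C", "x102")]:
        print(uid, first_logon(uams, uid, name, phone))
    print("review list order for:", order_dependent_users())
```

Because the first matching resource decides the model, a user permitted to more than one listed resource receives whichever model is listed first, so the order of the list is itself an authorization decision worth reviewing.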