Security

Choosing and setting up a security system is an important part of product implementation. This section helps you make the best security system choices for your environment, and guides you through the necessary implementation steps.
Your products require a sophisticated security system, because:
  • Each product has many features.
  • The features often have varied security requirements.
  • The products have many users.
You have a number of options for implementing a security solution:
This section contains descriptive text and procedures about options and products that you may not be licensed for or may not have enabled. Inclusion of the descriptions of these options and products in this section in no way implies that you are licensed for these options or products.
Security System Options
Your product region can use internal or external security systems, or a combination of the two. The options available are:
  • UAMS -- the internal security interface
  • Partial security exit
  • The NMSAF solution
  • Full security exit
  • The NMSAFF solution
UAMS
UAMS (User ID Access Maintenance System) is the internal, CA-supplied security database of user details and access authority levels used by CA NetMaster. You can maintain all security details (including user passwords) in UAMS, or you can replace UAMS, either partially or fully, with an external security package.
UAMS does not reference other security software. When you use UAMS alone, all information about authorized users, including user ID, password, name, and privileges, is stored in an encrypted VSAM data set. You can either define each user’s user ID separately, or you can add users with the same security requirements by using a UAMS group.
Because UAMS is an internal security interface, your product region does not interface to any external security system or product. Using UAMS alone is a good choice for test systems and getting started with the product. When you are ready to move into production, the most common solution to use is NMSAF.
Partial Security Exit
You can use a partial security exit as a hybrid configuration with your product region. You would use the UAMS data set in conjunction with an exit that you create yourself. The partial exit interfaces to an external security system, and performs (at least) user ID and password validation. In this case, the UAMS data set would still contain user information and privileges. Passwords are not stored in the UAMS data set.
Creating your own hybrid security solution could be time-consuming, so we recommend that you use NMSAF, which is described in other sections.
NMSAF Solution
NMSAF is a comprehensive security solution that uses a partial security exit. The solution uses the following facilities:
  • UAMS data set to store specific information for your product region
  • Your existing, pre-installed security product (accessed through the IBM-defined SAF interfaces) to perform the user validation and password checking
NMSAF uses its own parameter file (SXCTL) to provide flexible implementation.
Full Security Exit
Your regions could also make use of a full security exit configuration that you create yourself. In this case, your exit would perform all user authentication. It would also supply all user attributes and privilege information. The UAMS data set is not used in full-exit solutions. If your installation requires use of a full exit, we recommend that you use NMSAFF rather than coding your own solution.
NMSAFF Solution
A security solution using a full security exit is shipped with your product. This solution is known as NMSAFF.
NMSAFF uses its own parameter file (SXCTL) to provide flexible implementation.
Recommended Security Options
Typically, we recommend using NMSAF, because it is the easiest solution to implement. NMSAF provides clear, comprehensive facilities to administer security for your product region. You maintain user IDs and passwords in your external security product, not in CA NetMaster. The UAMS data set allows user modeling, which gives you flexible control over privileges and access levels.
However, you can select other options instead, to best match your requirements. For example, you may want to consider using UAMS alone if these factors apply:
  • You have only one or two users in the region.
  • You do not want passwords to expire.
  • You use non-standard user IDs.
  • You create multiple non-standard user IDs for testing.
Similarly, consider using NMSAFF if you have specific or stringent requirements. If NMSAFF is not suitable for your requirements, consider writing your own partial or full security exit.
Additional Security Options
Your product provides additional security options in the following areas:
  • File access from NCL -- can be restricted by using the NCL authorization exit, NCLEX01
  • INMC link activation -- can be verified for authority by using the INMC security exit
  • The ALLOCATE command and CA SOLVE:FTS -- can be secured by using the data set access authorization exit
  • The data set services interface ($DSCALL) -- can be secured by using the data set services authorization exit.