Using the NMSAF Security Solution

The NMSAF security solution is an integrated security management system for users of your regions. It is based on the partial security exit facility and works with UAMS. The solution provides the following features and advantages:
  • Enables a complete security solution for your region, using whatever external security system is already in use.
  • Synchronizes the data in the external security system for your users and resources (including login credentials) with the internal UAMS database.
    Updates such as password changes and deletions of users are synchronized immediately. User ID and password validation are carried out by your security software. Attempts to use invalid credentials to log in to the product are rejected automatically. The CA NetMaster administrator controls security for the product without needing to contact the administrators of the external security system, because NMSAF relies on UAMS for panel and function authority in CA NetMaster.
  • Provided as part of an already assembled and linked load module in the NetMaster Load library.
  • Offers control and customizing options that allow for flexible implementation.
The NMSAF security solution minimizes duplication between external security definitions and UAMS. Using the NMSAF security solution can eliminate almost all maintenance issues associated with using a UAMS data set.
Components of NMSAF
The NMSAF security solution consists of the following components:
  • UAMS
    -- NMSAF uses the UAMS file to store user records that contain the access authorization details for a user ID. You can add, modify, or delete the user records manually in the UAMS file. If NMSAF is installed as recommended (with both grouping and modeling enabled), then NMSAF automatically updates the UAMS file as needed. You do not need to perform any maintenance on your UAMS records.
  • Partial security exit
    -- NMSAF is a partial security exit that interfaces with your external security package for password checking. Passwords are not stored in UAMS. NMSAF is a preconfigured, assembled, and linked load module in the CA NetMaster Load Library. 
  • Modeling
    -- Use the modeling facility to reduce the number of users that you must define to your product region (by using UAMS). When you use modeling, a set of model users is defined. Each model user definition is used to define the privileges for a specific type of user.
    The NMSAF parameter file defines a list of resource names and associated model names. The system searches this list when a user logs on, testing each resource name to see whether the user has READ access. The model user ID of the first one that matches is then used as the user ID definition.
    By giving users PERMIT access to the appropriate resource, UAMS definitions are created or updated automatically when a user logs on to your product region.
  • SXCTL parameter file
    -- This file is the control file used by NMSAF. You can use the default values for the parameters in the file, or you can customize them. The file name is HLQ.PARMLIB. A sample SXCTL file, SXPdmid, is in the PARMLIB dataset. The member name is by default "SXP" followed by the four-character
    , for example, SXPNM01. You can see more information on the file parameters in SXCTL Parameters.
  • Other security exits
    -- You can optionally use the security exits NMDSNCHK and NMDSSCHK in addition to NMSAF. These exits are supplied as samples in HLQ.CC2DSAMP and are documented in the comments. Several other exits are supplied.
User Groups and Modeling with NMSAF
With user groups, you can classify users by the type of functions to which they have access. User groups are defined in the UAMS file. The following default groups are defined during installation:
  • Administrator
  • Network Operator
  • Operator
  • Monitor
If these groups do not suit your requirements, you can define others. If you use modeling in NMSAF, then the first time each user logs in to CA NetMaster, the user is assigned to the group that matches his or her model definition in SXCTL.
Benefits of Using Groups and Modeling
User groups simplify the definition of user records -- a user is allocated to a group, inheriting all of that group's access authorizations.
Using both groups and modeling provides the following combination of benefits:
  • When your region models a user, a copy of the model user ID record is produced.
  • Because this record contains only the group name, the UAMS records (which are created as users are modeled) contain only unique user-specific information. Unique information includes user ID, user name, and telephone number.
  • To change the profiles of all users in a group, you only need to change the group entry in UAMS.
  • To move a user from one group to another, you only need to update the UAMS record to point to the correct group name.
  • When a user logs on to your product region for the first time, that user is tested against the listed resource names. When a resource that the user has permission to access is found, the associated model definition is used to create the UAMS record. The user is prompted to supply specific information, such as name and telephone number. However, everything else is taken from the model user for the appropriate group.
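The first-match search described under Modeling and the first-logon record creation described above can be simulated offline to check how list order affects the group a user lands in. This is an added example, not code from the product: the resource names, model user IDs, users, and the in-memory list format are hypothetical (it is not SXCTL syntax), and returning no record when nothing matches is an assumption.

```python
# Constructed sample data. Resource names, model user IDs and users are
# hypothetical, and this in-memory list is not SXCTL syntax.
MODEL_LIST = [  # searched top to bottom at logon
    ("NM.ADMIN", "MODADMIN"),
    ("NM.NETOPER", "MODNETOP"),
    ("NM.OPER", "MODOPER"),
    ("NM.MONITOR", "MODMON"),
]
# Model user records hold only the group name (groups are the page's defaults).
MODEL_RECORDS = {
    "MODADMIN": {"group": "Administrator"},
    "MODNETOP": {"group": "Network Operator"},
    "MODOPER": {"group": "Operator"},
    "MODMON": {"group": "Monitor"},
}
# Stand-in for the external security system: user ID -> resources with READ.
READ_ACCESS = {
    "ALICE": {"NM.ADMIN", "NM.MONITOR"},
    "BOB": {"NM.MONITOR"},
    "CAROL": set(),
}

def matching_models(user, model_list=MODEL_LIST, access=READ_ACCESS):
    """Every model whose resource the user can READ, in list order."""
    granted = access.get(user, set())
    return [model for resource, model in model_list if resource in granted]

def resolve_model(user, model_list=MODEL_LIST, access=READ_ACCESS):
    """First matching entry wins; None when no listed resource is readable."""
    matches = matching_models(user, model_list, access)
    return matches[0] if matches else None

def first_logon(user, name, phone, uams, model_list=MODEL_LIST):
    """Create the UAMS record from the model copy plus user-supplied details."""
    if user in uams:                      # already modeled on an earlier logon
        return uams[user]
    model = resolve_model(user, model_list)
    if model is None:                     # assumption: no record is created
        return None
    uams[user] = {**MODEL_RECORDS[model], "userid": user, "name": name, "phone": phone}
    return uams[user]

def order_dependent_users(model_list=MODEL_LIST, access=READ_ACCESS):
    """Users matching several entries: list order alone decides their group."""
    result = {}
    for user in sorted(access):
        matches = matching_models(user, model_list, access)
        if len(matches) > 1:
            result[user] = matches
    return result
```

Users reported by order_dependent_users are the ones to review before reordering the list, because moving an entry changes which model they receive at first logon.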