CA View Security Considerations

This page describes the configuration requirements for implementing external security for CA View in a cooperative environment. For more information about setting up your security environment, see Security. No additional considerations exist for CA DRAS.
CA View Modes and Access from CA OM Web Viewer
SAR, SARO, EXP, EXPO Mode Support
CA View provides support for SAR, SARO, EXP, and EXPO modes for report and cross-report index selection.
Within CA View, selection is based on the MODE and DISTID (for EXP and SAR modes) that are defined in the CA View database for the user's logon ID. New users not previously defined to the CA View database default to the mode referenced by the CA View DEFMODE initialization parameter, and the DISTID is set to the logon ID of the user. The user profile exit, SARPRFUX, is called to allow overrides of the default or existing user profile.
CA OM Web Viewer automatically displays the selection list based on the default definition, or the last MODE used in 3270 viewing mode.
You can log in and change the mode and DISTID in the settings dialog.
JOB Mode and CA OM Web Viewer
Users can access JOB mode only by logging in to CA View directly on the mainframe. Users cannot access JOB mode through CA OM Web Viewer, which can result in the following scenarios:
  • A mainframe user last accessed CA View in JOB mode and later attempts to access CA View through CA OM Web Viewer. The user is provided access through the first available mode for which the user is authorized. If the user is authorized for JOB mode only, the user is denied access and an error message appears.
  • A new user attempts to access CA View through CA OM Web Viewer and the CA View SARINIT DEFMODE parameter is set to allow access through JOB mode only. The user is denied access and an error message appears.
To address these scenarios and to help provide users with optimal access to both products, follow these best practices:
  • When you grant JOB mode access to existing CA View users, inform them that they cannot access CA OM Web Viewer through JOB mode, as explained earlier.
  • When you define new CA View users and grant them access to JOB mode, also grant them access to at least one other mode. Verify that the other mode is appropriate for their role in your organization.
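The following added example (not part of the product or its documentation) audits an exported user list for the two JOB-mode scenarios above, so that affected users can be given a second mode before they try CA OM Web Viewer. The `ViewUser` record, the sample data, the representation of DEFMODE as a set of modes, and the order used for "first available mode" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Modes the page lists as selectable from CA OM Web Viewer (JOB is excluded).
# The tuple order stands in for "first available mode" and is an assumption.
WEB_MODES = ("SAR", "SARO", "EXP", "EXPO")


@dataclass
class ViewUser:  # hypothetical record for one exported user definition
    logon_id: str
    authorized: frozenset            # modes the user is authorized for
    last_mode: Optional[str] = None  # None = not yet defined to the CA View database


def web_viewer_mode(user, defmode):
    """Return the mode CA OM Web Viewer would open, or None if access is denied."""
    if user.last_mode is None:
        # New user: only the modes allowed by DEFMODE apply.
        allowed = frozenset(defmode)
    else:
        allowed = user.authorized
        if user.last_mode in WEB_MODES and user.last_mode in allowed:
            return user.last_mode  # last MODE used in 3270 viewing
    for mode in WEB_MODES:
        if mode in allowed:
            return mode  # fallback for a user who last used JOB mode
    return None


def audit(users, defmode):
    """Return (logon_id, finding) pairs for users affected by the JOB-mode gap."""
    findings = []
    for u in users:
        mode = web_viewer_mode(u, defmode)
        if mode is None:
            findings.append((u.logon_id, "DENIED: no mode usable from Web Viewer"))
        elif u.last_mode == "JOB":
            findings.append((u.logon_id, f"FALLBACK: JOB on 3270, {mode} on Web Viewer"))
    return findings


# Constructed sample data, not taken from a real CA View database.
SAMPLE_USERS = [
    ViewUser("OPER01", frozenset({"JOB"}), "JOB"),
    ViewUser("OPER02", frozenset({"JOB", "SARO"}), "JOB"),
    ViewUser("RPT01", frozenset({"EXP", "SAR"}), "EXP"),
    ViewUser("NEW01", frozenset(), None),
]

if __name__ == "__main__":
    for logon_id, finding in audit(SAMPLE_USERS, defmode={"JOB"}):
        print(logon_id, finding)
```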
CA Top Secret Security Considerations
If you use CA Top Secret Security as your primary security package, take the following steps to establish the authorization required by the CA DRAS task to access the CA View database.
  1. Create an ACID to assign to the CA DRAS started task.
  2. Give this ACID the appropriate security permissions for the CA View and CA DRAS datasets.
  3. Give this ACID access to the CA View facility.
  4. Define a new CA DRAS facility in Top Secret.
  5. Give this ACID a MASTFAC pointing to the new CA DRAS facility.
  6. Add an entry in the started task table to assign this ACID to the CA DRAS started task.
  7. Give users access to the CA DRAS facility.
  8. Restart the CA DRAS started task to pick up the new security definitions.
CA ACF2 Security Considerations
If you use CA ACF2 Security as your primary security package, take the following steps to establish the authorization required by the CA DRAS task to access the CA View database.
  1. Create a LOGONID for the started tasks as follows:
    INSERT DRAS STC NAME(dras)
  2. Compile a data set rule to give the CA DRAS task access to CA View data sets as follows:
    $KEY(drashighlvl)
    caview.hlq UID(view uid) R(A) W(A) A(L) E(A)
    Note: As an alternative to compiling data set rules, the CA DRAS task logon ID can be given NON-CNCL privileges. This logon ID can then access any data set or resource without having to compile rules. Using this method, CA DRAS has full access to CA View. The internal security rules defined in CA View then control password or password phrase and user ID validation and SYSOUT ID access authorization.
  3. Create the logon ID as follows:
    INSERT DRAS STC NAME(dras) NON-CNCL
    Note: If users log on to CA View or CA DRAS, that logon ID also needs the MUSASS (Multi-User Single Address Space System) logon ID attribute as follows:
    INSERT DRAS STC NAME(dras) NON-CNCL MUSASS
Important!
To verify the proper CA View user definition and security setup, view the reports from a 3270 emulator. If you cannot view reports through your mainframe emulation, you cannot generate a report list through cooperative processing. To correct this, review this topic or contact Broadcom Support for assistance.