CA-View Security
Securing Reports in CA-View r11
Topics
- CA-View Security Overview
- External Security Enhancements in CA-View r11
- Internal Security Parameters
- External Security Parameters
- Activating FASTAUTH support
- What Resources are protected?
- Class/Resource Format
- Required Access Levels
- Securing Database Utilities
- Security Related User Exits
- Converting View 2.0 Security Rules
- Troubleshooting Security Problems
- Resource Names
Copyright © 2006 CA. All rights reserved. All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
CA-View Security Overview
Internal Security
- Verify Mode
  - ALL mode
  - SARO mode
  - SAR mode
  - EXPO mode
  - EXP mode
- Init Parms
  - DEFMODE
  - DELETE
  - PWBATCH
- DEF USER table
External Security
- Verify Logon Credentials
- Verify Report Function Authority
- Verify Command Line Authority
- Verify DATABASE Authority
- Init Parms
  - SECID
  - SECURITY
  - SECLIST
CA-View Security Overview
- Internal Security does not require an External Security product
  - Access to reports is defined within CA-View (SAR mode) or CA-Deliver (EXP mode)
  - Can be enhanced by coding user exits
    - SARATHUX – Controls access to database utilities
    - SARSECUX – Controls access to database objects
    - SARUSxUX – Called to verify logon and logoff
- External Security interfaces to your External Security Product
  - Optional – works in conjunction with Internal Security
  - Access is defined via Class/Resource rules
  - Access to protected resources can be logged
  - Resource Class and access levels can be altered via SARSECUX
  - Internal Security CANNOT override External Security
  - When External Security is active, either system can deny the access request
External Security Enhancements
- External Security is NOT a new feature
  - Previous releases used dataset-level security to control report access
- r11 increased the size of the Report ID to 32 characters
  - Dataset names are limited to 44 characters, so a SECID plus a 32-character Report ID no longer fits in a dataset-name rule
  - r11 uses Class/Resource rules to overcome this limitation
  - Uses an External Security CLASS (CHA1VIEW)
- Much more than the older report-level security model
  - Index report segments can now be secured
  - Logical Views, Filters, Users, Devices, Panels, Banners, …
- Security calls are now part of the base product
  - Exits are no longer needed for security checks
  - Security calls were removed from the user exits (SARUSxUX and SARSECUX)
Internal Security Parameters
- SECURITY=INIT
  - No External Security
  - Full access to any report in ALL mode
  - Limited access to reports in SAR, SARO, EXP, EXPO mode
  - DEF USER password is not verified
- SECURITY=INTERNAL
  - ALMOST the same as INIT, except that the DEF USER password is verified at entry
- SECURITY=LOGON
  - ALMOST the same as INIT, except that the EXTERNAL password is verified at entry
- DEFMODE=NNNNN
  - New users must be manually added to the USER TABLE
  - Users cannot logon until they are added to the USER TABLE
Internal Security Parameters
- DELETE=NO
  - Online users cannot delete reports
- PWBATCH=database password
  - This password must be specified in all batch control statements that access this database
  - Batch jobs submitted from the online interface automatically include this password
  - Not printed on any listing
  - Prevents users from submitting their own SARBCH jobs
  - Should be changed at regular intervals
  - Treat it as a shared secret: anyone who can read a batch control statement that contains it has it
External Security Parameters
- SECURITY=EXTERNAL
  - RACROUTE calls verify Userid/Password
  - RACROUTE calls verify access to resources
    - Reports, Views, Filters, Bookmarks, Annotations, …
  - RACROUTE calls verify access to command line functions
    - DEF USER, DEF SYS, DEF DIST, DISPLAY, …
- SECID=secid
  - High Level Qualifier (HLQ) for all resources in the database
  - SECID=VIEW (default)
- SECLIST=NONE
  - Turns off "List Level" security
- SECLIST=ALL
  - Activates RACROUTE calls for REPORT, INDEX, and DEFINE
  - Users only see a list of items they are authorized to access
External Security Parameters
- SECLIST=REPORT,INDEX,DEFINE
  - Activates RACROUTE calls for each item in the list(s)
  - REPORT security filters the Report (SYSOUT) selection list
  - INDEX security filters a report index list
  - DEFINE security filters the DEF USER, DEF SYS, DEF DIST, and DEF VIEW lists
  - Specify any combination of these options
  - Users only see a list of items they are authorized to access
- INDEX security can cause thousands of RACROUTE calls
  - Response time will increase
  - Consider making these resource rules resident in your security package
- SECLIST security is NOT a requirement for INDEX level security
  - Without SECLIST security, users see a list of all index values, so the values themselves (department, account or customer numbers, for example) are visible to every user
  - When a user selects a list entry, it is still validated for user access
Activating FASTAUTH support
- Improves response time when using SECLIST=INDEX
- Verifies access against resource profiles brought into main storage
- Does not issue SVCs
- Rules must be resident
  - Because FASTAUTH checks the in-storage copy, a rule change is not seen until the resident rules are refreshed in the security package (for RACF, SETROPTS RACLIST(classname) REFRESH)
- Supported by:
  - CA-Top Secret
  - CA-ACF2
  - RACF
- FEATURE #4 invokes FASTAUTH calls
What Resources Are Protected?
Resource Type   Protected Resources
BANR            Banner page members (DISP Banner)
DBAS            SARDBASE functions (SARDBASE, SARINIT, SARBCH)
DEV             Device definition (DEF DEV command)
DIST            Distribution definition (DEF DIST command)
FILT            Filter definitions (DEF FILTER command)
IDXN            Index names
IDXV            Index values
NOTE            Annotations and bookmarks
PANL            Online panel members (DISP Online)
REPT            Sysouts/Reports
RAPS            All pages of a Sysout/Report
SYS             Sysout definition (DEF SYS command)
USER            User IDs (DEF USER command)
VIEW            Logical Views
External security applies to Online, Batch, Cooperative processing, and SARSAM!
Class/Resource Format
- Rules need to be defined to your External Security Product
- Single security class: CHA1VIEW
- Resource Name
  - SECID=secid
  - Resource type
    - 14 resource types
    - Resource types correspond to data within the View database
  - Entity name
    - Embedded blanks are converted to underscore (_)
    - Embedded asterisks are converted to plus sign (+), so a literal asterisk in a report ID is not mistaken for a masking character in a rule
- Access Level
  - READ, UPDATE, CONTROL, ALTER
- Sample Resource Name
  - secid.REPT.reportid
  - VIEW.REPT.GENERAL_LEDGER
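The naming rules on this slide, as an added example that is not part of the original deck or of any CA code. The resource-type list, the SECID prefix, the blank and asterisk conversions and the DBAS exception (entity is the database HLQ, no SECID) are taken from the slides; the dropping of trailing pad blanks, the 32-character report-ID check and the "P" scope letter for public views are assumptions. Use it to generate the exact CHA1VIEW entity names your security administrator has to define.

```python
"""Build CHA1VIEW resource names from a SECID, resource type and qualifiers."""
from typing import Tuple

SECURITY_CLASS = "CHA1VIEW"

# The 14 resource types listed on the "What Resources Are Protected?" slides.
RESOURCE_TYPES = frozenset({
    "BANR", "DBAS", "DEV", "DIST", "FILT", "IDXN", "IDXV",
    "NOTE", "PANL", "REPT", "RAPS", "SYS", "USER", "VIEW",
})
MAX_REPORT_ID = 32   # r11 report IDs are up to 32 characters (assumed as a hard limit here)


def normalize_entity(value: str) -> str:
    """Entity-name rules from the slide: embedded blanks become '_', embedded
    asterisks become '+'. Trailing pad blanks from fixed-width fields are
    dropped first (assumption, not stated on the slide)."""
    return value.rstrip().replace(" ", "_").replace("*", "+")


def resource_name(secid: str, rtype: str, *qualifiers: str) -> str:
    """Return secid.TYPE.qualifier[.qualifier...], or DBAS.hlq for the DBAS
    type, which is never prefixed with SECID."""
    rtype = rtype.upper()
    if rtype not in RESOURCE_TYPES:
        raise ValueError(f"unknown CA-View resource type: {rtype}")
    parts = [normalize_entity(q) for q in qualifiers if q.strip()]
    if rtype in ("REPT", "RAPS") and (not parts or len(parts[0]) > MAX_REPORT_ID):
        raise ValueError("REPT/RAPS need a report ID of 1 to 32 characters")
    if rtype == "DBAS":
        if len(parts) != 1:
            raise ValueError("DBAS takes exactly one qualifier: the database HLQ")
        return ".".join(["DBAS", *parts])          # e.g. DBAS.SARP.SYSTEM1
    return ".".join([secid, rtype, *parts])


def view_resource(secid: str, report_id: str, view_number: int, scope: str = "P") -> str:
    """Logical-view resource: secid.VIEW.nnn.P.reportid. The slides only show
    'P' (public view) in the scope position; other letters are not assumed."""
    return resource_name(secid, "VIEW", f"{view_number:03d}", scope, report_id)


def profile_for(secid: str, rtype: str, *qualifiers: str) -> Tuple[str, str]:
    """(class, entity) pair, the two things a rule in the security package needs."""
    return SECURITY_CLASS, resource_name(secid, rtype, *qualifiers)


if __name__ == "__main__":
    for cls, ent in (
        profile_for("VIEW", "REPT", "GENERAL LEDGER"),     # blank -> underscore
        profile_for("VIEW", "REPT", "PAY*ROLL"),           # asterisk -> plus
        profile_for("VIEWR11", "IDXV", "DEPT", "Dept001"),
        profile_for("ignored", "DBAS", "SARP.SYSTEM1"),    # SECID not used
    ):
        print(cls, ent)
    print(SECURITY_CLASS, view_resource("VIEWR11", "GLREPORT", 1))
```

Feed the output straight into your RDEFINE/PERMIT (RACF), TSS PERMIT or ACF2 resource-rule scripts; the only thing that changes per database is the SECID.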
Required Access Levels
Description                               RACF      TSS       ACF2
Read access                               READ      READ      READ
Update access (L, P, J, /CHANGE, UNLOAD)  UPDATE    UPDATE    UPDATE
Elite access (ADDDS, K, I, …)             CONTROL   CONTROL   DELETE
Delete or Rename                          ALTER     ALL       ADD
Securing Database Utilities
- "DBAS" resource type controls access to database utilities
  - SARDBASE
  - SARINIT
  - SARBCH
- "DBAS" security is DEACTIVATED by default
  - Install SARATHU1 to activate DBAS security calls
  - SARATHU1 is found in the PPOPTION install library
  - Until it is installed, anyone who can run SARINIT against the database can change the SECURITY, SECID and SECLIST settings described above, so activate DBAS security before relying on them
- SECID is not used with this resource type
  - Resource type is DBAS
  - Entity name is the database high level qualifier (HLQ)
- Example
  - DBAS.SARP.SYSTEM1 (SARP.SYSTEM1 is the HLQ of the View database)
Security and Cross Memory Services
- LGNSEC=YES
  - Activates external security for XMS regions
  - Userid validation
  - No prompting for Userid (except VTAM)
  - Inherits the USERID from the CICS, IMS, or TSO session
- LGNSEC=YESP
  - Activates external security for XMS regions
  - Userid and Password validation
  - Forces the user to enter USERID and PASSWORD
  - These values are then validated with your external security product
- LGNPROP=YES
  - SESSION Userid passed to MVS during submit processing
  - LGNSEC=NO passes the XMS region USERID rather than the session USERID, so work submitted online runs, and is audited, under the region's identity instead of the user's
  - Only valid with LGNSEC=YES or YESP
Security Related User Exits
- Logon User Exits
  - SARUSAUX* - VTAM LOGON EXIT
  - SARUSXUX* - XMS LOGON EXIT
  - SARUSDUX* - DRAS LOGON EXIT
  - SARUSRUS - ROSCOE LOGON EXIT
  - SARUSTUX - TSO / ISPF LOGON EXIT
* In View 2.0, these exits were used to verify userid and password. This functionality is now performed in CA-View if the SECURITY parameter is set to EXTERNAL or LOGON.
Security Related User Exits
- SARSECUX - CA-View Security exit
  - Major changes from View 2.0
    - All RACROUTE calls have been removed
    - Allows for Class/Resource modification before RACROUTE
      - External Security CLASS (CHA1VIEW)
      - Standard resource name (Secid.Resource Type.Resource Name)
      - Access Level (Read, Update, Control, Alter)
  - Always called regardless of the SECURITY setting
  - Return Codes:
    - 0 – Exit has granted access; do not call External Security
    - 4 – Exit has denied access; do not call External Security
    - 8 – CA-View should determine access based on the SECURITY parameter
  - An exit that returns 0 bypasses the external check entirely, so review its source as security-critical code and protect the load library it is installed from
Security Related User Exits
- SARATHUX – Database Utility Exit
  - Controls access to database utility functions
    - SARDBASE, SARINIT, SARBCH
  - Default exit allows access to all utility functions
  - You must install SARATHU1 to activate security for database utility functions
  - Allows for Class/Resource modification before RACROUTE
    - External Security CLASS (CHA1VIEW)
    - Standard resource name (DBAS.db high level qualifier)
    - Access Level (Read, Update, Control, Alter)
  - Always called regardless of the SECURITY setting
  - Return Codes:
    - 0 – Exit has granted access; do not call External Security
    - 4 – Exit has denied access; do not call External Security
    - 8 – CA-View should determine access based on the SECURITY parameter
Converting View 2.0 Security Rules
- Documented procedures for converting CA-View 2.0 dataset rules
  - CA-View System Reference Manual – Chapter 13
    - Converting Unicenter CA-View 2.0 eTrust CA-Top Secret Permissions
    - Converting CA-ACF2 View Access Rules into CA-ACF2 View Resource Rules
- Don't delete your old View 2.0 access rules
  - You will need them in case of a fallback
- Temporary solution until CA-View r11 rules are in place
  - APAR QO90562 will allow you to use your View 2.0 access rules with View r11
  - Set SECID to the same value used in the old RACF or ACF2 parameter
  - Report ID must not be greater than 12 characters
  - New r11 resources will not be protected
    - Views, Filters, Index Level Security, Command Line Functions, …
Troubleshooting Security Problems
- Why was "Access Denied"?
  - Verify that the correct values have been set in SARINIT
    - SECURITY=EXTERNAL
    - SECID=secid
    - SECLIST=
  - Only having a problem with XMS users?
    - Verify that LGNSEC is set to YES or YESP
    - Verify that LGNPROP is set to YES
- Activate CA-View Security WTOs to see what is failing
  - SARINIT parm: FEATURE=1,xx,xx,xx
  - Diagnostic security WTOs will be produced for all users on this database (expect a high message volume, especially with SECLIST=INDEX)
  - All security calls are traced
  - SARATH92 messages document "failures"
  - "Failures" are normal when a selection list is being filtered (SECLIST)
  - Turn tracing off when you finish: FEATURE=xx,xx,xx
Troubleshooting Security Problems
- SARATH92 AUTHORIZATION FAILED userid UNDER ISPF RC=0.20.0
- SARATH92 CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.000.P.GLREPORT
- The three numbers in RC= are the SAF return code, the RACF return code and the RACF reason code; the IBM Security Server RACROUTE Macro Reference documents them

SAF RC  RACF RC  RACF Reason  Description
0       20       XX           XX is the user's highest authority to this resource:
                              00 – No Authority
                              04 – Read Authority
                              08 – Update Authority
                              12 – Control Authority
                              16 – Alter Authority
4       4        0            RACF is not protecting the resource; class CHA1VIEW is probably not defined to RACF
8       8        0            User does not have authority to access the resource
Troubleshooting Security Problems
- Accessing a report – normal diagnostic messages
  - FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
    - Can the user access the report called XXXXX02A? (yes)
  - FUNC=CPLFVACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.VIEW.000.P.XXXXX02A
    - Can the user access Public View 0 for the XXXXX02A report? (yes)
  - FUNC=CPLFAPGS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.RAPS.XXXXX02A
    - Can the user access ALL PAGES of the XXXXX02A report? (yes)
- Accessing a report – abnormal diagnostic messages
  - FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
    - Can the user access the report called XXXXX02A?
  - TSS7250E 136 J=XXXXX02 A=XXXXX02 TYPE=CHA1VIEW RESOURCE=VIEW.REPT.XXXXX02A
    - Top Secret reports a security violation
  - TSS7251E Access Denied to CHA1VIEW <VIEW.REPT.XXXXX02A>
  - SARATH92 AUTHORIZATION FAILED XXXXX02 UNDER ISPF RC=8.8.0
  - SARATH92 CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
    - CA-View reports an access failure
    - User does not have authority to access this resource (8.8.0)
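A triage script for the FEATURE=1 trace output and the SARATH92 return-code table on the two slides above. This is an added example and not part of the deck or of CA's product; it only knows the message layouts shown on these slides (FUNC=/ACCESS=/CLASS=/ENTITY= trace lines, the SARATH92 AUTHORIZATION FAILED line and the SARATH92 CLASS=/ENTITY= line that follows it), and the sample trace embedded below is constructed from those layouts, with the RC=0.20.4 case made up to exercise the highest-authority mapping. It separates the three causes the table distinguishes: the class is not defined (fix the security package), the user has no permit (write a rule), or the user holds a lower level than the call asked for (raise the permit).

```python
"""Pair SARATH92 failures with the trace line that caused them and classify the RC."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# RACF reason code -> the user's highest authority to the resource (RC=0.20.XX row).
HIGHEST_AUTHORITY = {0: "NONE", 4: "READ", 8: "UPDATE", 12: "CONTROL", 16: "ALTER"}

TRACE_RE = re.compile(
    r"FUNC=(?P<func>\S+) ACCESS=(?P<access>\S+) CLASS=(?P<cls>\S+) ENTITY=(?P<entity>\S+)")
FAILED_RE = re.compile(
    r"SARATH92 AUTHORIZATION FAILED (?P<user>\S+) UNDER (?P<env>\S+) "
    r"RC=(?P<saf>\d+)\.(?P<racf>\d+)\.(?P<reason>\d+)")
ENTITY_RE = re.compile(r"SARATH92 CLASS=(?P<cls>\S+) ENTITY=(?P<entity>\S+)")


def classify(rc: Tuple[int, int, int]) -> Tuple[str, Optional[str]]:
    """Map a SAF.RACF.reason triplet to a triage category per the slide's table."""
    saf, racf, reason = rc
    if (saf, racf) == (0, 20):
        return "insufficient-level", HIGHEST_AUTHORITY.get(reason, f"reason {reason:02d}")
    if (saf, racf) == (4, 4):
        return "class-not-defined", None   # RACF is not protecting the resource
    if (saf, racf) == (8, 8):
        return "not-permitted", None       # user has no authority to the resource
    return "unknown", None                 # look it up in the RACROUTE reference


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Walk trace output in order. Each AUTHORIZATION FAILED line is completed by
    the SARATH92 CLASS=/ENTITY= line after it and joined to the most recent
    FUNC=/ACCESS= trace line for the same entity, so the record shows which
    call failed and what access level it asked for."""
    last_trace: Dict[str, Dict[str, str]] = {}
    pending: Optional[Dict[str, object]] = None
    results: List[Dict[str, object]] = []
    for line in lines:
        m = TRACE_RE.search(line)
        if m:
            last_trace[m["entity"]] = m.groupdict()
            continue
        m = FAILED_RE.search(line)
        if m:
            rc = (int(m["saf"]), int(m["racf"]), int(m["reason"]))
            category, highest = classify(rc)
            pending = {"user": m["user"], "env": m["env"], "rc": rc,
                       "category": category, "highest": highest}
            continue
        m = ENTITY_RE.search(line)
        if m and pending is not None:
            trace = last_trace.get(m["entity"], {})
            pending.update({"class": m["cls"], "entity": m["entity"],
                            "func": trace.get("func"), "access": trace.get("access")})
            results.append(pending)
            pending = None
    return results


def summarize(results: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per failure."""
    out = []
    for r in results:
        rc = ".".join(str(n) for n in r["rc"])
        detail = f" (highest held: {r['highest']})" if r["highest"] else ""
        out.append(f"{r['user']}: {r['category']} on {r['entity']} via {r['func']} "
                   f"wanting {r['access']}, RC={rc}{detail}")
    return out


# Constructed sample (not a real console log), in the layouts shown on the slides.
SAMPLE_TRACE = """\
FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
TSS7250E 136 J=XXXXX02 A=XXXXX02 TYPE=CHA1VIEW RESOURCE=VIEW.REPT.XXXXX02A
TSS7251E Access Denied to CHA1VIEW <VIEW.REPT.XXXXX02A>
SARATH92 AUTHORIZATION FAILED XXXXX02 UNDER ISPF RC=8.8.0
SARATH92 CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.REPT.GLREPORT
SARATH92 AUTHORIZATION FAILED USER01 UNDER ISPF RC=4.4.0
SARATH92 CLASS=CHA1VIEW ENTITY=VIEWR11.REPT.GLREPORT
FUNC=CPLFVACC ACCESS=UPDATE CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.000.P.GLREPORT
SARATH92 AUTHORIZATION FAILED USER01 UNDER ISPF RC=0.20.4
SARATH92 CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.000.P.GLREPORT
"""

if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_TRACE.splitlines())):
        print(line)
```

Run it over the captured WTOs while FEATURE=1 is on; a run of class-not-defined results means the CHA1VIEW class itself is missing and no amount of PERMITs will help, whereas not-permitted results are the expected noise of SECLIST filtering unless the user actually reported a problem with that entity.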
Troubleshooting Security Problems
- Browsing a report requires at least 3 security rules
  1. The user needs READ access to the Report resource
  2. The user needs READ access to the logical view resource
  3. The user needs READ access to the pages within the report
    - The ALL PAGES resource (RAPS) allows the user to view the entire report
    - If a user does not have access to the all pages resource, they can only browse an indexed segment (IDXV) of the report
- Printing a report requires at least 3 security rules
  1. The user needs WRITE access to the Report resource (UPDATE in the Required Access Levels table)
  2. The user needs READ access to the logical view resource
  3. The user needs READ access to the pages within the report
    - The ALL PAGES resource (RAPS) allows the user to print the entire report
    - If a user does not have access to the all pages resource, they can only print an indexed segment (IDXV) of the report
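The browse and print check sequence above, together with the SARSECUX return codes from the Security Related User Exits slide, modelled as an added example that is not part of the deck or of CA's code. From the slides: the exit is called first and RC 0 grants, RC 4 denies and RC 8 defers to external security; a browse or print needs the REPT, VIEW and RAPS rules in that order, with an indexed segment (IDXV) as the fallback when RAPS is not held; and the access levels are READ, UPDATE, CONTROL, ALTER. Assumptions: the security package is a toy exact-match profile store; the slide's WRITE for print is treated as the UPDATE level; a "resource not protected" answer (RC 4.4.0 on the troubleshooting slide) is treated as a failure, as CA-View logs it; and the IDXN rule is checked before IDXV, following the order on the Resource Names slides.

```python
"""Simulate the SARSECUX-then-external-security decision for browse and print."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

LEVELS = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")   # ordered low to high


def _rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class ExternalSecurity:
    """Stand-in for RACF/TSS/ACF2 (assumption): entity -> {userid: highest level}."""
    profiles: Dict[str, Dict[str, str]] = field(default_factory=dict)
    class_defined: bool = True

    def check(self, userid: str, entity: str, access: str) -> str:
        if not self.class_defined:
            return "NOT_PROTECTED"          # the 4.4.0 case: class not defined
        held = self.profiles.get(entity, {}).get(userid, "NONE")
        return "GRANTED" if _rank(held) >= _rank(access) else "DENIED"


ExitFn = Callable[[str, str, str], int]


def sarsecux_default(userid: str, entity: str, access: str) -> int:
    """Default exit behaviour: RC 8, let the SECURITY parameter decide."""
    return 8


def authorize(userid: str, entity: str, access: str, ext: ExternalSecurity,
              exit_fn: ExitFn = sarsecux_default) -> bool:
    rc = exit_fn(userid, entity, access)
    if rc == 0:
        return True                         # exit granted; external security not called
    if rc == 4:
        return False                        # exit denied; external security not called
    if rc != 8:
        raise ValueError(f"SARSECUX returned unexpected RC {rc}")
    # Fail closed: anything but GRANTED (including NOT_PROTECTED) is a failure.
    return ext.check(userid, entity, access) == "GRANTED"


def report_access(userid: str, secid: str, report: str, view_number: int, action: str,
                  ext: ExternalSecurity, index: Optional[Tuple[str, str]] = None,
                  exit_fn: ExitFn = sarsecux_default) -> Tuple[str, str]:
    """Run the three checks in slide order. Returns (outcome, entity), where the
    outcome is ALL_PAGES, INDEXED_SEGMENT or DENIED and the entity is the
    resource that decided it."""
    if action not in ("browse", "print"):
        raise ValueError(f"unknown action {action}")
    report_level = "READ" if action == "browse" else "UPDATE"   # slide says WRITE for print
    checks = [
        (f"{secid}.REPT.{report}", report_level),                # 1. the report itself
        (f"{secid}.VIEW.{view_number:03d}.P.{report}", "READ"),  # 2. the public logical view
    ]
    for entity, level in checks:
        if not authorize(userid, entity, level, ext, exit_fn):
            return "DENIED", entity
    raps = f"{secid}.RAPS.{report}"                              # 3. the pages
    if authorize(userid, raps, "READ", ext, exit_fn):
        return "ALL_PAGES", raps
    if index is not None:                                        # fall back to one segment
        name, value = index
        idxv = f"{secid}.IDXV.{name}.{value}"
        if (authorize(userid, f"{secid}.IDXN.{name}", "READ", ext, exit_fn)
                and authorize(userid, idxv, "READ", ext, exit_fn)):
            return "INDEXED_SEGMENT", idxv
    return "DENIED", raps


# Constructed sample rule set (not from the slides): USER1 may read GLREPORT but
# only the DEPT=Dept001 segment; USER2 may print the whole report.
SAMPLE_RULES = ExternalSecurity(profiles={
    "VIEW.REPT.GLREPORT":       {"USER1": "READ", "USER2": "UPDATE"},
    "VIEW.VIEW.000.P.GLREPORT": {"USER1": "READ", "USER2": "READ"},
    "VIEW.RAPS.GLREPORT":       {"USER2": "READ"},
    "VIEW.IDXN.DEPT":           {"USER1": "READ"},
    "VIEW.IDXV.DEPT.Dept001":   {"USER1": "READ"},
})

if __name__ == "__main__":
    print(report_access("USER1", "VIEW", "GLREPORT", 0, "browse", SAMPLE_RULES, index=("DEPT", "Dept001")))
    print(report_access("USER1", "VIEW", "GLREPORT", 0, "print", SAMPLE_RULES))
    print(report_access("USER2", "VIEW", "GLREPORT", 0, "print", SAMPLE_RULES))
```

The returned entity is the one to look for in the SARATH92 CLASS=/ENTITY= pair when a user complains: a DENIED on the RAPS entity for a user who is meant to see only one department is the intended outcome, not a bug.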
Resource Names
Resource Type: REPT (Sysouts / Reports)
  FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.REPT.GLREPORT
Resource Type: RAPS (All Pages)
  FUNC=CPLFAPGS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.RAPS.GLREPORT
Resource Type: VIEW (DEF VIEW)
  FUNC=CPLFVACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.001.P.GLREPORT
  FUNC=CPLFVSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.001.P.GLREPORT
Resource Names
Resource Type: IDXN (Access Index Name)
  FUNC=CPLFIFS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.IDXN.DEPT
  FUNC=CPLFIFS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.IDXN.UNNAMED
  A default of "UNNAMED" is used if an index name is not defined.
Resource Type: IDXV (Access Index Value)
  FUNC=CPLFISL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.IDXV.DEPT.Dept001
Resource Type: BANR (Access Banner Page)
  FUNC=CPLFBACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.BANR
  FUNC=CPLFBSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.BANR.DEFAULT
Resource Names
Resource Type: PANL (Access Panel Member)
  FUNC=CPLFPACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.PANL
  FUNC=CPLFPSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.PANL.SARAFPBR
Resource Type: SYS (DEF SYS command)
  FUNC=CPLFYACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.SYS
  FUNC=CPLFYSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.SYS.GLREPORT
Resource Type: USER (DEF USER command)
  FUNC=CPLFUACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.USER
  FUNC=CPLFUSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.USER.XXXXX02
Resource Names
Resource Type: DEV (DEF DEV command)
  FUNC=CPLFCACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DEV
  FUNC=CPLFCSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DEV.PRT2
Resource Type: DIST (DEF DIST command)
  FUNC=CPLFDACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DIST
  FUNC=CPLFDSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DIST.USERDST
Resource Names
Resource Type: FILT (DEF FILT command)
  FUNC=CPLFFACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.FILT
  FUNC=CPLFFSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.FILT.SECFILT
Resource Type: NOTE (NOTE command)
  FUNC=CPLFNCSC ACCESS=WRITE CLASS=CHA1VIEW ENTITY=VIEWR11.NOTE.A.U.GLREPORT.FUNCTBL
  FUNC=CPLFNASC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.NOTE.A.U.GLREPORT.FUNCTBL
Resource Names
Resource Type: DBAS (Utility Functions)
  SARATHU1 implements DBAS security
  DBAS.dbhlq
  Messages issued when access is denied:
  SARDBA15 Authorization failed (SARDBASE)
  SARINI19 Job/User not authorized to access data base (SARINIT)
  SARBCH02 Job/User not authorized to access database (SARBCH)