Adabas SAF Security Configuration Parameters

Enter a 1 to 8 character prefix which will be used as the first element of any resource profile names checked by Adabas SAF Security.

For example, specifying AAFPRFX=TEST,DBFLEN=1,DELIM=Y will cause accesses to database 153, file 12 to be checked against a resource profile named TEST.CMD00153.FIL00012.

The default is no prefix.

Note:
The prefix specified in SAFCFG may be overridden by DDSAF input. However, because DDSAF is not used for utilities, the nucleus and utility start checks are performed using the prefix defined in SAFCFG.

AAFPRFX=xxxxxxxx

Level of protection for Adabas Basic Services:

• 0: disables ADASAF protection for Adabas Basic Services

• 1: ADASAF is to protect main functions only

• 2: ADASAF is to protect both main and subfunctions

See also the section Adabas Basic Services.

ABS={0| 1 | 2 }

Indicates whether or not the Logon ID of the security package is to be used as the Adabas Security password.

• N: the Logon ID of the security package is not to be used as the Adabas Security password

• Y: the Logon ID is placed in the Additions 3 field of the Adabas control block for use by Adabas

• G: the caller’s SAF group is placed in the Additions 3 field of the Adabas control block for use by Adabas.

ADASCR={N | Y | G }

Indicates whether or not ADASAF should extract Adabas cipher codes from RACF and apply them to the relevant Adabas commands.

• N: ADASAF should not extract Adabas cipher codes from RACF and apply them to the relevant Adabas commands

• Y: ADASAF will extract Adabas cipher codes from RACF and apply them to the relevant Adabas commands

CIPHER={N| Y }

The name of the ADASAF database resource class name. The name can be up to eight alphanumeric characters.

DBCLASS={ name | ADASEC}

The format of the Database ID and file number in resource profiles:

• 0: 3 digits with leading zeroes

• 1: 5 digits with leading zeroes

• 2: up to 5 digits with leading zeroes suppressed

The default value is recommended to simplify reporting and maintenance of security profiles; to allow for the large Database IDs and file numbers introduced with Adabas version 6; and to allow for ET data protection, if required.

DBFLEN={ 0 |1| 2 }

The number of database checks to be buffered per user, in the cache defined by GWSIZE. These buffered checks are used to avoid repeated SAF calls for a user when LOGOFF=NEVER or LOGOFF=TIMEOUT is specified.

DBNCU=0

Indicates whether or not access to undefined Adabas resources should be allowed. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing Adabas resources are added to the security repository with either a default access or by granting access to specific users and groups.

• N: access to undefined Adabas resources is not allowed

• Y: access to undefined Adabas resources is allowed

Note:
This option does not permit access to resources defined with universal access "none".

Note:
DBUNI is ignored when checking whether a nucleus or utility is allowed to execute.

DBUNI={N| Y }

Use of delimiter when defining an entity name.

• N: the entity name begins with ACC for access commands and UPD for update commands and does not contain a full stop (period) delimiter

• Y: the entity name begins with CMD and has a full stop (period) delimiter between the Database ID and file number

DELIM={ N | Y}

Indicates whether or not ADASAF should protect commands that access or create ET data.

• N: ADASAF should not protect commands that access or create ET data

• Y: ADASAF should protect commands that access or create ET data

This parameter is only honored if fixed-length Database IDs and file numbers are used in the resource profile names (that is, the DBFLEN parameter specifies 0 or 1). File number 00000 (DBFLEN=1) or 000 (DBFLEN=0) is checked for the relevant database. RE commands need read access; OP commands with Command Option 2 set to E need read access; ET, CL, and C3 commands with Command Option 2 set to E need update access.

ETDATA={ N |  Y }

Indicates the action to be taken when an Adabas utility SAF security check fails.

• YES: the utility job abends U0042. This is the default.

• NO: the security violation is ignored and the utility job is allowed to continue.

A setting of NO may be useful during the Adabas SAF Security implementation phase, to identify the required security definitions without impacting the execution of utility jobs.

FAILUTI={YES | NO}

The name of the load module containing grouped resource names for this nucleus. Grouped resource names can be used instead of database/file number when checking access to an Adabas file. The load module is created using the AAFFILE macro (see Defining Grouped Resource Names with AAFFILE in the section Accessing and Changing Database Data) and its name must be a valid load module name of up to 8 characters.

The default is not to use grouped resource names.

FILETAB=xxxxxxxx

Indicates whether or not the Group ID rather than the User ID is to be used for resource authorization checking.

• N: Group ID is not to be used for resource authorization checking

• Y: Group ID is to be used for resource authorization checking

GROUP={ N | Y }

The tracing level for database security checks.

• 0: no tracing

• 1: trace violations only

• 2: trace successful checks only

• 3: trace all checks

For easier problem diagnosis and auditing, trace messages include a time stamp and the name of the job that issued the Adabas call.

Trace information is also accumulated in the System Coordinator trace facility, if active.

GWMSGL={ 0 | 1 | 2 | 3 }  

The amount of storage (in kilobytes) to be used for caching user information related to the security system, for example checked entity names. For optimum performance in conjunction with LOGOFF=NEVER|TIMEOUT, ensure that GWSIZE is large enough to allow effective caching. For more information, see the description of LOGOFF and the topic Caching of Security Checks in section Accessing and Changing Database Data.

WAL 812:

GWSIZE=16 

WAL 813 and above:

GWSIZE=256

The SAF security type.

• 1: RACF

• 2: CA-Top Secret

• 3: CA-ACF2

• 4: RACF executing on a Fujitsu operating system.

 GWSTYP={ 1 | 2 | 3 | 4 }

Determines whether hold commands (L4, L5, L6, S4 and HI) require READ access (the default) or UPDATE access. You may decide to require UPDATE access to prevent inadvertent holding of records by clients who only have READ access impacting clients who have genuine UPDATE access.

HOLDCMD={ R | U }

Specify whether or not the LF command is protected.

• Y: the SAF User ID which issued the LF command must have read access to the relevant file

• N: no security check is performed for LF commands

LFPROT={ Y | N}

Indicates when ADASAF should log off users from the SAF security system.

• ALWAYS: ADASAF is to log off the user whenever the associated Adabas user session ends, either because of a Close command or because the Adabas user has been stopped or timed out.

• NEVER: ADASAF is to log off the user only when the user's memory (in the cache specified by GWSIZE) needs to be allocated to a new user.

• TIMEOUT: ADASAF is to log off the user only when the associated Adabas user session has been timed out or stopped.

The settings LOGOFF=NEVER and LOGOFF=TIMEOUT will substantially reduce SAF overheads in databases where users often issue Close commands and then start a new session. However, it may be necessary to increase GWSIZE to provide enough memory to save the user details across Close commands.

Use the Adabas session statistics "Number of users participating" and "Number of commands executed" to decide whether LOGOFF=NEVER or LOGOFF=TIMEOUT should be used. If the number of commands per user is relatively low, consider setting LOGOFF=TIMEOUT and then using ADASAF's Online Services to monitor the effectiveness of GWSIZE: option 1 shows the number of allocations (new users created) and overwrites (old users deleted); if these are high, increase GWSIZE.

If the Adabas non-activity timeout values are such that users are frequently timed out, set LOGOFF=NEVER rather than LOGOFF=TIMEOUT.

WAL 812:

LOGOFF={ ALWAYS | NEVER | TIMEOUT }

WAL 813 and above:

LOGOFF={ ALWAYS | NEVER | TIMEOUT } 

The number of files for which security information is to be cached for each user. If a user accesses more than this number of files, the oldest entries will be overwritten.

 MAXFILES={ nnnn | 16 }

The maximum number of passwords and cipher codes to be extracted from RACF for the current Adabas nucleus. If ADASAF finds more than this number, nucleus initialization is terminated with message AAF010.

MAXPCC={ nnnn | 16}

Indicates whether or not calls from unsecured mainframe clients are to be allowed. An unsecured mainframe client is a client operating in an environment that does not provide security information via the Adabas router. For example, a remote Lpar where the router has not been linked with the SAF security extensions (SVCSAF) or a CICS job that is using an Adabas link globals module that specifies SAF=NO.

• N: Calls from unsecured mainframe clients are not to be allowed

• Y: Calls from unsecured mainframe clients are to be allowed

Caution:
It is strongly recommended not to use NOTOKEN=Y since this may allow unauthorized access to or updating of Adabas data. NOTOKEN=Y is only intended for extremely short-term use during a phased implementation of Adabas SAF Security.

NOTOKEN={ N | Y }

The name of the ADASAF database resource class name for use in cross-level checks. The name can be up to eight alphanumeric characters.

NWCLASS={ name | ADASEC}

The number of database checks to be buffered per cross-level user, in the cache defined by GWSIZE.

NWNCU=0

Indicates whether or not access to undefined Adabas resources should be allowed for cross-level checks. The normal mode of operation is to prevent access to resources not defined to the security system. Profiles representing Adabas resources are added to the security repository with either a default access or by granting access to specific users and groups.

• N: access to undefined Adabas resources is not allowed for cross-level checks

• Y: access to undefined Adabas resources is allowed for cross-level checks

Note:
This option does not permit access to resources defined with universal access "none".

NWUNI={ N | Y }

The User ID to be used for database cross-level security checks issued on behalf of workstation users.

NWUSRW=WINUSER

Indicates whether or not ADASAF should extract Adabas passwords from RACF and apply them to the relevant Adabas commands.

• N: ADASAF should not extract Adabas passwords from RACF and apply them to the relevant Adabas commands

• Y: ADASAF should extract Adabas passwords from RACF and apply them to the relevant Adabas commands

PASSWORD={N | Y }

Specify whether or not the PC command is protected.

• N: no security checking of the PC command

• R: the SAF User ID which issued the PC command must have READ access to the file specified in the PC command

• U: the SAF User ID which issued the PC command must have UPDATE access to the file specified in the PC command

Note:
This configuration option has no influence on checking of commands issued by stored procedures. Those commands are always checked for the appropriate security access to the appropriate resource.

PCPROT={ N | R | U}

The mechanism ADASAF should use to protect calls from remote users.

• LINK: ADASAF is to use, as the SAF Logon ID, the Entire Net-Work link name by which the call arrived

• NODE: ADASAF is to use, as the SAF Logon ID, the Entire Net-Work node name from which the call arrived

• NONE: this setting must only be used in conjunction with Entire Net-Work SAF Security

• POPUP: ADASAF is to initiate the remote workstation logon procedure

REMOTE={ LINK | NODE | NONE | POPUP}

Specify whether security check trace messages should be written to DD SAFPRINT or to DD DDPRINT.

• N: security check trace messages are to be written to DD DDPRINT

• Y: security check trace messages are to be written to DD SAFPRINT

If SAFPRINT=Y is specified, but a SAFPRINT dataset is not provided, the trace messages will be written to DDPRINT.

The SAFPRINT dataset must be defined in the nucleus JCL and may refer to a SYSOUT dataset or to a file defined with RECFM=F (or FB) and LRECL=121.

SAFPRINT={N | Y }

The AAF prefix messages issued by ADASAF may be written in mixed or upper case. For compatibility with previous versions, the default is upper case.

• M: AAF prefix messages are to be written in mixed case

• U: AAF prefix messages are to be written in upper case

WTOCASE={ M | U }

The type of database cross-level security checking to be performed.

• 0: no cross-level checking

• 1: Perform a cross-level check only on a user's first call to a database nucleus

• 2: Perform a cross-level check every time a standard check is performed; this option may be useful if only certain files in the database should be accessible to a particular job

• 3: The User ID of the originating job should form part of the resource profile name. This option may be useful when different users have different access requirements, depending on the environment in which they are running

XLEVEL={0 | 1 | 2 | 3 }

DBCLASS={ name | ADASEC}
          

DBNCU=0

• N: access to undefined resources is not allowed

• Y: access to undefined resources is allowed

Notes:

1. This option does not permit access to resources defined with universal access "none".
2. DBUNI is ignored when checking whether a nucleus or utility is allowed to execute.

DBUNI={N| Y }

• F: access is not allowed for security

• W: access is allowed, even though the security system returned a violation

FAILMODE={F | W}

• 0: no tracing

• 1: trace violations only

• 2: trace successful checks only

• 3: trace all checks

GWMSGL={ 0 | 1 | 2 | 3 }  

GWSIZE=256

• 1: RACF

• 2: CA-Top Secret

• 3: CA-ACF2

• 4: RACF executing on a Fujitsu operating system.

GWSTYP={ 1 | 2 | 3 | 4 }

• N: security check trace messages are to be written to DD DDPRINT

• Y: security check trace messages are to be written to DD

SAFPRINT={N | Y }