RACF resource naming conventions

Access to Adabas Audit Data Retrieval functions

Access to Adabas Audit Data Retrieval functions is controlled via SAF (System Authorization Facility) calling conventions using RACF (Resource Access Control Facility). Each time a function is called within Adabas Audit Data Retrieval, the product creates a RACF entity, which is checked against the best-matching profile defined in RACF.

The security check is performed in the subsystem to prevent manipulation.

Resource class $BETA

All Beta product security checking is done using the RACF user resource class $BETA.

Before the security exit can be activated, it is necessary to define the $BETA class to RACF. For more information, see "User resource class $BETA" in BSA Installation and System Guide.

Defining resources in class $BETA

The installation security administrator must define all resources to RACF in the resource class $BETA. Resources must be defined either as fully-qualified or generic profile names.

Profile names

By default, a profile name looks like this:

B97.ssid.action[.form.extension.report]

where:

  • ssid is the Adabas Audit Data Retrieval subsystem ID
  • action is a 3-character qualifier that refers to an Adabas Audit Data Retrieval function (see "Function codes and entity generation rules")
  • form.extension.report is the Adabas Audit Data Retrieval name of the list

    (If you are not working with reports, replace the qualifier report with a hash sign or with an asterisk.)

Access levels

The security exit that is provided by Beta Systems distinguishes between two access levels for all resources defined in the class $BETA:

  • NONE (no access)
  • READ (access allowed)

Owner and security level

Owner and security level are passed to the security exit and may be used when defining security profiles. In this case, a profile name looks like this:

B97.ssid.action.owner.seclevel[.form.extension.report]

The Adabas Audit Data Retrieval sample security exit does not include the owner and security level. When modifying the security exit to include owner and security level, please make sure that the maximum length of resource names in the class $BETA is not exceeded. At present, the maximum length is 64 bytes.

Note on extension

Extensions may be blank.

By default, the security exit replaces a blank extension with a hash sign (#). To protect lists whose extension is blank, define the following profile to RACF:

B97.ssid.action.form.#.#
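
The naming rules from "Profile names", "Owner and security level" and this note, as an added planning aid (not code from the product or its sample security exit). It builds the entity name for a list and rejects names longer than 64 bytes. The function name, the sample values, and the substitution of # for a missing report qualifier are assumptions.

```python
MAX_ENTITY_LEN = 64   # maximum resource name length in class $BETA (from this page)
PLACEHOLDER = "#"     # the exit's default substitute for a blank extension


def build_entity(ssid, action, form=None, extension="", report="",
                 owner=None, seclevel=None):
    """Return B97.ssid.action[.owner.seclevel][.form.extension.report]."""
    if not ssid:
        raise ValueError("ssid is required")
    if len(action) != 3:
        raise ValueError("action must be a 3-character qualifier")
    if (owner is None) != (seclevel is None):
        raise ValueError("owner and seclevel must be supplied together")

    parts = ["B97", ssid, action]
    if owner is not None:
        # Only present when the exit has been modified to include them.
        parts += [owner, seclevel]
    if form is not None:
        # Blank extension becomes '#'. Using '#' for a missing report is an
        # assumption taken from the profile B97.ssid.action.form.#.#
        parts += [form,
                  extension.strip() or PLACEHOLDER,
                  report.strip() or PLACEHOLDER]

    entity = ".".join(parts)
    # Single-byte characters assumed, so len() equals the byte count.
    if len(entity) > MAX_ENTITY_LEN:
        raise ValueError(
            f"{entity} is {len(entity)} bytes, limit is {MAX_ENTITY_LEN}")
    return entity


if __name__ == "__main__":
    # Constructed sample values: subsystem B97P, hypothetical action code BRW.
    print(build_entity("B97P", "BRW", form="PAYROLL"))
    long_list = dict(form="F" * 16, extension="E" * 16, report="R" * 16)
    print(build_entity("B97P", "BRW", **long_list))      # fits: 63 bytes
    try:
        build_entity("B97P", "BRW", owner="FINANCE1", seclevel="05", **long_list)
    except ValueError as err:
        print("rejected:", err)                           # too long with owner
```

Running it over the longest list names in use shows whether adding owner and security level to the exit would push any entity past the limit.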

Note on multi-CPU environment

If you are using Adabas Audit Data Retrieval in a multi-CPU environment and would like to allow user access to Adabas Audit Data Retrieval subsystems on remote CPUs, you must provide the same RACF resource profile definitions on the local CPU as are defined for the remote CPU. This is necessary because security checking (logon and access validation) is always performed on the local CPU, even if the access is to a remote Adabas Audit Data Retrieval subsystem.