Access to Adabas Audit Data Retrieval functions is controlled via SAF (System Authorization Facility) calling conventions using RACF (Resource Access Control Facility). Each time a function is called within Adabas Audit Data Retrieval, the product creates a RACF entity, which is checked against the best-matching profile defined in RACF.
The security check is performed in the subsystem to prevent manipulation.
All Beta product security checking is done using the RACF user resource class $BETA.
Before the security exit can be activated, it is necessary to define the $BETA class to RACF. For more information, see "User resource class $BETA" in BSA Installation and System Guide.
The installation security administrator must define all resources to RACF in the resource class $BETA. Resources must be defined either as fully-qualified or generic profile names.
By default, a profile name looks like this:
B97.ssid.action[.form.extension.report]
where:
(If you are not working with reports, replace the qualifier report with a hash sign or with an asterisk.)
The security exit that is provided by Beta Systems distinguishes between two access levels for all resources defined in the class $BETA:
Owner and security level are passed to the security exit and may be used when defining security profiles. In this case, a profile name looks like this:
B97.ssid.action.owner.seclevel[.form.extension.report]
The Adabas Audit Data Retrieval sample security exit does not include the owner and security level. When modifying the security exit to include owner and security level, please make sure that the maximum length of resource names in the class $BETA is not exceeded. At present, the maximum length is 64 bytes.
Extensions may be blank.
By default, the security exit substitutes a blank extension using a hash sign ( # ). To protect lists whose extension is blank, define the following profile to RACF:
B97.ssid.action.form.#.#
If you are using Adabas Audit Data Retrieval in a multi-CPU environment and would like to allow user access to Adabas Audit Data Retrieval subsystems on remote CPUs, you must provide the same RACF resource profile definitions on the local CPU as are defined for the remote CPU. This is necessary because security checking (logon and access validation) are always performed on the local CPU, even if the access is to a remote Adabas Audit Data Retrieval subsystem.