Protecting Utilities

This section describes how you can use Natural Security to control the use of various Natural utilities.


General Utility Protection Considerations

The utility protection provided by Natural Security, as described in this section, is function-oriented, which means that it is based on the concept that you can allow or disallow individual functions of a utility. You control the use of a utility by defining utility profiles for it, in which you allow/disallow its functions. The utilities that can be protected in this manner are listed below.

To invoke a Natural utility, you usually enter the utility name as a system command (for example, to invoke the SYSERR utility, you enter the system command SYSERR). If a utility is invoked in this way, one of the utility profiles defined for this utility applies and controls the use of the utility - thus providing consistent protection of the utility.

Invoking a utility does not change the library you are currently in; that is, when you exit the utility, you are still in the same library from which you invoked the utility. See also the section Utility Activation in the Natural Utilities documentation.

To control the use of a utility, you need not define a library profile for the library which contains the utility. A library profile for a utility is only relevant if the utility requires access to programs in other libraries (for example, user exits contained in steplibs).

If a library profile is defined for a library containing a utility, and you log on to a utility library, the same logon rules apply as for a logon to any other library (as described in the section Logging On). From within the utility library, the utility may be invoked either by entering the utility name as system command (as from any other library) or by the startup transaction MENU (if defined in the utility's library profile) being executed. In the latter case, however, a LOGOFF command will be performed when you exit the utility.

The utilities SYSERR and SYSMAIN (and NATLOAD, NATUNLD and SYSTRANS) process the contents of libraries; if the use of these utilities is not controlled by utility profiles, the Utilities option in the library profile of the library processed applies.

Which Utilities Can Be Protected?

The use of the following Natural utilities can be controlled with utility profiles:

(*) These utilities are only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for these utilities can still be maintained. However, as the functionality of these utilities is now provided by the SYSOBJH utility, it is recommended that SYSOBJH be used - and protected accordingly. A function is provided which allows you to convert existing profiles for the old utilities into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.

Utility Profiles

Types of Utility Profiles

Basically, a utility profile consists of a list of the utility's functions, each of which can be allowed or disallowed by marking it with "A" or "D" respectively.

For each utility listed under Which Utilities Can Be Protected? (see above), you can define:

  • a default profile,

  • user-specific profiles,

  • library-specific profiles,

  • user-library-specific profiles.

Each utility is treated individually; that is, any utility profiles only apply to the utility they are defined for, and not to any other utilities.

Note:
If the use of a utility is protected by a utility profile, the Natural profile parameter settings MADIO=0 and MAXCL=0 apply automatically.

Default Utility Profile

The default profile of a utility applies for all users (except those for which user-specific profiles are defined). It determines which of the utility's functions the users may use and which not.

User-Specific Utility Profiles

If an individual user is to use (or not to use) other functions than the other users, you can define a user-specific utility profile.

Such a profile applies only to this user. It overrides the default profile and determines which of the utility's functions this particular user may use and which not.

Example:

In this example, the SYSBPM function "Delete Object from Buffer Pool" is disallowed for all users - except for the user UX, for whom it is allowed.

This means that UX is the only user who may delete objects from the buffer pool.

User-specific utility profiles can be defined for users of types "Group", "Administrator" and "Person".

A user-specific utility profile can only be defined if a default profile (or a template) has been defined for that utility. (Templates are described under Defining Default Profiles below.)

Library-Specific Utility Profiles

Several utilities affect individual Natural libraries (for example, SYSERR can be used to maintain error messages that belong to a specific library). Generally, the utility's default profile applies to all affected libraries.

However, if some of the utility's functions are only to be allowed/disallowed for a particular library, you can define a library-specific utility profile.

Such a profile applies only to this library. It overrides the default profile as well as any user-specific profiles for that utility, and determines which of the utility's functions may be applied to this library and which not.

Example 1:

In this example, the SYSERR function "Delete messages" is allowed for all libraries - except for the library MYLIB, for which it is disallowed.

This means that all users can delete user error messages from any library, except from library MYLIB. No-one can delete messages from MYLIB.

(If any user-specific profiles were defined for SYSERR, they would apply to all other libraries, but not to library MYLIB.)

Example 2:

In this example, the SYSERR function "Delete messages" is disallowed for all libraries - except for the library PLAYLIB, for which it is allowed. For the user UX, the function "Delete messages" is allowed for all libraries.

This means that all users can delete error messages from library PLAYLIB. However, no user - except user UX - can delete messages from any other library. User UX is the only user who may delete messages from any library (including PLAYLIB).

Please note that user UX's permission to delete messages from PLAYLIB depends on the library-specific profile, not the user-specific profile.

Library-specific utility profiles can be defined for the following utilities: NATLOAD, NATUNLD, SYSBPM, SYSDDM, SYSERR, SYSMAIN, SYSOBJH, SYSTRANS.

A library-specific utility profile can only be defined if a default profile has been defined for that utility.

User-Library-Specific Utility Profiles

As described above, several utilities affect individual Natural libraries. Two kinds of situations may occur in which a user-library-specific utility profile may have to be defined:

  • A user-specific utility profile determines which of a utility's functions a particular user may use, regardless of the libraries which are affected by the functions (provided that no library-specific profiles are defined for this utility). However, if this user is to have different function usage permissions for a particular library affected by the utility's functions, you can define these in a user-library-specific utility profile.

  • A library-specific utility profile determines which of a utility's functions may be used when applied to a particular library; for this library, it applies for all users (regardless of any user-specific profiles). However, if a particular user is to have different function usage permissions for this library, you can define these in a user-library-specific utility profile.

A user-library-specific profile applies only for one user and one library. It overrides the library-specific utility profile of that library as well as the user-specific profile of that user, and it determines which of the utility's functions the user may use for this library.

Example 1:

In this example, the SYSERR function "Delete messages" is disallowed for all users (due to the default profile). The SYSERR function "Modify messages" is also disallowed for all users (due to the default profile) - except for user UX, for whom it is allowed (due to his/her user-specific profile). Also, for the user UX both functions are allowed for the library MYLIB (due to the user-library-specific profile).

This means that no user can modify or delete any error messages from any library. The only exception is user UX: User UX may modify messages from any library; moreover, user UX may delete messages from library MYLIB (but not from any other library).

Please note that user UX's permission to modify messages from MYLIB depends on the user-library-specific profile, not the user-specific profile.

Example 2:

This example results in the following setup:

  • Error messages of library MYLIB may only be modified by user UX.

  • Error messages of any other library may be modified by any user.

  • Error messages of library MYLIB cannot be deleted by any user.

  • Error messages of any other library may only be deleted by user UX, but not by any other user.

User-library-specific utility profiles can be defined for the following utilities: NATLOAD, NATUNLD, SYSBPM, SYSDDM, SYSERR, SYSMAIN, SYSOBJH, SYSTRANS.

A user-library-specific utility profile can only be defined for a user for which a user-specific utility profile has been defined.

Which Utility Profile Applies?

When a user tries to use a utility function, Natural Security searches for the appropriate utility profile to determine whether the user is allowed to perform the function.

As shown below, you can influence the search sequence with the Session Options Privileged Groups and *GROUP Only, which can be set in a utility's default profile.

If *GROUP Only is set to "N", Natural Security searches for the following utility profiles in the following order:

  1. the user-library-specific profile

    1. of the user for the library affected (only if the user is of type A or P);

    2. of a privileged group for the library affected (only if Privileged Groups is set to "Y");

    3. of the current group in which the user is contained for the library affected;

    4. of another group in which the user is contained for the library affected;

  2. the library-specific profile of the library affected;

  3. the user-specific profile

    1. of the user (only if the user is of type A or P);

    2. of a privileged group (only if Privileged Groups is set to "Y");

    3. of the current group in which the user is contained;

    4. of another group in which the user is contained;

  4. the utility's default profile.

If *GROUP Only is set to "Y", Natural Security searches for the following utility profiles in the following order:

  1. the user-library-specific profile

    1. of the user for the library affected (only if the user is of type A or P);

    2. of the current group in which the user is contained for the library affected;

  2. the library-specific profile of the library affected;

  3. the user-specific profile

    1. of the user (only if the user is of type A or P);

    2. of the current group in which the user is contained;

  4. the utility's default profile.

For the search, the user and current group are determined by the current values of the Natural system variables *USER and *GROUP respectively. Privileged groups are the groups which are specified as Privileged Groups in the user's security profile; their IDs are processed in the sequence in which they are specified in the user profile. IDs of other groups are processed in alphabetical order.

The first profile encountered in this search determines whether the user is allowed to perform the function.

If none of the above profiles exists and the utility function affects the contents of a library, the Utilities option in the library profile applies.

A user may obtain information about the utility profile which currently applies by using the Natural system command PROFILE (see also the PROFILE Command in the section Protecting Libraries).

The following diagram shows the hierarchy of the utility profiles.

Hierarchy of Utility Profiles

Example:

Assume the following situation: User UX (user type A), who is contained in group GX, wants to copy programming objects with the SYSMAIN utility from library LIB1 to library LIB2.

First, Natural Security checks if the user may copy programming objects with SYSMAIN from library LIB1; that is, if the Copy function for Programming Objects is allowed:

  1. It checks the user-library-specific profile of user UX and library LIB1 for SYSMAIN.

  2. If no such profile exists, it checks the user-library-specific profile of user GX and library LIB1 for SYSMAIN.

  3. If no such profile exists, it checks the library-specific profile of library LIB1 for SYSMAIN.

  4. If no such profile exists, it checks the user-specific profile of user UX for SYSMAIN.

  5. If no such profile exists, it checks the user-specific profile of user GX for SYSMAIN.

  6. If no such profile exists, it checks the default profile of SYSMAIN.

Then, Natural Security checks if the user may copy programming objects with SYSMAIN into library LIB2; that is, if the Copy function for Programming Objects is allowed:

  1. It checks the user-library-specific profile of user UX and library LIB2 for SYSMAIN.

  2. If no such profile exists, it checks the user-library-specific profile of user GX and library LIB2 for SYSMAIN.

  3. If no such profile exists, it checks the library-specific profile of library LIB2 for SYSMAIN.

  4. If no such profile exists, it checks the user-specific profile of user UX for SYSMAIN.

  5. If no such profile exists, it checks the user-specific profile of user GX for SYSMAIN.

  6. If no such profile exists, it checks the default profile of SYSMAIN.
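The search sequence and the UX/GX walk-through above, modelled as an added Python example (not Natural Security code). The class and function names are hypothetical, an option missing from a profile is treated as "D" because options are initially disallowed, and each user's `groups` list is assumed to include any privileged groups.

```python
"""Model of the utility-profile search order (illustrative; names are hypothetical)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, str]  # utility function -> "A" (allowed) or "D" (disallowed)


@dataclass
class User:
    user_id: str                                   # current value of *USER
    user_type: str                                 # "A" or "P"
    current_group: Optional[str] = None            # current value of *GROUP
    privileged_groups: List[str] = field(default_factory=list)  # user-profile order
    groups: List[str] = field(default_factory=list)  # every group containing the user


@dataclass
class UtilityProfiles:
    """Profiles of ONE utility; profiles never apply to any other utility."""
    default: Optional[Settings] = None             # None: nothing defined / template only
    user: Dict[str, Settings] = field(default_factory=dict)
    library: Dict[str, Settings] = field(default_factory=dict)
    user_library: Dict[Tuple[str, str], Settings] = field(default_factory=dict)
    group_only: bool = False                       # session option *GROUP Only
    use_privileged_groups: bool = False            # session option Privileged Groups


def candidate_ids(user: User, profiles: UtilityProfiles) -> List[str]:
    """IDs whose user-specific / user-library-specific profiles are tried, in order."""
    ids: List[str] = []
    if user.user_type in ("A", "P"):
        ids.append(user.user_id)
    if not profiles.group_only and profiles.use_privileged_groups:
        ids.extend(user.privileged_groups)         # in the sequence specified
    if user.current_group:
        ids.append(user.current_group)
    if not profiles.group_only:
        ids.extend(sorted(user.groups))            # other groups, alphabetical order
    return list(dict.fromkeys(ids))                # drop repeats, keep first position


def search_order(user: User, profiles: UtilityProfiles, library: Optional[str] = None):
    """Ordered list of (profile kind, user/group ID, library) lookups."""
    ids = candidate_ids(user, profiles)
    steps = []
    if library is not None:                        # function affects a library
        steps += [("user-library", i, library) for i in ids]
        steps.append(("library", None, library))
    steps += [("user", i, None) for i in ids]
    steps.append(("default", None, None))
    return steps


def lookup(profiles: UtilityProfiles, step) -> Optional[Settings]:
    kind, ident, lib = step
    if kind == "user-library":
        return profiles.user_library.get((ident, lib))
    if kind == "library":
        return profiles.library.get(lib)
    if kind == "user":
        return profiles.user.get(ident)
    return profiles.default


def resolve(user: User, profiles: UtilityProfiles, function: str,
            library: Optional[str] = None):
    """Return (deciding profile kind, "A"/"D"); the first profile found decides."""
    for step in search_order(user, profiles, library):
        settings = lookup(profiles, step)
        if settings is not None:
            return step[0], settings.get(function, "D")
    # No utility profile at all: the library profile's Utilities option decides
    # (only meaningful when the function affects the contents of a library).
    return ("library-profile Utilities option" if library else "no profile"), None


# Constructed sample data: Example 2 under Library-Specific Utility Profiles.
SYSERR = UtilityProfiles(
    default={"Delete messages": "D"},
    user={"UX": {"Delete messages": "A"}},
    library={"PLAYLIB": {"Delete messages": "A"}},
)
UX = User("UX", "A", current_group="GX", groups=["GX"])
UY = User("UY", "P", current_group="GX", groups=["GX"])   # hypothetical second user

if __name__ == "__main__":
    for who in (UX, UY):
        for lib in ("PLAYLIB", "OTHERLIB"):       # OTHERLIB is a made-up library name
            print(who.user_id, lib, resolve(who, SYSERR, "Delete messages", lib))
    for step in search_order(UX, SYSERR, "LIB1"):
        print(step)
```

For UX on PLAYLIB the deciding profile is the library-specific one, which is the point the page makes about that permission not coming from the user-specific profile.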

When Does a Utility Profile Take Effect?

As the various Natural utilities and their functions differ greatly from one another, the time when Natural Security checks whether a user may use a requested utility function differs from utility to utility, and from function to function.

Available System Commands

When a user uses a utility under the control of a utility profile, the only Natural system commands available to the user within the utility are: FIN, LOGON, MAIL and PROFILE; all other system commands cannot be used. The reason for this is to preclude any "loopholes" in the protection established by the utility profiles.

Where to Define Profiles

To define default profiles, you use the Administrator Services section of Natural Security (as described under Defining Default Profiles below).

To define all other utility profiles, you use the Utility Maintenance section of Natural Security (as described under Defining Individual Profiles - Utility Maintenance below).

Defining Default Profiles

On the Main Menu, select Administrator Services.

If you are allowed access to Administrator Services, the Administrator Services Menu 1 will be displayed.

Press PF8.

On the Administrator Services Menu 2, select Utility Defaults/Templates.

The Define Utility Defaults/Templates screen will be displayed, listing all the utilities for which profiles can be defined.

The status of a utility (as indicated in the Message field) can be one of the following:

Status   Meaning
Nothing defined   No profile is defined for the utility.

If a utility function affects the contents of a library, its use is controlled by the Utilities option in the library security profile.

Default defined   A default profile has been defined for the utility. This default profile applies for all users for which no individual user-specific profile is defined.

The Utilities option in library security profiles is ignored for this utility.

Template defined   A profile has been defined for the utility. However, this profile can only be used as a template to define individual user-specific utility profiles.

If a utility function affects the contents of a library, its use is controlled by the Utilities option in the library security profile - except for those users for which a user-specific utility profile is defined.

Whether a default profile is a "real" profile or only a template is determined by the field Applies as Default Profile (see below) within the profile.

Warning:
To avoid the applicability of utility profiles and the Utilities option in library profiles getting mixed up, you should always define a default profile (not only a template) for a utility if you intend to define user-specific profiles for that utility.

On the Define Utility Defaults/Templates screen, you can mark a utility with one of the following function codes:

Code   Function
AD   Define a default profile or template for the utility.
MO   Modify the utility's existing default profile or template.
DE   Delete the utility's existing default profile or template.
DI   Display the utility's existing default profile or template.

When you mark a utility with code DE, a window will be displayed in which you confirm the deletion by entering the utility name. When you delete a utility's default profile or template, all other profiles for that utility - that is, user-specific, library-specific and user-library-specific utility profiles - will also be deleted.

When you mark a utility with code AD, MO or DI, its default profile or template will be displayed.

The default profile/template for each utility provides several options, which correspond to functions of the utility concerned. The options for each utility are described under Components of Utility Profiles below.

You can allow or disallow each option by marking it with "A" or "D" respectively. Initially, all options are disallowed.

With PF16 and PF17, you can set all options in a utility profile simultaneously to "A" or "D" respectively.

Note:
Natural Security performs consistency checks on the combinations of allowed and disallowed options - impossible combinations of "A" and "D" are automatically rejected.

Moreover, each profile provides the following field, which determines whether the profile is a "real" default profile or only a template:

Applies as Default Profile

Y   Default Profile - The profile applies for all users for which no individual utility profile is defined.
N   Template - The profile does not apply for any user. It can only be used as a template for the definition of individual user-specific utility profiles.

Once this field is set to "Y" and any user-specific or library-specific profiles have been defined for that utility, you cannot reset it to "N". This is to ensure consistent utility protection.

Defining Individual Profiles - Utility Maintenance

Natural Security's Utility Maintenance is used to perform all functions related to the maintenance of individual utility profiles: user-specific profiles, library-specific profiles and user-library-specific profiles.

The components of an individual profile correspond to those of the corresponding default profile; they are described under Components of Utility Profiles below.

Note:
Owner logic applies to the creation/maintenance of individual utility profiles.

Invoking Utility Maintenance

To invoke utility maintenance:

  1. On the Main Menu, select Maintenance.

    A window will be displayed.

  2. In the window, mark the object type Utility with a character or with the cursor.

    The Utility Maintenance selection list will be displayed.

    It shows all utilities for which either a default profile or a template has been defined. For each utility, the following information is displayed:

Default   Indicates whether a default profile has been defined for this utility (YES/NO).

NO means that only a template has been defined.

User   Indicates whether any user-specific profiles exist for this utility (YES/NO).
Library   Indicates whether any library-specific profiles exist for this utility (YES/NO).
User-Lib.   Indicates whether any user-library-specific profiles exist for this utility (YES/NO).

Utility Maintenance Functions

From the Utility Maintenance selection list, you invoke all functions for the creation, modification, deletion and display of individual utility profiles.

The following functions are available:

Code   Function
DD   Display default profile or template.

This function displays the default profile (or the template) defined for a utility.

Functions for user-specific utility profiles:
DU   Display user-specific profiles.

This function displays a list of existing user-specific profiles for a utility. From the list, you can select the profiles to be displayed.

AU   Add or maintain user-specific profiles.

This function displays a list of users (of types A, P and G). From the list, you can select the users for which you wish to define user-specific profiles for a utility.

MU   Maintain user-specific profiles.

This function displays a list of existing user-specific profiles for a utility. From the list, you can select the profiles to be maintained.

Functions for library-specific utility profiles:
DL   Display library-specific profiles.

This function displays a list of existing library-specific profiles for a utility. From the list, you can select the profiles to be displayed.

AL   Add or maintain library-specific profiles.

This function displays a list of libraries. From the list, you can select the libraries for which you wish to define library-specific utility profiles.

ML   Maintain library-specific profiles.

This function displays a list of existing library-specific profiles for a utility. From the list, you can select the profiles to be maintained.

Functions for user-library-specific utility profiles:
DX   Display user-library-specific profiles.

This function displays a list of existing user-library-specific profiles of a specific user for a utility. From the list, you can select the profiles to be displayed.

AX   Add or maintain user-library-specific profiles.

This function displays a list of libraries. From the list, you can select the libraries for which you wish to define user-library-specific utility profiles for a specific user.

MX   Maintain user-library-specific profiles.

This function displays a list of existing user-library-specific profiles of a specific user for a utility. From the list, you can select the profiles to be maintained.

"Add or Maintain" or "Maintain"?

The "Add or Maintain" functions (codes AU, AL, AX) display lists of all users/libraries, comprising those for which utility profiles exist as well as those for which no utility profiles have been defined. They allow you to add new utility profiles as well as modify, delete and display existing utility profiles.

The "Maintain" functions (codes MU, ML, MX) display lists of only those users/libraries for which utility profiles exist. They allow you to modify, delete and display existing utility profiles.

You can "switch" directly from "Add or Maintain" to "Maintain" by reducing the displayed list from a list of all users/libraries to a list of only those with existing profiles. To do so, you mark with "X" the selection criterion field "U" (user-specific profile exists), "L" (library-specific profile exists) or "U-L" (user-library-specific profile exists) respectively in the heading of the list.

However, if you know beforehand that you are going to only maintain existing profiles but not add any new ones, it is recommended (for better performance) that you directly use codes MU, ML and MX respectively.

Start Values

Each of the functions listed displays a list of items (users, libraries, profiles). When you invoke a function, a window will be displayed in which you can enter a start value for the list of items to be displayed.

For functions related to user-library-specific profiles, the ID of the user whose user-library-specific profiles are to be listed must also be specified in the start value window.

Subfunctions

When you invoke one of the functions listed, you get a list of items (users, libraries or utility profiles).

On this list, you mark one or more items with a code to invoke a subfunction to be performed on the item.

The available subfunctions (Add, Modify, etc.) differ depending on the function invoked.

For a list of available subfunctions, you enter a question mark (?) in the field Co.

Information Displayed

Add/Maintain/Display User-Specific Utility Profiles

On the selection list of users displayed with function codes AU, DU and MU, the following information is displayed for each user:

Type   Indicates the user type (A, P or G).
U   An "X" indicates that the user has a user-specific profile for this utility.
U-L   An "X" indicates that the user has one or more user-library-specific profiles for this utility.

Add/Maintain/Display Library-Specific Utility Profiles

On the selection list of libraries displayed with function codes AL, DL and ML, the following information is displayed for each library:

Prot.   Indicates the "people-protected" and "terminal-protected" settings as defined in the library security profile.
Link   (empty)
L   An "X" indicates that the library has a library-specific profile for this utility.
U   An "X" indicates that the library has one or more user-library-specific profiles for this utility.

Add/Maintain/Display User-Library-Specific Utility Profiles

On the selection list of libraries displayed with function codes AX, DX and MX, the following information is displayed for each library:

Prot.   Indicates the "people-protected" and "terminal-protected" settings as defined in the library security profile.
Link   Indicates whether the user is linked to the library (LK = normal link, SL = special link).
U-L   An "X" indicates that the user has a user-library-specific profile for this library for this utility.
L   An "X" indicates that the library has a library-specific profile for this utility.

Adding a User-Specific Utility Profile

A user-specific utility profile can only be defined for a utility for which either a default profile or a template exists.

To add a user-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with AU.

    A window will be displayed in which you can enter a start value for the list of users to be displayed. Then a list of users (of types A, P and G) will be displayed.

  2. On that list, mark the desired user with AD.

    The user-specific profile for the utility will be displayed for you to define.

The options you can allow or disallow within the profile are the same as in the corresponding default profile or template (see Components of Utility Profiles below).

The initial "allowed/disallowed" settings in the user-specific profile are taken from the default profile or the template.

Modifying/Displaying a User-Specific Utility Profile

To modify or display a user-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with MU or DU respectively.

    A window will be displayed in which you can enter a start value for the list of user-specific profiles to be displayed. Then a list of existing user-specific profiles for the selected utility will be displayed.

  2. On that list, mark the desired profile with MO (modify) or DU (display) respectively.

    The profile will be displayed for modification/display.

The options in the profile are the same as in the corresponding default profile or template (see Components of Utility Profiles below).

Deleting a User-Specific Utility Profile

To delete a user-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with MU.

    A window will be displayed in which you can enter a start value for the list of user-specific profiles to be displayed. Then a list of existing user-specific profiles for the selected utility will be displayed.

  2. On that list, mark the desired profile with DE.

  3. A window will be displayed in which you confirm the deletion.

When you delete a user-specific utility profile, all user-library-specific utility profiles for this user for this utility will also be deleted.

Adding a Library-Specific Utility Profile

A library-specific utility profile can only be defined for a utility for which a default profile (not only a template) has been defined.

To add a library-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with AL.

    A window will be displayed in which you can enter a start value for the list of libraries to be displayed. Then a list of libraries will be displayed.

  2. On that list, mark the desired library with AD.

    The library-specific profile for the utility will be displayed for you to define.

The options you can allow or disallow within the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).

The initial "allowed/disallowed" settings in the library-specific profile are taken from the default profile.

Modifying/Displaying a Library-Specific Utility Profile

To modify or display a library-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with ML or DL respectively.

    A window will be displayed in which you can enter a start value for the list of library-specific profiles to be displayed. Then a list of existing library-specific profiles for the selected utility will be displayed.

  2. On that list, mark the desired profile with MO (modify) or DL (display) respectively.

    The profile will be displayed for modification/display.

The options in the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).

Deleting a Library-Specific Utility Profile

To delete a library-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with ML.

    A window will be displayed in which you can enter a start value for the list of library-specific profiles to be displayed. Then a list of existing library-specific profiles for the selected utility will be displayed.

  2. On that list, mark the desired profile with DE.

  3. A window will be displayed in which you confirm the deletion.

Adding a User-Library-Specific Utility Profile

A user-library-specific utility profile can only be defined for a user for which a user-specific profile for that utility exists.

To add a user-library-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with AX.

    A window will be displayed in which you enter the ID of the user for whom a user-library-specific profile is to be defined; also, you can enter a start value for the list of libraries to be displayed. Then a list of libraries will be displayed.

  2. On that list, mark the desired library with AD.

    The user-library-specific profile for the specified user for this library will be displayed for you to define.

The options you can allow or disallow within the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).

The initial "allowed/disallowed" settings in the user-library-specific profile are taken from the corresponding library-specific profile; if no such profile exists, they are taken from the corresponding user-specific profile.

Modifying/Displaying a User-Library-Specific Utility Profile

To modify or display a user-library-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with MX or DX respectively.

    A window will be displayed in which you enter the ID of the user whose user-library-specific profile(s) are to be listed; also, you can enter a start value for the list of profiles to be displayed. Then a list of existing user-library-specific profiles of the specified user for the selected utility will be displayed.

  2. On that list, mark the desired profile with MO (modify) or DX (display) respectively.

    The profile will be displayed for modification/display.

The options in the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).

Deleting a User-Library-Specific Utility Profile

To delete a user-library-specific utility profile:

  1. Mark the desired utility on the Utility Maintenance selection list with MX.

    A window will be displayed in which you enter the ID of the user whose user-library-specific profile(s) are to be listed; also, you can enter a start value for the list of profiles to be displayed. Then a list of existing user-library-specific profiles of the specified user for the selected utility will be displayed.

  2. On that list, mark the desired profile with DE.

  3. A window will be displayed in which you confirm the deletion.

Components of Utility Profiles

A utility profile provides several options which correspond to the functions of the utility concerned. These options are the same in every profile related to that utility: default profile, user-specific, library-specific and user-library-specific profiles.

The individual options are described below for each utility:

NATLOAD Utility Profiles

The NATLOAD utility is only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for NATLOAD can still be maintained. However, instead of NATLOAD, it is recommended that the SYSOBJH utility be used and profiles defined for it. A function is provided which allows you to convert your NATLOAD utility profiles into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.

The profiles for the NATLOAD utility provide the following options:

Option   Explanation
Load Natural Objects   Determines whether the user may load programming objects.
Del.   Determines whether the user may process delete instructions for programming objects (this requires that the loading of programming objects is allowed).
Load DDMs   Determines whether the user may load DDMs.
Del.   Determines whether the user may process delete instructions for DDMs (this requires that the loading of DDMs is allowed).
Load Error Messages   Determines whether the user may load error messages.
Del.   Determines whether the user may process delete instructions for error messages (this requires that the loading of error messages is allowed).
Scan Natural Objects   Determines whether the user may scan the work file for programming objects.
Scan DDMs   Determines whether the user may scan the work file for DDMs.
Scan Error Messages   Determines whether the user may scan the work file for error messages.
PC Upload   Determine whether the user may use the NATLOAD parameters of the same names.
Replace  
New Library  

NATUNLD Utility Profiles

The NATUNLD utility is only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for NATUNLD can still be maintained. However, instead of NATUNLD, it is recommended that the SYSOBJH utility be used and profiles defined for it. A function is provided which allows you to convert your NATUNLD utility profiles into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.

The profiles for the NATUNLD utility provide the following options:

Option Determines whether the user may:
Unload Natural Objects   Unload programming objects.
Unload DDMs   Unload DDMs.
Unload Error Messages   Unload error messages.
Unload Delete Instructions   Unload delete instructions.
PC Download   Use the NATUNLD parameters of the same names.
Target Library  

PROFILER Utility Profiles

The PROFILER utility is only available with Natural on mainframe computers.

The profiles for the PROFILER utility provide several options. Each option corresponds to the PROFILER function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.

SYSBPM Utility Profiles

The SYSBPM utility is only available with Natural on mainframe computers.

The profiles for the SYSBPM utility provide several options. Each option corresponds to the SYSBPM function/command of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function/command.

SYSCP - Code Page Administration - Utility Profiles

The profiles for the SYSCP utility (Natural Code Page Administration) provide several options. Each option corresponds to the Natural Code Page Administration function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.

SYSDB2 - Tools for DB2 - Utility Profiles

The SYSDB2 utility (Natural Tools for DB2) is only available with Natural on mainframe computers.

The profiles for the SYSDB2 utility provide several options. Each option corresponds to the Natural Tools for DB2 function/command of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function/command.

SYSDDM Utility Profiles

The SYSDDM utility is only available with Natural on mainframe computers, UNIX and OpenVMS (on UNIX and OpenVMS, it is called "DDM Services").

The profiles for the SYSDDM utility provide several options. Each option corresponds to the SYSDDM function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.

SYSERR Utility Profiles

The profiles for the SYSERR utility provide the following options:

Option Explanation
Add New Messages   Determine whether the user may use the SYSERR functions of the same names.
Delete Messages  
Display Messages  
Modify Messages  
Print Messages  
Scan in Messages  
Select Messages from a List  
Translate Messages into Another Language  

You can allow/disallow these options separately for:

  • user messages (PF7),

  • Natural system messages (PF8).

In addition, by pressing PF8 again, you can allow/disallow the use of the following SYSERR direct commands:

Command Explanation
EXPORT Possible values for each command:
  • A = Command is allowed for all users.

  • R = Command is restricted: it is allowed for Natural Security administrators only.

  • D = Command is disallowed for all users.

IMPORT
LAYOUT
NEXT
RESTART
SAMPLE
SHIFT
TRACE  
USER

SYSMAIN Utility Profiles

As the SYSMAIN utility is not identical on all platforms, some SYSMAIN options/functions may not be available on some platforms.

The SYSMAIN utility can be invoked in two ways:

  • with the command SYSMAIN,

  • via the application programming interface MAINUSER.

By default, utility profiles defined for the SYSMAIN utility apply to both ways. However, it is possible to define a separate set of utility profiles which control the use of SYSMAIN functions when invoked via MAINUSER. See MAINUSER API under Additional Options below for details.

The profiles for the SYSMAIN utility provide the following options:

Option Explanation
Programming Objects   This general setting in the first column of the screen determines whether the user may use SYSMAIN at all for this type of object.

If this is set to "D" (disallowed), all subordinate function specifications for this object type must also be set to "D".

Debug Environments  
User Messages  
DDMs  
Natural Messages  
Profiles  
Rules  
DL/I Subfiles  
Resources

In addition, you can allow/disallow the following functions for each object type individually:

Option Determines whether the user may use:
Co   The SYSMAIN function COPY for this type of object.
De   The SYSMAIN function DELETE for this type of object.
Fi   The SYSMAIN function FIND for this type of object.
Im   The SYSMAIN function IMPORT for this type of object.
Li   The SYSMAIN function LIST for this type of object.
Mo   The SYSMAIN function MOVE for this type of object.
Ren   The SYSMAIN function RENAME for this type of object.
Rep   The SYSMAIN function REPLACE for this type of object.
FNAT   The SYSMAIN function SET FNAT for this type of object.
FSEC   The SYSMAIN function SET FSEC for this type of object. (*)
FDIC   The SYSMAIN function SET FDIC for this type of object. (*)

(*) These options can be set in the default profile and in user-specific profiles, but not in library-specific or user-library-specific profiles.

SYSOBJH - Object Handler - Utility Profiles

The profiles for the SYSOBJH utility (Natural Object Handler) provide the following options:

Option Explanation
Unload   Determine whether the user may use the Object Handler functions of the same names.
UnDeLi
Load  
Delete  
Scan

In addition, you can allow/disallow the above functions for each object type individually:

Option Determines whether the function may be applied to:
Nat   Natural programming objects.
Err   Error messages.
CPr   Command processors.
NRe   Natural-related objects.
Ext   External objects.
FDT   Adabas FDTs.
MfD   Mainframe DDMs.
MfR   Mainframe-related objects.
App   Applications.
Further Function-Related Options
Del (*) This option determines whether the Object Handler parameter DELETEALLOWED may be specified for the function.
Par  (*) This option determines whether Object Handler parameters may be specified for the function.
Rep   This option determines whether the Object Handler parameter REPLACE may be specified for the function.

(*) These options can only be set in user-specific profiles; their settings in the user-specific profiles also apply to the library-specific and user-library-specific profiles.

Note:
In library-specific and user-library-specific profiles, options applying to object types which are not library-related cannot be allowed/disallowed.

Also, the profiles for SYSOBJH provide the following general options:

Option Explanation
Admin   Determines whether the user may use the "Admin" section of the Object Handler.
FSEC   Determines whether the user may specify the Object Handler parameters of the same names.
FDIC  
Transfer only  
  • Y = Only the transfer format may be used (processes only sources).

  • N = Transfer and internal formats may be used (processes sources and cataloged objects).

In the profiles for SYSOBJH, you can also allow/disallow the following Object Handler direct commands:

Command Explanation
Navigation Commands:
GO

Determine whether the user may use the Object Handler direct commands of the same names.

- GO HOME
- GO UNLOAD
- GO LOAD
- GO SCAN
- GO RESTART
- GO ADMIN
- GO VIEW
- GO FIND
- GO UNDELI
Configuration Commands:
SET

Determine whether the user may use the Object Handler direct commands of the same names.

- SET TRACE ON
- SET TRACE WORKFILE
- SET TRACEFILE
- SET FREE ON/OFF
- SET EXECUTIONMSG ON/OFF
- SET ADVANCEDCMD ON/OFF
Show Commands:
SHOW

Determine whether the user may use the Object Handler direct commands of the same names.

- SHOW LAST RESULT
- SHOW LAST MESSAGE
- SHOW PROFILE
- SHOW REPORT
- SHOW STATUS
- SHOW TRACE
Other Commands:
CHANGE WORKPLAN LIBRARY

Determine whether the user may use the Object Handler direct commands of the same names.

CLEAR
INIT
READ PROFILE
SETTINGS

SYSPARM Utility Profiles

The SYSPARM utility is only available with Natural on mainframe computers.

The profiles for the SYSPARM utility provide several options. Each option corresponds to the SYSPARM function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.

SYSRPC Utility Profiles

The profiles for the SYSRPC utility provide several options. Each option corresponds to the SYSRPC function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.

SYSTRANS Utility Profiles

The SYSTRANS utility is only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for SYSTRANS can still be maintained. However, instead of SYSTRANS, it is recommended that the SYSOBJH utility be used and profiles defined for it. A function is provided which allows you to convert your SYSTRANS utility profiles into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.

The profiles for the SYSTRANS utility provide the following options:

Option Determines whether the user may use:
Unload   The SYSTRANS Unload function.
Load   The SYSTRANS Load function.
Replace   The Replace option of the SYSTRANS Load function.
Scan   The SYSTRANS Scan function.
Restart   The SYSTRANS Restart function.

In addition, you can allow/disallow the above functions for each object type individually:

Option Determines whether the function may be applied to:
NAT   Natural programming objects.
Map   Maps.
DDM   DDMs.
FDT   Adabas FDTs.
Err   Error messages.
CPr   Command processors.
Lib   Libraries.
All   All objects on the work file to be processed.

Also, the profiles for SYSTRANS provide the following options, which apply to the Direct Transfer functions of SYSTRANS:

Option Determines whether the user may use:
Direct Transfer Functions   Any SYSTRANS Direct Transfer functions (using Natural RPC).
Transfer   The SYSTRANS function "Direct Transfer (using RPC)".
Restart   The SYSTRANS function "Restart Direct Transfer".
Report   The SYSTRANS function "Get Report from Direct Transfer Load".
Define   The SYSTRANS function "Define Local Transfer System".

Additional Options

The following Additional Options are part of the default security profiles of all utilities. They can only be set in the default profiles, but not in individual user-specific, library-specific or user-library-specific profiles. For each utility, the Additional Options settings apply to all utility profiles related to that utility.

If you press PF4 on a basic utility default profile screen, a window will be displayed from which you can select the following options:

  • Maintenance Information

  • Security Notes

  • Owners

  • Session Options

The options for which something has already been specified or defined are marked with a plus sign (+).

You can select one or more items from the window by marking them with any character. For each item selected, an additional window will be displayed:

Additional Option Explanation
Maintenance Information (display only) In this window, the following information is displayed:
  • the date and time when the security profile was created, the ID of the administrator who created it, and (if applicable) the IDs of the co-owners who countersigned for the creation;

  • the date and time when the security profile was last modified, the ID of the administrator who made the last modification, and (if applicable) the IDs of the co-owners who countersigned for the modification.

Security Notes   In this window, you may enter your notes on the security profile.
Owners   In this window, you may enter up to eight IDs of administrators. Only the administrators specified here will be allowed to maintain this utility security profile. If no owner is specified, any user of type "Administrator" may maintain the security profile.

For each owner, the number of co-owners whose countersignatures will be required for maintenance permission may optionally be specified in the field after the ID.

For an explanation of owners and co-owners, see the section Countersignatures.

Session Options   See below.

Session Options

If you mark Session Options in the Additional Options window with any character, the Session Options window will be displayed. In this window, you can set the following options:

Option Explanation
Access Recorded
This option determines whether users' access to the utility is to be recorded or not.
Y Every time a user invokes the utility, a record will be written by Natural Security. You may review the use of the utilities by viewing these access records (see Logon Records in the section Administrator Services for further information).
N Access to the utility is not recorded.
Privileged Groups
With this option, you can influence the order in which Natural Security searches for the appropriate utility profile to apply. It determines whether or not utility profiles defined for groups which are specified as Privileged Groups in a user security profile are part of the search order. See the section Which Utility Profile Applies? above.
Y User-library-specific and user-specific profiles of privileged groups are part of the search order.
N Privileged groups have no influence on the search order.
If the option *GROUP Only (see below) is set to "Y", this option must be set to "N".
*GROUP Only
With this option, you can influence the order in which Natural Security searches for the appropriate utility profile to apply:
Y User-library-specific and user-specific profiles of the current group (as determined by the value of the Natural system variable *GROUP) are part of the search order, but those of any other group in which the user is contained are not.
N User-library-specific and user-specific profiles of all groups in which the user is contained are part of the search order.

See the section Which Utility Profile Applies? above for details.

If this option is set to "Y", the option Privileged Groups (see above) must be set to "N".

MAINUSER API  

This option is only available for the SYSMAIN utility. It controls the use of SYSMAIN functions invoked via the application programming interface (API) MAINUSER.

If you set this option to "Y", a separate entry named MAINUSER will be created on the Define Utility Defaults/Templates screen. With this, you can create a separate set of utility profiles to allow/disallow the use of SYSMAIN functions when invoked via the MAINUSER API. These profiles are independent of the "normal" SYSMAIN utility profiles which control the use of SYSMAIN functions when invoked via the SYSMAIN command.

The components of the MAINUSER utility profiles are the same as those of the SYSMAIN utility profiles.

Utilities option

This option is only available for the utilities SYSMAIN and SYSOBJH. It can be used to apply the Utilities option in library profiles to these utilities.

Y The Utilities option in a library profile determines who may use SYSMAIN/SYSOBJH to process the contents of the library.
O Same as "Y". In addition, if the Utilities option in a library profile is set to "O" and an owner requires a countersignature, the countersignature prompt will be suppressed; instead, the library will be excluded from SYSMAIN/SYSOBJH processing.
N The Utilities option in library profiles has no effect for SYSOBJH; it has no effect for SYSMAIN if no utility profile is defined for SYSMAIN.

Conversion of Utility Profiles

This function is used to convert your old NATLOAD, NATUNLD and SYSTRANS utility profiles into corresponding SYSOBJH utility profiles.

The conversion results in the following:

  • Creation of new profiles:
    For every old NATLOAD/NATUNLD/SYSTRANS profile for which a corresponding SYSOBJH profile does not yet exist, such a SYSOBJH profile will be created automatically. The settings in the old profile will be mapped to the new profile.

  • Adjustments of existing profiles:
    For every old NATLOAD/NATUNLD/SYSTRANS profile for which a corresponding SYSOBJH profile already exists, the settings in the SYSOBJH profile may be adjusted automatically to reflect the settings in the old profile(s). To avoid undesired changes in existing profiles, the conversion function allows you to control and monitor which automatic adjustments are made.

The resulting set of SYSOBJH profiles will provide utility protection equivalent to that of the old profiles.

The conversion function provides information on exactly which profiles were created/adjusted and why; in addition, you can see the cause and result of each adjustment made (see option "Select listing type" below).

In any case, after you have performed the conversion, you can make further adjustments to your SYSOBJH profiles manually by modifying them with Natural Security's utility maintenance functions.

To invoke the conversion function:

  • Enter the direct command CONVUTIL in the command line within the library SYSSEC.

    The Convert Utility Profiles screen will be displayed. It provides the options described below.

Conversion Options

The Convert Utility Profiles screen provides the following options to control the conversion process:

Option Explanation
Select function

Two functions are available:

  • CHECK - performs a test run of the intended conversion and shows the SYSOBJH profile settings which would result from it.

  • CONVERT - performs the actual conversion and shows the resulting SYSOBJH profile settings.

Select conversion rule

This option determines whether, in already existing SYSOBJH profiles, "allowed" settings are to overwrite "disallowed" settings, or vice versa:

  • A - "Allow" forced: If a function is set to "A" in an old utility profile and the corresponding function in the corresponding existing SYSOBJH profile is set to "D", the "D" will be overwritten by the "A". This means that the function which previously was disallowed in the SYSOBJH profile will now be allowed.

  • D - "Disallow" forced: If a function is set to "D" in an old utility profile and the corresponding function in the corresponding existing SYSOBJH profile is set to "A", the "A" will be overwritten by the "D". This means that the function which previously was allowed in the SYSOBJH profile will now be disallowed.

Create default profile

This option only applies if a default profile exists for an old utility, while for SYSOBJH only a template - but no default profile - exists. In this case, you can use this option to determine whether a default profile for SYSOBJH is to be created or not.

Exclude profiles from conversion if SYSOBJH profile exists

With this option, you can exclude certain types of old utility profiles from the conversion if a corresponding SYSOBJH profile already exists. You can exclude:

  • default profiles,

  • library-specific profiles,

  • user-specific profiles,

  • user-library-specific profiles.

Thus you can preclude the undesired overwriting of settings in the respective existing SYSOBJH profiles.

This option only affects already existing SYSOBJH profiles which would be modified by the conversion; it does not affect already existing SYSOBJH profiles which would remain unchanged by the conversion nor new SYSOBJH profiles created by the conversion.

It is recommended to first perform the CHECK function without excluding any profiles. Thus you can ascertain which existing SYSOBJH profiles would be modified automatically by the conversion - and then determine how to proceed with the conversion.

Select listing type

This option determines what information is displayed when the selected function is executed:

  • D - displays detailed information on which setting in which old profile is converted to which setting in which SYSOBJH profile.

  • S - displays summary information on which SYSOBJH profiles are created and modified as a result of the conversion.
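The conversion rule and the CHECK/CONVERT distinction described above, modelled as an added Python example (not Natural Security code) for one already existing SYSOBJH profile. It assumes the old settings are already mapped to SYSOBJH function names; all function and variable names are hypothetical and the sample profiles are constructed.

```python
ALLOW, DISALLOW = "A", "D"

# Constructed sample data. Old settings are assumed to be already mapped to
# the SYSOBJH function names (Unload, Load, Delete, Scan).
OLD_PROFILES = {
    "NATLOAD": {"Load": "A", "Delete": "A", "Scan": "D"},
    "NATUNLD": {"Unload": "D"},
    "SYSTRANS": {"Unload": "A", "Load": "D", "Scan": "A"},
}


def sample_profile():
    """Fresh copy of a constructed, already existing SYSOBJH profile."""
    return {"type": "user-specific",
            "settings": {"Unload": "D", "Load": "D", "Delete": "D", "Scan": "A"}}


def adjust_existing(settings, old_profiles, rule):
    """Apply conversion rule "A" ("Allow" forced) or "D" ("Disallow" forced).

    Returns (new_settings, adjustments); each adjustment is
    (function, before, after, old utilities that caused it).
    """
    if rule not in (ALLOW, DISALLOW):
        raise ValueError("conversion rule must be 'A' or 'D'")
    new_settings = dict(settings)
    adjustments = []
    for function, current in settings.items():
        if current == rule:
            continue  # already at the forced value, nothing to overwrite
        # Old profiles that carry the forced value for this function.
        sources = sorted(utility for utility, old in old_profiles.items()
                         if old.get(function) == rule)
        if sources:
            new_settings[function] = rule
            adjustments.append((function, current, rule, sources))
    return new_settings, adjustments


def run_conversion(function, profile, old_profiles, rule, excluded_types=()):
    """Model CHECK (test run) and CONVERT for one existing SYSOBJH profile.

    Only CONVERT writes back to profile["settings"]. A profile whose type is
    listed in excluded_types is left unchanged if it would be modified.
    """
    if function not in ("CHECK", "CONVERT"):
        raise ValueError("function must be 'CHECK' or 'CONVERT'")
    new_settings, adjustments = adjust_existing(
        profile["settings"], old_profiles, rule)
    excluded = bool(adjustments) and profile["type"] in excluded_types
    if excluded:
        new_settings = dict(profile["settings"])
    elif function == "CONVERT":
        profile["settings"] = new_settings
    # Functions that go from disallowed to allowed deserve review first.
    widened = [] if excluded else [
        name for name, _, after, _ in adjustments if after == ALLOW]
    return {"result": new_settings, "adjustments": adjustments,
            "excluded": excluded, "widened": widened}


if __name__ == "__main__":
    for rule in (ALLOW, DISALLOW):
        report = run_conversion("CHECK", sample_profile(), OLD_PROFILES, rule)
        print("rule", rule, "->", report["result"])
        for name, before, after, sources in report["adjustments"]:
            print(f"  {name}: {before} -> {after} (from {', '.join(sources)})")
```

With rule "A" the sample profile gains three previously disallowed functions, which is the kind of change the CHECK run and the detailed listing are meant to surface before CONVERT is used.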

Old Profiles

After the conversion, it is recommended that the old NATLOAD/NATUNLD/SYSTRANS profiles be deleted. This is not done automatically, but has to be done manually for each old utility, using function code DE on the Define Utility Defaults/Templates screen (see Defining Default Profiles).

New Profiles

When a new SYSOBJH profile is created as a result of the conversion, the settings from the corresponding old NATLOAD/NATUNLD/SYSTRANS profiles are mapped to this new profile. However, the new profile may contain settings which had no counterpart in the old profiles. For such settings, the values from the SYSOBJH template/default profile will be taken.

The conversion procedure compares each old library-specific, user-specific and user-library-specific profile with its corresponding SYSOBJH profile. If no corresponding library-/user-/user-library-specific SYSOBJH profile exists, the SYSOBJH default profile is used for the comparison. In this case, a new library-/user-/user-library-specific SYSOBJH profile is only created if its settings would differ from the default profile (because a specific profile that is identical with the default profile would be superfluous). Exception: The creation of a new user-library-specific profile also causes a new user-specific profile for the same user to be created, even if the latter does not differ from the default profile.