This section describes how you can use Natural Security to control the use of various Natural utilities.
The utility protection provided by Natural Security, as described in this section, is function-oriented, which means that it is based on the concept that you can allow or disallow individual functions of a utility. You control the use of a utility by defining utility profiles for it, in which you allow/disallow its functions. The utilities that can be protected in this manner are listed below.
To invoke a Natural utility, you usually enter the utility name as a system command (for example, to invoke the SYSERR utility, you enter the system command SYSERR). If a utility is invoked in this way, one of the utility profiles defined for this utility applies and controls the use of the utility - thus providing consistent protection of the utility.
Invoking a utility does not change the library you are currently in; that is, when you exit the utility, you are still in the same library from which you invoked the utility. See also the section Utility Activation in the Natural Utilities documentation.
To control the use of a utility, you need not define a library profile for the library which contains the utility. A library profile for a utility is only relevant if the utility requires access to programs in other libraries (for example, user exits contained in steplibs).
If a library profile is defined for a library containing a utility, and you log on to a utility library, the same logon rules apply as for a logon to any other library (as described in the section Logging On). From within the utility library, the utility may be invoked either by entering the utility name as system command (as from any other library) or by the startup transaction "MENU" (if defined in the utility's library profile) being executed. In the latter case, however, a LOGOFF command will be performed when you exit the utility.
The utilities SYSERR and SYSMAIN (and NATLOAD, NATUNLD and SYSTRANS) process the contents of libraries; if the use of these utilities is not controlled by utility profiles, the Utilities option in the library profile of the library processed applies.
The use of the following Natural utilities can be controlled with utility profiles:
(*) These utilities are only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for these utilities can still be maintained. However, as the functionality of these utilities is now provided by the SYSOBJH utility, it is recommended that SYSOBJH be used - and protected accordingly. A function is provided which allows you to convert existing profiles for the old utilities into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.
Basically, a utility profile consists of a list of the utility's functions, each of which can be allowed or disallowed by marking it with "A" or "D" respectively.
For each utility listed under Which Utilities Can Be Protected? (see above), you can define:
a default profile,
user-specific profiles,
library-specific profiles,
user-library-specific profiles.
Each utility is treated individually; that is, any utility profiles only apply to the utility they are defined for, and not to any other utilities.
Note: If the use of a utility is protected by a utility profile, the Natural profile parameter settings MADIO=0 and MAXCL=0 apply automatically.
The default profile of a utility applies for all users (except those for which user-specific profiles are defined). It determines which of the utility's functions the users may use and which not.
If an individual user is to use (or not to use) other functions than the other users, you can define a user-specific utility profile.
Such a profile only applies to this user, it overrides the default profile, and determines which of the utility's functions this particular user may use and which not.
In this example, the SYSBPM function "Delete Object from Buffer Pool" is disallowed for all users - except for the user UX, for whom it is allowed.
This means that UX is the only user who may delete objects from the buffer pool.
User-specific utility profiles can be defined for users of types GROUP, ADMINISTRATOR and PERSON.
A user-specific utility profile can only be defined if a default profile (or a template) has been defined for that utility. (Templates are described under Defining Default Profiles below.)
Several utilities affect individual Natural libraries (for example, SYSERR can be used to maintain error messages that belong to a specific library). Generally, the utility's default profile applies to all affected libraries.
However, if some of the utility's functions are only to be allowed/disallowed for a particular library, you can define a library-specific utility profile.
Such a profile only applies to this library, it overrides the default profile as well as any user-specific profiles for that utility, and determines which of the utility's functions may be applied to this library and which not.
In this example, the SYSERR function "Delete messages" is allowed for all libraries - except for the library MYLIB, for which it is disallowed.
This means that all users can delete user error messages from any library, except from library MYLIB. No-one can delete messages from MYLIB.
(If any user-specific profiles were defined for SYSERR, they would apply to all other libraries, but not to library MYLIB.)
In this example, the SYSERR function "Delete messages" is disallowed for all libraries - except for the library PLAYLIB, for which it is allowed. For the user UX, the function "Delete messages" is allowed for all libraries.
This means that all users can delete error messages from library PLAYLIB. However, no user - except user UX - can delete messages from any other library. User UX is the only user who may delete messages from any library (including PLAYLIB).
Please note that user UX's permission to delete messages from PLAYLIB depends on the library-specific profile, not the user-specific profile.
Library-specific utility profiles can be defined for the following utilities: NATLOAD, NATUNLD, SYSBPM, SYSDDM, SYSERR, SYSMAIN, SYSOBJH, SYSTRANS.
A library-specific utility profile can only be defined if a default profile has been defined for that utility.
As described above, several utilities affect individual Natural libraries. Two kinds of situations may occur in which a user-library-specific utility profile may have to be defined:
A user-specific utility profile determines which of a utility's functions a particular user may use, regardless of the libraries which are affected by the functions (provided that no library-specific profiles are defined for this utility). However, if this user is to have different function usage permissions for a particular library affected by the utility's functions, you can define these in a user-library-specific utility profile.
A library-specific utility profile determines which of a utility's functions may be used when applied to a particular library; for this library, it applies for all users (regardless of any user-specific profiles). However, if a particular user is to have different function usage permissions for this library, you can define these in a user-library-specific utility profile.
A user-library-specific profile only applies for one user and one library, it overrides the library-specific utility profile of that library as well as the user-specific profile of that user, and it determines which of the utility's functions the user may use for this library.
In this example, the SYSERR function "Delete messages" is disallowed for all users (due to the default profile). The SYSERR function "Modify messages" is also disallowed for all users (due to the default profile) - except for user UX, for whom it is allowed (due to his/her user-specific profile). Also, for the user UX both functions are allowed for the library MYLIB (due to the user-library-specific profile).
This means that no user can modify or delete any error messages from any library. The only exception is user UX: User UX may modify messages from any library; moreover, user UX may delete messages from library MYLIB (but not from any other library).
Please note that user UX's permission to modify messages from MYLIB depends on the user-library-specific profile, not the user-specific profile.
This example results in the following setup:
Error messages of library MYLIB may only be modified by user UX.
Error messages of any other library may be modified by any user.
Error messages of library MYLIB cannot be deleted by any user.
Error messages of any other library may only be deleted by user UX, but not by any other user.
User-library-specific utility profiles can be defined for the following utilities: NATLOAD, NATUNLD, SYSBPM, SYSDDM, SYSERR, SYSMAIN, SYSOBJH, SYSTRANS.
A user-library-specific utility profile can only be defined for a user for which a user-specific utility profile has been defined.
When a user tries to use a utility function, Natural Security searches for the appropriate utility profile to determine whether the user is allowed to perform the function.
As shown below, you can influence the search sequence with the Session Options Privileged Groups and *GROUP Only, which can be set in a utility's default profile.
If "*GROUP Only" is set to "N", Natural Security searches for the following utility profiles in the following order:
1. the user-library-specific profile
   a. of the user for the library affected (only if the user is of type A or P);
   b. of a privileged group for the library affected (only if "Privileged Groups" is set to "Y");
   c. of the current group in which the user is contained for the library affected;
   d. of another group in which the user is contained for the library affected;
2. the library-specific profile of the library affected;
3. the user-specific profile
   a. of the user (only if the user is of type A or P);
   b. of a privileged group (only if "Privileged Groups" is set to "Y");
   c. of the current group in which the user is contained;
   d. of another group in which the user is contained;
4. the utility's default profile.
If "*GROUP Only" is set to "Y", Natural Security searches for the following utility profiles in the following order:
1. the user-library-specific profile
   a. of the user for the library affected (only if the user is of type A or P);
   b. of the current group in which the user is contained for the library affected;
2. the library-specific profile of the library affected;
3. the user-specific profile
   a. of the user (only if the user is of type A or P);
   b. of the current group in which the user is contained;
4. the utility's default profile.
For the search, the user and current group are determined by the current values of the Natural system variables *USER and *GROUP respectively. Privileged groups are the groups which are specified as Privileged Groups in the user's security profile; their IDs are processed in the sequence in which they are specified in the user profile. IDs of other groups are processed in alphabetical order.
The first profile encountered in this search determines whether the user is allowed to perform the function.
If none of the above profiles exists and the utility function affects the contents of a library, the Utilities option in the library profile applies.
A user may obtain information about the utility profile which currently applies by using the Natural system command PROFILE (see also the PROFILE Command in the section Protecting Libraries).
The following diagram shows the hierarchy of the utility profiles.
Assume the following situation: User UX (user type A), who is contained in group GX, wants to copy programming objects with the SYSMAIN utility from library LIB1 to library LIB2.
First, Natural Security checks if the user may copy programming objects with SYSMAIN from library LIB1; that is, if the Copy function for Programming Objects is allowed:
It checks the user-library-specific profile of user UX and library LIB1 for SYSMAIN.
If no such profile exists, it checks the user-library-specific profile of user GX and library LIB1 for SYSMAIN.
If no such profile exists, it checks the library-specific profile of library LIB1 for SYSMAIN.
If no such profile exists, it checks the user-specific profile of user UX for SYSMAIN.
If no such profile exists, it checks the user-specific profile of user GX for SYSMAIN.
If no such profile exists, it checks the default profile of SYSMAIN.
Then, Natural Security checks if the user may copy programming objects with SYSMAIN into library LIB2; that is, if the Copy function for Programming Objects is allowed:
It checks the user-library-specific profile of user UX and library LIB2 for SYSMAIN.
If no such profile exists, it checks the user-library-specific profile of user GX and library LIB2 for SYSMAIN.
If no such profile exists, it checks the library-specific profile of library LIB2 for SYSMAIN.
If no such profile exists, it checks the user-specific profile of user UX for SYSMAIN.
If no such profile exists, it checks the user-specific profile of user GX for SYSMAIN.
If no such profile exists, it checks the default profile of SYSMAIN.
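The search order and the SYSMAIN walk-through above can be modelled in a few lines. The following Python sketch is an added example, not Natural Security code; the class and function names (Session, UtilityProfiles, search_sequence, resolve) are hypothetical, and a function missing from a profile is treated as disallowed because all options are initially disallowed.

```python
"""Model of the utility-profile search order (illustrative, not Natural Security code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str                       # value of *USER
    user_type: str                     # "A", "P", or another user type
    current_group: str | None = None   # value of *GROUP
    privileged_groups: list[str] = field(default_factory=list)  # order as in user profile
    all_groups: list[str] = field(default_factory=list)         # every group containing the user


@dataclass
class UtilityProfiles:
    """All profiles defined for ONE utility; each profile maps function -> "A" or "D"."""
    default: dict[str, str] | None = None   # None: nothing defined, or only a template
    privileged_groups_opt: bool = False     # session option "Privileged Groups"
    group_only_opt: bool = False            # session option "*GROUP Only"
    user: dict[str, dict[str, str]] = field(default_factory=dict)
    library: dict[str, dict[str, str]] = field(default_factory=dict)
    user_library: dict[tuple[str, str], dict[str, str]] = field(default_factory=dict)


# Returned when no profile is found: the library profile's Utilities option decides.
FALLBACK = ("library-utilities-option", None, None)


def candidate_ids(s: Session, p: UtilityProfiles) -> list[str]:
    """User and group IDs in the order in which their profiles are searched."""
    ids: list[str] = []
    if s.user_type in ("A", "P"):
        ids.append(s.user_id)
    if not p.group_only_opt and p.privileged_groups_opt:
        ids.extend(s.privileged_groups)      # sequence as specified in the user profile
    if s.current_group:
        ids.append(s.current_group)
    if not p.group_only_opt:
        ids.extend(sorted(s.all_groups))     # other groups in alphabetical order
    return list(dict.fromkeys(ids))          # drop repeats, keep first position


def search_sequence(s: Session, library: str, p: UtilityProfiles) -> list[tuple]:
    """Ordered (kind, user-or-group ID, library) steps for one affected library."""
    ids = candidate_ids(s, p)
    steps = [("user-library", i, library) for i in ids]
    steps.append(("library", None, library))
    steps += [("user", i, None) for i in ids]
    steps.append(("default", None, None))
    return steps


def _lookup(step: tuple, p: UtilityProfiles):
    kind, ident, library = step
    if kind == "user-library":
        return p.user_library.get((ident, library))
    if kind == "library":
        return p.library.get(library)
    if kind == "user":
        return p.user.get(ident)
    return p.default


def resolve(s: Session, library: str, function: str, p: UtilityProfiles):
    """Return (deciding step, allowed). The first profile found decides alone."""
    for step in search_sequence(s, library, p):
        profile = _lookup(step, p)
        if profile is not None:
            return step, profile.get(function, "D") == "A"
    return FALLBACK, None   # not evaluated here: depends on the library profile


if __name__ == "__main__":
    # Constructed data mirroring the SYSMAIN walk-through: user UX (type A) in group GX.
    ux = Session("UX", "A", current_group="GX", all_groups=["GX"])
    sysmain = UtilityProfiles(default={"Copy": "D"}, library={"LIB2": {"Copy": "A"}})
    for lib in ("LIB1", "LIB2"):
        print(lib, resolve(ux, lib, "Copy", sysmain))
```

Because the first profile found decides alone, a library-specific profile that disallows a function cannot be overridden by a user-specific profile, only by a user-library-specific one.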
As the various Natural utilities and their functions differ greatly from one another, the time when Natural Security checks whether a user may use a requested utility function differs from utility to utility, and from function to function.
When a user uses a utility under the control of a utility profile, the only Natural system commands available to the user within the utility are: FIN, LOGON, MAIL and PROFILE; all other system commands cannot be used. The reason for this is to preclude any "loopholes" in the protection established by the utility profiles.
To define default profiles, you use the Administrator Services section of Natural Security (as described under Defining Default Profiles below).
To define all other utility profiles, you use the Utility Maintenance section of Natural Security (as described under Defining Individual Profiles - Utility Maintenance below).
On the Main Menu, you select "Administrator Services". The Administrator Services Menu will be displayed.
Note: Access to Administrator Services may be restricted (as explained in the section Administrator Services).
On the Administrator Services Menu 2, you select "Utility defaults/templates". The Define Utility Defaults/Templates screen will be displayed, listing all the utilities for which profiles can be defined.
The status of a utility (as indicated in the Message field) can be one of the following:
Status | Meaning |
---|---|
Nothing defined | No profile is defined for the utility. If a utility function affects the contents of a library, its use is controlled by the Utilities option in the library security profile. |
Default defined | A default profile has been defined for the utility. This default profile applies for all users for which no individual user-specific profile is defined. The Utilities option in library security profiles is ignored for this utility. |
Template defined | A profile has been defined for the utility. However, this profile can only be used as a template to define individual user-specific utility profiles. If a utility function affects the contents of a library, its use is controlled by the Utilities option in the library security profile - except for those users for which a user-specific utility profile is defined. |
Whether a default profile is a "real" profile or only a template is determined by the field "Applies as Default Profile" (see below) within the profile.
Warning: To avoid the applicability of utility profiles and the Utilities option in library profiles getting mixed up, you should always define a default profile (not only a template) for a utility if you intend to define user-specific profiles for that utility.
On the Define Utility Defaults/Templates screen, you can mark a utility with one of the following function codes:
Code | Function |
---|---|
AD | Define a default profile or template for the utility. |
MO | Modify the utility's existing default profile or template. |
DE | Delete the utility's existing default profile or template. |
DI | Display the utility's existing default profile or template. |
When you mark a utility with code "DE", a window will be displayed in which you confirm the deletion by entering the utility name. When you delete a utility's default profile or template, all other profiles for that utility - that is, user-specific, library-specific and user-library-specific utility profiles - will also be deleted.
When you mark a utility with code "AD", "MO" or "DI", its default profile or template will be displayed.
The default profile/template for each utility provides several options, which correspond to functions of the utility concerned. The options for each utility are described under Components of Utility Profiles below.
You can allow or disallow each option by marking it with "A" or "D" respectively. Initially, all options are disallowed.
With PF16 and PF17, you can set all options in a utility profile simultaneously to "A" or "D" respectively.
Note: Natural Security performs consistency checks on the combinations of allowed and disallowed options - impossible combinations of "A" and "D" are automatically rejected.
Moreover, each profile provides the following field, which determines whether the profile is a "real" default profile or only a template:
Value | Meaning |
---|---|
Y | Default Profile - The profile applies for all users for which no individual utility profile is defined. |
N | Template - The profile does not apply for any user. It can only be used as a template for the definition of individual user-specific utility profiles. |
Once this field is set to "Y" and any user-specific or library-specific profiles have been defined for that utility, you cannot reset it to "N". This is to ensure consistent utility protection.
Natural Security's Utility Maintenance is used to perform all functions related to the maintenance of individual utility profiles: user-specific profiles, library-specific profiles and user-library-specific profiles.
The components of an individual profile correspond to those of the corresponding default profile; they are described under Components of Utility Profiles below.
Note: Owner logic applies to the creation/maintenance of individual utility profiles.
On the Main Menu, enter code "M" for "Maintenance". A window will be displayed.
In the window, mark object type "Utility" with a character or with the cursor. The Utility Maintenance selection list will be displayed.
The Utility Maintenance selection list shows all utilities for which either a default profile or a template has been defined. For each utility, the following information is displayed:
Column | Meaning |
---|---|
Default | Indicates whether a default profile has been defined for this utility (YES/NO). "NO" means that only a template has been defined. |
User | Indicates whether any user-specific profiles exist for this utility (YES/NO). |
Library | Indicates whether any library-specific profiles exist for this utility (YES/NO). |
User-Lib. | Indicates whether any user-library-specific profiles exist for this utility (YES/NO). |
From the Utility Maintenance selection list, you invoke all functions for the creation, modification, deletion and display of individual utility profiles.
The following functions are available:
Code | Function |
---|---|
DD | Display default profile or template. This function displays the default profile (or the template) defined for a utility. |
Functions for user-specific utility profiles: | |
DU | Display user-specific profiles. This function displays a list of existing user-specific profiles for a utility. From the list, you can select the profiles to be displayed. |
AU | Add or maintain user-specific profiles. This function displays a list of users (of types A, P and G). From the list, you can select the users for which you wish to define user-specific profiles for a utility. |
MU | Maintain user-specific profiles. This function displays a list of existing user-specific profiles for a utility. From the list, you can select the profiles to be maintained. |
Functions for library-specific utility profiles: | |
DL | Display library-specific profiles. This function displays a list of existing library-specific profiles for a utility. From the list, you can select the profiles to be displayed. |
AL | Add or maintain library-specific profiles. This function displays a list of libraries. From the list, you can select the libraries for which you wish to define library-specific utility profiles. |
ML | Maintain library-specific profiles. This function displays a list of existing library-specific profiles for a utility. From the list, you can select the profiles to be maintained. |
Functions for user-library-specific utility profiles: | |
DX | Display user-library-specific profiles. This function displays a list of existing user-library-specific profiles of a specific user for a utility. From the list, you can select the profiles to be displayed. |
AX | Add or maintain user-library-specific profiles. This function displays a list of libraries. From the list, you can select the libraries for which you wish to define user-library-specific utility profiles for a specific user. |
MX | Maintain user-library-specific profiles. This function displays a list of existing user-library-specific profiles of a specific user for a utility. From the list, you can select the profiles to be maintained. |
The "Add or Maintain" functions (codes AU, AL, AX) display lists of all users/libraries, comprising those for which utility profiles exist as well as those for which no utility profiles have been defined. They allow you to add new utility profiles as well as modify, delete and display existing utility profiles.
The "Maintain" functions (codes MU, ML, MX) display lists of only those users/libraries for which utility profiles exist. They allow you to modify, delete and display existing utility profiles.
You can "switch" directly from "Add or Maintain" to "Maintain" by reducing the displayed list from a list of all users/libraries to a list of only those with existing profiles. To do so, you mark with "X" the selection criterion field "U" (user-specific profile exists), "L" (library-specific profile exists) or "U-L" (user-library-specific profile exists) respectively in the heading of the list.
However, if you know beforehand that you are going to only maintain existing profiles but not add any new ones, it is recommended (for better performance) that you directly use codes MU, ML and MX respectively.
Each of the functions listed displays a list of items (users, libraries, profiles). When you invoke a function, a window will be displayed in which you can enter a start value for the list of items to be displayed.
For functions related to user-library-specific profiles, the ID of the user whose user-library-specific profiles are to be listed must also be specified in the start value window.
When you invoke one of the functions listed, you get a list of items (users, libraries or utility profiles).
On this list, you mark one or more items with a code to invoke a subfunction to be performed on the item.
The available subfunctions (Add, Modify, etc.) differ depending on the function invoked.
For a list of available subfunctions, you enter a question mark (?) in the field "Co".
On the selection list of users displayed with function codes AU, DU and MU, the following information is displayed for each user:
Column | Meaning |
---|---|
Type | Indicates the user type (A, P or G). |
U | An "X" indicates that the user has a user-specific profile for this utility. |
U-L | An "X" indicates that the user has one or more user-library-specific profiles for this utility. |
On the selection list of libraries displayed with function codes AL, DL and ML, the following information is displayed for each library:
Column | Meaning |
---|---|
Prot. | Indicates the "people-protected" and "terminal-protected" settings as defined in the library security profile. |
Link | (empty) |
L | An "X" indicates that the library has a library-specific profile for this utility. |
U | An "X" indicates that the library has one or more user-library-specific profiles for this utility. |
On the selection list of libraries displayed with function codes AX, DX and MX, the following information is displayed for each library:
Column | Meaning |
---|---|
Prot. | Indicates the "people-protected" and "terminal-protected" settings as defined in the library security profile. |
Link | Indicates whether the user is linked to the library (LK = normal link, SL = special link). |
U-L | An "X" indicates that the user has a user-library-specific profile for this library for this utility. |
L | An "X" indicates that the library has a library-specific profile for this utility. |
A user-specific utility profile can only be defined for a utility for which either a default profile or a template exists.
To add a user-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "AU". A window will be displayed in which you can enter a start value for the list of users to be displayed. Then a list of users (of types A, P and G) will be displayed.
On that list, you mark the desired user with "AD". The user-specific profile for the utility will be displayed for you to define.
The options you can allow or disallow within the profile are the same as in the corresponding default profile or template (see Components of Utility Profiles below).
The initial "allowed/disallowed" settings in the user-specific profile are taken from the default profile or the template.
To modify or display a user-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "MU" or "DU" respectively. A window will be displayed in which you can enter a start value for the list of user-specific profiles to be displayed. Then a list of existing user-specific profiles for the selected utility will be displayed.
On that list, you mark the desired profile with "MO" (modify) or "DU" (display) respectively. The profile will be displayed for modification/display.
The options in the profile are the same as in the corresponding default profile or template (see Components of Utility Profiles below).
To delete a user-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "MU". A window will be displayed in which you can enter a start value for the list of user-specific profiles to be displayed. Then a list of existing user-specific profiles for the selected utility will be displayed.
On that list, you mark the desired profile with "DE". A window will be displayed in which you confirm the deletion.
When you delete a user-specific utility profile, all user-library-specific utility profiles for this user for this utility will also be deleted.
A library-specific utility profile can only be defined for a utility for which a default profile (not only a template) has been defined.
To add a library-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "AL". A window will be displayed in which you can enter a start value for the list of libraries to be displayed. Then a list of libraries will be displayed.
On that list, you mark the desired library with "AD". The library-specific profile for the utility will be displayed for you to define.
The options you can allow or disallow within the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).
The initial "allowed/disallowed" settings in the library-specific profile are taken from the default profile.
To modify or display a library-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "ML" or "DL" respectively. A window will be displayed in which you can enter a start value for the list of library-specific profiles to be displayed. Then a list of existing library-specific profiles for the selected utility will be displayed.
On that list, you mark the desired profile with "MO" (modify) or "DL" (display) respectively. The profile will be displayed for modification/display.
The options in the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).
To delete a library-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "ML". A window will be displayed in which you can enter a start value for the list of library-specific profiles to be displayed. Then a list of existing library-specific profiles for the selected utility will be displayed.
On that list, you mark the desired profile with "DE". A window will be displayed in which you confirm the deletion.
A user-library-specific utility profile can only be defined for a user for which a user-specific profile for that utility exists.
To add a user-library-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "AX". A window will be displayed in which you enter the ID of the user for whom a user-library-specific profile is to be defined; also, you can enter a start value for the list of libraries to be displayed. Then a list of libraries will be displayed.
On that list, you mark the desired library with "AD". The user-library-specific profile for the specified user for this library will be displayed for you to define.
The options you can allow or disallow within the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).
The initial "allowed/disallowed" settings in the user-library-specific profile are taken from the corresponding library-specific profile; if no such profile exists, they are taken from the corresponding user-specific profile.
To modify or display a user-library-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "MX" or "DX" respectively. A window will be displayed in which you enter the ID of the user whose user-library-specific profile(s) are to be listed; also, you can enter a start value for the list of profiles to be displayed. Then a list of existing user-library-specific profiles of the specified user for the selected utility will be displayed.
On that list, you mark the desired profile with "MO" (modify) or "DX" (display) respectively. The profile will be displayed for modification/display.
The options in the profile are the same as in the corresponding default profile (see Components of Utility Profiles below).
To delete a user-library-specific utility profile, you mark the desired utility on the Utility Maintenance selection list with "MX". A window will be displayed in which you enter the ID of the user whose user-library-specific profile(s) are to be listed; also, you can enter a start value for the list of profiles to be displayed. Then a list of existing user-library-specific profiles of the specified user for the selected utility will be displayed.
On that list, you mark the desired profile with "DE". A window will be displayed in which you confirm the deletion.
A utility profile provides several options which correspond to the functions of the utility concerned. These options are the same in every profile related to that utility: default profile, user-specific, library-specific and user-library-specific profiles.
The individual options are described below for each utility:
The NATLOAD utility is only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for NATLOAD can still be maintained. However, instead of NATLOAD, it is recommended that the SYSOBJH utility be used and profiles defined for it. A function is provided which allows you to convert your NATLOAD utility profiles into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.
The profiles for the NATLOAD utility provide the following options:
Option | Explanation |
---|---|
Load Natural Objects | Determines whether the user may load programming objects. |
Del. | Determines whether the user may process delete instructions for programming objects (this requires that the loading of programming objects is allowed). |
Load DDMs | Determines whether the user may load DDMs. |
Del. | Determines whether the user may process delete instructions for DDMs (this requires that the loading of DDMs is allowed). |
Load Error Messages | Determines whether the user may load error messages. |
Del. | Determines whether the user may process delete instructions for error messages (this requires that the loading of error messages is allowed). |
Scan Natural Objects | Determines whether the user may scan the work file for programming objects. |
Scan DDMs | Determines whether the user may scan the work file for DDMs. |
Scan Error Messages | Determines whether the user may scan the work file for error messages. |
PC Upload | Determine whether the user may use the NATLOAD parameters of the same names. |
Replace | |
New Library | |
The NATUNLD utility is only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for NATUNLD can still be maintained. However, instead of NATUNLD, it is recommended that the SYSOBJH utility be used and profiles defined for it. A function is provided which allows you to convert your NATUNLD utility profiles into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.
The profiles for the NATUNLD utility provide the following options:
Option | Determines whether the user may: |
---|---|
Unload Natural Objects | Unload programming objects. |
Unload DDMs | Unload DDMs. |
Unload Error Messages | Unload error messages. |
Unload Delete Instructions | Unload delete instructions. |
PC Download | Use the NATUNLD parameters of the same names. |
Target Library | |
The SYSBPM utility is only available with Natural on mainframe computers.
The profiles for the SYSBPM utility provide several options. Each option corresponds to the SYSBPM function/command of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function/command.
The profiles for the SYSCP utility (Natural Code Page Administration) provide several options. Each option corresponds to the Natural Code Page Administration function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.
The SYSDB2 utility (Natural Tools for DB2) is only available with Natural on mainframe computers.
The profiles for the SYSDB2 utility provide several options. Each option corresponds to the Natural Tools for DB2 function/command of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function/command.
The SYSDDM utility is only available with Natural on mainframe computers, UNIX and OpenVMS.
The profiles for the SYSDDM utility provide several options. Each option corresponds to the SYSDDM function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.
The profiles for the SYSERR utility provide the following options:
Option | Explanation |
---|---|
Add New Messages | Determine whether the user may use the SYSERR functions of the same names. |
Delete Messages | |
Display Messages | |
Modify Messages | |
Print Messages | |
Scan in Messages | |
Select Messages from a List | |
Translate Messages into Another Language | |

You can allow/disallow these options separately for:
- user messages (PF7),
- Natural system messages (PF8).
In addition, by pressing PF8 again, you can allow/disallow the use of the following SYSERR direct commands:
Command | Explanation |
---|---|
EXPORT | Possible values for each command: |
IMPORT | |
LAYOUT | |
NEXT | |
RESTART | |
SAMPLE | |
SHIFT | |
TRACE | |
USER | |
As the SYSMAIN utility is not identical on all platforms, some SYSMAIN options/functions may not be available on some platforms.
The SYSMAIN utility can be invoked in two ways:
- with the command SYSMAIN,
- via the application programming interface MAINUSER.
By default, utility profiles defined for the SYSMAIN utility apply to both ways. However, it is possible to define a separate set of utility profiles which control the use of SYSMAIN functions when invoked via MAINUSER. See MAINUSER API under Additional Options below for details.
The profiles for the SYSMAIN utility provide the following options:
Option | Explanation |
---|---|
Programming Objects | This general setting in the first column of the screen determines whether the user may use SYSMAIN at all for this type of object. If this is set to "D" (disallowed), all subordinate function specifications for this object type must also be set to "D". |
Debug Environments | |
User Messages | |
DDMs | |
Natural Messages | |
Profiles | |
Rules | |
DL/I Subfiles | |
Resources | |
In addition, you can allow/disallow the following functions for each object type individually:
Option | Determines whether the user may use: |
---|---|
Co | The SYSMAIN function COPY for this type of object. |
De | The SYSMAIN function DELETE for this type of object. |
Fi | The SYSMAIN function FIND for this type of object. |
Im | The SYSMAIN function IMPORT for this type of object. |
Li | The SYSMAIN function LIST for this type of object. |
Mo | The SYSMAIN function MOVE for this type of object. |
Ren | The SYSMAIN function RENAME for this type of object. |
Rep | The SYSMAIN function REPLACE for this type of object. |
FNAT | The SYSMAIN function SET FNAT for this type of object. |
FSEC | The SYSMAIN function SET FSEC for this type of object. (*) |
FDIC | The SYSMAIN function SET FDIC for this type of object. (*) |
(*) These options can be set in the default profile and in user-specific profiles, but not in library-specific or user-library-specific profiles.
The profiles for the SYSOBJH utility (Natural Object Handler) provide the following options:
Option | Explanation |
---|---|
Unload | Determine whether the user may use the Object Handler functions of the same names. |
UnDeLi | |
Load | |
Delete | |
Scan | |
In addition, you can allow/disallow the above functions for each object type individually:
Option | Determines whether the function may be applied to: |
---|---|
Nat | Natural programming objects. |
Err | Error messages. |
CPr | Command processors. |
NRe | Natural-related objects. |
Ext | External objects. |
FDT | Adabas FDTs. |
MfD | Mainframe DDMs. |
MfR | Mainframe-related objects. |
App | Applications. |
Del | This option determines whether the Object Handler parameter DELETEALLOWED may be specified for the function. |
Par | This option determines whether Object Handler parameters may be specified for the function. |
Rep | This option determines whether the Object Handler parameter REPLACE may be specified for the function. |
Note: In library-specific and user-library-specific profiles, options applying to object types which are not library-related cannot be allowed/disallowed.
Also, the profiles for SYSOBJH provide the following general options:
Option | Explanation |
---|---|
Admin | Determines whether the user may use the "Admin" section of the Object Handler. |
FSEC | Determines whether the user may specify the Object Handler parameters of the same names. |
FDIC | |
Transfer only | |
In the profiles for SYSOBJH, you can also allow/disallow the following Object Handler direct commands:
Command | Explanation |
---|---|
Navigation Commands: | |
GO | Determine whether the user may use the Object Handler direct commands of the same names. |
- GO HOME | |
- GO UNLOAD | |
- GO LOAD | |
- GO SCAN | |
- GO RESTART | |
- GO ADMIN | |
- GO VIEW | |
- GO FIND | |
- GO UNDELI | |
Configuration Commands: | |
SET | Determine whether the user may use the Object Handler direct commands of the same names. |
- SET TRACE ON | |
- SET TRACE WORKFILE | |
- SET TRACEFILE | |
- SET FREE ON/OFF | |
- SET EXECUTIONMSG ON/OFF | |
- SET ADVANCEDCMD ON/OFF | |
Show Commands: | |
SHOW | Determine whether the user may use the Object Handler direct commands of the same names. |
- SHOW LAST RESULT | |
- SHOW LAST MESSAGE | |
- SHOW PROFILE | |
- SHOW REPORT | |
- SHOW STATUS | |
- SHOW TRACE | |
Other Commands: | |
CHANGE WORKPLAN LIBRARY | Determine whether the user may use the Object Handler direct commands of the same names. |
CLEAR | |
INIT | |
READ PROFILE | |
SETTINGS | |
The SYSPARM utility is only available with Natural on mainframe computers.
The profiles for the SYSPARM utility provide several options. Each option corresponds to the SYSPARM function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.
The profiles for the SYSRPC utility provide several options. Each option corresponds to the SYSRPC function of the same name. By allowing/disallowing an option you determine whether the user may use the corresponding function.
The SYSTRANS utility is only available with Natural versions prior to 4.2 on mainframes and 6.2 on UNIX and Windows. For compatibility reasons, existing utility profiles for SYSTRANS can still be maintained. However, instead of SYSTRANS, it is recommended that the SYSOBJH utility be used and profiles defined for it. A function is provided which allows you to convert your SYSTRANS utility profiles into corresponding SYSOBJH utility profiles; it is described under Conversion of Utility Profiles.
The profiles for the SYSTRANS utility provide the following options:
Option | Determines whether the user may use: |
---|---|
Unload | The SYSTRANS Unload function. |
Load | The SYSTRANS Load function. |
Replace | The Replace option of the SYSTRANS Load function. |
Scan | The SYSTRANS Scan function. |
Restart | The SYSTRANS Restart function. |
In addition, you can allow/disallow the above functions for each object type individually:
Option | Determines whether the function may be applied to: |
---|---|
NAT | Natural programming objects. |
Map | Maps. |
DDM | DDMs. |
FDT | Adabas FDTs. |
Err | Error messages. |
CPr | Command processors. |
Lib | Libraries. |
All | All objects on the work file to be processed. |
Also, the profiles for SYSTRANS provide the following options, which apply to the Direct Transfer functions of SYSTRANS:
Option | Determines whether the user may use: |
---|---|
Direct Transfer Functions | Any SYSTRANS Direct Transfer functions (using Natural RPC). |
Transfer | The SYSTRANS function "Direct Transfer (using RPC)". |
Restart | The SYSTRANS function "Restart Direct Transfer". |
Report | The SYSTRANS function "Get Report from Direct Transfer Load". |
Define | The SYSTRANS function "Define Local Transfer System". |
The following Additional Options are part of the default security profiles of all utilities. They can only be set in the default profiles, but not in individual user-specific, library-specific or user-library-specific profiles. For each utility, the Additional Options settings apply to all utility profiles related to that utility.
If you press PF4 on a basic utility default profile screen, a window will be displayed from which you can select the following options:
- Maintenance Information
- Security Notes
- Owners
- Session Options
The options for which something has already been specified or defined are marked with a plus sign (+).
You can select one or more items from the window by marking them with any character. For each item selected, an additional window will be displayed:
Additional Option | Explanation |
---|---|
Maintenance Information (display only) | In this window, the following information is displayed: |
Security Notes | In this window, you may enter your notes on the security profile. |
Owners | In this window, you may enter up to eight IDs of ADMINISTRATORs. Only the ADMINISTRATORs specified here will be allowed to maintain this utility security profile. If no owner is specified, any user of type ADMINISTRATOR may maintain the security profile. For each owner, the number of co-owners whose countersignatures will be required for maintenance permission may optionally be specified in the field after the ID. For an explanation of owners and co-owners, see the section Countersignatures. |
Session Options | See below. |
If you mark "Session Options" in the Additional Options window with any character, the Session Options window will be displayed. In this window, you can set the following options:
Option | Explanation |
---|---|
Access Recorded | |
Privileged Groups | |
*GROUP Only | |
MAINUSER API | This option is only available for the SYSMAIN utility. It controls the use of SYSMAIN functions invoked via the application programming interface (API) MAINUSER. If you set this option to "Y", a separate entry named MAINUSER will be created on the Define Utility Defaults/Templates screen. With this, you can create a separate set of utility profiles to allow/disallow the use of SYSMAIN functions when invoked via the MAINUSER API. These profiles are independent of the "normal" SYSMAIN utility profiles which control the use of SYSMAIN functions when invoked via the SYSMAIN command. The components of the MAINUSER utility profiles are the same as those of the SYSMAIN utility profiles. |
Utilities option | |
This function is used to convert your old NATLOAD, NATUNLD and SYSTRANS utility profiles into corresponding SYSOBJH utility profiles.
The conversion results in the following:
- Creation of new profiles: For every old NATLOAD/NATUNLD/SYSTRANS profile for which a corresponding SYSOBJH profile does not yet exist, such a SYSOBJH profile will be created automatically. The settings in the old profile will be mapped to the new profile.
- Adjustments of existing profiles: For every old NATLOAD/NATUNLD/SYSTRANS profile for which a corresponding SYSOBJH profile already exists, the settings in the SYSOBJH profile may be adjusted automatically to reflect the settings in the old profile(s). To avoid undesired changes in existing profiles, the conversion function allows you to control and monitor which automatic adjustments are made.
The resulting set of SYSOBJH profiles will provide utility protection equivalent to that of the old profiles.
The conversion function provides information on exactly which profiles were created/adjusted and why; in addition, you can see the cause and result of each adjustment made (see option "Select listing type" below).
In any case, after you have performed the conversion, you can make further adjustments to your SYSOBJH profiles manually by modifying them with Natural Security's utility maintenance functions.
To invoke the conversion function, enter the direct command CONVUTIL in the command line within the library SYSSEC.
The Convert Utility Profiles screen will be displayed. It provides the options described below.
The Convert Utility Profiles screen provides the following options to control the conversion process:
Option | Explanation |
---|---|
Select function | Two functions are available: |
Select conversion rule | This option determines whether in already existing SYSOBJH profiles "allowed" settings are to overwrite "disallowed" settings, or vice versa: |
Create default profile | This option only applies if a default profile exists for an old utility, while for SYSOBJH only a template - but no default profile - exists. In this case, you can use this option to determine whether a default profile for SYSOBJH is to be created or not. |
Exclude profiles from conversion if SYSOBJH profile exists | With this option, you can exclude certain types of old utility profiles from the conversion if a corresponding SYSOBJH profile already exists. You can exclude: Thus you can preclude the undesired overwriting of settings in the respective existing SYSOBJH profiles. This option only affects already existing SYSOBJH profiles which would be modified by the conversion; it does not affect already existing SYSOBJH profiles which would remain unchanged by the conversion nor new SYSOBJH profiles created by the conversion. It is recommended to first perform the CHECK function without excluding any profiles. Thus you can ascertain which existing SYSOBJH profiles would be modified automatically by the conversion - and then determine how to proceed with the conversion. |
Select listing type | This option determines what information is displayed when the selected function is executed: |
After the conversion, it is recommended that the old NATLOAD/NATUNLD/SYSTRANS profiles be deleted. This is not done automatically, but has to be done manually for each old utility, using function code "DE" on the Define Utility Defaults/Templates screen (see Defining Default Profiles).
When a new SYSOBJH profile is created as a result of the conversion, the settings from the corresponding old NATLOAD/NATUNLD/SYSTRANS profiles are mapped to this new profile. However, the new profile may contain settings which had no counterpart in the old profiles. For such settings, the values from the SYSOBJH template/default profile will be taken.
The conversion procedure compares each old library-specific, user-specific and user-library-specific profile with its corresponding SYSOBJH profile. If no corresponding library-/user-/user-library-specific SYSOBJH profile exists, the SYSOBJH default profile is used for the comparison. In this case, a new library-/user-/user-library-specific SYSOBJH profile is only created if its settings are different from the default profile (because a specific profile that is identical with the default profile would be superfluous). Exception: The creation of a new user-library-specific profile also causes a new user-specific profile for the same user to be created, even if the latter does not differ from the default profile.
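
The creation and adjustment decisions described above, together with the conversion rule, as a simplified Python model; this is an added illustration, not Natural Security code. The dictionary layout, the value "A" for allowed (next to "D" for disallowed), the user and library names, and the premise that old settings are already mapped onto SYSOBJH option names are all assumptions. The model also reports which options each planned action would newly allow, so that a privilege-widening conversion can be spotted before it is run.

```python
# Simplified model of the conversion decisions (illustration only).
# Assumptions: a profile is a dict of SYSOBJH option -> "A" (allowed) or
# "D" (disallowed); keys are (user, library), "" meaning "not specific";
# old settings are already mapped onto SYSOBJH option names.
DEFAULT = ("", "")

def merge(existing, mapped, rule):
    """Apply the conversion rule: rule="A" lets allowed settings overwrite
    disallowed ones, rule="D" lets disallowed overwrite allowed."""
    out = dict(existing)
    for opt, val in mapped.items():
        if opt not in out or val == rule:
            out[opt] = val
    return out

def widened(before, after):
    """Options that become allowed although they were not allowed before."""
    return sorted(o for o, v in after.items() if v == "A" and before.get(o) != "A")

def plan_conversion(old, sysobjh, rule):
    """Return (action, key, widened options) tuples without changing anything."""
    default = sysobjh[DEFAULT]
    planned = set(sysobjh)
    actions = []
    # Handle user-library-specific profiles last so that user-specific
    # profiles planned earlier are known when the exception is applied.
    for key in sorted(old, key=lambda k: (bool(k[0] and k[1]), k)):
        mapped = old[key]
        if key in sysobjh:                      # existing profile: adjust
            before = sysobjh[key]
            after = merge(before, mapped, rule)
            if after != before:
                actions.append(("adjust", key, widened(before, after)))
            continue
        after = {**default, **mapped}           # unmapped options: default values
        if after == default:
            continue                            # same as default: superfluous
        actions.append(("create", key, widened(default, after)))
        planned.add(key)
        user, lib = key
        if user and lib and (user, "") not in planned:
            # Exception: a new user-library-specific profile also creates a
            # user-specific profile for that user, even if equal to the default.
            actions.append(("create", (user, ""), []))
            planned.add((user, ""))
    return actions

# Constructed sample data (user and library names are made up).
SYSOBJH = {
    DEFAULT: {"Unload": "A", "Load": "D", "Delete": "D", "Scan": "A"},
    ("ALICE", ""): {"Unload": "A", "Load": "D", "Delete": "D", "Scan": "A"},
}
OLD = {
    ("ALICE", ""): {"Load": "A"},
    ("BOB", "PAYLIB"): {"Load": "A", "Unload": "D"},
    ("", "TESTLIB"): {"Unload": "A"},
}

if __name__ == "__main__":
    for rule in ("A", "D"):
        print(rule, plan_conversion(OLD, SYSOBJH, rule))
```

With the "allowed overwrites disallowed" rule the existing ALICE profile gains Load; with the opposite rule it is left unchanged, while the new BOB profiles are planned under either rule.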