This section describes which resources have to be defined in the external security system in conjunction with Natural SAF Security, and how they are activated. It covers the following topics:
Note on terminology:
Some external security systems use the term "resource profile",
others the term "rule". In this documentation the term "resource profile" is
used.
Some external security systems use the term "resource class",
others the term "resource type". In this documentation the term "resource
class" is used.
The existing user definitions in the external security system can be used. No additional user-specific definitions have to be made in the external security system.
If the NSF user options NSF *GROUP and NSF *USER-NAME are set to "Y", the user's group and user name as defined in the external security system are passed to Natural SAF Security.
The resource-class name for Natural environments is defined with the
macro parameter NACLSF
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNSF
.
A Natural environment is determined by the combination of the Natural system files FNAT, FDIC, FSEC and FUSER. For each system-file combination that is to be protected, a resource profile has to be defined in the external security system.
The identification of the resource profile must be a 40-digit number corresponding to the database ID / file number (DBID/FNR) combinations of the four system files. The database IDs and file numbers must be specified in the following sequence:
FNAT DBID and FNR,
FDIC DBID and FNR,
FSEC DBID and FNR,
FUSER DBID and FNR.
Each DBID and FNR must be specified as a 5-digit number (padded with leading zeros).
For example, the following environment:
FNAT=(00011,00035), FDIC=(00011,00033), FSEC=(00011,00034), FUSER=(00011,00032)
would have to be specified as follows:
0001100035000110003300011000340001100032
The access level specified in the resource profile determines whether a user has access to the environment. A user needs at least READ access to be able to access a Natural environment.
The NSF environment option Protect Environments determines if access to a Natural environment is to be controlled by Natural SAF Security. If this option is set to "Y", the access level defined for the environment in the external security system determines whether a user has access to it or not.
With Natural SAF Security, Natural libraries can be protected to control users' access to them. You can protect a Natural library:
independently of the environment, or
in specific environments.
The resource-class name for Natural libraries is defined with the
macro parameter NACLTC
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNTC
.
If a Natural library is to be protected, a resource profile has to be defined for it in the external security system. The resource-profile name must correspond to the library ID and may be up to 8 characters long.
The access level specified in the resource profile is checked when a user logs on to a Natural library. A user needs at least READ access to be able to log on to a library.
The NSF library option Protect Libraries determines if access to Natural libraries is to be controlled by Natural SAF Security. If this option is set to "Y", the access level defined for a library in the external security system determines whether a user can log on to the library or not.
The resource-class name for Natural libraries is defined with the
macro parameter NACLTC
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNTC
.
If a Natural library is to be protected in a specific Natural environment (Natural system-file combination), a resource profile for the environment-library combination has to be defined in the external security system. A Natural environment is determined by a one-character alias. The resource-profile name must consist of the alias and the library ID (up to 8 characters), separated by a period:
a.library-ID
In Natural Security, you have to define an environment profile for the environment. In the environment profile, the alias to be used has to be specified.
The NSF library option Protect Libraries has to be set to "Y" to activate Natural SAF Security's library-access control.
The environment-specific library-access check is activated by setting the NSF library option with Environment to "Y". Access to the library is then only possible in environments to which the user has READ access.
If the NSF library option Disable Natural Commands is set to "Y", the access level defined for the library (or library-environment combination) in the external security system also determines whether or not users may use Natural system commands within the library. A user needs at least CONTROL access to use system commands.
If the NSF library option Set FUSER Read-Only is set to "Y", the access level defined for the library (or library-environment combination) in the external security system also determines whether or not a user may make modifications on the FUSER system file from within the library. A user needs at least ALTER access to make modifications on the FUSER file.
With Natural SAF Security, Natural programming objects in libraries can be protected to control users' execution of them.
Only programming objects which are defined in the external security system can be protected; undefined programming objects can be executed by any user.
The protection of programming objects requires that Natural SAF Security has been installed appropriately; see Step 2 of the Natural SAF Security installation procedure.
The resource-class name for Natural programming objects is defined with
the macro parameter NACLPG
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNPG
.
At start-up, the SAF server retrieves a list of defined programming objects from the external security system, so that Natural SAF Security can determine which objects require authorization checks without continually accessing the SAF repository. Whenever programming-object definitions in the external security system are changed, the SAF server has to be restarted for these changes to take effect.
For CA-ACF2 and CA Top Secret, the list of defined programming objects
cannot be obtained directly from the security repository. Instead, it must be
provided in an intermediate dataset into which the information is written by
CA-ACF2 and CA Top Secret. The dataset must be allocated to the DD name
SEFEXT
in the SAF daemon's JCL. Examples are provided in the
Adabas Limited Libraries source library: members SAFAEXT
for
CA-ACF2 and SAFTEXT
for CA Top Secret. Whenever programming-object
definitions in CA-ACF2 or CA Top Secret are changed, the dataset has to be
newly created for these changes to take effect.
If a Natural programming object is to be protected, a resource profile has to be defined for it in the external security system.
The resource-profile name must correspond to the library ID, and the module name of the programming object, each of which may be up to 8 characters long and which must be separated by a period:
library-ID.module-name
The library-ID you choose depends on how you set the Natural SAF Security Definitions (see below).
If a Natural library is protected in a specific Natural environment (see Access to a Library in Specific Environments above), the programming objects contained in the library can also protected in this environment. For this purpose, a corresponding resource profile has to be defined in the external security system, identifying the environment (determined by a one-character alias), library and programming object:
a.library-ID.module-name
The access level specified in the resource profile determines whether a user can execute the programming object or not. A user needs at least READ access to be able to execute a Natural programming object.
The NSF library option Protect Natural Modules determines if the exexution of a Natural programming object is to be controlled by Natural SAF Security, in which case the access level defined for the programming object in the external security system determines whether a user can execute or not.
The Protect Natural Modules option is only evaluated if the NSF library option Protect Libraries has been set to a value other than "N".
An authorization check is performed when a user attempts to execute a
programming object. Depending on the setting of the Protect Natural
Modules option, the authorization check is performed either for the
user's current library (as determined by the current value of the Natural
system variable *LIBRARY-ID
) or for the library in which the
programming object is stored.
For example, let us assume the following situation:
A user is logged on to the library SALARY, which contains a program BONUS.
The library SALARY has a steplib PAYGENRL, which contains a program PAYMENTS.
The user invokes the program BONUS, which in turn invokes the program PAYMENTS.
If the option Protect Natural Modules is set to "Y", Natural SAF Security checks if the user is allowed to execute
program BONUS in library SALARY, and
program PAYMENTS in library SALARY;
this means, the following resource profiles would be checked:
SALARY.BONUS, and
SALARY.PAYMENTS.
If the option Protect Natural Modules is set to "X", Natural SAF Security checks if the user is allowed to execute
program BONUS in library SALARY, and
program PAYMENTS in library PAYGENRL;
that means, the following resource profiles would be checked:
SALARY.BONUS and
PAYGENRL.PAYMENTS.
If authorization checks are to be environment-specific, the NSF library option with Environment has to be set to "Y".
If the execution of programming objects in controlled by Natural Security, error NAT0963 is issued in the case of a user attempting to execute a programming object for which he/she has no authorization. If it is controlled by Natural SAF Security, however, error NAT0972 is issued in such a case instead.
With Natural SAF Security, Natural RPC services can be protected against unauthorized use. You can protect a Natural RPC service:
independently of the environment, or
in specific environments.
The resource-class name for Natural RPC services is defined with the
macro parameter NACLRP
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNRP
.
If a Natural RPC service is to be protected, a resource profile has to be defined for it in the external security system.
The resource-profile name must correspond to the library ID and subprogram name, each of which may be up to 8 characters long and which must be separated by a period:
library-ID.subprogram-name
The access level specified in the resource profile determines whether a user can use the service or not. A user needs at least READ access to be able to execute a Natural subprogram via RPC.
The NSF RPC option "Protect Services" determines if access to Natural RPC services is to be controlled by Natural SAF Security, in which case the access level defined for the RPC service in the external security system determines whether a user can use the service or not.
The resource-class name for Natural RPC services is defined with the
macro parameter NACLRP
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNRP
.
If a Natural RPC service is to be protected in a specific Natural environment (Natural system-file combination), a resource profile has to be defined for the environment-service combination in the external security system. A Natural environment is determined by a one-character alias. The resource-profile name must consist of the alias, the library ID (up to 8 characters), and the subprogram name, separated from one another by periods:
a.library-ID.subprogram-name
In Natural Security, you have to define an environment profile for the environment. In the environment profile, the alias to be used has to be specified.
The NSF RPC option Protect Services has to be set to "Y" or "F" to activate Natural SAF Security's service-access control.
The environment-specific service-access check is activated by setting the NSF RPC option with Environment to "Y". Use of the RPC service is then only possible in environments to which the user has READ access.
With Natural SAF Security, user-defined resources can be protected against unauthorized use. You can protect a user-defined resource:
independently of the environment, or
in specific environments.
The resource-class name for user-defined resources is defined with the
macro parameter NACLAP
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNPG
.
If a user-defined resource is to be protected, a resource profile has to be defined for it in the external security system.
The name of a resource profile can, for example, consist of a library ID, main function and subfunction. The library ID may be up to 8 characters long, the main function is usually (but not necessarily) the name of the programming object, and the subfunction is a 3-character code identifying the function to be performed. Each of the three must be separated from one another by a period:
library-ID.main-function.sub-function
The resource profile determines whether a user may access a user-defined resource or not.
The necessary security requests are handled via application programming interfaces provided by Natural SAF Security.
The resource-class name for user-defined resources is defined with the
macro parameter NACLAP
in the configuration module of the SAF
server (see Step 4 of the Natural SAF Security
installation
procedure). The default name is SAGNPG
.
If a user-defined resource is to be protected in a specific Natural environment (Natural system-file combination), a resource profile has to be defined for the environment-resource combination in the external security system. A Natural environment is determined by a one-character alias. The resource-profile name is composed as above, prefixed by the alias, for example:
a.library-ID.main-function.sub-function
The resource profile determines whether a user may access a user-defined resource in that environment or not.
In Natural Security, you have to define an environment profile for the environment. In the environment profile, the alias to be used has to be specified.
The environment-specific resource-access check is activated by setting the NSF user-resource option with Environment to "Y".
The necessary security requests are handled via application programming interfaces provided by Natural SAF Security.
The following table summarized the resource-class definitions to be made in the configuration module of the SAF server:
Resource | Macro Parameter in Configuration Module | Default Name | Length of Resource-Profile Name |
---|---|---|---|
Environments | NACLSF | SAGNSF | 40 |
Libraries | NACLTC | SAGNTC | 10 |
Programming objects | NACLPG | SAGNPG | 19 or 23 (*) |
RPC services |
NACLRP | SAGNRP | 19 |
User-defined resources |
NACLAP |
SAGNPG |
23 |
* Both NACLPG
and NACLAP
have the same default
name, SAGNPG
. If only NACLPG
is used, a length of 19
is sufficient. If both NACLPG
and NACLAP
are used, a
length of 23 is required.
The following table shows how CA-ACF2 and CA Top Secret translate RACF attributes, and also gives an overview of the effects of the access levels:
RACF Attribute | CA-ACF2 Resource Rule | CA Top Secret | Natural Commands | FUSER System File |
---|---|---|---|---|
READ | READ | READ | Commands are disabled (same as profile parameter NC=ON ).
|
FUSER is read-only. |
UPDATE | UPDATE | UPDATE | ||
CONTROL | DELETE | CONTROL | Commands are allowed (same as profile parameter NC=OFF ).
|
|
ALTER | ADD | ALL | Modification on FUSER are allowed. |
This section provides examples of how resources are defined in the external security system:
This is an example of how to define resources in RACF.
For details on RACF features, see IBM's RACF documentation. See also the SAF Security Kernel documentation.
For details on how to add a resource class to the RACF class descriptor table, see IBM's SPL RACF manual; for an example, see "IBM SYS1.SAMPLIB", member RACINSTL. Allocate a maximum length of 40 for the class. Define the class to enable discrete and generic profile use. Check further attributes controlling the level of RACF messages generated when performing RACROUTE calls, as well as the required level of SMF recording. Sample definitions are provided in source member RACFCLSX.
Add the resource class "SAGNSF" for Natural environments.
Update the z/OS router table, as described in IBM's SPL RACF manual; for an example, see "IBM SYS1.SAMPLIB", member RACINSTL, section RFTABLE.
Activate the new resource class "SAGNSF" with SETROPTS (see IBM's RACF Command Language Reference manual):
SETROPTS CLASSACT(SAGNSF) SETROPTS GENCMD(SAGNSF) SETROPTS GENERIC(SAGNSF)
Assume the following Natural environment (system-file combination) to be protected:
FNAT=(76,225) FDIC=(76,148) FSEC=(76,223) FUSER=(76,1000)
To add a resource profile for the above environment, and grant READ access to user ID "ADE", issue the following RACF commands:
RDEFINE SAGNSF 0007600225000760014800076002300007601000 UACC(NONE) PERMIT 0007600225000760014800076002300007601000 CLASS(SAGNSF) ACCESS(READ) ID(ADE)
This is an example of how to define resources in CA-ACF2.
For details on CA-ACF2 features, see Computer Associates' CA-ACF2 documentation. See also the SAF Security Kernel documentation.
Add a CLASMAP record for Natural environments as follows:
ENTITYLN(0) MUSID() RESOURCE(SAGNSF) RSRCTYPE(NSF)
Assume the following Natural environment (system-file combination) to be protected:
FNAT=(76,225) FDIC=(76,148) FSEC=(76,223) FUSER=(76,1000)
To allow the above environment for all user IDs, define the following rule:
$KEY(0007600225000760014800076002300007601000) TYPE(NSF) UID(*) SERVICE(READ,UPDATE) ALLOW
To disallow access to the above environment for user ID "ADE", define the following rule:
$KEY(0007600225000760014800076002300007601000) TYPE(NSF) UID(ADE) SERVICE(READ,UPDATE) PREVENT
This is an example of how to define resources in CA Top Secret.
For details on CA Top Secret features, see Computer Associates' CA Top Secret documentation. See also the SAF Security Kernel documentation.
To add the resource type "SAGNSF" for Natural environments to the CA Top Secret resource definition table (RDT), issue the following command (see Computer Associates' CA Top Secret Reference Guide for details):
TSS ADD(RDT) RESCLASS(SAGNSF) RESCODE(HEXCODE) ATTR(LONG) ACLST(NONE,READ,CONTROL) DEFACC(NONE)
Ownership must be assgined to a resource profile, before access to it can be permitted.
Assume the following Natural environment (system-file combination) to be protected:
FNAT=(76,225) FDIC=(76,148) FSEC=(76,223) FUSER=(76,1000)
To define a resource profile for the above environment, and assign user "USER1" as owner to this resource profile, issue the following command:
TSS ADD(USER1) SAGNSF(0007600225000760014800076002300007601000)
To grant user "ADE" READ access to the above environment, issue the following command:
TSS PER(ADE) SAGNSF(0007600225000760014800076002300007601000) FAC(fac) ACCESS (READ)