Transferring Security Data To Another System File

This section describes how to transfer Natural Security data from one system file to another.


General Information on Security Data Transfer

The transfer of Natural Security data from one system file to another is only relevant if you use more than one Natural Security system file.

A Natural Security system file is specified with the Natural profile parameter FSEC (see Natural Parameter Reference documentation).

The library SYSSEC contains two programs for the transfer of Natural Security data from one system file to another: SECULD2 and SECLOAD:

  • SECULD2 is used to unload data from one system file to a work file.

  • SECLOAD is used to load the data from the work file onto the other system file.

The selection of data to be transferred is done with SECULD2. SECLOAD will always attempt to transfer the complete work file. However, SECLOAD will check whether the data to be transferred are consistent with the data already stored on the system file. Inconsistent data will not be loaded.

The programs SECULD2 and SECLOAD you use must both be of the same Natural Security version. Moreover, it is recommended that the latest available version of SECULD2 and SECLOAD be used.

An FSEC system file can be shared by all supported Natural Security versions. This means that you can continue to use an existing FSEC file and need not create a new FSEC file for a new Natural Security version. However, should you decide to use a new FSEC file for a new Natural Security version and wish to transfer existing security data to this new file, you unload/load the data using the standard SECULD2/SECLOAD transfer procedure.

Both SECULD2 and SECLOAD can only be invoked from within the library SYSSEC.

Using SECULD2

To invoke SECULD2, you enter the command SECULD2 in the command line of any Natural Security screen. The SECULD2 menu will be displayed.

To select the type of data to be transferred, you enter one of the following function codes on the SECULD2 menu:

Function Code   Type of Data to be Unloaded
*               All security data.
D               All security data with deletion (all data will be loaded onto the work file and be deleted from the system file).
O               Objects defined in Natural Security (users, libraries, utility profiles, etc.).
L               Links between users and objects.
F               Links between libraries and files (this function is only available on mainframes).
C               Components of library profile (this function is not available on mainframes).
P               Default profiles (user or utility profiles).
W               Process workplan.

In addition to the function code, you can specify the following on the SECULD2 menu:

Transfer Format

With this option, you specify to which work file the selected data are to be written:

  • Y = The data will be written to Work File 1 in alphanumeric form (this is the default for non-mainframe environments). Work File 1 can be used for any form of transfer supported by SECULD2/SECLOAD.

    This requires that the work file is of text (ASCII) format and has a file extension. If it had no file extension (or the file extension .sag), the data would be loaded in binary form and could not be processed by SECLOAD.

  • N = The data will be written to Work File 5 in binary form (this is the default for mainframe environments). Work File 5 can only be used if the data are to be transferred to another system file on the same hardware platform.

Object Type  

If you select function code O, L or P, you also have to specify the type of object/link to be unloaded.

If you select function code C, you also have to specify the type of components (DDM profiles) to be unloaded.

For a selection list of possible types, enter a question mark (?) in this field.

If you select function code W, you specify the ID of the workplan in this field.

Start Value

You can specify an ID to unload a certain object or range of objects.

See also Range below.

Start Value is not applicable to function codes * and D.

Range

This field determines how the value specified in the Start Value field is to be treated:

  • If you leave the Range field blank, the value in the Start Value field will be treated as an actual start value; that is, the range of objects to be unloaded will begin with the one whose object ID corresponds to the value specified as Start Value.

  • If you enter an asterisk (*) in the Range field, the range of objects to be unloaded will comprise only those whose object IDs begin with the value specified as Start Value.

  • If you enter a plus sign (+) in the Range field, the range of objects to be unloaded will consist only of the one whose object ID is specified as Start Value - or, in the case of links, will include only those whose object ID is specified as Start Value.

Link ID

This field can only be used in conjunction with function code L. You can specify a user ID to unload only links of a certain user or range of users.

To select a range of links, you use the Range field (see below).

Range

This field can only be used in conjunction with function code L. It determines how the value specified in the Link ID field is to be treated:

  • If you leave the Range field blank, the value in the Link ID field will be treated as an actual start value; that is, the range of links to be unloaded will begin with the one whose user ID corresponds to the value specified as Link ID.

  • If you enter an asterisk (*) in the Range field, the range of links to be unloaded will only include those whose user IDs begin with the value specified as Link ID.

  • If you enter a plus sign (+) in the Range field, the range of links to be unloaded will only include those whose user ID corresponds to the value specified as Link ID.

Number  

You may specify the number of objects to be transferred.

(This option is not applicable to function codes * and D.)

Date from/to  

You may specify two dates to unload only objects which were created/last modified in that period of time.

(This option is not applicable to function code D.)

Work File  

You specify the name of the work file to which the data are to be written.

If you use Work File 5, the work-file name must end with ".sag".

This field is not available on mainframes.

Ty

The type of work file:

  • D = Default.

  • N = Entire Connection work file.

This field is not available on mainframes.

Using a Workplan

If you need to perform the same unload operation at regular intervals, you can use a so-called "workplan". Instead of having to make all the unload specifications every time on the SECULD2 menu, you need to make them only once in a workplan. You then use function code W and only specify the ID of the workplan in the field Object type on the SECULD2 menu.

A workplan is a Natural object of type "text", which has to be contained in the library SYSSEC.

The content of the text member has to be as follows:

 
- START-SECULD-WORKPLAN                                       
UNLOAD       ________                                     
TRANSFER     _                                            
OBJECT-TYPE  ________                                     
OBJECT-ID    _______________________________             
OBJECT-RANGE _                                            
LINK-ID      _______________________________             
LINK-RANGE   _                                           
NUMBER       __                                  
DATE-FROM    __________                                               
DATE-TO      __________                      
- END-SECULD-WORKPLAN                                           

SECULD2 evaluates the text specified after the keywords - indicated by the lines above - as follows:

- START-SECULD-WORKPLAN

Indicates the beginning of the text data to be processed by SECULD2.

UNLOAD

You can specify one of the following:

  • ALL = corresponds to function code *.

  • DELETE = corresponds to function code D.

  • OBJECT = corresponds to function code O.

  • LINK = corresponds to function code L.

  • FILE = corresponds to function code F.

  • PROFILE = corresponds to function code P.

TRANSFER

Corresponds to the SECULD2 menu field Transfer Format.

OBJECT-TYPE

Corresponds to the SECULD2 menu field Object Type.

OBJECT-ID

Corresponds to the SECULD2 menu field Start Value.

OBJECT-RANGE

Corresponds to the SECULD2 menu field Range for objects.

LINK-ID

Corresponds to the SECULD2 menu field Link ID.

LINK-RANGE

Corresponds to the SECULD2 menu field Range for links.

NUMBER

Corresponds to the SECULD2 menu field Number.

DATE-FROM

You can specify one of the following:

  • a date (in the format YYYY-MM-DD) as in the SECULD2 menu field Date from;

  • TODAY = the current date will be used;

  • LAST nnn = objects created/last modified in the last nnn days; that is, the current day plus the nnn previous days; nnn can be 1 to 999.

DATE-TO

You can specify a date (in the format YYYY-MM-DD) as in the SECULD2 menu field Date to.

If TODAY or LAST nnn is specified after DATE-FROM, any specification after DATE-TO will be ignored.

- END-SECULD-WORKPLAN

Indicates the end of the text data to be processed by SECULD2.

If you want to perform multiple unload operations with a single workplan, you specify multiple groups of keywords/texts after - START-SECULD-WORKPLAN and before - END-SECULD-WORKPLAN:

 
- START-SECULD-WORKPLAN                                       
UNLOAD       ________                                     
TRANSFER     _        
etc. ...                                            
UNLOAD       ________                                     
TRANSFER     _        
etc. ...                      
- END-SECULD-WORKPLAN                                           

A sample workplan T-WPLAN1 is provided in the library SYSSEC.
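A workplan can be reviewed before it is stored in SYSSEC. The following Python sketch is an added example, not part of Natural Security or of the sample T-WPLAN1: it parses a workplan with several UNLOAD groups, maps each group to its function code, resolves DATE-FROM as described above, and marks groups that delete from the source system file or carry a DATE-TO that will be ignored. It assumes upper-case keywords, that the underscores of the template have been replaced by values, and that a TODAY or LAST nnn window ends on the current date.

```python
from datetime import date, timedelta

# UNLOAD keyword -> SECULD2 function code, as listed in the keyword table.
CODES = {"ALL": "*", "DELETE": "D", "OBJECT": "O",
         "LINK": "L", "FILE": "F", "PROFILE": "P"}
KEYWORDS = {"UNLOAD", "TRANSFER", "OBJECT-TYPE", "OBJECT-ID", "OBJECT-RANGE",
            "LINK-ID", "LINK-RANGE", "NUMBER", "DATE-FROM", "DATE-TO"}

# Constructed sample workplan with two UNLOAD groups (not the shipped T-WPLAN1).
SAMPLE = """\
- START-SECULD-WORKPLAN
UNLOAD       OBJECT
TRANSFER     Y
OBJECT-TYPE  US
OBJECT-ID    ADE
OBJECT-RANGE *
DATE-FROM    LAST 7
DATE-TO      2008-06-10
UNLOAD       DELETE
- END-SECULD-WORKPLAN
"""


def parse_workplan(text):
    """Return one dict per UNLOAD group found between the START/END markers."""
    groups, inside = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("-"):
            inside = line.lstrip("- ").upper() == "START-SECULD-WORKPLAN"
        elif inside and line:
            keyword, _, value = line.partition(" ")
            if keyword == "UNLOAD":
                groups.append({})
            bad_unload = keyword == "UNLOAD" and value.strip().upper() not in CODES
            if keyword not in KEYWORDS or not groups or bad_unload:
                raise ValueError(f"unexpected workplan line: {line}")
            groups[-1][keyword] = value.strip()
    return groups


def review(text, today):
    """Summarise each group: function code, date window, risky settings."""
    report = []
    for g in parse_workplan(text):
        spec, d_to = g.get("DATE-FROM", "").upper(), g.get("DATE-TO", "")
        relative = spec == "TODAY" or spec.startswith("LAST")
        start = date.fromisoformat(spec) if spec and not relative else None
        if spec == "TODAY":
            start = today
        elif relative:
            days = int(spec.split()[1])
            if not 1 <= days <= 999:
                raise ValueError("LAST nnn: nnn must be 1 to 999")
            start = today - timedelta(days=days)  # today plus nnn previous days
        # Assumption: with TODAY or LAST nnn the window ends on the current date.
        end = today if relative else (date.fromisoformat(d_to) if d_to else None)
        code = CODES[g["UNLOAD"].upper()]
        report.append({"code": code, "from": start, "to": end, "deletes": code == "D",
                       "date_to_ignored": relative and bool(d_to)})
    return report
```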

Using SECLOAD

To invoke SECLOAD:

  1. Enter the command SECLOAD in the command line of any Natural Security screen.

  2. You will then be prompted to make the following specifications:

Load NSC Data in Transfer Format from Work File 1
  • Y = The data will be read in the transfer format from Work File 1 (this is the default for non-mainframe environments).

  • N = The data will be read from Work File 5 (this is the default for mainframe environments).

User-Defined Conversion Table

You can determine whether or not a conversion table is to be used (Y/N).

The conversion table used is provided by the API subprogram NSCCONV, which is contained in the library SYSSEC. You can adjust the table to suit your requirements. For details, see the source of NSCCONV.

Simulate Loading

This option can be used to ascertain whether all data from the work file can be loaded, before you actually load them. When this function is executed, the data are loaded into the system file, and then, upon completion of the function, immediately deleted from it again.

When activating this function, you select what type of load report you want as a result of the simulation:

  • N = Simulation not active.

  • A = Simulation with load report listing All records.

  • R = Simulation with load report listing only Rejected records.

  • L = Simulation with load report listing only Loadable records.

Work File

You specify the name of the work file from which the data are to be read.

This field is not available on mainframes.

Type of Work File
  • D = Default.

  • N = Entire Connection work file.

This field is not available on mainframes.

Expire passwords for loaded user profiles

This option can be used to enforce a password expiration for loaded user profiles (user types A, P, M).
  • Y = The passwords for loaded user profiles will be reset to being identical to the corresponding user IDs. At the next logon, these users will have to change their passwords.

  • N = No password expiration is applied in conjunction with the loading of user profiles.

This option does not apply to loaded user profiles in which the option Change after nnn days is set to 999. For these, the existing passwords will continue to be valid.

Note:
Data which are inconsistent or which already exist on the target system file will not be loaded. To ascertain why data were not loaded, please refer to the load report.

Transferring Data to Another Hardware Platform

With SECULD2 and SECLOAD, you can also transfer security data from one hardware platform to another.

To do so:

  1. Enter a "Y" in the Transfer Format field of the SECULD2 menu.

  2. By pressing PF4, you can then invoke an additional window in which you can specify the following optional parameters:

Target Environment

The operating system (as in the Natural system variable *OPSYS) of the target environment.

Target FSEC DBID/FNR

The database ID and file number of the FSEC system file to which the data are to be transferred. SECLOAD will compare these specifications with the DBID/FNR of the actual FSEC file to which the data are to be loaded: if they are not the same, the data cannot be loaded. In this way, you can prevent an uncontrolled loading of security data. Otherwise, anybody who got hold of the work file could load it anywhere.
Conversion EBCDIC-ASCII

You can determine whether EBCDIC-ASCII conversion is to be performed (Y/N).

The conversion is performed by the API subprogram NSCCONV, which is contained in the library SYSSEC. For details, see the source of NSCCONV.

User-Defined Conversion Table

You can determine whether or not a conversion table is to be used (Y/N).

The conversion table used is provided by the API subprogram NSCCONV, which is contained in the library SYSSEC. You can adjust the table to suit your requirements. For details, see the source of subprogram NSCCONV.

The data will then be written, in alphanumeric form, to Work File 1, from where they can be loaded with SECLOAD.

Note:
When data are transferred from a mainframe platform to another platform, SECLOAD also checks if library IDs conform to the naming conventions for libraries (as described under the system command LOGON in the Natural System Commands documentation).

Transferring Data in Batch Mode

SECULD2/SECLOAD in Batch Mode on Mainframes

Example jobs for executing SECULD2 and SECLOAD in batch mode on mainframe computers are shown below.

Example 1 of SECULD2 Job:

In this example, all users whose IDs begin with "ADE" and who were last modified between 1st January and 10th June 2008, and the library TESTLIB will be transferred to the work file CMWKF05.

//SECULD2 JOB DEMO,CLASS= ,MSGCLASS= ,REGION=2048K 
//********************************************************** 
//ULD      EXEC PGM=NATBATnn, 
// PARM='DBID=10,FNR=5,FSEC=(,8),FDIC=(,9),IM=D,MT=0,MAXCL=0,MADIO=0'
//STEPLIB  DD DISP=SHR,DSN=NATURAL.Vnn.LOAD 
//         DD DISP=SHR,DSN=ADABAS.Vnn.ADALOAD
//DDCARD   DD * 
ADARUN PROGRAM=USER,SVC=249,DATABASE=10,MODE=MULTI 
/* 
//CMPRINT  DD SYSOUT=* 
//CMWKF05  DD UNIT=TAPE,VOL=SER=NATSEC,DSN=NSC.ULD, 
// DCB=(RECFM=VB,LRECL=4624,BLKSIZE=4628,DEN=3),DISP=(,KEEP) 
//CMSYNIN  DD * 
SYSSEC,DBA,PASSWORD 
SECULD2 
O,N,US,ADE,*,,,,2008-01-01,2008-06-10 
O,N,LI,TESTLIB,1 
. 
FIN
/*

Example 2 of SECULD2 Job:

In this example, all users whose IDs begin with "ADE" will be transferred to the work file CMWKF01. If the "Transfer" option is specified as "Y", the job must contain a line for additional parameters (see Transferring Data to Another Hardware Platform above). In this example, no additional parameter specifications are made (that is, they are either not specified or specified as "N").

//SECULD2 JOB DEMO,CLASS= ,MSGCLASS= ,REGION=2048K 
//********************************************************** 
//ULD      EXEC PGM=NATBATnn, 
// PARM='DBID=10,FNR=5,FSEC=(,8),FDIC=(,9),IM=D,MT=0,MAXCL=0,MADIO=0'
//STEPLIB  DD DISP=SHR,DSN=NATURAL.Vnn.LOAD 
//         DD DISP=SHR,DSN=ADABAS.Vnn.ADALOAD
//DDCARD   DD * 
ADARUN PROGRAM=USER,SVC=249,DATABASE=10,MODE=MULTI 
/* 
//CMPRINT  DD SYSOUT=* 
//CMWKF01  DD UNIT=TAPE,VOL=SER=NATSEC,DSN=NSC.ULD, 
// DCB=(RECFM=VB,LRECL=4624,BLKSIZE=4628,DEN=3),DISP=(,KEEP) 
//CMSYNIN  DD * 
SYSSEC,DBA,PASSWORD 
SECULD2 
O,Y,US,ADE,* 
,,,N,N 
. 
FIN
/*

Example 3 of SECULD2 Job:

In this example, all libraries whose IDs begin with "SF" will be transferred to the work file CMWKF01. The target environment is a PC, and the database ID and file number of the target FSEC system file are 89 and 356.

//SECULD2 JOB DEMO,CLASS= ,MSGCLASS= ,REGION=2048K 
//********************************************************** 
//ULD      EXEC PGM=NATBATnn, 
// PARM='DBID=10,FNR=5,FSEC=(,8),FDIC=(,9),IM=D,MT=0,MAXCL=0,MADIO=0'
//STEPLIB  DD DISP=SHR,DSN=NATURAL.Vnn.LOAD 
//         DD DISP=SHR,DSN=ADABAS.Vnn.ADALOAD
//DDCARD   DD * 
ADARUN PROGRAM=USER,SVC=249,DATABASE=10,MODE=MULTI 
/* 
//CMPRINT  DD SYSOUT=* 
//CMWKF01  DD UNIT=TAPE,VOL=SER=NATSEC,DSN=NSC.ULD, 
// DCB=(RECFM=VB,LRECL=4624,BLKSIZE=4628,DEN=3),DISP=(,KEEP) 
//CMSYNIN  DD * 
SYSSEC,DBA,PASSWORD 
SECULD2 
O,Y,LI,SF,*
WNT-X86,89,356,N,N 
. 
FIN
/*

Example 1 of SECLOAD Job:

In this example, the data will be read from work file 5 (CMWKF05).

//SECLOAD JOB  DEMO,MSGCLASS= ,CLASS= ,REGION=2048K 
//*************************************************** 
//LOAD     EXEC PGM=NATBATnn, 
// PARM='DBID=7,FNR=23,FSEC=(,24),FDIC=(,25),EJ=OFF,MT=0,IM=D,MADIO=0,MAXCL=0'
//STEPLIB  DD DSN=NATURAL.Vnn.LOAD,DISP=SHR 
//         DD DSN=ADABAS.Vnn.ADALOAD,DISP=SHR 
//CMPRINT  DD SYSOUT=* 
//DDCARD   DD * 
ADARUN PROGRAM=USER,SVC=249,DATABASE=7,MODE=MULTI 
/* 
//CMWKF05  DD UNIT=TAPE,VOL=SER=NATSEC,DSN=NSC.ULD,DISP=SHR 
//CMSYNIN  DD * 
SYSSEC,DBA,PASSWORD 
SECLOAD 
N,N,N,N
FIN
/*

Example 2 of SECLOAD Job:

In this example, the data will be read from work file 1 (CMWKF01).

//SECLOAD JOB  DEMO,MSGCLASS= ,CLASS= ,REGION=2048K 
//*************************************************** 
//LOAD     EXEC PGM=NATBATnn, 
// PARM='DBID=7,FNR=23,FSEC=(,24),FDIC=(,25),EJ=OFF,MT=0,IM=D,MADIO=0,MAXCL=0'
//STEPLIB  DD DSN=NATURAL.Vnn.LOAD,DISP=SHR 
//         DD DSN=ADABAS.Vnn.ADALOAD,DISP=SHR 
//CMPRINT  DD SYSOUT=* 
//DDCARD   DD * 
ADARUN PROGRAM=USER,SVC=249,DATABASE=7,MODE=MULTI 
/* 
//CMWKF01  DD UNIT=TAPE,VOL=SER=NATSEC,DSN=NSC.ULD,DISP=SHR 
//CMSYNIN  DD * 
SYSSEC,DBA,PASSWORD 
SECLOAD 
Y,N,N,N
FIN
/*
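Batch jobs like the SECULD2 examples above can be checked before submission. The following Python sketch is an added example, not part of Natural Security: it reads the CMSYNIN in-stream data of a job and reports an unload in transfer format that is not bound to a target FSEC DBID/FNR (so SECLOAD would accept the work file on any system file), an unload with deletion, and a logon line that carries a password. The order of the additional-parameter line (target environment, DBID, FNR, two Y/N flags) is an assumption inferred from Example 3; the helper `job` and the finding names are hypothetical.

```python
def job(*records):
    """Build the CMSYNIN part of a SECULD2 batch job around the given records."""
    body = ["//CMSYNIN  DD *", "SYSSEC,DBA,PASSWORD", "SECULD2", *records, ".", "FIN", "/*"]
    return "\n".join(body)


# Input records of the page's SECULD2 Examples 2 and 3 (JCL abridged),
# plus one constructed job that unloads with deletion.
EXAMPLE_2 = job("O,Y,US,ADE,*", ",,,N,N")
EXAMPLE_3 = job("O,Y,LI,SF,*", "WNT-X86,89,356,N,N")
DELETING = job("D,N")


def cmsynin_records(jcl):
    """Return the in-stream lines that follow the CMSYNIN DD statement."""
    lines, collecting = [], False
    for line in (raw.strip() for raw in jcl.splitlines()):
        if line.startswith("//CMSYNIN"):
            collecting = True
        elif collecting and line.startswith(("/*", "//")):
            break
        elif collecting:
            lines.append(line)
    return lines


def lint_seculd2(jcl):
    """Return (finding, record) pairs for a SECULD2 batch job."""
    data, findings = cmsynin_records(jcl), []
    if "SECULD2" not in data:
        return findings
    logon = data[0].split(",")
    if len(logon) >= 3 and logon[2]:
        # Report library and user ID only; the password itself is not echoed.
        findings.append(("CLEARTEXT_PASSWORD", ",".join(logon[:2])))
    records = iter(data[data.index("SECULD2") + 1:])
    for rec in records:
        if rec in (".", "FIN"):
            break
        function, transfer = (rec.split(",") + [""])[:2]
        if function == "D":
            findings.append(("DELETES_SOURCE", rec))
        if transfer == "Y":
            # Assumed field order of the additional-parameter line (see Example 3):
            # target environment, DBID, FNR, then the two Y/N conversion flags.
            _env, dbid, fnr = (next(records, "").split(",") + ["", ""])[:3]
            if not (dbid and fnr):
                findings.append(("UNBOUND_WORK_FILE", rec))
    return findings
```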

SECULD2/SECLOAD in Batch Mode under UNIX and OpenVMS

To execute SECULD2 and SECLOAD in batch mode under UNIX or OpenVMS, you have to provide input in the batch-mode files as follows:

The input file assigned to CMSYNIN has to contain the following:

SECULD2
FIN

In the input file assigned to CMOBJIN you specify the data to be transferred; for example:

SYSSEC,DBA,PASSWORD,,
O,Y,US,ADE*,,,,,2008-02-01,2008-02-28
,,,N,N
.

This example assumes that the session was started with AUTO=OFF. With AUTO=ON, you omit the user ID and password from the first line.

The result of the data transfer will be shown in the output file assigned to CMPRINT.

For general information, see the batch-mode section in the Natural Operations documentation for UNIX or OpenVMS.