Defining Users and Security Groups

This section describes how to define users and how to define groups, which represent a collection of users and provide security options for domains, business services, and/or methods. These definitions allow you to set up a secure environment for your business services. With one setting, you can grant or deny a group of users access to one or more domains, or set privileges for individual services and methods.

To set up a secure environment for your business services

  1. Define groups to represent collections of users.

  2. Define users in the Business Service Administration subsystem.

  3. Associate users with the appropriate groups.

  4. Define domains to represent collections of services associated with related business functions.

Note:
You can define users and groups in either Natural Business Services or Natural Security. For more information, see Setting Business Service Security Options.

Introduction

The following components make up a secure environment for a business service:

  • Group: Represents multiple users with the same need and authority to access particular business services and their methods. For example, an organization may have separate groups for Quality Assurance, Sales, and Administration.

  • User: Represents an individual user in the Business Service Administration subsystem. User profiles define the groups to which each user belongs.

  • Domains, services, and methods: A domain represents a collection of business services related to a business function. Each business service has access to one or more methods.

Note:
Security at the domain, service, and/or method level is only available with Natural Business Services.

The following diagram shows the relationships between a user and the associated group, domains, services, and methods:

[Diagram: graphics/users-groups-domains-services-relationship.png]

Because the user, Fred, is a member of the Administration group, he potentially has access to all domains, services, and service methods associated with that group. But in this example, Fred has only been granted access to two domains, four services, and one method.

When the CSRLOAD program is run during installation, the following groups and sample users are loaded into the Business Service repository:

Group: ADMIN
Sample user: PWRUSR
Function: Administration activities, such as:
  • Auditing business service activities
  • Deploying services
  • Applying security
  • Developing code
  • Invoking the DEMO domain services
Security access: Full access to the ADMIN, INTERNAL, and DEMO domains.

Group: DEVS
Sample users: PWRUSR, DEVnn
Function: Development activities, such as:
  • Developing new business services in Natural
  • Creating services in Java
Note:
This group is restricted to development activities; it cannot access security data and cannot deploy, audit, or maintain domains.
Security access: Full access to the INTERNAL and DEMO domains, as well as access to the following methods in the ADMIN domain:
  • GET
  • BrowseDomain
  • BrowseServices
  • FindByDomainName
  • FindBySteplibName

Group: USERS
Sample users: PWRUSR, DEVnn, BUSER
Function: Execute Web services developed using the services supplied in the DEMO domain.
Security access: Full access to the DEMO domain.

Group: DEMOUSRS
Sample users: USER01, USER02, USER03, USER04, USER05
Function: Training activities.
Notes:
  1. Trainees do not automatically belong to the DEMOUSRS group; you must add each trainee to the group.
  2. To allow a trainee to run or test a newly created business service in a training domain, the trainee must be a member of the DEMOUSRS group.
  3. To allow trainees to develop and run services in the DEMO domain, they must also belong to the DEVS and USERS groups.
Security access: Full access to the DEMO01-DEMO05 domains.

Tip:
When you assign a user to the DEMOUSRS group, the user will have access to all DEMOnn domains. To restrict the user to one domain, you can create a group that only has access to that domain and then assign the user to that group.

Note:
The PWRUSR user also has access to the CST domain.

If Natural Security (NSC) is being used, you must add the following groups to Natural Security and assign the appropriate user IDs to each group:

  • ADMIN

  • DEVS

  • USERS

Assign each user to the group appropriate for the user's tasks. For example:

  • To perform administration functions (for example, to view audit trails), the user must belong to the ADMIN group.

  • To develop a Natural business service, the user must belong to the DEVS group.

  • To use the demo application, the user must belong to the USERS group.

The remainder of this section describes how to define groups and users, using either Natural Security or Natural Business Services security.

Note:
For information on the queries and logs available to view information about groups and users, see Auditing Business Services.

Define Groups

All users of business services deployed on servers must be known to the Business Service Administration subsystem through their group associations. To access a business service, a user must be a member of at least one group that is linked to a domain containing the service. A user can belong to a maximum of 10 groups.

Groups are used to collect users into larger entities so that security settings can be defined and verified at a higher level. This eliminates the need to define security settings for each user.

Tip:
To define security privileges for a single user, create a group containing that user alone.
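The access rule above (a user needs at least one group linked to the domain, belongs to at most 10 groups, and gets individual privileges through a single-member group), worked through as an added Python model that is not part of the product or of this documentation. It seeds the CSRLOAD default groups listed in the Introduction; the data structures, the function names, and the users DEV01 and NOGROUP are assumptions made for the illustration.

```python
"""Model of the group-based authorization this page describes: a user is
denied unless one of the user's groups is linked to the requested domain,
a link is either full or limited to named methods, and a user belongs to
at most 10 groups. Added illustration, not Software AG code: the data
structures and function names are assumptions; group, domain, user and
method names are the CSRLOAD defaults listed on this page."""
from dataclasses import dataclass

MAX_GROUPS_PER_USER = 10  # limit stated under "Define Groups"


@dataclass(frozen=True)
class DomainAccess:
    """A group's link to one domain: full access, or only the listed methods."""
    full: bool = False
    methods: frozenset = frozenset()


# Group -> domain -> access, seeded from the CSRLOAD default groups.
GROUP_ACCESS = {
    "ADMIN": {d: DomainAccess(full=True) for d in ("ADMIN", "INTERNAL", "DEMO")},
    "DEVS": {
        "INTERNAL": DomainAccess(full=True),
        "DEMO": DomainAccess(full=True),
        # DEVS reaches the ADMIN domain only through these five methods.
        "ADMIN": DomainAccess(methods=frozenset({
            "GET", "BrowseDomain", "BrowseServices",
            "FindByDomainName", "FindBySteplibName"})),
    },
    "USERS": {"DEMO": DomainAccess(full=True)},
    "DEMOUSRS": {f"DEMO{n:02d}": DomainAccess(full=True) for n in range(1, 6)},
}

# User -> groups. PWRUSR, DEVnn, BUSER and USER01 are sample users from the
# page (DEV01 stands in for DEVnn); NOGROUP is a constructed user with no
# group membership, which the subsystem rejects outright.
USER_GROUPS = {
    "PWRUSR": ["ADMIN", "DEVS", "USERS"],
    "DEV01": ["DEVS", "USERS"],
    "BUSER": ["USERS"],
    "USER01": ["DEMOUSRS"],
    "NOGROUP": [],
}


def add_user_to_group(user, group):
    """Add a user to an existing group, enforcing the 10-group limit."""
    if group not in GROUP_ACCESS:
        raise KeyError(f"group {group} is not defined")
    groups = USER_GROUPS.setdefault(user, [])
    if group not in groups:
        if len(groups) >= MAX_GROUPS_PER_USER:
            raise ValueError(f"{user} already belongs to {MAX_GROUPS_PER_USER} groups")
        groups.append(group)
    return list(groups)


def grant_user_only(user, group, domain, methods=None):
    """The page's tip: privileges for a single user are expressed as a group
    containing that user alone, linked to one domain (fully, or by method)."""
    access = DomainAccess(full=methods is None, methods=frozenset(methods or ()))
    GROUP_ACCESS[group] = {domain: access}
    return add_user_to_group(user, group)


def can_invoke(user, domain, method):
    """Deny by default: allow only if some group of the user is linked to the
    domain and that link is full or names the requested method."""
    for group in USER_GROUPS.get(user, ()):
        access = GROUP_ACCESS.get(group, {}).get(domain)
        if access is not None and (access.full or method in access.methods):
            return True
    return False
```

The method name ApplySecurity in the checks below is a constructed placeholder used only to show a method that is not on the DEVS list for the ADMIN domain.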

Natural Business Services allows users and groups to be defined either within the business service system files or by linking to the Natural Security user and group definitions.

Note:
For more information, see Use Natural Security with Natural Business Services.

Under Natural Business Services Security

Use the Maintain Group Table panel in the Business Service Administration subsystem to define groups. Each user can belong to one or more of these groups.

To define a group under Natural Business Services security

  1. Enter "SA" in Function on the Business Service Administration Subsystem main menu.

    The System Administration main menu is displayed.

  2. Enter "MM" in Function on the System Administration main menu.

    The System Administration Maintenance menu is displayed.

  3. Enter "GR" in Function on the System Administration Maintenance menu.

    The Maintain Group Table panel is displayed. For example:

    BSGR__MP   ***** Business Service Administration Subsystem *****      BSGR__11 
    Feb 14                     - Maintain Group Table -                   9:02 PM  
                                                                                   
     Action (A,B,C,D,M,N,P)    _                                                   
                                                                                   
     Group ID................: ________________________________                    
     Group Name..............: __________________________________________________  
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
                                                                                   
    Command: ____________________________________________________________          
    Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
    confm help  retrn quit        flip  pref                                main
  4. Type "A" in Action.

  5. Type the group identifier in Group ID.

  6. Type the name of the group in Group Name.

  7. Press Enter to confirm the information.

After adding all required groups, you can use the group identifiers when defining users.

Under Natural Security

When Natural Security is enabled in the Business Service Administration subsystem, use the Maintain Group Profile window instead of the Maintain Group Table panel supplied with Natural Business Services to define groups.

To define a group under Natural Security

  1. Enter "SA" in Function on the Business Service Administration Subsystem main menu.

    The System Administration main menu is displayed.

  2. Enter "MM" in Function on the System Administration main menu.

    The System Administration Maintenance menu is displayed.

  3. Enter "GR" in Function on the System Administration Maintenance menu.

    The Maintain Group Profile window is displayed. For example:

             Maintain Group Profile (Natural Security)         
                                                               
      Function ........................... __                  
      User ID ............................ ________            
      User Type .......................... G                   
      Library ID or copied from user ..... ________            
                                                               
                                                               
                  Press any PF-key to stop                     
                                                               
                                                               
    
  4. Type "AD" in Function.

    AD is the code for the Add action. Other codes for this field are:

    • CO: Performs the Copy action.
    • DI: Performs the Display action.
    • MO: Performs the Modify action.
  5. Type the name of the new group in User ID.

    Each group ID must be unique among all user IDs and library IDs defined to Natural Security.

  6. Type "G" in User Type.

  7. Press Enter.

    The Add User panel is displayed. For example:

    15:35:15                    *** NATURAL SECURITY ***                 2006-03-06
                                      - Add User -                                 
                                                                                   
                                                 Modified ..            by         
    User ID ...... NEWUSER                                                         
    User Name .... ________________________________                                
    User Type .... G (Group)                                                       
                                                                                   
    Members            Libraries           Batch User ID ..... ________            
    --------      -------------------                                              
    ________      Default .. ________      Time   Differential . + __ h  30 min    
    ________                               Zone   ________________________________ 
    ________                                                                       
    ________                               Language .......... _0                  
    ________                               Logon recorded .... N                   
                                                                                   
    No. members                                                                    
                                                                                   
                                                                                   
    Additional Options ... N                                                       
                                                                                   
    Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
          Help  PrevM Exit  AddOp       Flip                                Canc
  8. Use this panel to add the group.

    A group is distinguished from an individual user by its User Type value: G.

Notes:

  1. You must define all required group and domain combinations using the Maintain Service Security by Group panel. For information, see Add a Domain/Group Combination.
  2. For more information on using the Add User panel, refer to the Natural Security documentation for mainframes.

Define Users

Business service administrators define users so that their passwords can be verified when they attempt to perform actions in the business services supported by the Business Service Administration subsystem.

  • If Natural Security is not enabled, use the Maintain User Table panel to identify each user, specify the debug library and file for the user, specify the preferred language for the user, and list the groups to which the user belongs.

  • If Natural Security is enabled, use the Maintain User Profile window and Add User panel to define users. To associate users with groups, use the Maintain User's Groups window. You can also link users to protected libraries using the Library Maintenance/Link Users window. If you are using Natural Security, the user's debug library and file name default to the user ID. By default, the preferred language is English.

Under Natural Business Services Security

To define a user using Natural Business Services security

  1. Enter "SA" in Function on the Business Service Administration Subsystem main menu.

    The System Administration main menu is displayed.

  2. Enter "MM" in Function.

    The System Administration Maintenance menu is displayed.

  3. Enter "US" in Function.

    The Maintain User Table panel is displayed. For example:

    BSUS__MP    ***** Business Service Administration Subsystem *****     BSUS__11 
    Feb 14                     - Maintain User Table -                     9:08 PM 
                                                                                   
     Action (A,B,C,D,M,N,P)    _                                                   
                                                                                   
     Userid/Passw must be in upper case and <= 8 chars for Mainframe and/or NSC___ 
     User ID.................: ________________________________                    
     Password................:                                                     
     Name....................: __________________________________________________  
                                                                                   
     Debug Library...........: ________                                            
     Debug Filename..........: _ ('T'imestamp; 'U'ser ID)                          
                                                                                   
     Preferred Language......: __                                                  
     Groups...: ________________________________  ________________________________ 
                ________________________________  ________________________________ 
                ________________________________  ________________________________ 
                ________________________________  ________________________________ 
                ________________________________  ________________________________ 
    Direct Command: ____________________________________________________________   
    Add        Browse     Clear      Display    Modify     Next       Purge        
    Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
    confm help  retrn quit        flip  pref                                main

    Use this panel to specify a user's debug library and file. The Debug Library value defaults to your user ID.

    Note:
    Using Trace-Option(1), you can store data transmitted between the client and server in the debug file.

  4. Type the code for how the debug file is named in Debug Filename.

    Valid codes are:

    • T (Timestamp): The current time value is the file name. This allows multiple copies of debug data to exist; later copies do not overwrite earlier ones. Each file is assigned a name of "T" followed by a time value of HHMMSST. For example, files generated at 12:23:54.7 and 18:12:51.9 have the names "T1223547" and "T1812519", respectively.
    • U (User): The user ID is the file name. This option is the default. Each request from the client overwrites the contents of the debug file.
  5. Type the name of at least one group in Groups.

    Each user must be associated with at least one group. If a user does not belong to a group, Natural Business Services rejects all access requests made by the user. When defining security settings, associate groups and domains to specify which users have access to which services. Each user must belong to a group that has been associated with the domain containing the services the user needs to use. You can specify groups when adding a new user or when modifying the profile of an existing user.

  6. Press Enter to define the user.

Under Natural Security

When Natural Security is enabled in the Business Service Administration subsystem, use the Maintain User Profile window instead of the Maintain User Table panel supplied with Natural Business Services to define users. To associate users with groups, use the Maintain User's Groups window. You can also link users to protected libraries using the Library Maintenance / Link Users window.

To define a user using Natural Security

  1. Enter "SA" in Function on the Business Service Administration Subsystem main menu.

    The System Administration main menu is displayed.

  2. Enter "MM" in Function.

    The System Administration Maintenance menu is displayed.

  3. Enter "US" in Function.

    The Maintain User Profile window is displayed. For example:

            Maintain User Profile (Natural Security)          
                                                              
     Function ........................... __                  
     User ID ............................ ________            
     User Type .......................... _                   
     Library ID or copied from user ..... ________            
                                                              
     Copy with links (CO function only).. N ('Y' or 'N')      
                                                              
                                                              
                 Press any PF-key to stop                     
                                                              
                                                              
    
  4. Type "AD" in Function.

    AD is the code for the Add action. Other codes for this field are:

    • CO: Performs the Copy action.
    • DI: Performs the Display action.
    • MO: Performs the Modify action.
  5. Type the name of the new user in User ID.

    Each user ID must be unique among all user IDs and library IDs defined to Natural Security.

  6. Type the code for the type of user in User Type.

    Valid codes for this field are:

    • A: User is an administrator.
    • M: User is a member of a group.
    • P: User is a person who is not an administrator or a member of a group.
  7. Press Enter.

    The Add User panel is displayed. For example:

    14:29:10                    *** Natural Security ***                2006-03-13
                          - Add User -
    
                                                   Modified .. 13-10-21 by DEVEX
    User ID ...... NEWUSER
    User Name .... ________________________________
    User Type .... P (A=Administrator, P=Person, M=Member)
    
    Privil. Groups           Libraries                 Password
    --------------      -------------------      ----------------------
    ________            Default .. ________      New Password
    ________            Last ..... ________      Change after ___ days
    ________
    ________                   ETID              Batch User ID ..... ________
    ________            -------------------      Language .......... _0
                        Default .. _9993  G      Private Library ... Y
    No. groups 3        Last ..... ________      Logon recorded .... N 
    
    
    Additional Options ... N
    
    Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
          Help        Exit  AddOp       Flip                                Canc
  8. Use this panel to specify information about the user.

    Note:
    For a description of this panel, refer to the Natural Security documentation for mainframes.

Associate Users with Groups

Each user must be associated with at least one group. If a user does not belong to a group, Natural Business Services rejects all access requests made by the user. When defining security settings, associate groups and domains to specify which users have access to which services. Each user must belong to a group that has been associated with the domain containing the services the user needs to use.

To associate a user with a group

  1. Enter "SA" in Function on the Business Service Administration Subsystem main menu.

    The System Administration main menu is displayed.

  2. Enter "MM" in Function.

    The System Administration Maintenance menu is displayed.

  3. Enter "UG" in Function.

    The Maintain User's Groups window is displayed. For example:

             Maintain User's Groups (Natural Security)         
                                                               
      Group ID ........................... ________            
      ADd / DElete / LIst members ........                     
      Start value for list function ...... ________            
                                                               
      Members                                                  
                                                               
       1 ________  2 ________  3 ________  4 ________          
       5 ________  6 ________  7 ________  8 ________          
       9 ________ 10 ________ 11 ________ 12 ________          
      13 ________ 14 ________ 15 ________ 16 ________          
      17 ________ 18 ________ 19 ________ 20 ________          
      21 ________ 22 ________ 23 ________ 24 ________          
      25 ________ 26 ________ 27 ________ 28 ________          
      29 ________ 30 ________                                  
                                                               
                  Press any PF-key to stop
  4. Type the group name in Group ID.

  5. Type "LI" in ADd / DElete / LIst members.

  6. Press Enter.

    The group's members are listed in the Members columns.

  7. Type "AD" in ADd / DElete / LIst members.

  8. Type the user ID you want to add in an empty field in Members.

  9. Press Enter.

    The user is added to the group.

Link Users to Libraries

Use the library Link function to associate users with protected libraries. The Business Service Administration subsystem uses the link definitions found in Natural Security to determine whether or not a user can access a Natural library. Each library must be linked to the user in Natural Security. The libraries include:

  • Each protected library in a steplib

  • The current execution library, if protected

  • The SYSTEM (or *STEPLIB) library, if protected

To link a user to a protected library

  1. Enter "SA" in Function on the Business Service Administration Subsystem main menu.

    The System Administration main menu is displayed.

  2. Enter "MM" in Function.

    The System Administration Maintenance menu is displayed.

  3. Enter "LI" in Function.

    The Library Maintenance/Link Users window is displayed. For example:

        Library Maintenance / Link Users (Natural Security)    
                                                               
      Function ........................... LK                  
      Library ID ......................... ________            
      Library/private library ............ L                   
                                                               
      User ID (for link functions)........ ________            
                                                               
                  Press any PF-key to stop
  4. Type the library name in Library ID.

  5. Type the user ID in User ID.

  6. Press Enter.

    The link is created.