CA-View Security Securing Reports in CA-View r11.


Transcript of CA-View Security Securing Reports in CA-View r11.

Page 1: CA-View Security Securing Reports in CA-View r11.

CA-View Security: Securing Reports in CA-View r11

Page 2

Copyright © 2006 CA. All rights reserved. All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Topics

- CA-View Security Overview
- External Security Enhancements in CA-View r11
- Internal Security Parameters
- External Security Parameters
- Activating FASTAUTH support
- What Resources are protected?
- Class/Resource Format
- Required Access Levels
- Securing Database Utilities
- Security Related User Exits
- Converting View 2.0 Security Rules
- Troubleshooting Security Problems
- Resource Names

Page 3

CA-View Security Overview

Internal Security

- Modes: Verify, All, SARO, SAR, EXPO, EXP
- Init parms: DEFMODE, DELETE, PWBATCH
- DEF USER table

External Security

- Verify logon credentials
- Verify report function authority
- Verify command line authority
- Verify DATABASE authority
- Init parms: SECID, SECURITY, SECLIST

Page 4

CA-View Security Overview

- Internal Security does not require an External Security product
  - Access to reports is defined within CA-View (SAR mode) or CA-DELIVER (EXP mode)
  - Can be enhanced by coding user exits
    - SARATHUX – controls access to database utilities
    - SARSECUX – controls access to database objects
    - SARUSxUX – called to verify logon and logoff
- External Security interfaces to your External Security Product
  - Optional – works in conjunction with Internal Security
  - Access is defined via Class/Resource rules
  - Access to protected resources can be logged
  - Resource Class and access levels can be altered via SARSECUX
- Internal Security CANNOT override External Security
  - When External Security is active, either system can deny the access request.

Page 5

External Security Enhancements

- External Security is NOT a new feature

- Previous releases used Dataset level security to control report access

- R11 increased the size of the Report ID to 32 characters
  - Dataset names are limited to 44 characters

- R11 uses Class/Resource rules to overcome this limitation

- Uses an External Security CLASS (CHA1VIEW)

- Much more than the older Report level Security model

- Index report segments can now be secured

- Logical Views, Filters, Users, Devices, Panels, Banners, …

- Security calls are now part of the base product

- Exits are no longer needed for security checks

- Security calls were removed from user exits (SARUSxUX and SARSECUX)

Page 6

Internal Security Parameters

- SECURITY=INIT
  - No External Security
  - Full access to any report in ALL mode
  - Limited access to reports in SAR, SARO, EXP, EXPO mode
  - DEF USER password is not verified
- SECURITY=INTERNAL
  - Almost the same as INIT
  - DEF USER password is verified at entry
- SECURITY=LOGON
  - Almost the same as INIT
  - External password is verified at entry
- DEFMODE=NNNNN
  - New users must be manually added to the USER TABLE
  - Users cannot log on until they are added to the USER TABLE

Page 7

Internal Security Parameters

- DELETE=NO

- Online users cannot delete reports

- PWBATCH=database password

- This password must be specified in all batch control statements that access this database.

- Batch jobs submitted from the online interface will automatically include this password.

- Not printed on any listing

- Prevents users from submitting their own SARBCH jobs

- Should be changed at regular intervals

Page 8

External Security Parameters

- SECURITY=EXTERNAL

- RACROUTE calls verify Userid/Password

- RACROUTE calls verify access to resources
  - Reports, Views, Filters, Bookmarks, Annotations, …
- RACROUTE calls verify access to command line functions
  - DEF USER, DEF SYS, DEF DIST, DISPLAY, …

- SECID=secid

- High Level Qualifier (HLQ) for all resources in the database.

- SECID=VIEW (Default)

- SECLIST=NONE

- Turns off “List Level” security

- SECLIST=ALL

- Activates RACROUTE calls for REPORT, INDEX, and DEFINE

- Users only see a list of items they are authorized to access

Page 9

External Security Parameters

- SECLIST=REPORT,INDEX,DEFINE
  - Activates RACROUTE calls for each item in the list(s)
  - REPORT security filters the Report (SYSOUT) selection list
  - INDEX security filters a report index list
  - DEFINE security filters the DEF USER, DEF SYS, DEF DIST, and DEF VIEW lists
  - Specify any combination of these options
  - Users only see a list of items they are authorized to access.
- INDEX security can cause thousands of RACROUTE calls
  - Response time will be increased
  - Consider making these Resource Rules resident in your security package.
- SECLIST security is NOT a requirement for INDEX level security
  - Without SECLIST security, users see a list of all index values
  - When a user selects a list entry, it is still validated for user access

Page 10

Activating FASTAUTH support

- Improves response time when using SECLIST=INDEX

- Verifies access for resource profiles brought into main storage

- Does not issue SVCs

- Rules must be resident

- Supported by:

- CA-Top Secret

- CA-ACF2

- RACF

- FEATURE #4 invokes FASTAUTH calls

Page 11

What Resources Are Protected?

Resource Type   Protected Resources
BANR            Banner page members (DISP Banner)
DBAS            SARDBASE functions (SARDBASE, SARINIT, SARBCH)
DEV             Device definitions (DEF DEV command)
DIST            Distribution definitions (DEF DIST command)
FILT            Filter definitions (DEF FILTER command)
IDXN            Index names
IDXV            Index values
NOTE            Annotations and bookmarks
PANL            Online panel members (DISP Online)

Page 12

What Resources Are Protected?

External security applies to Online, Batch, Cooperative processing, and SARSAM!

Resource Type   Protected Resources
REPT            Sysouts/Reports
RAPS            All pages of a Sysout/Report
SYS             Sysout definitions (DEF SYS command)
USER            User IDs (DEF USER command)
VIEW            Logical Views

Page 13

Class/Resource Format

- Rules need to be defined to your External Security Product
- Single security class: CHA1VIEW
- Resource Name
  - SECID=secid
  - Resource types
    - 14 resource types
    - Resource types correspond to data within the View database
  - Entity name
    - Embedded blanks are converted to underscore (_)
    - Embedded asterisks are converted to plus sign (+)
- Access Level: READ, UPDATE, CONTROL, ALTER
- Sample Resource Name
  - secid.REPT.reportid
  - VIEW.REPT.GENERAL_LEDGER

Page 14

Required Access Levels

Description                                 RACF      TSS       ACF2
Read access                                 READ      READ      READ
Update access (L, P, J, /CHANGE, UNLOAD)    UPDATE    UPDATE    UPDATE
Elite access (ADDDS, K, I, …)               CONTROL   CONTROL   DELETE
Delete or Rename                            ALTER     ALL       ADD
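The naming rules from the Class/Resource Format slide (secid.TYPE.entity, blanks to underscore, asterisks to plus, DBAS without a SECID) and the Required Access Levels table above, combined into one small helper. This is an added example, not CA code; the function and constant names are mine, and it only builds the ENTITY string and looks up the table, it does not call any security product.

```python
SECURITY_CLASS = "CHA1VIEW"   # the single class the slides define

# "Required Access Levels" table from the slides; columns are RACF, TSS, ACF2.
REQUIRED_ACCESS = {
    "read":   ("READ",    "READ",    "READ"),
    "update": ("UPDATE",  "UPDATE",  "UPDATE"),   # L, P, J, /CHANGE, UNLOAD
    "elite":  ("CONTROL", "CONTROL", "DELETE"),   # ADDDS, K, I, ...
    "delete": ("ALTER",   "ALL",     "ADD"),      # delete or rename
}
PRODUCT_COLUMN = {"RACF": 0, "TSS": 1, "ACF2": 2}


def entity_name(name: str) -> str:
    """Apply the slide's entity-name conversions: blank -> '_', '*' -> '+'."""
    return name.replace(" ", "_").replace("*", "+")


def resource_name(secid: str, rtype: str, *parts: str) -> str:
    """Build secid.TYPE.entity[.more] as used in the RACROUTE ENTITY= value.

    DBAS is the documented exception: it carries no SECID and its entity is
    the database HLQ itself (e.g. DBAS.SARP.SYSTEM1), so it is passed through.
    Entity case is kept as given (the slides show mixed-case index values).
    """
    rtype = rtype.upper()
    if rtype == "DBAS":
        return ".".join(["DBAS", *parts])
    return ".".join([secid, rtype, *(entity_name(p) for p in parts)])


def required_access(operation: str, product: str) -> str:
    """Access level the named product needs for read/update/elite/delete."""
    return REQUIRED_ACCESS[operation][PRODUCT_COLUMN[product.upper()]]


def rule_for(product: str, operation: str, secid: str, rtype: str, *parts: str) -> dict:
    """Combine both lookups into the class/resource/access triple an admin defines."""
    return {
        "class": SECURITY_CLASS,
        "resource": resource_name(secid, rtype, *parts),
        "access": required_access(operation, product),
    }


if __name__ == "__main__":
    # The slide's sample report id "GENERAL LEDGER" under SECID=VIEW (constructed input).
    print(rule_for("RACF", "read", "VIEW", "REPT", "GENERAL LEDGER"))
    print(rule_for("ACF2", "elite", "VIEW", "REPT", "GENERAL LEDGER"))
    print(rule_for("TSS", "delete", "VIEW", "DBAS", "SARP.SYSTEM1"))
```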

Page 15

Securing Database Utilities

- “DBAS” resource type controls access to database utilities

- SARDBASE

- SARINIT

- SARBCH

- “DBAS” security is DEACTIVATED by default

- Install SARATHU1 to activate DBAS security calls

- SARATHU1 is found in the PPOPTION install library

- SECID is not used with this resource type

- Resource type is DBAS

- Entity name is the database high level qualifier (HLQ)

- Example: DBAS.SARP.SYSTEM1
  - SARP.SYSTEM1 is the HLQ of the View database

Page 16

Security and Cross Memory Services

- LGNSEC=YES
  - Activates external security for XMS regions
  - Userid validation
  - No prompting for Userid (except VTAM)
  - Inherits the USERID from the CICS, IMS, or TSO session
- LGNSEC=YESP
  - Activates external security for XMS regions
  - Userid and Password validation
  - Forces the user to enter USERID and PASSWORD
  - These values are then validated with your external security product
- LGNPROP=YES
  - SESSION Userid passed to MVS during submit processing
  - LGNSEC=NO passes the XMS region USERID rather than the session USERID
  - Only valid with LGNSEC=YES or YESP

Page 17

Security Related User Exits

- Logon User Exits

- SARUSAUX* - VTAM LOGON EXIT
- SARUSXUX* - XMS LOGON EXIT
- SARUSDUX* - DRAS LOGON EXIT
- SARUSRUS - ROSCOE LOGON EXIT
- SARUSTUX - TSO / ISPF LOGON EXIT

* In View 2.0, these exits were used to verify userid and password. This functionality is now performed in CA-View if the SECURITY parameter is set to EXTERNAL or LOGON.

Page 18

Security Related User Exits

- SARSECUX - CA-View Security exit
  - Major changes from View 2.0
    - All RACROUTE calls have been removed.
  - Allows for Class/Resource modification before RACROUTE
    - External Security CLASS (CHA1VIEW)
    - Standard resource name (Secid.Resource Type.Resource Name)
    - Access Level (Read, Update, Control, Alter)
  - Always called regardless of the SECURITY setting
  - Return Codes:
    - 0 Exit has granted access – Do not call External Security
    - 4 Exit has denied access – Do not call External Security
    - 8 CA-View should determine access based on the SECURITY parameter

Page 19

Security Related User Exits

- SARATHUX – Database Utility Exit
  - Controls access to database utility functions
    - SARDBASE, SARINIT, SARBCH
  - Default exit allows access to all utility functions
  - You must install SARATHU1 to activate security for database utility functions
  - Allows for Class/Resource modification before RACROUTE
    - External Security CLASS (CHA1VIEW)
    - Standard resource name (DBAS.db high level qualifier)
    - Access Level (Read, Update, Control, Alter)
  - Always called regardless of the SECURITY setting
  - Return Codes:
    - 0 Exit has granted access – Do not call External Security
    - 4 Exit has denied access – Do not call External Security
    - 8 CA-View should determine access based on the SECURITY parameter

Page 20

Converting View 2.0 Security Rules

- Documented procedures for converting CA-View 2.0 dataset rules
  - CA-View System Reference Manual – Chapter 13
    - Converting Unicenter CA-View 2.0 eTrust CA-Top Secret Permissions
    - Converting CA-ACF2 View Access Rule into CA-ACF2 View Resource Rule
- Don’t delete your old View 2.0 access rules
  - You will need them in case of a fallback
- Temporary solution until CA-View r11 rules are in place
  - APAR QO90562 will allow you to use your View 2.0 access rules with View r11
  - Set SECID to the same value used in the old RACF or ACF2 parameter
  - Report ID must not be greater than 12 characters
  - New r11 resources will not be protected
    - Views, Filters, Index Level Security, Command Line Functions, …

Page 21

Troubleshooting Security Problems

- Why was access denied?
  - Verify that the correct values have been set in SARINIT
    - SECURITY=EXTERNAL
    - SECID=secid
    - SECLIST=
  - Only having a problem with XMS users?
    - Verify that LGNSEC is set to YES or YESP
    - Verify that LGNPROP is set to YES
  - Activate CA-View Security WTOs to see what is failing
    - SARINIT parm: FEATURE=1,xx,xx,xx
    - Diagnostic security WTOs will be produced for all users on this database
    - All security calls are traced
    - SARATH92 messages document “failures”
    - “Failures” are normal when a selection list is being filtered (SECLIST)
    - Turn tracing off when you finish: FEATURE=xx,xx,xx

Page 22

Troubleshooting Security Problems

- SARATH92 AUTHORIZATION FAILED userid UNDER ISPF RC=0.20.0
- SARATH92 CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.000.P.GLREPORT
- The IBM Security Server RACROUTE Macro Reference documents the return codes (RC=SAF RC.RACF RC.RACF reason)

SAF RC   RACF RC   RACF Reason   Description
0        20        XX            XX is the user’s highest authority to this resource: 00 – No authority, 04 – Read, 08 – Update, 12 – Control, 16 – Alter
4        4         0             RACF is not protecting the resource; class CHA1VIEW is probably not defined to RACF
8        8         0             User does not have authority to access the resource

Page 23

Troubleshooting Security Problems

- Accessing a report – normal diagnostic messages
  - FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
    - Can the user access the report called XXXXX02A? (yes)
  - FUNC=CPLFVACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.VIEW.000.P.XXXXX02A
    - Can the user access Public View 0 for the XXXXX02A report? (yes)
  - FUNC=CPLFAPGS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.RAPS.XXXXX02A
    - Can the user access ALL PAGES of the XXXXX02A report? (yes)
- Accessing a report – abnormal diagnostic messages
  - FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
    - Can the user access the report called XXXXX02A?
  - TSS7250E 136 J=XXXXX02 A=XXXXX02 TYPE=CHA1VIEW RESOURCE=VIEW.REPT.XXXXX02A
    - Top Secret reports a security violation
  - TSS7251E Access Denied to CHA1VIEW <VIEW.REPT.XXXXX02A>
  - SARATH92 AUTHORIZATION FAILED XXXXX02 UNDER ISPF RC=8.8.0
  - SARATH92 CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
    - CA-View reports an access failure
    - User does not have authority to access this resource (8.8.0)

Page 24

Troubleshooting Security Problems

- Browsing a report requires at least 3 security rules
  1. The user needs READ access to the Report Resource
  2. The user needs READ access to the logical view resource
  3. The user needs READ access to the pages within a report
     - The ALL PAGES resource (RAPS) allows the user to view the entire report
     - If a user does not have access to the all pages resource, they can only browse an indexed segment (IDXV) of the report.
- Printing a report requires at least 3 security rules
  1. The user needs WRITE access to the Report Resource
  2. The user needs READ access to the logical view resource
  3. The user needs READ access to the pages within a report
     - The ALL PAGES resource (RAPS) allows the user to print the entire report
     - If a user does not have access to the all pages resource, they can only print an indexed segment (IDXV) of the report.
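A small triage script for the FEATURE=1 diagnostic trace discussed on the last three slides: it reads FUNC=/SARATH92 lines in the format shown there, decodes the RC=x.y.z triple with the return-code table from page 22, and reports which of the three browsing rules above passed. This is an added example in Python, not CA code; the sample trace is constructed (modelled on the slide's XXXXX02A messages, with the RAPS check failing) and the function names are mine.

```python
import re

# Constructed sample in the format of the FEATURE=1 diagnostic WTOs shown on
# the slides (not captured from a real system): the REPT and VIEW checks pass,
# the RAPS (all pages) check fails with RC=8.8.0.
SAMPLE_TRACE = """\
FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.REPT.XXXXX02A
FUNC=CPLFVACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.VIEW.000.P.XXXXX02A
FUNC=CPLFAPGS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEW.RAPS.XXXXX02A
SARATH92 AUTHORIZATION FAILED XXXXX02 UNDER ISPF RC=8.8.0
SARATH92 CLASS=CHA1VIEW ENTITY=VIEW.RAPS.XXXXX02A
"""

FUNC_RE = re.compile(r"FUNC=(\S+) ACCESS=(\S+) CLASS=(\S+) ENTITY=(\S+)")
FAIL_RE = re.compile(r"SARATH92 AUTHORIZATION FAILED (\S+) UNDER (\S+) RC=(\d+)\.(\d+)\.(\d+)")
FAIL_ENTITY_RE = re.compile(r"SARATH92 CLASS=(\S+) ENTITY=(\S+)")

# RACF reason when RC=0.20.x: the user's highest authority to the resource.
RACF_AUTHORITY = {0: "no authority", 4: "READ", 8: "UPDATE", 12: "CONTROL", 16: "ALTER"}


def explain_rc(saf: int, racf: int, reason: int) -> str:
    """Decode RC=saf.racf.reason with the table on the troubleshooting slide."""
    if (saf, racf) == (0, 20):
        level = RACF_AUTHORITY.get(reason, f"reason {reason}")
        return f"user's highest authority to the resource is {level}"
    if (saf, racf, reason) == (4, 4, 0):
        return "RACF is not protecting the resource; class CHA1VIEW is probably not defined"
    if (saf, racf, reason) == (8, 8, 0):
        return "user does not have authority to access the resource"
    return "return code not in the slide's table; see the RACROUTE macro reference"


def parse_trace(text: str):
    """Return (calls, failures): every security call seen, and entity -> failure details."""
    calls, failures, pending = [], {}, None
    for line in text.splitlines():
        if m := FUNC_RE.search(line):
            calls.append(dict(zip(("func", "access", "class", "entity"), m.groups())))
        elif m := FAIL_RE.search(line):
            # The first SARATH92 line carries userid, environment and RC; the
            # second names the entity, so hold the details until it arrives.
            pending = {"userid": m[1], "env": m[2], "rc": f"{m[3]}.{m[4]}.{m[5]}",
                       "why": explain_rc(int(m[3]), int(m[4]), int(m[5]))}
        elif (m := FAIL_ENTITY_RE.search(line)) and pending:
            failures[m[2]] = pending
            pending = None
    return calls, failures


def browse_status(secid: str, report: str, calls, failures) -> dict:
    """Check the three rules browsing needs: REPT, a VIEW entry, and RAPS."""
    checked = {c["entity"] for c in calls}

    def granted(entity: str) -> bool:
        return entity in checked and entity not in failures

    views = [e for e in checked
             if e.startswith(f"{secid}.VIEW.") and e.endswith(f".{report}")]
    status = {
        "report": granted(f"{secid}.REPT.{report}"),
        "view": any(granted(v) for v in views),
        "all_pages": granted(f"{secid}.RAPS.{report}"),
    }
    status["can_browse"] = status["report"] and status["view"]
    status["scope"] = "entire report" if status["all_pages"] else "indexed segments (IDXV) only"
    return status
```

As the slides note, SARATH92 failures logged while SECLIST is filtering a selection list are expected, so only failures that line up with a user's actual access attempt need investigating.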

Page 25

Resource Names

Resource Type: REPT (Sysouts / Reports)
FUNC=CPLFBRS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.REPT.GLREPORT

Resource Type: RAPS (All Pages)
FUNC=CPLFAPGS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.RAPS.GLREPORT

Resource Type: VIEW (DEF VIEW)
FUNC=CPLFVACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.001.P.GLREPORT
FUNC=CPLFVSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.VIEW.001.P.GLREPORT

Page 26

Resource Names

Resource Type: IDXN (Access Index Name)
FUNC=CPLFIFS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.IDXN.DEPT
FUNC=CPLFIFS ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.IDXN.UNNAMED
A default of “UNNAMED” is used if an index name is not defined.

Resource Type: IDXV (Access Index Value)
FUNC=CPLFISL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.IDXV.DEPT.Dept001

Resource Type: BANR (Access Banner Page)
FUNC=CPLFBACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.BANR
FUNC=CPLFBSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.BANR.DEFAULT

Page 27

Resource Names

Resource Type: PANL (Access Panel Member)
FUNC=CPLFPACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.PANL
FUNC=CPLFPSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.PANL.SARAFPBR

Resource Type: SYS (DEF SYS command)
FUNC=CPLFYACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.SYS
FUNC=CPLFYSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.SYS.GLREPORT

Resource Type: USER (DEF USER command)
FUNC=CPLFUACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.USER
FUNC=CPLFUSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.USER.XXXXX02

Page 28

Resource Names

Resource Type: DEV (DEF DEV command)
FUNC=CPLFCACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DEV
FUNC=CPLFCSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DEV.PRT2

Resource Type: DIST (DEF DIST command)
FUNC=CPLFDACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DIST
FUNC=CPLFDSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.DIST.USERDST

Page 29

Resource Names

Resource Type: FILT (DEF FILT command)
FUNC=CPLFFACC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.FILT
FUNC=CPLFFSL ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.FILT.SECFILT

Resource Type: NOTE (NOTE command)
FUNC=CPLFNCSC ACCESS=WRITE CLASS=CHA1VIEW ENTITY=VIEWR11.NOTE.A.U.GLREPORT.FUNCTBL
FUNC=CPLFNASC ACCESS=READ CLASS=CHA1VIEW ENTITY=VIEWR11.NOTE.A.U.GLREPORT.FUNCTBL

Page 30

Resource Names

Resource Type: DBAS (Utility Functions)
SARATHU1 implements DBAS security
DBAS.dbhlq

Failure messages:
SARDBA15 Authorization failed (SARDBASE)
SARINI19 Job/User not authorized to access data base (SARINIT)
SARBCH02 Job/User not authorized to access database (SARBCH)