BIM-ALERT/VSE provides comprehensive security for your z/vse batch environment

Transcription

1 BIM-ALERT/VSE VSE External Resource Security Manager Security Administrator s Guide Release 5.1 BIM-ALERT/VSE provides comprehensive security for your z/vse batch environment BIM-ALERT/VSE allows you to control user access to datasets, programs, libraries, sublibraries, JCL keywords, ICCF pseudo partitions, and other resources without changes to JCL. Use the BIM-ALERT/VSE online, menu-driven facility to define secured resources. As each job begins execution, BIM-ALERT/VSE determines the scope of access the job is permitted. BIM-ALERT/VSE facilities include A complete monitor mode and test facility Security for job submittal from BIM-EDIT, CMS, ICCF, and other online systems Interface with many other vendors' products and other CSI products Auditing and violation log file reporting and archival utilities Advantages of using BIM-ALERT/VSE include low overhead with no penalties for operation, comprehensive z/vse resource security, security system auditability, and ease of use. BIM-ALERT/VSE is unsurpassed in operating efficiency and ease of use for non-technical auditors, security administrators, and other personnel.

2 This documentation applies to Release 5.1 of the program product BIM-ALERT. Original Printing...03/14/2000 Last Revised...12/15/2000

3 Contents Trademark Information... ix Related Publications... x Chapter 1 System Overview About BIM-ALERT What Is BIM-ALERT/VSE? BIM-ALERT/VSE Components About This Manual Chapter 2 Understanding Rules Processing Introduction About This Chapter What Resources Can BIM-ALERT Protect? How Is Security Enforced? Security Definition Introduction User Profiles Defining Resource Information Summary The Authorization Process Introduction Step 1: User Authentication Step 2: Assigns the Security ID Step 3: Checks Authorization for Controlled Library Activity Step 4: Checks If the Program Is Loaded From a Controlled Library Step 5: Checks the Action Code of the Group Rule Step 6: Checks Resource For Controlled Library Activity Step 7: Searches for an Applicable Ruleset Step 8: Searches For an Applicable Program Rule Step 9: Locates the Applicable Rule within the Ruleset Summary Sample Authorization Inquiry Extended ALXP Functions Chapter 3 Introduction to the Online Rules Definition Facility Introduction About the Online Rules Definition Facility Types of Rules Using the Online Rules Definition Facility Accessing the Online Rules Definition Facility Panels Accessed From the Online Rules Definition Facility Action Codes Equal Comparison Operators Special Node Name Status Codes Chapter 4 Creating and Maintaining User Profiles Using the User Profile Panel Contents iii

4 Introduction SECID Development Adding a User Profile Updating a User Profile Displaying a User Profile Searching for User Profiles Fields on the User Profile Panel Fields on the IUI Profile Information Panel Defining Security for Jobs from Remote Sites Introduction Security During ASI Processing Introduction Enforcing Security During ASI BIM-ALERT/VSE Submittal Monitor Defining Logon Sources Using the User Profile Panel Internally Generated User IDs Internally Generated Security IDs AXPU4 Program Introduction BIM-ALERT Authorization Call for Program AXPU Preventing AXPU4 Access by Default Chapter 5 Controlling Access to Resources About This Chapter Using the Ruleset Panels Determining the Components of the Ruleset Name Accessing Ruleset Panels Adding Rulesets Updating Rules and Rulesets DASD and Tape Dataset Panels Introduction Sample Panels Fields on the DASD and Tape Dataset Panels The Resource Information Panel Introduction Sample Panel Fields on the Resource Information Panel Accessing TAPELBL and ULTAPE Rulesets Securing ULTAPE Resources Securing DITTO Commands Securing Environment (ENVRES) Resources Securing JCL Resources Terminating Jobstreams that Violate Security Using the BIM-ALERT/VSE Security Exit for CA-XCOM How CA-XCOM Obtains the Requestor's User ID How CA-XCOM User IDs Affect BIM-ALERT Rules Accessing CA-XCOM Resource Panels Fields on the XCOMSEND and XCOMRECV Panels Examples Using the VIOLATN Resource Using the CA-FLEE Security Exit iv BIM-ALERT/VSE Security Administrator's Guide

5 Using the CA-FAVER Security Exit Using the CA-MASTERCAT Security Exit Using the BIM-FAQS/PCS Security Exit Using the CA-EXPLORE for VSE Security Exit Using the CA-EXPLORE for CICS-VSE Security Exit The Library, Sublibrary, and Library Member Panels Introduction VSE Librarian Naming Conventions How BIM-ALERT Processes Librarian Component Names Using the Library Panel Sample Library Panel Fields on the Library Panel Using the Sublibrary Panel Fields on the Sublibrary Panel Using the Library Member Panel Fields on the Library Member Panel Chapter 6 Security Administrator Control Functions Using the CALR Panel Introduction Using CALR to Put New Security Requirements into Effect Fields on the CALR panel Output from the Rules Conversion and Assembly Run Manual Generation of CALR Jobs Using the System Options Menu Introduction System Options Panels Fields on the System Options Menu Performing SCFL Control Operations Fields on the System Options Menu for Control Operations Controlling Network Submittals Controlling Monitor Mode for Dynamic Partitions Using SCFL to Control Monitor Mode for Dynamic Partitions Fields on the JECL/JCL Panel Manual Generation of SCFL Jobs Introduction Using AXPI1, AXPI3, and AXPI3E Using AXPI13 to Control Monitoring of Dynamic Partitions Using the Online Rules Test Panel Introduction Performing User Verification Performing Resource Authorization Performing a Combined Simulation Verifying Your Rules Table Simulation Response Display Fields Continuing an AXPT Session Ending an AXPT Session Changing Access Levels Using Program AXPHD Introduction AXPHD3's Process Using the HD3TAB Macro Contents v

6 Rules Test Program AXPS Introduction AXPS3 Parameters AXPS3 Jobstream AXPS3 Output Emergency Override Jobname Processing Using Emergency Override Mode Emergency Override Parameters Disabling Emergency Override Chapter 7 Batch Maintenance of the Security File Introduction Specifying Control Statements to AXPU Assigning a Description to a Logical Table Displaying Statistics Modeling a New Logical Table after an Existing One Removing a Logical Table Renaming a Logical Table Removing or Reactivating Disabled Records Modeling a SECID after an Existing SECID Removing all Rules for a SECID Changing the SECID Referred to by Rules Combining Logical Tables into a New One Chapter 8 Online Auditing Introduction About This Chapter For Information About Batch Auditing DAUD Panels Overview Audit Information Selection Criteria Panel Display BIM-ALERT Audit Information Panel Using the DLOG Transaction Introduction Display Log Records Panel Display Log File Panel Using the Print Log Records Panel Using S1U100, the Audit Trail Backup/Archive Utility Introduction Sample JCL Sample BIM-ALERT/CICS Audit Report Appendix A BIM-ALERT/VSE Extended Security Functions... A-1 Introduction... A-3 About Extended Functions... A-3 About This Appendix... A-5 SECID Rules... A-6 SECID Development... A-6 About SECID Rules... A-8 Adding SECID Rules... A-11 Displaying and Updating SECID Rules... A-14 vi BIM-ALERT/VSE Security Administrator's Guide

7 USER Rules... A-15 Introduction... A-15 Internally Generated USER IDs... A-15 Adding USER Rules... A-16 Displaying and Updating USER Rules... A-21 Sequencing USER Rules... A-22 Displaying or Changing the Sequence of USER Rules... A-23 JOBMASK Rules... A-24 Introduction... A-24 Adding JOBMASK Rules... A-25 Displaying JOBMASK Rules... A-27 Updating JOBMASK Rules... A-28 Example... A-30 Introduction... A-30 Step 1: Define the USER Rule... A-31 Step 2: Define the JOBMASK Rule... A-32 Step 3: Define the SECID Rule... A-33 Appendix B Batch Coding and Assembly of Rules... B-1 Introduction... B-2 About This Appendix... B-2 About Coding Your Own Rules... B-2 General Rules and Notation Conventions... B-3 Statements... B-8 Introduction... B-8 GROUP Statement... B-13 JOBMASK Statement... B-17 SECID Statement... B-19 DASDDS and TAPEDS Statements... B-25 LIBMEM Statement... B-29 RESOURCE Statement... B-31 SUBLIB Statement... B-35 Execution Parameters... B-37 Assembling the Rules Table... B-39 The Assembly Jobstream... B-39 AXPR1 Printer Output... B-40 Loading a New Rules Table... B-41 Procedure... B-41 Testing Before You Load... B-42 Appendix C Callable Interfaces... C-1 About This Appendix... C-2 AXP Macro... C-3 Introduction... C-3 Specifying Parameters... C-3 MF=MFGA... C-4 MF=INQ... C-4 MF=USER... C-5 MF=AUTH... C-9 Linkage Conventions for the AXP Macro... C-11 Return Values in Monitor Mode... C-12 Contents vii

8 Assembly Example... C-13 Callable Interfaces Using ID Statement Encryption... C-17 Introduction... C-17 Program AXPHJ5A... C-18 Programs AXPHJ5E and AXPHJ5F... C-21 Program AXPHJ5B... C-24 Index... 2 viii BIM-ALERT/VSE Security Administrator's Guide

9 Trademark Information This manual refers to the following brand or product names, registered trademarks, and trademarks which are listed according to their respective owners. Platinum Software: ZEKE Computer Associates International, Inc.: CA-DRIVER CA-EXPLORE for CICS CA-EXPLORE For VSE CA-EZ/KEY CA-FAVER CA-FLEE CA-LIBRARIAN CA-SCHEDULER CA-VOLLIE International Business Machines: AS400 CICS CICS/VSE IBM IDCAMS MVS/ESA VM/ESA VSE/ESA VSE/POWER VSE/SP VTAM Phoenix Software Company: CONDOR X/Open Company Ltd.: UNIX Trademark Information ix

10 Related Publications Overview This section lists the documentation that deals with BIM-ALERT/VSE and BIM- ALERT/CICS. BIM-ALERT/VSE Manuals Subject Installation Using BIM- ALERT Reports Messages Manual The BIM-ALERT Installation and Operations Guide explains how to install and maintain BIM-ALERT/VSE. The BIM-ALERT/VSE Security Administrator's Guide explains how to use BIM-ALERT/VSE to set up and maintain security. The BIM-ALERT Auditing and Report Writing Guide explains how to use the BIM-ALERT batch report writer. The BIM-ALERT Messages Guide contains explanations of all messages issued by BIM-ALERT/VSE. BIM-ALERT/CICS Manuals Subject Installation Using BIM- ALERT Reports Messages Manual The BIM-ALERT Installation and Operations Guide explains how to install BIM-ALERT/CICS. The BIM-ALERT/CICS Security Administrator's Guide explains how to use BIM-ALERT/CICS to set up and maintain security. The BIM-ALERT Auditing and Report Writing Guide explains how to use the BIM-ALERT batch report writer. The BIM-ALERT Messages Guide contains explanations of all messages issued by BIM-ALERT/CICS. x BIM-ALERT/VSE Security Administrator's Guide

11 1 System Overview This chapter describes the features of the BIM-ALERT/VSE product and its components. It also outlines compatibility issues between this version of the product and previous versions. About BIM-ALERT What Is BIM-ALERT/VSE? BIM-ALERT/VSE Components About This Manual

12 What Is BIM-ALERT/VSE? About BIM-ALERT About BIM-ALERT What Is BIM-ALERT/VSE? Description BIM-ALERT/VSE is a security product designed to control access to datasets, programs and other library members, libraries, and sublibraries in a VSE batch environment. The Security Process Using an online, menu-driven facility, the security administrator defines secured resources and the required security ID that a job must have to access specific resources. As each job begins execution, BIM-ALERT/VSE assigns it a security ID, which determines the scope of access the job is permitted. A job's security ID is usually based on the identity of the user who submitted the job. However, other JCL parameters, such as POWER password or job accounting information, can also be used to develop the security ID. You can choose which JCL items to use to develop a job's security ID. Controls BIM- ALERT Provides BIM-ALERT/VSE helps you maintain control of the batch computing environment by doing the following: Monitoring the online job SUBMIT process performed through CMS, ICCF, BIM- EDIT, and several other facilities. This helps maintain accountability for jobs entering the system. Controlling entry of jobs from remote locations. Controlling access to any program retrieved from a VSE library. This control includes access using program execution (EXEC) and LOAD and FETCH. Logging each program execution that occurs. This data can help you track unauthorized executions of programs. Controlling access to VSE libraries. This control includes full READ, WRITE, DELETE, and DEFINE protection at the library, sublibrary, and library member levels. Controlling access to any VSAM dataset. This control includes full READ, WRITE, DELETE, and DEFINE protection. Controlling access to non-vsam DASD datasets that are allocated using standard VSE data management facilities. BIM-ALERT/VSE also controls access to files allocated using DASD space management facilities, including (but not limited to) SAM-managed VSAM files. Controlling access to tape datasets. 1-2 BIM-ALERT/VSE Security Administrator's Guide

13 About BIM-ALERT What Is BIM-ALERT/VSE? Controlling access to several sensitive VSAM catalog management functions. Controlling access to functions of the VSE DITTO utility program at the command level. Controlling usage of sensitive JCL commands, such as commands to erase data stored on tape volumes. Enforcing or tracking usage of standards for JCL and JECL job statements. Chapter 1. System Overview 1-3

14 BIM-ALERT/VSE Components About BIM-ALERT BIM-ALERT/VSE Components Overview BIM-ALERT/VSE's components fall roughly into the following functional areas: Component Job Submit Monitor Facility Security Check Initiators Authorization Checking Routine Description These routines get control whenever an online facility (CMS, ICCF, BIM-EDIT, and so on) is invoked to submit a job to batch. They ensure that the identity of the user who is submitting the job is carried into the job control statements. These routines get control when a job requests access to a resource. They invoke the authorization checking routine. These tasks access a rules table to determine the following: Whether a job is authorized to access a resource At what level (read, write, or execute) a job is authorized to access a resource Online Rules Definition Facility Batch Rules Assembler System Startup Logging Rules File Management Reporting and Archiving The online rules definition facility runs as a CICS transaction. This transaction enables the security administrator to define protected resources and to define what security ID a job must have to access them. This facility includes an audit trail to keep track of all security definition activity. The rules assembler runs as a batch job. It accepts data produced by the online rules definition facility, interprets this data, and places it in a form (the rules table) that the authorization checking routine can use. The system startup routines establish BIM-ALERT/VSE's security check initiators as the VSE security interface. System startup also makes available the specific rules table designated by the security administrator. The logger runs either as a subtask in the POWER partition or standalone in its own partition. It accepts requests to write data to the log file and the operator console. These requests come primarily from the authorization checking routine. Several batch programs assist in managing the data produced by the online rules definition facility. These programs provide reporting and archiving for the log file data and the BIM-ALERT audit file. 1-4 BIM-ALERT/VSE Security Administrator's Guide

15 About BIM-ALERT BIM-ALERT/VSE Components Security Check Initiators Batch jobs gain access to resources such as datasets (files) and programs through high-level operating system interfaces. For example, access to a dataset is gained through an OPEN macro and access to a program is gained through a FETCH or LOAD macro. These operating system interfaces, as well as certain other operating system components such as the VSE Librarian, request security checks using the standard VSE security interface. Because the BIM-ALERT/VSE startup has established BIM-ALERT/VSE as the VSE security interface, BIM-ALERT/VSE's authorization checking routine is invoked automatically on any such requests for security checking. To provide security for additional resources, BIM-ALERT/VSE's security check initiators "front-end" several other points where access to a resource may be requested, and invoke the authorization checking routine. In addition, you can incorporate security checks into your own programs by using the AXP macro. This macro invokes the BIM-ALERT authorization routine and checks authorization based on rules defined by the security administrator. The macro can be useful in programs that circumvent the normal operating system services to gain access to resources and in situations in which you want to check security for resources other than those pre-defined by BIM-ALERT (libraries, datasets, and so on). For detailed information about the AXP macro, refer to Appendix C, "Callable Interfaces". Whether the check is initiated by one of BIM-ALERT's built-in security check initiators or by the AXP macro, the authorization checking routine gets control before the requestor is actually given access to the resource. BIM-ALERT/VSE can be directed to cancel a job that requests access to an unauthorized resource. Authorization Checking Routine The authorization checking routine is invoked when a job requests access to a resource. The routine that invokes the authorization checking routine provides a description of the resource. The checking routine searches the rules table for a rule that covers the resource. If the resource is covered by a rule, it indicates what security ID is required to permit access to the resource. The rule also specifies at what level a security ID is permitted access, such as read, write, or execute. If the job's security ID does not permit it to access the resource, the checking routine denies access. The authorization checking routine is also responsible for developing a job's security ID. This is done when the job begins to execute, by assembling various items of job entry data that are included in the job's JCL. A job's security ID is usually based on the identity of the submittor, which is contained in a JCL or JECL statement, or an internal VSE control block. Rules Table Definition BIM-ALERT/VSE's menu-driven online system makes it easy to define rules to the BIM- ALERT/VSE system. The online rules definition facility runs as a CICS transaction, with a main menu containing all the functions, and a series of panels used to add, display, update, or change the sequence of the different types of rules to be assembled. A VSAM database holds the rules definitions, and because you can assign a table number to each rule, multiple logical rules tables can be contained in the same physical VSAM file. Chapter 1. System Overview 1-5

16 BIM-ALERT/VSE Components About BIM-ALERT This online rules definition process establishes the parameters of the batch security environment. It defines what job entry items are used to form a job's security ID, and it defines what security ID is required to access each secured resource. An audit facility keeps track of all online security definition activity in a separate file. This file is shared by BIM-ALERT/VSE and BIM-ALERT/CICS and both types of security definitions are recorded in this file. Batch Rules Assembler The rules file conversion program runs as a batch program and produces a file suitable for input to the rules assembler program. The rules assembler program interprets this file, changes it into a form suitable to the authorization checking routine (a rules table), and finally invokes the linkage editor to place the table into a library. (You can initiate this batch process with an online transaction.) The rules table assembly process produces a table with a phase name specified by the administrator. A specific rules table may be connected to the authorization checking routine in one of two ways: At system startup, the rules table named in the BIM-ALERT/VSE control file is retrieved from a library and loaded into main storage. The startup JCL may optionally override the name specified in the control file. After the system has been started, a different rules table, previously placed in a library by the rules assembler, may be connected to the authorization checking routine. This is done by executing the startup program in the MODIFY mode, and specifying the phase name of the rules table. System Startup The system startup program establishes BIM-ALERT/VSE as the VSE security interface. It also loads the rules table. Normally the startup program is executed as part of the ASI process (that is, at IPL). The startup program is designed to accept input parameters from two sources: The BIM-ALERT/VSE control file. The security administrator places the desired startup parameter values into this file using a control file load program. Parameters not specified at that time assume default values. The control file load program executes in a batch job that you can initiate from the online facility. Control statements from the startup jobstream. The startup job is normally cataloged as part of the ASI procedure. Statements in this jobstream override values from the control file. However, the security administrator can place a parameter in the control file that specifies that overriding control statements in the jobstream are not permitted. At System Startup, specify the name of the rules table and indicate whether the system is to run in monitor mode. During initial system implementation, you can specify a parameter to direct BIM-ALERT/VSE to operate in monitor-only mode. In monitor-only mode, BIM- ALERT/VSE monitors jobs entering the system and tracks access to resources, but does not deny access to any resource or cancel any job. 1-6 BIM-ALERT/VSE Security Administrator's Guide

17 About BIM-ALERT BIM-ALERT/VSE Components Logging The logger can run as a subtask in the same partition as POWER or in a dedicated partition or in any partition capable of attaching a subtask. It accepts requests for logging and writes records to a VSAM file. The logger is also responsible for writing messages to the operator console. Tasks requesting logging (primarily the authorization checking routine) place log data in a log queue, which is defined in the system GETVIS area. If you run the logger in a POWER partition, the logger starts when the POWER partition is started. The logger generally starts during the ASI process, that is, at IPL. If the logger startup is executed before the BIM-ALERT/VSE system startup program, however, the logger waits until the BIM-ALERT/VSE system startup program has finished before it begins its initialization procedure. The logger automatically enters an IDLE state when BIM-ALERT/VSE is shut down. It also terminates whenever the POWER partition terminates, that is, when a PEND is issued. If you run the logger in a dedicated partition, the logger runs as a batch job in that partition and starts when the jobstream starts. To stop the logger, you must execute a batch utility to force an end-of-job. Rules File Management Several batch utilities help manage and report on the file maintained by the online rules definition facility. Some of the utilities are mandatory in order to use the online system, while others are optional utilities designed to report upon the file, or to assist in making mass changes to the file. The following utilities are provided: Utility AXPU001 AXPU002 AXPU004 Description Runs after the file has been defined using IDCAMS. AXPU001 adds records to the file which will be used by the online system for control information when new rules are added. This program must be run before using the online system. Converts the online rules file to a format readable by the rules assembler. Any time a change is made to the online file, the rules must be reassembled before the change can influence the security environment. AXPU002 must be run to convert the online file before the new changes can be assembled into the rules. Performs mass maintenance to the online file. You can perform the following operations with AXPU004: Assign a description to a logical table Display statistical information about the entire file Model a new logical table after an existing one Remove a logical table Rename a logical table Remove disabled records from a logical table Reactivate disabled records in a logical table Model a SECID after an existing SECID within a logical table Remove all rules for a SECID from a logical table Combine logical tables into a new logical table Chapter 1. System Overview 1-7

18 BIM-ALERT/VSE Components About BIM-ALERT AXPB001 Produces a listing of all the resources a security ID can access in a particular table. It is a reporting facility only, and it is optional. Reporting and Archiving BIM-ALERT/VSE includes an online transaction for viewing the log file data and a batch program to produce printed reports from the log file data. The batch program accepts input from either the current log file data (on disk) or an archive tape. You can also direct it to merge the current log file data with a "to date" archive tape. A batch report program and an online transaction are provided to display the data in the BIM-ALERT audit file. 1-8 BIM-ALERT/VSE Security Administrator's Guide

19 About This Manual About This Manual Organization The following table shows where to find information in this manual: For Information About The resources BIM-ALERT can protect and how security is defined and enforced. Using the online rules definition facility. Using the User Profile panel to create, display, and change user profiles. User profiles define the security ID to be assigned to users based on their individual logon information. Refer To Chapter 2, "Understanding Rules Processing" Chapter 3, "Introduction to the Online Rules Definition Facility" Chapter 4, "Creating and Maintaining User Profiles" The BIM-ALERT/VSE submittal monitor. The AXPU4 program. Controlling access to DASD and tape datasets; libraries, sublibraries, and library members; and to other resources such as ULTAPE resources and DITTO commands. Chapter 5, "Controlling Access to Resources" Using the security exits. Using the CALR, SCFL, and AXPT panels to perform security administrator control functions, such as putting new security into effect, reloading the control file, and performing simulations to test your rules. Chapter 6, "Security Administrator Control Functions" Emergency override jobname processing. Rules test program AXPS3. Batch maintenance of the security file. Online auditing facilities. Extended security functions, which provide an alternate method for SECID development to cover situations where using the submittor's identity is not appropriate. Chapter 7, "Batch Maintenance of the Security File" Chapter 8, "Online Auditing" Appendix A, "BIM-ALERT/VSE Extended Security Functions" (continued) Chapter 1. System Overview 1-9

20 About This Manual For Information About How to create and assemble rules without using the online rules definition facility. How to use the following: The AXP macro to perform an authorization check for pre-defined and user-defined resources. Refer To Appendix B, "Batch Coding and Assembly of Rules" Appendix C, "Callable Interfaces" Programs AXPHJ5A, AXPHJ5E, AXPHJ5F, and AXPHJ5B to secure submittal processes not covered by a submittal monitor BIM-ALERT/VSE Security Administrator's Guide

21 2 Understanding Rules Processing This chapter describes rule processing for BIM-ALERT/VSE and is directed toward the security administrator. Introduction About This Chapter What Resources Can BIM-ALERT Protect? How Is Security Enforced? Security Definition Introduction User Profiles Defining Resource Information Summary The Authorization Process Introduction Step 1: User Authentication Step 2: Assigns the Security ID Step 3: Checks Authorization for Controlled Library Activity Step 4: Checks If the Program Is Loaded From a Controlled Library Step 5: Checks the Action Code of the Group Rule Step 6: Checks Resource For Controlled Library Activity Step 7: Searches for an Applicable Ruleset Step 8: Searches For an Applicable Program Rule Step 9: Locates the Applicable Rule within the Ruleset Summary Sample Authorization Inquiry

22 2-2 BIM-ALERT/VSE Security Administrator's Guide Extended ALXP Functions

23 Introduction About This Chapter Introduction About This Chapter This chapter describes rule processing for BIM-ALERT/VSE and is directed toward the security administrator. Familiarity with basic VSE concepts (such as libraries, sublibraries, datasets, and job processing) is required, but no detailed knowledge of programming, VSE internals or VSE JCL is required. Chapter 2. Understanding Rules Processing 2-3

24 What Resources Can BIM-ALERT Protect? Introduction What Resources Can BIM-ALERT Protect? BIM-ALERT/VSE provides security for VSE resources that are accessed by batch jobs. These resources include VSE datasets, libraries, sublibraries, and library members (including executable programs). BIM-ALERT/VSE does not provide security for online processes such as CICS and ICCF. The following types of control are provided: You Can Control Job execution Access to datasets Access to VSE libraries, sublibraries, and library members VSAM catalog functions JCL commands DITTO commands CA-XCOM resources Description You can control which users can execute batch jobs. In this context, a user is someone who can be identified by an online user ID, such as a CMS user ID or an ICCF user ID or by a user ID and password from a // ID job control statement or a VSE POWER job card. You can control which users' jobs can access specific datasets at specific levels: read, update, and alter. Included here are tape datasets, disk datasets controlled by VSAM, and disk datasets controlled by VSE LIOCS. (Alter access applies only to datasets controlled by VSAM.) You can control which users' jobs can access specific VSE libraries, sublibraries, and library members. This control can be applied at specific levels: execute, read, update, and alter. You can control which users' jobs can perform the following operations: Delete and define VSAM catalogs Delete and define VSAM space Obtain a listing of all the information in a VSAM catalog You can control which users' jobs can execute certain sensitive JCL commands. You can control which users' jobs can execute DITTO commands. You can control send and receive requests from CA s XCOM product. 2-4 BIM-ALERT/VSE Security Administrator's Guide

25 Introduction How Is Security Enforced? How Is Security Enforced? Overview BIM-ALERT/VSE consists of the following components: Security definition Authorization Logging and reporting A description of each of these components follows. Security Definition The security definition component consists of a CICS transaction (ALXP) and several batch programs. With ALXP, you can define your security requirements online. The batch programs transform your security requirements into a format that is suitable for the authorization component. Authorization The authorization component enforces the security requirements that you define. Resource authorization requests come from VSE components (such as the librarian) and from BIM- ALERT/VSE modules that "hook" strategic VSE processes (such as the VSAM delete and define process). Also included in the authorization component are the job submittal monitors. Those modules monitor job submittal processes in various online environments (such as CMS, CICS, and ICCF). The job submittal monitors put information in the jobstream that identifies the submittor. Logging and Reporting The logging and reporting component keeps track of violations and auditing information in disk files, and it produces messages on the operator console when a violation occurs. It includes report programs that produce printed output from either the audit file or the log file data, and online transactions that display information from either the audit file or the log file. Chapter 2. Understanding Rules Processing 2-5

26 Introduction Security Definition Security Definition Introduction How Is Security Definition Information Entered? You use the ALXP transaction to enter information that is used by the authorization component to enforce your security requirements. This section describes the individual elements of that information, and shows how those elements fit together. Where Is Security Definition Information Stored? ALXP stores your security information in a VSAM file known as the online security definition file. Batch programs transform the information in the online security definition file into another format and catalog it into a VSE library member. That VSE library member is called a rules table. The authorization component retrieves your security information from the rules table, not directly from the online security definition file. The rules table includes two types of information: User profile Resource information Both types of rules table information are described in the following sections. 2-6 BIM-ALERT/VSE Security Administrator's Guide

27 Security Definition User Profiles User Profiles Introduction User information identifies users who submit jobstreams to batch partitions. The authorization component uses this information to assign a security ID (SECID) to a jobstream. All the information for one user is known collectively as a user profile. A user profile consists of the following types of information, each of which is discussed below: Descriptive information An action code A security ID (SECID) Logon identification An expiration date Descriptive Information You can associate descriptive data with each user through fields on the User Profile panel. The descriptive data, such as user name and department, has no direct impact on security enforcement (it is not even present in the rules table), but it is shown whenever you use ALXP to display a user profile. For a complete list of fields on the User Profile panel, see page Action Codes You can associate one of the following action codes with each user profile: Code Actions Taken * Allow access without any special logging or console display. L Allow access Write a record into the BIM-ALERT/VSE log file W C Allow access Display a message on the system operator's console Write a record into the BIM-ALERT/VSE log file Deny access. Refer to page 2-7 for more information. Whenever BIM-ALERT/VSE processes a jobstream, it retrieves the action code from the submittor's user profile and performs the specified actions. Security ID The security ID is a one- to eight-character name designated for an individual user or a group of users with similar security authorization. Each user profile specifies the security ID for that user. Any job submitted by the user is assigned that security ID. When you define security for a resource, you identify authorized users of that resource by security ID, not by individual user. Chapter 2. Understanding Rules Processing 2-7

28 User Profiles Security Definition Logon Identification The user profile contains the following two types of logon identification information: One type describes information for jobs submitted from a process that already validated the user. That information and the logon ID form the basis for assigning a SECID to the jobstream. The other type of logon identification information is for jobs that are not submitted from an online session or that are submitted from a type of online session not supported by one of BIM-ALERT's submittal monitors. This type of information is referred to as EXT (external) on the User Profile panel, and it consists of two items: A user ID, which corresponds to the USERID parameter in a // ID statement or JECL SEC parameter in the jobstream A password, which describes a password value that BIM-ALERT compares against the PWD parameter of the // ID statement or JECL SEC parameter When you submit a jobstream using a process that is not monitored by BIM-ALERT, you place a // ID statement or JECL SEC parameter in the jobstream. The // ID statement or JECL SEC parameter contains a USERID and PWD to identify you to BIM-ALERT as the submittor of the jobstream. That information forms the basis for assigning a SECID to the jobstream. A user profile describes a single user, but it can include several logon ID/logon source entries and an EXT/PW entry. Whenever a user has more than one logon ID or EXT/PW, the user profile consists of multiple logon ID/logon source entries. Expire Date The expire date defines when the user profile expires. After that date, jobs submitted by the user are not permitted to run. Group Rules So far, this discussion of user profile information has focused on the external view, the one you see when you display a user profile with the ALXP transaction. Internally, the user profile information is represented a little differently. Each logon ID/logon source entry contains the action code, the expire date, and the security ID from the user profile. Each of these internal entries (logon ID, logon source, action code, expire date, and security ID) is known as a group rule. Each entry defines the group (security ID) that the associated logon ID/logon source belongs to. The authorization component searches these group rules to determine what security ID to assign to a jobstream. This process is described on page BIM-ALERT/VSE Security Administrator's Guide

29 Security Definition User Profiles Sample User Profile Panel DAUP ** BIM-ALERT USER PROFILE ** DISPLAY USERID NAME MODEL UP-STAT _ ADMIN USER CLASS _ CICS _ BATCH _ DATA / BATCH >>>>>>>>> PWS _ REM _ ACT _ MON _ CON _ CLB _ EXPIRE DATE / / SUBMIT USERIDS: EXT/PW / TABLES/SECIDS: CICS >>>>>>>>>> OPID IUI ID/PW / EXT SEC / PASSWORD PRM _ TRM GRP 1 COMP STATUS _ ISSUE DATE / / PRIM/GRP2 DIV PROC TYPE _ NEW PSWD ALT1/GRP3 DEPT MSG SUFFIX EFF DATE / / ALT2/GRP4 SECT INACTIVE HRS MINS..SCHED TIMES.. MON / TUE / WED / THU / FRI / SAT / SUN /...TEMP TIMES.....EFF DATE......EXP DATE... MON / / / / / TUE / / / / / WED / / / / / THU / / / / / FRI / / / / / SAT / / / / / SUN / / / / / GK714 ENTER OPERATOR TO BE DISPLAYED (OR) PRESS -PF8- TO BROWSE For More Information For detailed information about using the User Profile panel, see Chapter 4, "Creating and Maintaining User Profiles". Chapter 2. Understanding Rules Processing 2-9

30 Defining Resource Information Security Definition Defining Resource Information Introduction The second type of information in the rules table is resource information, which identifies protected resources and specifies the security IDs or authorized programs that can access each resource. Resource Classes When you enter resource information with ALXP, you assign it to a resource class. A resource class describes a category of similar types of resources. BIM-ALERT/VSE uses a one- to eight-character resource name to identify each resource class. The following are predefined resource class names: Resource Class Name CATALOG DASDDS DITTO ENVRES JCxxxxxx LIBMEM LIBRARY SUBLIB TAPEDS TAPELBL ULTAPE XCOMRECV XCOMSEND Resource VSAM catalog manipulation DASD datasets DITTO utility CPUID and partition ID JCL commands VSE library members VSE libraries VSE sublibraries Tape datasets Unlabeled and non-standard-labeled tapes Special tape operations CA-XCOM receive requests CA-XCOM send requests (continued) 2-10 BIM-ALERT/VSE Security Administrator's Guide

31 Security Definition Defining Resource Information ALXP provides a separate panel for each predefined resource class. It also provides an OTHER panel, where you can define other resources. By assigning resources to classes, BIM-ALERT/VSE can deal with duplicate resource names. Consider the name DITTO. DITTO can be the name of an executable program, the name of a VSE library, and the name of a dataset. Because BIM-ALERT/VSE allows the resource name DITTO to be assigned to a resource class, you can define separate security for LIBMEM:DITTO, LIBRARY:DITTO, and DASDDS:DITTO. This manual uses the notation just shown, class:name, to refer to a specific item of resource information. It uses the term resource to mean a resource name within a specific resource class. Elements of Resource Information Each item of resource information consists of the following: A name specification A list of security ID and authorized program entries, each with an access level and an action code A security ID or program entry, with its associated access level and action code, is known as a rule. A rule does not stand on its own; it has meaning only in connection with a resource name specification. A name specification and all the rules associated with it are referred to collectively as a ruleset. Ruleset Name Specification A ruleset's name specification defines the resources to which you want the individual rules within the ruleset to apply. You can define generic rulesets and specific rulesets. A generic ruleset's name specification includes the special masking characters equal-sign (=) and asterisk (*). It applies to an entire group of resources that have similar names. These generic characters are explained on page For library, sublibrary, library member, and dataset resources, you can also use the reserved node name +USERID to define ruleset names that apply only when the name of the resource matches the requesting user ID, as explained on page A specific ruleset applies only to a single resource. In the following example, the first line is a generic ruleset that applies to all datasets whose names start with the characters PAYROLL. The second line is a specific ruleset that applies only to the single dataset named PAYROLL.EXECUTIV.MASTER. DASDDS:PAYROLL.= (generic) DASDDS:PAYROLL.EXECUTIV.MASTER (specific) Action Code You can associate an action code with each rule within a ruleset. The codes are the same as those described for user profiles on page 2-7. Chapter 2. Understanding Rules Processing 2-11

32 Defining Resource Information Security Definition Access Levels Each rule has an access level that designates the type of operations covered by the rule. The following table shows the valid access levels from lowest to highest. When a rule covers a given access level, it also covers the lower levels. Access Level Function Levels Covered EXECUTE Executing a program EXECUTE READ UPDATE ALTER Retrieving records from a dataset Retrieving members from a sublibrary Modifying records in a dataset Adding or replacing members in a sublibrary Defining or deleting the following: Datasets Libraries Library members Sublibraries EXECUTE READ EXECUTE READ UPDATE EXECUTE READ UPDATE ALTER Although a rule covers all levels below the specified access level, you can allow one specific level of access and deny the lower levels by defining several rules. For an example that allows a security ID one level of access and denies it the lower levels, see page Sample Panel The following sample DASD Dataset Information panel illustrates most of the resource information described here. In this example, jobs from SYSPROG can delete and define PAYROLL.= datasets, but cannot read or update them. Jobs from PROD can read and update those datasets, but cannot delete and define them. DDDS ** BIM-ALERT/VSE DASD Dataset Information ** Display Table Number: 51 Dataset Name: PAYROLL.= VOLSER: SECID/PGM Access Level Action Comments Status RD UPD ALT PROD _ X _ * PRODUCTION JOBS - READ/UPDATE A SYSPROG _ X _ C SYSPROG - NOT READ/UPDATE A SYSPROG X * SYSPROG - DELETE/DEFINE A 2-12 BIM-ALERT/VSE Security Administrator's Guide

33 Security Definition Summary Summary The security information that you define with ALXP (the online transaction) consists of user information and resource information. Information for an individual user, called a user profile, lists all of the user's logon IDs and assigns the user a security ID. The user profile lets BIM-ALERT/VSE associate a security ID with the jobs that a user submits. (Several users normally share a security ID.) Resource information identifies protected resources and specifies the security IDs that can access each one. Resource information is assigned to classes of similar types of resources (such as LIBMEM and LIBRARY). Resource information is organized into rulesets. A ruleset consists of a name specification and a list of rules. A ruleset's name specification defines the resources to which the ruleset applies. Each rule consists of a security ID or an authorized program, an access level, and an action code. The rules within a ruleset determine the security IDs that can access the resources to which the ruleset applies. All the rulesets are known collectively as a rules table. Chapter 2. Understanding Rules Processing 2-13

34 Introduction The Authorization Process The Authorization Process Introduction About This Section This section explains how BIM-ALERT/VSE's authorization routine uses your rules table to determine whether a job can access resources. The authorization routine gains control either from an operating system routine (such as program FETCH or file OPEN) or from one of BIM-ALERT/VSE's "hook" routines. The authorization routine is invoked to determine whether a job can access the resources that it requests. This process of invoking the BIM-ALERT/VSE authorization routine is called an authorization inquiry in the following discussion. Monitor Mode The authorization process described in this section is affected by the monitor mode options. When monitor mode is applied to an access authorization request, the authorization process does not cancel jobs that request access to resources they are not authorized to use, but merely logs or monitors such requests. You can specify monitor mode for one or more individual rules, for a user, for an entire partition, or for the entire system. For example, when you first implement BIM-ALERT, you might want to test the rules you have created by having BIM-ALERT keep a log of which jobs your rules would allow and which jobs they would cancel, without actually denying access to any resource or canceling any job. In this case, you would specify monitor mode for the entire system. On the other hand, you might be generally satisfied with the rules you have created, but want to temporarily give a particular operator or group of operators more access to certain resources. In that case, you could specify monitor mode for a particular rule, thereby allowing the operators the increased access but tracking which resources they use. Using Monitor Mode To specify monitor mode for a particular rule, enter the status code M in the STATUS field on the appropriate panel, as described in Chapter 5, "Controlling Access to Resources". For example, to specify monitor mode for a dataset rule, use the STATUS field on the DASD Dataset Information panel. To specify monitor mode for a user profile, enter the status code M in the STATUS field on the User Profile panel, as described in Chapter 4, "Creating and Maintaining User Profiles". To put one or more partitions into monitor mode, use the MONITOR parameters of the System Options menu, as described on page BIM-ALERT/VSE Security Administrator's Guide

35 The Authorization Process Introduction Overview of the Authorization Process The issuer of the authorization inquiry provides BIM-ALERT/VSE with the following information about the requested resource: Resource class Resource name Level of access desired Using this information and the rules table, the authorization routine proceeds as follows: Step Authorization Routine's Action 1 Performs user authentication. 2 Assigns the job a security ID. 3 Checks whether the submittor is authorized for controlled library activity. 4 For each program executed within a job, checks whether the program is loaded from a controlled library. 5 Checks the action code of the group rule. If it is C, the job is canceled. Otherwise, the job continues; proceed to step 6. 6 Determines whether the requested resource is related to deleting or defining an object in a controlled library. If so, does one of the following: If the submittor is authorized for these controlled library operations, proceeds to step 7. If the submittor is not authorized for these controlled library operations, denies access to the requested resource. 7 Searches the rulesets that apply to the requested resource class for a ruleset that applies to the requested resource name. Does one of the following: If a ruleset is found, proceeds to step 8. If no ruleset applies to the requested resource, it is considered to be unprotected. Access is allowed. (continued) Chapter 2. Understanding Rules Processing 2-15