IDMS

  • 1.  External Security with RACF

    Posted Jun 11, 2014 06:27 AM

    IDMS tasks are internally secured via Resource category names. Those resource categories are then granted to groups.

    If you want to secure the IDMS tasks externally, it is not possible to bring the resource category external since there is no entry for CATE in the SRTT.

    Are there ideas to bring the resource category name externally?

    Currently we brought the TASK code externally via the SRTT entry TASK. In RACF, we then created groups which have an access list to the tasks.

    The problem is the group name in RACF, which has a limitation of 8 characters.

    Can we see a resource category as a RACF grouping class?



  • 2.  RE: External Security with RACF

    Posted Jun 12, 2014 06:37 AM

    Some clarification.

    Working with grouping classes in RACF has the advantage that entity names can be defined in these grouping classes which are comparable to the resource categories within IDMS internal security.

     

    The path would be in that case:

    1. The SRTT table contains the following entry:

    #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXTERNAL,               *
          EXTCLS='$IDMS',                                         *
          EXTNAME=(SYSTEM,RESTYPE,RESNAME)

     

    1. The resource type TASK is externally secured; the RACF class is $IDMS and the external name is SYSTEMnn.TASK.taskname
    2. The RACF class $IDMS has a CDTINFO: GROUP=$GIDMS
    3. The RACF class $IDMS has n profiles which contain the IDMS tasks with extname as attribute.
    4. The RACF group class $GIDMS has a CDTINFO: MEMBER=$IDMS
    5. The RACF group class $GIDMS contains n members (name is) which can be the IDMS resource category name
    6. Add the RACF profiles to the RACF group class names (add the IDMS tasks to the IDMS resource category with the ADD MEMBER statement).
    7. Permits can be given on RACF grouping classes to RACF groups
    8. RACF users reside within RACF groups

     

    Some questions.

    Is there some experience available in the group?

    Can a task be a member of more RACF Group Names?

    Performance issues for IDMS resource Program when defined secby external?

    Can such a member of a resource category be non-discrete (wildcard on task, e.g. SYSTEMnn.TASK.ABCD*)?



  • 3.  Re: External Security with RACF
    Best Answer

    Posted Jun 17, 2014 12:46 AM

    We have used RACF for our external security for many years - for Signon as well as for Applications and Functions. TASK security is SECBY Internal for our shop - but all the same concepts apply - which basically requires a superficial level understanding of RACF terms - I hope the picture below helps to explain all the terms you will need. As long as you understand that IDMS-DC TASKs are RACF RESOURCEs - you will probably be able to understand most of the questions that you have.

     

    We do not give individual USERs access to RESOURCEs - this is always done through GROUP Connections and then the GROUP Access List. We have a Security application that greatly simplifies this - hiding all the RACF/IDMS concepts from the end Users who actually manage IDMS Security implicitly through a Human Resources application.

     

    So to try to answer your questions:

     

      IS there some experience available in the Group? Yes - contact Justice Technology Services

      Can a task be member of more RACF Group Names? Any number of RACF Groups can be GRANTed Access to a Resource (eg. an IDMS TASK)

      Performance issues for IDMS resource Program when defined secby external? Extremely efficient

      Can such a member of a resource category be non-discrete (wildcard on task ex.SYSTEMnn.TASK.ABCD*) ? I have not tried this - but it ought to be possible - as this functionality is available in both IDMS Security and in RACF!

     

    HTH - cheers - GaryC



  • 4.  Re: External Security with RACF

    Posted Jul 14, 2014 06:03 AM

    We tried to use generic in RACF:

    It's not possible to use generic on grouping classes in RACF. To do so we must use member classes in RACF and permit this generic profile to a RACF group.

     

    Jan
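
The setup outlined in post 2 (steps 1 to 8), combined with the finding in post 4 that generic profiles belong in the member class, written out as RACF commands. This is an added example, not taken from any poster; SYSTEM01, PAYROLL, PAYGRP, the task names PAY01/PAY02, POSIT(500), MAXLENGTH(40) and ACCESS(READ) are assumptions to be replaced with site values, and the CDT class is assumed to be active and RACLISTed already.

```tso
/* Added example. Constructed names: SYSTEM01, PAYROLL, PAYGRP,      */
/* PAY01, PAY02. POSIT(500) is a placeholder for an unused value.    */

/* Member class $IDMS, linked to its grouping class $GIDMS           */
RDEFINE CDT $IDMS UACC(NONE) -
  CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA,NATIONAL,NUMERIC) -
          OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) MAXLENGTH(40) -
          POSIT(500) RACLIST(ALLOWED) GROUP($GIDMS))

/* Grouping class $GIDMS: same POSIT, points back at $IDMS           */
RDEFINE CDT $GIDMS UACC(NONE) -
  CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA,NATIONAL,NUMERIC) -
          OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) MAXLENGTH(40) -
          POSIT(500) RACLIST(ALLOWED) MEMBER($IDMS))

/* Build the dynamic classes, then activate the pair                 */
SETROPTS RACLIST(CDT) REFRESH
SETROPTS CLASSACT($IDMS) GENERIC($IDMS) RACLIST($IDMS)

/* Resource category = one grouping-class profile; tasks = members.  */
/* Member names follow EXTNAME=(SYSTEM,RESTYPE,RESNAME).             */
RDEFINE $GIDMS PAYROLL UACC(NONE) -
  ADDMEM(SYSTEM01.TASK.PAY01 SYSTEM01.TASK.PAY02)

/* Permit the RACF group on the category, not on each task.          */
/* ACCESS(READ) is an assumption about the level IDMS requests.      */
PERMIT PAYROLL CLASS($GIDMS) ID(PAYGRP) ACCESS(READ)

/* Post 4: a generic task profile goes in the member class and is    */
/* permitted to the RACF group directly.                             */
RDEFINE $IDMS SYSTEM01.TASK.ABCD* UACC(NONE)
PERMIT SYSTEM01.TASK.ABCD* CLASS($IDMS) ID(PAYGRP) ACCESS(READ)

/* Pick up the new profiles and members in the in-storage copy       */
SETROPTS RACLIST($IDMS) REFRESH

/* Check the resulting access lists                                  */
RLIST $GIDMS PAYROLL AUTHUSER
RLIST $IDMS SYSTEM01.TASK.ABCD* AUTHUSER
```

The profile name in $GIDMS is not bound by the 8-character RACF group-name limit raised in post 1, so it can carry the IDMS resource category name up to the class MAXLENGTH.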