IDMS

 View Only
  • 1.  how works process creating user under IDMS

    Posted Jan 13, 2021 07:22 AM
    Hello,
    I should start care about user administration under IDMS ( creating users, grant ... ). It is absolutely new for me. I try create one user according manual I change dictname to system and go to OCF.
    There I put commands for creating user, assign profile to him, grant signon, grant execute on category.
    exampl:

    CREATE USER xxxx name ' Abc Abc' profile NULL;
    ALTER USER xxxx PROFILE yyyy;
    GRANT SIGNON ON SYSTEM zzzz PROFILE yyyy TO xxxx;
    GRANT EXECUTE ON CATEGORY CAT_aaa TO xxxx;


    But it not works immediately. This works next day, but IDMS wasn't restarted. Do you know how it works , it is mystery for my. I don't know if any process was running at night. 
    Is this process described in detail anywhere? In techdocs I found only info about this commands not process itself.


  • 2.  RE: how works process creating user under IDMS

    Posted Jan 13, 2021 08:50 AM
    Hi Jan,

    I found this document that may help understanding on the Signon processing.
    https://techdocs.broadcom.com/us/en/ca-mainframe-software/database-management/ca-idms/19-0/administrating/administrating-security-for-idms/signon-processing-ca-idms/what-is-signon-processing.html

    With regard to your question on why the settings do not work until thn next day:


    Perhaps you were trying to modify a user who was already signed onto the CV?
    If a user is already signed onto the CV, some security credentials and privileges are retained from the first time the user signed on. Therefore if you try to sign on again, the security settings for the user are not refreshed until there are no more users with that userid signed onto the CV.

    Also you could have a setting in Security resource table (SRTT) of SGNRETN = <nn minutes>
    I have pasted from the manual below.

    manual can be found here:
    https://techdocs.broadcom.com/us/en/ca-mainframe-software/database-management/ca-idms/19-0/administrating/administrating-security-for-idms/syntax-for-assembler-macros/secrtt.html


    If your userid is not signing on from OCF or VTAM you could be retaining the user signon details for <nn> minutes.

     

    SGNRETN


    Specifies whether CA IDMS should retain signon information originating from external request units (ERUs). This option will provide performance improvements in environments which process large numbers of short-lived ERUs and external security systems.
    time-interval
    Specifies the time in minutes that CA IDMS should retain signon information for external request units after the last session has been ended by signoff.
    You can specify the CA IDMS command, DCUF SHOW USERS ALL, to show the retained users signons with an LTERMID of *NONE*.
    Note: If a user signs on to the CA IDMS CV through a VTAM or TSO UCF connection and this is the last (or only) session, a FULL signoff will be performed and the retained signon information and control blocks will be freed from the CA IDMS CV.

    OFF


    Specifies that a full signoff, which frees all retained control blocks, will be performed at the end of the last (or only) session for the user. OFF is the default.


    Hope this helps

    Steve Rundle
    Lead IDMS DBA @ BT
    GTS, Infrastructure Services
    +44 117 929 5600 Desk
    +44 7768 400019  Mobile
    steve.rundle@ibm.com

    IBM





  • 3.  RE: how works process creating user under IDMS

    Posted Jan 18, 2021 06:22 AM
    thanks, for links. I read those and now I have better image how it works. But problem were same where else. In SRTT table for signon resource was those definition

    RESTYPE=SGON,
    EXTCLS='GRPIDMS'',
    EXTNAME=(RESNAME)'
    SECBY=EXTERNAL

    so for signon is responsible external security ( top secret ), so all definition in IDMS for user was right and works immediately, but user was added to group GRPIDMS in top secrete next day ( by security team ). That caused that logon works for user next day.