Setting up the security environment by using HFMSECUR
A security exit is provided for security control from within Z Data Tools if you do not use RACF® or an equivalent security product, or if SAF is not active at your installation. This exit is called HFMSECUR and is distributed in HFM.SHFMSAM1. You use HFMSECUR to protect selected Z Data Tools functions from unauthorized users.
If you want to use HFMSECUR for security, customize it as described below and install it using the usermod HFMUMODS. For information on installing HFMUMODS, see Installing HFMSECUR using HFMUMODS.
- Give or deny some users (or all users) access to one of the following groups of Z Data Tools functions:
  - FILEM.DISK.INPUT: Disk input functions
  - FILEM.DISK.UPDATE: Disk update functions
  - FILEM.TAPE.INPUT: Tape input functions
  - FILEM.TAPE.OUTPUT: Tape output functions
  - FILEM.TAPE.DUPLICATE: Tape copy functions
  - FILEM.TAPE.UPDATE: Tape update functions
  - FILEM.VSAM.UPDATE: VSAM update functions
  - FILEM.OAM.OUTPUT: OAM output functions
  - FILEM.OAM.UPDATE: OAM update functions
  - FILEM.LOADMOD.UPDATE: Load module update functions
  - FILEM.OTHER.ALL: All other functions
  - FILEM.TAPE.BLP: See Controlling Bypass Label Processing (BLP)
  - FILEM.DISK.FULLPACK: See Controlling fullpack access to DASD volumes
For more information about these groups, see Z Data Tools function to profile name cross-reference.
- Give or deny some users (or all users) access to an individual Z Data Tools function.
Controlling access
- FILEM.CICS.BASE: Access to Z Data Tools base function
- FILEM.CICS.IMS: Access to ZDT/IMS
- FILEM.CICS.DB2: Access to ZDT/Db2
If a user ID running ZDT/CICS has read access to any of these groups, then the associated function (HFM, ZDT/IMS or ZDT/Db2) will appear on the ZDT/CICS primary option menu and the user can invoke these functions, if they are installed.
If you have installed and customized the ZDT/CICS component, you should review your requirement for this access.
For more information about ZDT/CICS, see Customizing Z Data Tools CICS Component, and also the Z Data Tools User’s Guide and Reference for CICS.
Protecting update functions
- FILEM.BASE.UPDATE: Protect update functions in Z Data Tools base
- FILEM.DB2.UPDATE: Protect update functions in ZDT/CICS
- FILEM.CICS.UPDATE: Protect update functions in ZDT/CICS
(This aspect of security is handled differently for ZDT/IMS; see IMS subsystems and ZDT/IMS functions access control facility.)
These facility classes also require the option SEC=YES to be specified in HFM0POPT (for Z Data Tools base), HFM2POPT (for ZDT/Db2), and HFM3POPT (for ZDT/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see Z Data Tools unprotected functions, Customizing to protect update functions in ZDT/Db2, and Customizing to protect update functions in ZDT/CICS.
If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.
You modify HFMSECUR for your requirements by supplying HFMS macro statements to provide the control you want. Refer to the prolog in the supplied sample HFMSECUR for information about how HFMSECUR processes the HFMS macro statements, and where to insert the statements in the HFMSECUR source. The syntax of the HFMS macro is described in Syntax of the HFMS macro.
Examples of giving or denying access
The following examples show how to use HFMSECUR to give or deny a user access to a group of functions or a specific function.
- To give a user access to a group of functions (for example, tape output functions), add statements similar to this to HFMSECUR:
HFMS CLASS=FACILITY, ENTITY=FILEM.TAPE.INPUT, ACCESS=READ, USERID=userid
Similarly, to deny a user access to tape output functions, add statements similar to this:
HFMS CLASS=FACILITY, ENTITY=FILEM.TAPE.INPUT, ACCESS=NONE, USERID=userid
- To give a user access to a specific function (for example, the VSAM to Tape function), add statements similar to this:
HFMS CLASS=FACILITY, ENTITY=FILEM.FUNCTION.VT, ACCESS=READ, USERID=userid
Similarly, to deny a user access to the VT function, add statements similar to this:
HFMS CLASS=FACILITY, ENTITY=FILEM.FUNCTION.VT, ACCESS=NONE, USERID=userid
When a user tries to use a Z Data Tools function, HFMSECUR is called (once) with both the profile name shown in Z Data Tools function to profile name cross-reference (in the form FILEM.group.name) and the function code. HFMSECUR reads through the list of HFMS macros until a match is found for the user name or job name, and either the profile name or the function code. The first match found is used.
This means that each HFMS macro effectively overrides any HFMS macro that appears after it in the file. If you want HFMSECUR to have the same behaviour as SAF (where function code specifications override profile name specifications), put all of your function code specifications before your profile name specifications.
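The first-match behaviour described above, modelled in Python as an added example (it is not HFMSECUR's own code and not part of the original page), together with a check that flags function code rules that can never take effect because of their position. The Rule tuple, the function names, the user IDs, the placeholder function code ZZ and the assignment of VT to the FILEM.TAPE.OUTPUT group are assumptions made for illustration; take real group membership from the function to profile name cross-reference. The page does not say what happens when no rule matches, so the model returns None in that case.

```python
from typing import NamedTuple

FUNC_PREFIX = "FILEM.FUNCTION."

class Rule(NamedTuple):
    """Model of one HFMS statement (CLASS=FACILITY assumed throughout)."""
    entity: str   # profile name (FILEM.group.name) or FILEM.FUNCTION.code
    access: str   # "READ" or "NONE"
    userid: str

def decide(rules, userid, profile, function_code):
    """Return (access, rule index) of the FIRST rule matching the user and
    either the profile name or the function code; None if nothing matches."""
    func_entity = FUNC_PREFIX + function_code
    for i, rule in enumerate(rules):
        if rule.userid == userid and rule.entity in (profile, func_entity):
            return rule.access, i
    return None

def shadowed_function_rules(rules, group_of):
    """Return (function rule index, earlier rule index) pairs where an earlier
    rule for the same user already matches, so the function rule is dead."""
    hits = []
    for i, rule in enumerate(rules):
        if not rule.entity.startswith(FUNC_PREFIX):
            continue
        profile = group_of.get(rule.entity[len(FUNC_PREFIX):])
        for j in range(i):
            earlier = rules[j]
            if earlier.userid == rule.userid and earlier.entity in (profile, rule.entity):
                hits.append((i, j))
                break
    return hits

# Constructed sample data. The VT group assignment is an assumption.
GROUP_OF = {"VT": "FILEM.TAPE.OUTPUT"}
GROUP_READ = Rule("FILEM.TAPE.OUTPUT", "READ", "USER1")
VT_DENY = Rule("FILEM.FUNCTION.VT", "NONE", "USER1")

PROFILE_FIRST = [GROUP_READ, VT_DENY]    # the VT deny is never reached
FUNCTION_FIRST = [VT_DENY, GROUP_READ]   # SAF-like: function code rule wins

if __name__ == "__main__":
    for name, rules in (("profile first", PROFILE_FIRST),
                        ("function first", FUNCTION_FIRST)):
        print(name, decide(rules, "USER1", "FILEM.TAPE.OUTPUT", "VT"),
              "shadowed:", shadowed_function_rules(rules, GROUP_OF))
```

Running the shadow check over a transcription of your HFMS statements before reassembling HFMSECUR shows which function-level denies are being overridden by an earlier group-level grant.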