AnsweredAssumed Answered

IDMS Record Level security

Question asked by frank_vanderveken on Jun 27, 2013
Latest reply on Jun 27, 2013 by ChuckHardee
Our security policies make it mandatory for us to secure database access at record level.
The only thing that makes a record unique from a security point of view is the combination
of : DBNAME.SUBSCHEMA.RECORD, i.e a subschema can be used for different dbnames and a record
can be defined for different dbnames.

Security validation at my company is entirely done externally, using CA ACF2.
Nowadays we do have record security enforced by an own written assembler routine, called FCHIDMS,
that is linked together with the IDMS routine. This stub is implemented as a 'front-end' to
our IDMS interface. In case it's called for a BIND RECORD, security checking is done (call ACF2).
If all is OK, or for other DML calls, we forward the call to our IDMS module.
Since this is not really a supported way of working, and on every upgrade to a new IDMS release
there is the risc of incompatibility, we would like to get rid of this front end stub and
replace it by a "standard way" of securing IDMS.

Currently IDMS security implementation through the RHDCSRTT does not contain the option to
secure on RECORD level.
On the other hand, IDMS has the option to secure on TABLE level for SQL defined schemas/database.
Why shouldn't it be done/possible for non-sql defined schema records?

The alternative (solution provided by CA) is the use of a database procedure that issues
a #SECHECK for a user-defined resource type. To me this seems not to be the most optimal
way to implement it, rather complex, and I see some pitfalls (enforcement that db proc is
set for every record in the schema, security check should be done only once per record
within a run unit, etc.).
Furthermore the use of database procedure has its disadvantages, namely the execution of
database procedures is not zIIP eligible. This means that calling db procedures
can/will create overhead concerning the TCB/SRB swap that will happen.

I asked CA to open a DAR (already some time ago) to enhance the IDMS security system to
allow record level security by means of SRTT definitions.The enhancement request has been
reviewed by CA Technologies Product Management Team. They believe it is worthy of further
consideration for potential inclusion in future roadmap planning for CA IDMS/DB (anno 2012).

Are there other IDMS users that face the same problem and/or are interested in this option ?

Best regards, Frank