Question:
Is there a provided facility for reporting on IDMS internal security definitions and monitoring changes? We need to track the SYSADMIN privilege in particular. There does not appear to be a Utility or any Reports for this.
Answer:
It is true that the IDMS Internal security has no facility other than OCF/IDMSBCF, JREPORT8 or database access tools or user-written programs using subschemas IDMSSECS or IDMSSECU for reporting on security definitions and changes. No canned reports were created for this.
Many of our clients have most if not all resources secured externally, and external security managers such as TopSecret, ACF2 or RACF have such reporting and auditing capabilities.
There are several tools you can use to get the info you need but you would have to create one or more custom jobs and run them periodically or schedule them to run periodically.
Here are a few ideas:
1, OCF/BCF display commands.
A user who holds SYSADMIN privilege, when issuing a DISPLAY USER/GROUP will see all internal security privileges granted to the User/Group.
A user who holds SYSADMIN privilege can issue DISPLAY PRIVILEGES commands to show all privileges granted to Users/Groups for a given resource
DISPLAY SYSADMIN PRIVILEGES;
DISPLAY PRIVILEGES ON RESOURCE restype resname;
2. OLQ/DMLO/SQL/programs
It is true that the security records are not described in the Dictionary Data Structure Diagram, but we do deliver the schemas in SYSDIRL as well as the subschema load mods in CAGJLOAD for IDMSSECS and IDMSSECU.
OLQ/DMLO/DBOL/programs can use these to obtain security records but you do have to know the data structures to know what to look up.
The Schema Mapper product can be used to create a data structure diagram from IDMSSECS and IDMSSECU schemas.
If you have the SQL option you can
CREATE SCHEMA ********* FOR NONSQL SCHEMA SYSDIRL.IDMSSECU DBNAME SYSUSER;
CREATE SCHEMA ********* FOR NONSQL SCHEMA SYSDIRL.IDMSSECS DBNAME SYSTEM;
Then in OCF/BCF you can issue SQL SELECTs from these, but again you have to familiarize yourself with the data structures and how they are used.
With respect specifically to SYSADMIN, the SYSUSER.DDLSEC area will have a RESOURCE record (recid 1025) that represents the SYSADMIN resource.
For every User or Group who has been granted SYSADMIN there will be a RESOURCEAUTH record (recid 1026) that represents the granted privilege and will contain the AUTHID (User or Group) as well as the Restype and Resname of the resource that has been granted.
3. JREPORT8
If a User or Group is granted SYSADMIN, a RESOURCEAUTH record (recid 1026) will be stored and if SYSADMIN is revoked, a RESOURCEAUTH record will be erased and the data for the RESOURCEAUTH contains the AUTHID, Restype and Resname, all of which can be seen in the JREPORT8 report.
You will certainly need to play around with these to find what you need and decide how often to run your custom reports.