Re:Re: IDMS-L Digest - 28 Oct 2008 to 29 Oct 2008 (#2008-182)

Discussion created by ca.portal.admin on Oct 30, 2008
Lutz,

This is how we implemented #UTABGEN at our site.


** SETUP FOR 4 SEC CODES  1 = DEVELOPER                              **
**                        2 = HOUSEKEEPING                           **
**                        3 = DBD AND DBA FUNCTION                   **
**                        4 = EDS DBA FUNCTION                       **
**                                                                   **
** -----      ---------------    --------------------------          **
** CLASS CODE UTILITY COMMAND                                        **
** -----      ---------------    --------------------------          **
** ====== DEVELOPER FUNCTIONS =============================          **
**                                                                   **
**   1        SETOPTIONS         SET BCF/OCF OPTIONS                 **
**   1        PRINTSPACE         REPORT AREA/SEG SPACE UTILIZATION   **
**                                                                   **
** ====== HOUSEKEEPING FUNCTIONS ==========================          **
**                                                                   **
**   2        ARCHIVELOG         ARCHIVE DCLOG * BCF ONLY *          **
**   2        CLEANUP            ERASE LOGICALLY DELETED RECORDS     **
**   2        PRINTINDEX         REPORT INDEX STRUCTURE              **
**   2        PRINTJOURNAL       REPORT TRANS CHECKPOINT BCF ONLY    **
**   2        PRINTLOG           PRINT DCLOG OR ARCHIVE LOG          **
**   2        PRINTPAGE          PRINT CONTENT OF DATABASE PAGE      **
**   2        UPDATESTATISTICS   UPDATE TABLE STATISTICS             **
**                                                                   **
** ====== DBD AND DBA FUNCTIONS ===========================          **
**                                                                   **
**   3        ARCHIVEJOURNAL     ARCHIVE JOURNAL * BCF ONLY *        **
**   3        BACKUP             BACKUP DATABASE AREAS               **
**   3        BUILD              BUILD INDEX,REFERENTIAL CONSTRAINT  **
**   3        CONVERTPAGE        CHANGE PAGE RANGE OR MAX RECORDS    **
**   3        EXPANDPAGE         INCREASE AREA PAGE SIZE             **
**   3        FASTLOAD           LOAD NON-SQL DATABASE * BCF ONLY *  **
**   3        FIXPAGE            MODIFY CONTENT OF DATABASE PAGE     **
**   3        FORMAT             FORMAT AREA/SEGMENT/FILE            **
**   3        INSTALLSTAMPS      INSTALL STAMPS FOR SQL DATABASE     **
**   3        LOAD               LOAD SQL DATABASE                   **
**   3        LOCK               LOCK AREA/SEGMENT                   **
**   3        MAINTAININDEX      MAINTAIN INDEX FOR NON-SQL DATABASE **
**   3        PUNCHLOADMODULE    PUNCH DMCL, DBTABLE LOAD MODULE     **
**   3        RELOAD             RELOAD DATABASE * BCF ONLY *        **
**   3        RESTORE            RESTORE DATABASE                    **
**   3        RESTRUCTURE        MODIFY RECORD TO MATCH SCHEMA       **
**   3        RESTRUCTURECONNECT CONNECT POINTERS TO SETS            **
**   3        ROLLBACK           ROLLBACK DATABASE                   **
**   3        ROLLFORWARD        ROLLFORWARD + EXTRACT JOURNAL       **
**   3        SYNCHRONIZESTAMPS  SYNCHRONIZE STAMP FOR SQL DATABASE  **
**   3        TUNEINDEX          ADOPT ORPHANED INDEXED RECORDS      **
**   3        UNLOAD             UNLOAD DATABASE AREA                **
**   3        UNLOCK             UNLOCK AREA/SEGMENT                 **
**   3        VALIDATE           VALIDATE SQL TABLE                  **
**                                                                   **
** ====== EDS DBA FUNCTIONS ===============================          **
**                                                                   **
**   4        CONVERTCATALOG     CONVERT CATALOG                     **
**   4        FIXARCHIVE         REWRITE JOURNAL FOR ROLLBACK BCF    **
**   4        MAINTAINASF        MAINTAIN ASF                        **
**   4        MERGEARCHIVE       MERGE ARCHIVE                       **
**                                                                   **
** ========================================================          **
** THE FOLLOWING CODES COVER BOTH - IF YOU CAN DO IT IN OCF YOU      **
** SHOULD BE ABLE TO DO IT IN BCF - WITH THIS CHANGE YOU WILL        **
** NEED TO ADD STATEMENTS FOR EACH CV                                **
** CREATE RESOURCE ACTIVITY OCF.ACT_001 NUMBER 1;                    **
** CREATE RESOURCE ACTIVITY OCF.ACT_002 NUMBER 2;                    **
** CREATE RESOURCE ACTIVITY OCF.ACT_003 NUMBER 3;                    **
** CREATE RESOURCE ACTIVITY OCF.ACT_004 NUMBER 4;                    **
**                                                                   **
** CREATE RESOURCE ACTIVITY BCF.ACT_001 NUMBER 1;                    **
** CREATE RESOURCE ACTIVITY BCF.ACT_002 NUMBER 2;                    **
** CREATE RESOURCE ACTIVITY BCF.ACT_003 NUMBER 3;                    **
** CREATE RESOURCE ACTIVITY BCF.ACT_004 NUMBER 4;                    **
**                                                                   **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_001 TO DBA;                     **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_002 TO DBA;                     **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_003 TO DBA;                     **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_004 TO DBA;                     **
**                                                                   **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO DBA;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_002 TO DBA;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_003 TO DBA;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_004 TO DBA;                     **
**                                                                   **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_001 TO DBD;                     **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_002 TO DBD;                     **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_003 TO DBD;                     **
**                                                                   **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO DBD;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_002 TO DBD;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_003 TO DBD;                     **
**                                                                   **
** GRANT EXECUTE ON CATEGORY CAT_OCF TO DEV;                         **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_001 TO DEV;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO DEV;                     **
**                                                                   **
** GRANT EXECUTE ON CATEGORY CAT_OCF TO MIG;                         **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_001 TO MIG;                     **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_002 TO MIG;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO MIG;                     **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_002 TO MIG;                     **
**                                                                   **
** GRANT EXECUTE ON CATEGORY CAT_OCF TO HELP_DESK;                   **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_001 TO HELP_DESK;               **
** GRANT EXECUTE ON ACTIVITY OCF.ACT_002 TO HELP_DESK;               **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO HELP_DESK;               **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_002 TO HELP_DESK;               **
**                                                                   **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO IDMSSTC;                 **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_002 TO IDMSSTC;                 **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_003 TO IDMSSTC;                 **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_004 TO IDMSSTC;                 **
**                                                                   **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_001 TO EDSSTC;                  **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_002 TO EDSSTC;                  **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_003 TO EDSSTC;                  **
** GRANT EXECUTE ON ACTIVITY BCF.ACT_004 TO EDSSTC;                  **
**                                                                   **
***********************************************************************
         #UTABGEN (A,1,B,2,C,3,D,4),                                   X
               (PRINTSPACE,A,SETOPTIONS,A),                            X
               (ARCHIVELOG,B,CLEANUP,B,PRINTINDEX,B,                   X
               PRINTJOURNAL,B,PRINTPAGE,B,                             X
               PRINTLOG,B,UPDATESTATISTICS,B),                         X
               (ARCHIVEJOURNAL,C,BACKUP,C,BUILD,C,                     X
               CONVERTPAGE,C,EXPANDPAGE,C,FASTLOAD,C,FIXPAGE,C,        X
               FORMAT,C,INSTALLSTAMPS,C,LOAD,C,LOCK,C,                 X
               MAINTAININDEX,C,PUNCHLOADMODULE,C,                      X
               RELOAD,C,RESTORE,C),                                    X
               (RESTRUCTURE,C,RESTRUCTURECONNECT,C,                    X
               ROLLBACK,C,ROLLFORWARD,C,SYNCHRONIZESTAMPS,C,           X
               TUNEINDEX,C,UNLOAD,C,UNLOCK,C,                          X
               VALIDATE,C),                                            X
               (CONVERTCATALOG,D,FIXARCHIVE,D,                         X
               MAINTAINASF,D,MERGEARCHIVE,D)
         END

There are three utility commands (BUILD, EXTRACT JOURNAL, PRINT LOG) mentioned in the IDMS Utilities Manual that are not specified as parameters in #UTABGEN in the IDMS Security Administration Manual. EXTRACT JOURNAL is implemented as part of the ROLLFORWARD command. The other two are implemented as BUILD and PRINTLOG parameters in #UTABGEN.

When running IDMSBCF as a batch to CV job, it checks the OCF Execute Privilege and not the BCF Execute Privilege for the Resource Activity associated with the Activity Classes defined in #UTABGEN. It works fine when IDMSBCF is running in local mode, i.e. it uses the BCF Execute Privilege.

In response to this issue raised with CA, a DOCUP has been created for this matter of securing the individual BCF/OCF utility commands. The bottom line is that the term BCF applies to local mode batch only, while the term OCF applies both to OCF and batch to CV (i.e. central mode batch).

The following DOCUP is for:
1. The "Advantage CA-IDMS Release 16.0 Release Summary" guide
   Topic 5.0 Utility and Sysgen Enhancements
   Subtopic 5.9 Security Enhancements
   5.9.3 #UTABGEN
   5.9.3.3 Parameters (<= insert A)
   5.9.3.5 Example (<= insert B)
2. The "Advantage CA-IDMS Security Administration" guide
   Chapter 10. Syntax for Assembler Macros
   Subtopic 10.2 #UTABGEN
   10.2.3 Parameters (<= insert A)
   10.2.5 Examples (<= insert B)
-----------------------------------------------------------------------------
1. Part A
======
Add the following note at the end of the "BOTH,BCF,OCF"-clause and just before the "command-code"-clause:

Note: The terms BCF and OCF are used to distinguish between operations processed inside the CV from those processed in the batch address space. This means that the term BCF applies to local mode batch only, while the term OCF applies to both OCF and batch to CV (i.e. central mode batch).

2. Part B
======
Add the following to the end of the sentence that begins with "OCF indicates (that) the commands ....":

... running in the online command facility OCF => or as part of the batch command facility: IDMSBCF running in central mode.

Add the following to the end of the sentence that begins with "BCF indicates that the commands ....":

... of the batch command facility: IDMSBCF => running in local mode only.

The intention was to distinguish between OCF & BCF, i.e. between operations processed inside the CV (OCF and batch to CV) and those processed in the batch address space (local mode batch). The reason for that is that in local mode batch, external security can be used to protect DB files from illegal attempts to update them, while under the CV, no such protection exists. There is indeed some confusion about the terms OCF & BCF, while it would perhaps have been better to call them 'online' (OCF & batch to CV) and 'batch' (local mode batch).

I inquired with CA whether, if we restore an old copy of IDMSDDAM (to back out the changes in #UTABGEN) and no resource activity numbers are assigned in the old IDMSDDAM, we can leave the resource activities defined in the SYSTEM catalog.

The CA response is:

We do the security calls based on what's in #UTABGEN, and if there's nothing in #UTABGEN we don't do the calls, so it doesn't matter what's in the system catalog. If you revert to an old idmsddam with a different idmsutab module linked (or none at all), an activity code of 0 is assumed for those entities that are not coded. Activity code 0 represents no security. So you can leave the resource activities defined in the SYSTEM catalog?

Regards,
Paul Mak
Database Administrator - IDMS

EDS, an HP company

Applications Services, Data Engineering Capability - Sydney Level 3, 36-46 George Street, Burwood, NSW 2134, AUSTRALIA

Tel: +61 2 90125434
Fax: +61 2 90126612
Mobile: +61 419 398 116
E-mail: paul.mak@eds.com

We deliver on our commitments so you can deliver on yours.
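
The lookup chain this post describes (command, class code, activity number, then the OCF or BCF activity picked by run mode), as an added Python model that is not part of the original message and not CA's implementation. It uses a subset of the coded commands, takes the grants from the comment block above, ignores the CAT_OCF category grants, and the mode names `local`, `central` and `online` are labels made up for this example.

```python
# Simplified model of the checks described in the post; not CA IDMS code.
CLASS_TO_ACTIVITY = {"A": 1, "B": 2, "C": 3, "D": 4}  # (A,1,B,2,C,3,D,4)
COMMAND_TO_CLASS = {  # a subset of the commands coded in the post's #UTABGEN
    "PRINTSPACE": "A", "CLEANUP": "B", "BACKUP": "C",
    "FIXPAGE": "C", "MERGEARCHIVE": "D",
}
# Per the DOCUP: BCF is local mode batch only; OCF covers OCF and batch to CV.
MODE_TO_APP = {"local": "BCF", "central": "OCF", "online": "OCF"}


def acts(app, *numbers):
    """Build activity resource names in the post's APP.ACT_nnn style."""
    return {f"{app}.ACT_{n:03d}" for n in numbers}


# GRANT EXECUTE ON ACTIVITY statements from the post, keyed by grantee.
GRANTS = {
    "DBA": acts("OCF", 1, 2, 3, 4) | acts("BCF", 1, 2, 3, 4),
    "DBD": acts("OCF", 1, 2, 3) | acts("BCF", 1, 2, 3),
    "DEV": acts("OCF", 1) | acts("BCF", 1),
    "MIG": acts("OCF", 1, 2) | acts("BCF", 1, 2),
    "HELP_DESK": acts("OCF", 1, 2) | acts("BCF", 1, 2),
    "IDMSSTC": acts("BCF", 1, 2, 3, 4),
    "EDSSTC": acts("BCF", 1, 2, 3, 4),
}


def resource_checked(command, mode):
    """Activity resource consulted for a command, or None for activity code 0."""
    activity = CLASS_TO_ACTIVITY.get(COMMAND_TO_CLASS.get(command), 0)
    if activity == 0:  # command not coded: no security call is made
        return None
    return f"{MODE_TO_APP[mode]}.ACT_{activity:03d}"


def allowed(grantee, command, mode):
    """True when no check applies or the grantee holds the checked activity."""
    resource = resource_checked(command, mode)
    return resource is None or resource in GRANTS.get(grantee, set())


def mode_gaps():
    """(grantee, command) pairs allowed in local mode but refused batch to CV."""
    return sorted((g, c) for g in GRANTS for c in COMMAND_TO_CLASS
                  if allowed(g, c, "local") and not allowed(g, c, "central"))


if __name__ == "__main__":
    for grantee, command in mode_gaps():
        print(f"{grantee}: {command} passes in local mode, fails batch to CV")
```

With the grants as posted, only IDMSSTC and EDSSTC appear in `mode_gaps()`, because they hold BCF activities but no OCF ones.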