Introduction
Who Should Read This Guide
This guide is written primarily for use by those persons who will be using the MAGEC software to specify and maintain security parameters for applications.
Copies of this guide should be distributed to:
Application Developers
Database Administrators
System Analysts
Security Officers
Auditors
This book is not intended to replace the Online Documentation but to augment it. This book will introduce the reader to the basic process used to control security for online applications. In order to demonstrate the tasks most effectively, it uses a tutorial to define security parameters for the newly developed Vacation application (refer to the "Application Developer" and "Customization" Tutorials).
Supplemental Reading
This guide is written assuming that the reader is familiar with the overall MAGEC philosophy. It presumes that you understand how the "standard set of nine" functions work and that you are familiar with the standard screen formats of MAGEC. You may wish to browse through this book first to gain an initial understanding of the security definition process.
While doing the sample project it would also be useful for you to have several other MAGEC manual sections handy:
MAGEC "Security" (Programmer's Reference Guide)
Application User's Guide
This tutorial may be used as an introductory course without requiring you to have read the other material listed above since brief explanations are included for all features necessary.
This project assumes that you have completed the Application Developer Tutorial and Customization Tutorial projects.
How to Use This Tutorial
Throughout this book you will find explicit commands telling you exactly what to do. You will also notice quite a bit of explanation and background information to help you to understand what is happening.
In order to allow you to "skim" over the background information the first pass through the book we have inserted "markers" pointing to the explicit commands. They look like this:
DO THIS:
The commands will be inside a box like this.
You may wish to go through the tutorial actually doing the project as you read, then re-read it for more complete explanation. This technique seems to facilitate faster learning for many people.
Using PC MAGEC
For a variety of reasons it is preferable that you do this project on a PC (or PS/2) using the PC version of MAGEC.
First, since you will be altering security parameters you will eliminate the risk of creating problems for someone else if you are working on a standalone PC workstation.
Second, we recommend that you use the MAGEC installer logon ID of 18, password of ALEE. This ID will likely be removed from your mainframe installation of MAGEC by your security officers once MAGEC has been completely installed -- certainly once there are MAGEC applications in "production" status.
Third, this project has you define a new logical application, 01 Employee Relations. There is the distinct possibility that your mainframe system will already have logical application 01 defined (by your security officers) for some other application developed at your installation.
Fourth, you can easily undo all your work to start over fresh (on a PC) by simply re-installing MAGEC using the initial installation procedure.
NOTE:
Re-installing MAGEC using the initial installation procedure un-does all of the work you have done, including the application developer tutorial projects and any applications you might have developed. It involves a complete overlay of the MAGEC dictionary from the installation disks. A different procedure, the upgrade procedure, using a different set of disks can be done to upgrade your MAGEC software to a newer version without destroying your own work.
Getting Started
Deleting Previous Student's Work
You might not be the first one in your shop to do this project; therefore, you might need to delete the previous student's work before you begin. To do so:
DO THIS:
Follow instructions in Appendix A of this tutorial, if necessary.
The Project
In this tutorial we will define (or modify) the security parameters for the Vacation Application which was developed in the "Application Developer" Tutorial project. The Vacation application consists of nine online functions:
The definition of security parameters affects several things: 1) who may do each function, 2) automatic menus generated from security parameters, 3) audit trails produced showing who has done these functions. The audit trails may show (optionally), for each record on the file, who has updated it, from which terminal, using which program, at what time and date. They may also give you the ability to report activity showing who has done any function between certain dates, times-of-day, at certain terminals, and so forth. The security parameters may control access by operator, terminal, location, dates, times-of-day, and so forth.
This project will not demonstrate every aspect of the security facilities built into MAGEC. It will give you a good working knowledge to enable you to begin using MAGEC's security features. An in-depth knowledge will come from experience and from reading the "Security" chapter of the MAGEC Programmer's Reference Guide.
All security parameters are entered online through MAGEC.
DO THIS:
Use the TS01 TransID to enter MAGEC, log on as usual. Use Employee number 18, Password ALEE.
Logical Applications
LAPxxx Functions
To list the Logical Applications currently defined to the dictionary:
DO THIS:
Key in the command: LAPLOC 1, press ENTER.
The screen will return showing a list of defined LAP's, as shown on opposite page.
A list of Logical Applications will be displayed to you. If you wished to modify one of these definitions you could position the cursor down to the line on which it is displayed and press PF4 (F4, on a PC) to be transferred to the LAPCHG screen for the selected item.
Logical Applications are groupings of online functions. You can define up to fifty-one (51) Logical Applications to the MAGEC dictionary. The four (4) shown on the opposite page are the standard ones provided with MAGEC; they control the MAGEC "system" functions.
Logical Applications are identified by a two-digit number from 00 through 50. Numbers 00, 48, 49, and 50 are predefined by MAGEC; numbers 01 through 47 are available for your use.
Some examples of Logical Applications you might define are:
Each Logical Application (LAP) can include an unlimited number of online function codes (i.e. VACSEE, VACCHG, CUSLOC, etc.).
Each Function code must belong to one, and only one, LAP.
The various function codes supported by one MMP (program) need not belong to the same LAP; therefore, VACADD may belong to LAP 01 while VACCHG may belong to LAP 05, and so forth.
The defined LAP codes are used to build the high level menu for an operator when it is requested.
The defined function codes are used to build the low level menu for the operator.
Only those LAPs and Functions for which a given operator is authorized appear on his/her menus.
LAPLOC 1
END OF LIST PF5 = Restart/PF7=Backward
LAP-NBR SHORT-NAME LONG-NAME
00 MISC Miscellaneous Functions
48 SPLR MAGEC Spooler Functions
49 SEC. MAGEC Security System
50 PROG MAGEC Developemnt/Testing/DBA
++++ 04 Records Scanned, 04 Displayed so far - Page 1 ++++
KEY 1 = MAGEC LAP FILE MASTER KEY Press PF13 for Hardcopy
You may Position the CURSOR on an item and Press ENTER to "SEE" it
(Browsing Forward) or Press PF4 to "CHG" it
Figure 01 -- Logical Application "Locate" Screen
Now, let us add a new LAP. We must define it to the MAGEC dictionary. The new LAP will be number 01; it will be defined as the Employee Relations system.
DO THIS:
Key the command LAPADD 01, press ENTER.
The screen will be returned to you in the format for entering the definition for a new Logical Application.
LOGICAL APPLICATION NUMBER is the 2-digit identifier; this field is not enterable since you have already given the LAP number above in the SKEY area of the screen (top line).
SHORT NAME is a 4-character abbreviated description. It is used in places where there is not room for the long name.
LONG NAME is the 30-character name of this Logical Application. It will be used in the high level menu screen and other places where there is sufficient space to show it, rather than the short name.
LAPADD 01 Enter data to be ADDED
M A G E C
LOGICAL APPLICATION DEFINITION
LOGICAL APPLICATION NUMBER= 01
SHORT NAME: ____
LONG NAME: ______________________________
Figure 02 -- Logical Application "Add" Screen
DO THIS:
Key in data as shown. Press ENTER.
The message in the top right corner of the screen will tell you: "Data ADDED to database."
Since MAGEC's dynamically-generated menus are driven by dictionary definitions, the long description you enter here should be one which will be useful to an operator on the high-level (main) menu.
The short description will appear on other screens where space will not permit the long name; it should be as mnemonic as you can make it so that it is clearly understood. Short names such as "AP01" and "AP02" would not be very helpful.
LAPADD 01
M A G E C
LOGICAL APPLICATION DEFINITION
LOGICAL APPLICATION NUMBER= 01
SHORT NAME: Empl
LONG NAME: Employee Relations / Vacation
Figure 03 -- Logical Application Screen
Main Menu
**MENU Function
Now let's look at the main menu.
DO THIS:
Key in the command **MENU. Press ENTER.
Notice that your new LAP appears on the main menu. It will appear there for any employee who is authorized to do LAP 01's functions. Since you are logged on as the MAGEC installer, employee 18, you are authorized for all functions. For other persons you will need to explicitly specify authorization levels in each LAP for each person as you add operator profiles to the dictionary. We will do that later on in this project.
The MAGEC menu screens are dynamically generated at the time they are requested by the operator. They are driven by the dictionary's definitions for what functions and logical applications exist, what security authorization levels are required by them, who is logged on to this terminal, and what authorization levels the operator and terminal possess.
This means that the menus:
- are never out of step with security
- are available at any time
- can be bypassed by experienced operators
MAGEC's menus are controlled by the dictionary security parameters; they do not control security (as other menu schemes usually do).
The operator can move the cursor down to the line on which the desired logical application appears and press ENTER. This will result in an intermediate-level menu for the selected logical application (showing only those functions or groups-of-functions which the operator is authorized to do).
The operator can cursor-select one of the functions or groups-of-functions from the intermediate level menu. If the item selected was an individual function, then he/she will be transferred directly to the application screen for that function. If it was a group, he/she will be presented a low-level menu for that group. Selecting from the low-level menu will transfer directly to a function's application screen.
**MENU END OF DATA Reached
M A G E C User View TS01
MAIN MENU
01 Employee Relations / Vacation
48 MAGEC Spooler Functions
49 MAGEC Security System
50 MAGEC Development/Testing/DBA
** END OF MENU **
To select a Logical Application move the CURSOR down to its line - Press ENTER
PF15 = exit MAGEC, PF9 = swap windows, PF1 = HELP PF5 = RESTART
Figure 04 -- Main Menu Screen
Function Codes
FCDxxx Functions
Next we will modify the function codes for the vacation application.
When we originally generated the vacation application, MAGEC automatically generated definitions for all nine standard functions in the FCD file. When MAGEC generated them, it set default parameters such that the VAC... functions could be accessed from any test user view but from no production user views. MAGEC also defaulted each of the functions to belong to Logical Application (LAP) 50 - development/testing/debugging.
Now we will alter them to assign them to our new LAP (01 - Employee Relations.)
DO THIS:
Key in the command: FCDLOC VAC, press ENTER.
The FCDLOC VAC command will list function codes beginning with the first one equal to or greater than the key argument given. In this example the key argument is "VAC ".
The VACTOT function shown in the display is the one created in the third "Customization" Tutorial project. It is actually a tenth function code for the Vacation application.
The screen display continues listing function codes beyond the last VAC. . . function since it is a simple browse. You could alternately have used a scan or find command to show only function codes starting with VAC, for example:
or>
If you had done either of these "programmerless queries", you could then take advantage of the Short-List facility to select each of the VAC. . . functions from a pop-up window. The Short-List is invoked by pressing PF24 from the maintenance screen after having done a browse or query.
In this project we are having you use the less elegant, more basic, method of executing a browse, selecting an item for update, updating the item, and re-executing the browse to enable you to select the next item.
FCDLOC VAC END OF LIST PF5=Restart/PF7=Backward
FUNCT. LAP DESC T-MMP LVL HLD P-MMP LVL HLD
VACADD 50 VAC MAINT 600 1 N 600 9 N
VACCHG 50 VAC MAINT 600 1 N 600 9 N
VACDEL 50 VAC MAINT 600 1 N 600 9 N
VACDUP 50 VAC MAINT 600 1 N 600 9 N
VACFND 50 VAC MAINT 600 1 N 600 9 N
VACLOC 50 VAC MAINT 600 1 N 600 9 N
VACNXT 50 VAC MAINT 600 1 N 600 9 N
VACSCN 50 VAC MAINT 600 1 N 600 9 N
VACSEE 50 VAC MAINT 600 1 N 600 9 N
VACTOT 50 VAC MAINT 600 1 N 600 9 N
VERZUN 50 PGM/MSK VERSION VERIFICATION 652 1 N 652 1 N
WHOMAY 49 Show Authorized Users for Func 665 1 N 665 1 N
WHOSON 49 List who is logged on 665 8 N 665 8 N
WINDOW 00 Swap Windows 652 0 N 652 0 N
++++ 14 Records Scanned, 14 Displayed so far - Page 1 ++++
KEY 1 = FUNCTION CODE
Press PF13 for Hardcopy
You may Position the CURSOR on an item and Press ENTER to "SEE" it
(Browsing Forward) or Press PF4 to "CHG" it
Figure 05 -- Function Code "Locate" Screen
DO THIS:
Position the cursor to the line where VACADD is displayed, press PF4.
By positioning the cursor to a line and pressing PF4, you have selected that item for change.
The full-screen FCDCHG screen will appear with the definition for the selected function (VACADD) filled in.
This shows you the current values specified - they are the default values generated by the MMPCREAT process at the time the Vacation Application was initially generated.
Desc is a 30-character description which will appear on the automatically-generated menus; it should be one which will be helpful to an operator requesting a menu.
Logical Application is the 2-digit (01 through 50) LAP number. LAP 50 is for Development/Testing/ and Database Administration functions -- it is the default LAP which MAGEC uses when it automatically creates the FCD entries; you can change it to any valid LAP number.
Separate TEST and PRODUCTION profiles are supported for many of the parameters. This enables you to conduct production processing, development, and testing on one MAGEC system. You can separate programs, files, and security parameters to prevent end-users from accessing test data and to prevent developers and prototypers from accessing production files and programs.
User Views are the sixteen (16) MAGEC user views (TS01 through TS08 and PR01 through PR08). You specify (Y or N) whether this function may be executed from each of the user views.
MMP Number is the 3-character identification for the program which is executed to handle this function.
Auth Level is the authorization level (0 through 9) which is required to access this function. You should interpret this as meaning the authorization level within the specified logical application. A level of 0 indicates "no authorization", a level of 9 indicates the highest possible authorization.
Hold is a Y or N indicator which specifies whether this function is temporarily suspended, Y indicates "on hold."
This Function Invokes Auto Edit (Y or N) is a Y or N indicator which specifies whether this is an updating function (i.e. add, change, duplicate) which requires MAGEC to perform the automatic screen field edits to validate the data entered. Functions ending in ADD, CHG, or DUP will automatically be treated as updating functions, regardless of the setting of this indicator -- other functions will not be considered as updating functions unless the setting is Y.
FCDCHG VACADD
M A G E C
FUNCTION CODE DEFINITION
FUNCTION CODE= VACADD DESC: VACATION/SICK/COMP DAYS
LOGICAL APPLICATION NUMBER: 50 MAGEC Development/Testing/DBA
TEST PRODUCTION
87654321 87654321
USER VIEWS: YYYYYYYY USER VIEWS:
MMP NUMBER: 600 MMP NUMBER: 600
AUTH LEVEL: 1 AUTH LEVEL: 9
HOLD: N HOLD: N
THIS FUNCTION WILL INVOKE AUTO EDIT (Y OR N): Y
Press PF4 for browse (LOC) screen
Press PF13 for Hardcopy
Press PF16 to Copy field to buffer Press PF17 to Paste data from buffer
Press PF2 for field-level HELP Press PF24 for Pop-Up Short-List
Figure 06 -- Function Code Definition Screen
NOTE:
There is a "global change" function, FCDGBL, which will enable you to alter a set of function code definitions in one transaction. You could use FCDGBL to change all the VAC... function codes instead of using FCDCHG on each one individually. In this exercise we are having you use the more tedious, but more instructive, individual method. In real-life you would probably often choose to use the global change facility instead to save time. FCDGBL is described in more detail in the Programmer's Reference Guide in the "Security" chapter.
DO THIS:
Key in changes as shown. Press ENTER.
You are entering the description which will be used on the lower level menu. When MAGEC automatically generated the FCD records, it used a default description of VAC MAINT. You are overkeying it with one which will be more pleasing on the menu. You are also overkeying the default logical application number (50) with 01, specifying Y (yes) for all eight production user views, and changing the production authorization level to 1.
The description for the logical application which appears on the screen will change to reflect the change you have made to the logical application number after you have pressed ENTER.
Now, you must repeat these changes for each of the VAC... functions.
NOTE:
A message at the bottom of the screen will remind you that you must do the **LOAD function in order to make your changes take effect immediately. It is not necessary to do **LOAD after each individual update when you are going to do several updates; you should do **LOAD after you have completed all your updates.
When MAGEC is first initialized, at the time your TP Monitor (CICS, Westi, etc.) is started up, it loads the security and data definition parameters from the disk-resident dictionary into main memory. This greatly improves efficiency for your applications, avoiding many run-time I/O's. If you alter the disk-resident dictionary parameters and wish the changes to become effective before the next time that your TP Monitor is brought down and back up, you must do the **LOAD function which tells MAGEC to re-load its main memory images of the dictionary data. Of course, the next time the TP Monitor is brought down and back up they will be re-loaded automatically.
FCDCHG VACADD
M A G E C
FUNCTION CODE DEFINITION
FUNCTION CODE= VACADD DESC: Vacation data
LOGICAL APPLICATION NUMBER: 01 MAGEC Development/Testing/DBA
TEST PRODUCTION
87654321 87654321
USER VIEWS: YYYYYYYY USER VIEWS: yyyyyyyy
MMP NUMBER: 600 MMP NUMBER: 600
AUTH LEVEL: 1 AUTH LEVEL: 1
HOLD: N HOLD: N
THIS FUNCTION WILL INVOKE AUTO EDIT (Y OR N): Y
Press PF4 for browse (LOC) screen Press PF13 for Hardcopy
Press PF16 to Copy field to buffer Press PF17 to Paste data from buffer
Press PF2 for field-level HELP Press PF24 for Pop-Up Short-List
Figure 07 -- Function Code Definition Screen
After changing the definitions for each of the VAC. . . functions you will return to the list of function codes (the Locate screen) so that you can select the next one to change it.
DO THIS:
After you have successfully updated the record -- Press PF3.
Pressing the PF3 key (called the Escape Back key in SAA terminology) will return you to the FCDLOC screen as you left it; pressing PF4 instead of PF3 would return to the FCDLOC screen with the item you just changed at the top of the list.
DO THIS:
Cursor-select the next VAC... function using PF4, make the changes to it. Press ENTER.
DO THIS:
Repeat the steps on this page for all of the VAC... functions.
When you are finished updating the function code definitions for the Vacation application you will need to tell MAGEC to re-load its main memory images.
DO THIS:
After updating all the VAC... functions -- Enter the **LOAD command (at top left of the screen) and press ENTER.
The **LOAD command will cause MAGEC to re-load its main memory images of the dictionary data. You will be notified of its successful completion with a message in the top-right of the screen telling you the number of function codes loaded.
FCDLOC VAC END OF LIST PF5=Restart/PF7=Backward
FUNCT. LAP DESC T-MMP LVL HLD P-MMP LVL HLD
VACADD 01 Vacation data 600 1 N 600 1 N
VACCHG 50 VAC MAINT 600 1 N 600 9 N
VACDEL 50 VAC MAINT 600 1 N 600 9 N
VACDUP 50 VAC MAINT 600 1 N 600 9 N
VACFND 50 VAC MAINT 600 1 N 600 9 N
VACLOC 50 VAC MAINT 600 1 N 600 9 N
VACNXT 50 VAC MAINT 600 1 N 600 9 N
VACSCN 50 VAC MAINT 600 1 N 600 9 N
VACSEE 50 VAC MAINT 600 1 N 600 9 N
VACTOT 50 VAC MAINT 600 1 N 600 9 N
VERZUN 50 PGM/MSK VERSION VERIFICATION 652 1 N 652 1 N
WHOMAY 49 Show Authorized Users for Func 665 1 N 665 1 N
WHOSON 49 List who is logged on 665 8 N 665 8 N
WINDOW 00 Swap Windows 652 0 N 652 0 N
++++ 14 Records Scanned, 14 Displayed so far - Page 1 ++++
KEY 1 = FUNCTION CODE
Press PF13 for Hardcopy
You may Position the CURSOR on an item and Press ENTER to "SEE" it
(Browsing Forward) or Press PF4 to "CHG" it
Figure 08 -- Function Code Browse Screen
Low-Level Menus
$$MENU Function
Now let's look at the low-level menu for LAP 01.
DO THIS:
Key in the command $$MENU 01. Press ENTER.
You can see the low-level menu by keying in the $$MENU command or by starting from the high-level menu and cursor-selecting the desired LAP. Another way, as you will see, is to set a session option which equates the CLEAR or PA1 key to the $$MENU command.
The low-level menu is driven by the function code definitions from the dictionary. You can control the descriptions which appear on this menu by controlling the descriptions for the individual function codes in the FCD definition.
The most usual way for an operator to get to the low-level menu is from a higher menu. MAGEC automatically supports three levels of menus. The highest is the main menu (**MENU), showing Logical Applications. The intermediate level menu (++MENU) shows groups of functions (they are grouped by the first three characters of the function code). The $$MENU is the lowest level menu.
Another way of getting to the low-level menu is by simply typing in the command $$MENU nn (as we have done here). (nn = any valid logical application number.)
NOTE:
There are several miscellaneous function codes which appear on every low-level menu, for any logical application, even though they are not actually part of that logical application. These are general purpose functions which are available for anyone at any time. For example, OPTION, WINDOW, and PRINTS (set session option, swap windows, and print screen, respectively).
$$MENU 01 END OF DATA Reached
User View TS01
MENU FOR: M A G E C Employee Relations / Vacation
Function Key Entry Action Description
OPTION ____________________________________ SET SESSION OPTIONS
PRINTS ____________________________________ MAGEC SCREEN PRINT
VACADD ____________________________________ ADD Vacation data
VACCHG ____________________________________ CHANGE Vacation data
VACDEL ____________________________________ DELETE Vacation data
VACDUP ____________________________________ COPY Vacation data
VACFND ____________________________________ FIND Vacation data
VACLOC ____________________________________ LOCATE Vacation data
VACNXT ____________________________________ NEXT Vacation data
VACSCN ____________________________________ SCAN Vacation data
VACSEE ____________________________________ DISPLAY Vacation data
VACTOT ____________________________________ Vacation total
WINDOW ____________________________________ Swap Window
** END OF MENU **
To SELECT a Function, Position the CURSOR down to the line on which it is shown,
Enter the KEY VALUE beside it if appropriate, Press ENTER
-or- Press PF2 for HELP Instructions for the selected Function
Figure 09 -- Menu Screen
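The access decision and the menus it drives can be modelled as below, using VACADD before and after the changes made in this tutorial. This is an added example, not MAGEC code: the rule that an operator's level in the function's LAP must be at least the function's AUTH LEVEL, the treatment of LAP 00 functions as the ones shown on every low-level menu, and the CLERK operator are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace

VIEW_HEADER = "87654321"  # column order printed above the Y/N flags on the FCD screen
MISC_LAP = 0              # assumption: the "on every menu" functions live in LAP 00


@dataclass
class FunctionCode:
    """One FCD entry with the TEST and PRODUCTION columns of the FCDCHG screen."""
    code: str
    lap: int
    test_views: str
    prod_views: str
    test_level: int
    prod_level: int
    test_hold: bool = False
    prod_hold: bool = False


@dataclass
class Operator:
    """Hypothetical operator: authorization level per LAP (0 when not listed)."""
    name: str
    lap_levels: dict = field(default_factory=dict)


def view_allowed(flags, view_number):
    """Read the flag for user view n from a string laid out under 87654321."""
    padded = flags.upper().ljust(8)  # blank positions count as N
    return padded[VIEW_HEADER.index(str(view_number))] == "Y"


def may_execute(op, fcd, user_view):
    """Decide whether op may run fcd from a user view such as 'TS01' or 'PR08'."""
    env, number = user_view[:2], int(user_view[2:])
    if env not in ("TS", "PR") or not 1 <= number <= 8:
        raise ValueError(f"unknown user view {user_view!r}")
    if env == "TS":
        flags, required, hold = fcd.test_views, fcd.test_level, fcd.test_hold
    else:
        flags, required, hold = fcd.prod_views, fcd.prod_level, fcd.prod_hold
    if hold or not view_allowed(flags, number):
        return False
    # Assumption: the operator's level in the function's LAP must reach the
    # level the function requires; the page does not spell out the comparison.
    return op.lap_levels.get(fcd.lap, 0) >= required


def main_menu(op, fcds, laps, user_view):
    """**MENU: every LAP in which op can run at least one function.
    LAP 00 is left out because the page's main menu screen does not list it."""
    usable = {f.lap for f in fcds if may_execute(op, f, user_view)}
    return [(n, laps[n]) for n in sorted(usable) if n != MISC_LAP and n in laps]


def low_level_menu(op, fcds, lap, user_view):
    """$$MENU nn: authorized functions of one LAP plus the LAP 00 ones."""
    return sorted(f.code for f in fcds
                  if f.lap in (lap, MISC_LAP) and may_execute(op, f, user_view))


# Values from the page's screens; WINDOW's user-view flags are constructed.
LAPS = {1: "Employee Relations / Vacation", 50: "MAGEC Development/Testing/DBA"}
VACADD_DEFAULT = FunctionCode("VACADD", 50, "YYYYYYYY", "", 1, 9)
VACADD_CHANGED = replace(VACADD_DEFAULT, lap=1, prod_views="YYYYYYYY", prod_level=1)
WINDOW = FunctionCode("WINDOW", 0, "YYYYYYYY", "YYYYYYYY", 0, 0)
CLERK = Operator("clerk", {1: 1})  # constructed: level 1 in LAP 01 only

if __name__ == "__main__":
    for label, vacadd in (("default", VACADD_DEFAULT), ("changed", VACADD_CHANGED)):
        fcds = [vacadd, WINDOW]
        print(label, may_execute(CLERK, vacadd, "PR01"),
              main_menu(CLERK, fcds, LAPS, "PR01"),
              low_level_menu(CLERK, fcds, 1, "PR01"))
```

Because both menus call the same `may_execute` predicate that guards execution, putting a function on hold or lowering an operator's level removes the menu entry and the access in one step.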
Session Options
Using the OPTION function an operator can customize the functionality of the CLEAR and PA1 keys and can also set a Stack Option which determines the action of the Attach/Detach function when the stack is exceeded.
Special Keys Option
For convenience, an operator can set a Special Keys Option to equate the CLEAR and PA1 keys to various MAGEC functions.
The "E" option would result in the high-level menu (**MENU) being displayed when the CLEAR key is pressed and the low-level menu when the PA1 key is pressed. The PA1 key, in that case, would be used to return from any application screen to the low-level menu.
Stack Option
The Stack Option controls the stack feature of Attach/Detach. For more detailed information regarding Attach/Detach, refer to the "Customization" Tutorial, Appendix R.
Setting the Stack Option to 'P' pushes the oldest entry off the stack and replaces it with the current screen.
The 'C' option clears the stack, then saves the current screen as the first entry in a new stack.
The 'F' option transfers the screen without adding to the stack by using the FTH-FUNCT.
If the Stack Option is left blank, a pop-up window will be displayed to the operator whenever the fourth screen (the limit is three) is added to the stack. When the window is displayed, the operator must choose one of the above-mentioned option codes.
To view or change your Session Options:
DO THIS:
Key in the command OPTION. Press ENTER.
You can change your session options either temporarily (for this session only) or permanently (until you again change it to something else), by pressing either PF4 or ENTER, respectively. If you press ENTER the new option is stored in your security profile and applied each subsequent time you log on to MAGEC.
At this time you may wish to experiment with different session options, setting different values and then pressing CLEAR and PA1 to see what happens. Most MAGEC users find that option B or C is the best suited to their usage patterns since MAGEC is structured to steer operators away from menus and toward entering direct mnemonic commands. Application developers sometimes prefer the D option.
OPTION 000000018
Date 05/11/92 M A G E C User View TS01
Time 11:48:09 SESSION OPTIONS
Operator Name BOBBIE LLOYD
Special Keys Option: C Option A == PA1 = $$MENU, CLEAR = CLEARS
Option B == PA1 = **MENU, CLEAR = CLEARS
Option C == PA1 = VERZUN, CLEAR = CLEARS
Option D == PA1 = MSKDEF, CLEAR = TSKLST
Option E == PA1 = $$MENU, CLEAR = **MENU
Stack Option: P Option P == PUSH oldest entry from stack and
add this entry before doing attach
Option C == CLEAR all entries from stack
Option F == FETCH instead of attach--stack remains
Blank == Present pop-up window for stack options
Enter desired Option Codes; press PF4 for temporary setting
ENTER for permanent setting
NOTE:
There is no need to enter a key value with the OPTION function code since the only Operator ID you are allowed to set options for is your own and MAGEC will automatically insert your ID into the SKEY screen field, regardless of what you may, or may not, have typed there.
Figure 10 -- Session Options Screen
Operator Profile
SIFxxx Functions
DO THIS:
Enter the command : SIFSEE 18
The Security Information File screen will be displayed showing the profile for employee 18, Bobbie Lloyd. Let's review the parameters from this screen:
Employee # is the 9-digit number (usually Social Security or Social Insurance number) which identifies this operator uniquely. This is a protected field since you have already entered the employee number on the top line of the screen as the key.
Password is a 4-character password which may be alpha-numeric.
Location is a 3-character code defining which location(s) this operator may log on to MAGEC from. The dot (.) is a "wildcard"; hence, a location of ". . ." means "any location."
Days defines (with Y or N flags) which days of the week this operator may log on; the eighth position (H) means Holidays.
U-Views (user-views) specifies which of the sixteen MAGEC user-views this operator may access MAGEC through. The user-views are TS01 thru TS08 (test), and PR01 thru PR08 (production).
Last Name & First are the name of the operator.
On Hold is a Y or N indicator, Y means this operator is suspended - "on hold."
Term Date is the date (MM/DD/CCYY) that this operator is terminated. MAGEC will automatically suspend him/her on that date.
Max # Unauth Funct is the number (000 through 999) of times the operator may attempt to do a function he/she is not authorized to do before MAGEC automatically suspends him/her.
Logon Attempts is the number of attempts this operator may make to get his/her password correct (when logging on) before MAGEC automatically suspends him/her. Zeros (or '999') means infinite.
Time Out is the number of minutes (000 thru 999) this operator may leave the terminal idle (fail to press any transmit keys), before he/she is automatically logged off. Zeros means never.
Multi-Term Logon is a Y or N indicator specifying whether this operator may be logged on to more than one terminal at a time.
Group Identifier is any 10-character "code" which you may wish to use to identify operators belonging to any grouping, i.e. "TEMP" for temporary help, or "MIS" for MIS employees. You can alter the profiles for an entire group in one transaction if necessary, i.e. the project that the TEMP's were working on is cancelled.
Last Logon indicates the date and terminal this operator last logged on.
SIFSEE 18 ++ CENTRAL SECURITY OFFICER ++
M A G E C OPERATOR SECURITY INFORMATION
EMPLOYEE # 000000018 B L TEST PROD
PASSWORD: ALEE SMTWTFSH 87654321 87654321
LOCATION: ... DAYS: YYYYYYYY U-VIEWS: YYYYYYYY YYYYYYYY
LAST NAME: LLOYD FIRST: BOBBIE ON HOLD: N
TERM DATE: 12/31/1999 MAX # UNAUTH FUNCT: 999 LOGON ATTEMPTS: 999
TIME OUT: 999 MIN. GROUP IDENTIFIER: ALA Inc. MULTI-TRM LOGON: Y
LAST LOGON: PC01 ON 04/16/1991 SUSPEND AFTER: 999 INACTIVE DAYS
PSWD CHNGD: 11/03/1990 ,GOOD FOR 999 DAYS AUTHORIZED HOURS: 00 00 TO 24 00
....................AUTHORIZATION LEVELS BY APPLICATION........................
Empl(01): 9
SPLR(48): 9 SEC.(49): 9 PROG(50): 9
Press PF4 for browse (LOC) screen
Press PF13 for Hardcopy
Press PF16 to Copy field to buffer Press PF17 to Paste data from buffer
Press PF2 for field-level HELP
Figure 11 -- Operator Security Information Screen
Suspend After indicates the number of days of inactivity (failure to log on to MAGEC) which may pass before MAGEC will automatically suspend the operator, assuming him/her to be terminated, deceased, or just dis-interested.
Pswd Changed indicates the last date this operator changed his/her password (at logon time).
Good For ____ Days is the number of days (000 through 999) which the operator may go without changing his/her password. After that number of days MAGEC will not allow the operator to log on without changing the password. It automatically prevents the use of "trivial" passwords (too easy to guess) and the re-use of the same passwords by the same operator. A value of zeros (or '999') means infinity.
Authorized Hours is the range of hours-of-the-day (24-hour clock) during which this operator may log on. A range of 00 00 thru 24 00 means "any time of day."
Authorization Levels by Application specifies the levels (0 through 9) of authorization that this operator possesses in each of the defined logical applications (LAP's). The short name for each LAP is shown along with the LAP number. The LAP's 48, 49, and 50 are pre-defined by MAGEC and must always retain their original meanings (Spooler functions, Security functions, and Developer function, respectively). Other LAP's are defined by you as you need them. The new LAP (01) is shown on the screen. If you add other new LAP's they will also appear. A level of zero means a minimum (or no) authorization, a level of nine indicates the highest possible authorization, for each LAP.
NOTE:
There are some special meanings associated with certain authorization levels in the three MAGEC-defined LAP's. For example: a level 9 in Security (49) designates the operator as a "central security officer", a level 8 designates him/her as a "local security officer" -- a level 9 in Programming (50) designates the operator as a supervisor-level developer who can access other developer's library members without having to know the passwords, etc.
NOTE:
Your developers can associate certain levels of authorization in certain LAP's with special meanings. MAGEC always presents (in the TWA area) all of the security data (read-only access) for the current session; your programmers can interrogate that data and allow or disallow certain operations based upon operator, terminal, location, date, time, group-id, or any other criteria. This is in addition to the standard automatic security verifications done by MAGEC.
DO THIS:
Define yourself to the MAGEC security system. Enter the command:
SIFADD nnnnnnnnn (where nnnnnnnnn is your employee ID or social security number).
Fill in the fields on the screen and press ENTER.
If you have successfully added the new record defining yourself to the security system you will receive the message at the top left corner of the screen saying: Data ADDED to Database. You could immediately use your new ID and password to log on to MAGEC; there are no other steps necessary (i.e. no assemblies, no re-cycling of the online system, no "new copy" command).
SIFADD 123456789
M A G E C OPERATOR SECURITY INFORMATION
EMPLOYEE # TEST PROD
PASSWORD: ____ SMTWTFSH 87654321 87654321
LOCATION: ___ DAYS: ________ U-VIEWS: ________ ________
LAST NAME: ___________________ FIRST: ______________ ON HOLD: _
TERM DATE: __________ MAX # UNAUTH FUNCT: ___ LOGON ATTEMPTS: ___
TIME OUT: ___ MIN. GROUP IDENTIFIER: __________MULTI-TRM LOGON: _
LAST LOGON: ON SUSPEND AFTER: ___ INACTIVE DAYS
PSWD CHNGD: ,GOOD FOR ___ DAYS AUTHORIZED HOURS: __ __ TO __ __
....................AUTHORIZATION LEVELS BY APPLICATION........................
Empl(01): _
SPLR(48): _ SEC.(49): _ PROG(50): _
Figure 12 -- Operator Security Information Screen
Terminal Profile
DVCxxx Functions
Now let us look at the definition for a terminal in the MAGEC security system.
DO THIS:
Enter the command: DVCSEE * -- press ENTER.
The definition for your terminal will be displayed. The asterisk is interpreted as meaning "this terminal", as a convenience for you. MAGEC will substitute your terminal ID for the asterisk. You could have entered the command:
where xxxx is any valid terminal ID, your own or anyone else's. The specified terminal's profile would be shown.
The profile for a terminal is similar to the profile for an operator. When an operator logs on to a terminal MAGEC compares the authorization levels for the terminal and the operator (in each individual category) and applies the more restrictive of the two. This means that an operator's authorization at one terminal may be lower than at another. If any of his/her authorizations have been reduced, a message will warn him/her at log on time. The reduction applies only to this session; it does not alter the operator's profile.
An exception to this automatic authorization reduction is when a central security officer logs on. MAGEC automatically gives central security officers full access to all functions from all terminals. This is necessary in order to rescue local security officers who have somehow locked themselves out of the system or otherwise woven a tangled web from which they cannot escape. Needless to say, there should be only a few select individuals with central security officer authorization.
Location is the 3-character (no wildcards here) designation for the location of this terminal. Location codes are defined by you in MAGEC Table number 252. You can refer to the "Database Administration" chapter for explanations on how to update MAGEC Tables.
Buf Size is the size of the terminal's buffer (normally 1,920). It is used by the Spooler, not by the Security system.
Type is the terminal device type, i.e. 3278, 3279, etc. L/R is the line connection type: Local, Remote, Dialup, or logical Unit (the uppercase letter is the one-character abbreviation you can enter). 7-Color is a Y or N indicator to specify whether this terminal has 7-color support. Form is the 4-character designation for the type of paper mounted in this device if it is a printer, not a CRT. Active Report also applies only to printers. These fields are not used for Security, but for other MAGEC subsystems.
Desc is a 30-character free-form text field, a brief description for this terminal.
Status indicates whether this terminal is in service or not, valid values are Available or Disabled (the uppercase letter may be used as an abbreviation when entering).
DVCSEE PC01
M A G E C DEVICE DEFINITION (CRT/PRINTER)
ID= PC01 Home Gateway: ................
Location: SYS ( COMPUTER ROOM (SYSTEM PRINTERS) ) Buf Size: 1,920
Type: 3279 L/R: LOCAL 7-Color (Y/N) : N --TEST-- --PROD--
Desc: MAGEC Software - AT Portable 87654321 87654321
Status AVAILABLE Form: User Views: YYYYYYYY YYYYYYYY
Active Report Time Out: 999 min.
Print Classes: A SMTWTFSH
Authorized Hours : 00 00 to 24 00 Days: YYYYYYYY
...............MAXIMUM AUTHORIZATION LEVELS BY APPLICATION......................
Empl(01) : 0
SPLR(48): 9 SEC.(49): 9 PROG(50): 9
Press PF4 for browse (LOC) screen
Press PF13 for Hardcopy
Press PF16 to Copy field to buffer Press PF17 to Paste data from buffer
Press PF2 for field-level HELP
Figure 13 -- Device Definition Screen
Print Classes specifies the class (one character) to be assigned to reports generated from this terminal via the MAGEC Spooler.
Authorized Hours and Authorization Levels by Application are similar to those specifications for the operator.
If you wished to define another terminal to the MAGEC dictionary you would use the DVCADD command as:
NOTE:
Since terminal-level security is optional in MAGEC, it is not necessary to define your terminals to the dictionary. If a terminal is not defined, MAGEC assumes that it has unlimited access (subject, of course, to the operator's authorizations). It is necessary, however, to define terminals in order to take advantage of some Spooler functions or 7-Color extended attribute support.
Home Gateway is the Gateway name of this computer as defined on MAGEC Lookup Table #248. This entry must be a valid name, as defined on the table, or it must be left blank. An entry in this field is needed only if this computer is used as a Host and also as a Client machine using MAGEC's intrinsic TCP/IP networking facility. The purpose for this entry is to tell MAGEC's I/O module that any Data Classes which are defined as being at this Gateway name are actually local to this machine. This machine, it is assumed, also serves as a Host so that other machines (Clients) can access Data Classes which are local to this machine.
If this machine never serves as a Host, then it is not necessary for it to be defined to Table #248 and it is correct to leave this Home Gateway specification blank.
DVCADD tttt Enter data to be ADDED
M A G E C DEVICE DEFINITION (CRT/PRINTER)
ID= TTTT Home Gateway: ................
Location: ___ ( ) Buf Size: ______
Type: ____ L/R: ______ 7-Color (Y/N) : _ --TEST-- --PROD--
Desc: ____________________________ 87654321 87654321
Status _________ Form: ____ User Views: ________ ________
Active Report Time Out: ___ min.
Print Classes: _________________________________________ SMTWTFSH
Authorized Hours : __ __ to __ __ Days: ________
...............MAXIMUM AUTHORIZATION LEVELS BY APPLICATION......................
Empl(01) : 9
SPLR(48): 9 SEC.(49): 9 PROG(50): 9
Figure 14 -- Device Definition Screen
Review
What You Have Learned
As you can readily see, the security authorization profiles for operators and terminals combine to form the authorizations for any given session. The authorizations consist primarily of one-digit codes where 0 is the lowest possible and 9 is the highest, for each of up to 50 logical applications.
You can define the logical applications via the MAGEC dictionary. Every function code must belong to one logical application; it may not belong to more than one. The various functions handled by a given MMP (program) may, however, each belong to a different logical application from one another.
As the operator attempts to do any given function, MAGEC compares his/her authorization (for the logical applications to which that function belongs) against the authorization level required to do that function. If the operator is not authorized, MAGEC never even invokes the application program; instead, a message is sent telling him/her "Unauthorized".
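The following sketch is an added example, not MAGEC code and not part of the original guide. It models the rules described above: the more restrictive of operator and terminal level applies per LAP, central security officers and undefined terminals are not reduced, and a function runs only if the session level meets its required level. All names, the clerk profile, and the required level of 3 are assumptions made for illustration; the PC01 levels are taken from Figure 13.

```python
# Added illustration of the rules in this guide; not MAGEC code.
# Class, function and variable names are hypothetical.
from dataclasses import dataclass, field

SECURITY_LAP = 49        # pre-defined by MAGEC: Security functions
CENTRAL_OFFICER = 9      # level 9 in LAP 49 = central security officer


@dataclass
class Profile:
    levels: dict = field(default_factory=dict)   # LAP number -> level 0..9

    def level(self, lap):
        # Assumption: a LAP missing from a profile counts as level 0.
        return self.levels.get(lap, 0)


def session_levels(operator, terminal=None):
    """Return (effective levels by LAP, LAPs reduced by the terminal)."""
    # terminal=None models a terminal not defined to the dictionary,
    # which the guide says is assumed to have unlimited access.
    # Central security officers are exempt from terminal reduction
    # (modelled here as keeping the operator's own levels).
    if terminal is None or operator.level(SECURITY_LAP) == CENTRAL_OFFICER:
        return dict(operator.levels), []
    effective, reduced = {}, []
    for lap in sorted(operator.levels):
        effective[lap] = min(operator.level(lap), terminal.level(lap))
        if effective[lap] < operator.level(lap):
            reduced.append(lap)      # would trigger the logon warning
    return effective, reduced


def may_run(effective, function_lap, required_level):
    """Each function belongs to exactly one LAP and has a required level."""
    return effective.get(function_lap, 0) >= required_level


# Constructed sample data. PC01 levels follow Figure 13; the clerk
# profile and the required level 3 are invented for the example.
PC01 = Profile({1: 0, 48: 9, 49: 9, 50: 9})
CLERK = Profile({1: 5, 48: 3, 49: 0, 50: 0})
OFFICER = Profile({1: 9, 48: 9, 49: 9, 50: 9})

if __name__ == "__main__":
    for name, op in (("clerk", CLERK), ("officer", OFFICER)):
        eff, reduced = session_levels(op, PC01)
        verdict = "authorized" if may_run(eff, 1, 3) else "Unauthorized"
        print(name, eff, "reduced LAPs:", reduced, "->", verdict)
```

With the Figure 13 settings, the clerk is cut to level 0 in LAP 01 at PC01 while the central security officer is not reduced. The same clerk at a terminal that is not defined to the dictionary keeps level 5, so terminal-level restrictions take effect only for terminals that have been defined.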
MAGEC's menu system is driven by the dictionary security parameters and definitions. It can never be out of "sync" with security. It requires no coding, no maintenance, and no unnecessary overhead. Operators who do not desire a menu simply do not request one; they can "fast path" directly to any function/screen for which they are authorized. In order to retain the advantages of a fully dictionary-driven system without the usual I/O overhead involved with such an architecture, MAGEC loads the active security and data definition specifications into main memory. You can (if you are authorized to do so) tell MAGEC to re-load the data at any time in order to make recent changes effective immediately.
The security system helps control separation of test and production environments. This enables you, in one MAGEC system, to conduct production work, development, and testing (prototyping) without interfering with one another.
Other Interesting Functions
There are several query functions which are useful to a security officer on a day-to-day basis. Refer to the "Security" section of the Programmer's Reference Guide for more details.
WHOMAY xxxxxx
(where xxxxxx is a valid function code)
WHODID xxxxxx
(where xxxxxx is a valid function code)
WHOSON
OPRACT nnnnnnnnn
(where nnnnnnnnn is an employee#)
MALLOC 1
There are also "global change" functions for security profiles and definitions. They ask you for selection criteria to select which items are to be changed and to specify which parameters are to be changed and to what values within the selected items. The functions are:
SIFGBL
DVCGBL
FCDGBL
Appendix A -- Starting Fresh
On a PC
If you are doing the tutorial projects on a PC or PS/2, rather than on a mainframe computer, you have the advantage of being the only user of the system. In such an environment, the simplest way to ensure that you are starting fresh is to re-install MAGEC from the initial installation diskettes before beginning the tutorials. You should do this only if you are running MAGEC from your local disk, not from a shared network server--unless you coordinate your actions with the other users of MAGEC on your network. You can also do the procedure described below for mainframe users, if you prefer.
On a Mainframe
Because it is most likely that you will interfere with other users on your multi-user mainframe system, we suggest strongly that you try to do these tutorials on a PC instead. If, however, you must (or prefer to) do them on the mainframe, you should be especially careful to coordinate your activities with any other users.
At the time MAGEC is initially installed, and periodically thereafter, we strongly recommend(ed) that you backup and reorganize your MAGEC dictionary using the IDCAMS (or AMSERV) REPRO facility. If you have done (been doing) that, you can restore the FCDK1, SIFK1, and LAPK1 VSAM files to un-do the dictionary changes made in this (and the other) tutorials. This process must be done with careful consideration as to how it might affect other work which is being done at the same time. It is necessary to close the MAGEC dictionary files to your TP Monitor (CICS, Westi, etc.) while you are restoring them; therefore, MAGEC would be inactive during the process.
Manually
You could, in any environment, un-do the changes made in this tutorial by manually deleting and updating the affected dictionary records, i.e.:
LAPDEL 01