Who Should Read This Guide

This guide is written primarily for use by those persons who will be using the MAGEC software to specify and maintain security parameters for applications.

Copies of this guide should be distributed to:

  • Application Developers
  • Database Administrators
  • System Analysts
  • Security Officers
  • Auditors
  • This book is not intended to replace the Online Documentation but to augment it. This book will introduce the reader to the basic process used to control security for online applications. In order to demonstrate the tasks most effectively, it uses a tutorial to define security parameters for the newly developed Vacation application (refer to the "Application Developer" and "Customization" Tutorials).

    Supplemental Reading

    This guide is written assuming that the reader is familiar with the overall MAGEC philosophy. It presumes that you understand how the "standard set of nine" functions work and that you are familiar with the standard screen formats of MAGEC. You may wish to browse through this book first to gain an initial understanding of the security definition process.

    While doing the sample project it would also be useful for you to have several other MAGEC manual sections handy:

  • MAGEC "Security" (Programmer's Reference Guide)
  • Application User's Guide
  • This tutorial may be used as an introductory course without requiring you to have read the other material listed above since brief explanations are included for all features necessary. This project assumes that you have completed the Application Developer Tutorial and Customization Tutorial projects.

    How to Use This Tutorial

    Throughout this book you will find explicit commands telling you exactly what to do. You will also notice quite a bit of explanation and background information to help you to understand what is happening.

    In order to allow you to "skim" over the background information the first pass through the book we have inserted "markers" pointing to the explicit commands. They look like this:

         DO THIS:
    The commands will be inside a box like this.

    You may wish to go through the tutorial actually doing the project as you read, then re-read it for more complete explanation. This technique seems to facilitate faster learning for many people.

    Using PC MAGEC

    For a variety of reasons it is preferrable that you do this project on a PC (or PS/2) using the PC version of MAGEC.

    First, since you will be altering security parameters you will eliminate the risk of creating problems for someone else if you are working on a standalone PC workstation.

    Second, we recommend that you use the MAGEC installer logon ID of 18, password of ALEE. This ID will likely be removed from your mainframe installation of MAGEC by your security officers once MAGEC has been completely installed -- certainly once there are MAGEC applications in "production" status.

    Third, this project has you define a new logical application, 01 Employee Relations. There is the distinct possiblility that your mainframe system will already have logical application 01 defined (by your security officers) for some other application developed at your installation.

    Fourth, you can easily undo all your work to start over fresh (on a PC) by simply re-installing MAGEC using the initial installation procedure.


    Getting Started

    Deleting Previous Student's Work

    You might not be the first one in your shop to do this project; therefore, you might need to delete the previous student's work before you begin. To do so:

         DO THIS:
    Follow instructions in Appendix A of this tutorial, if necessary.

    The Project

    In this tutorial we will define (or modify) the security parameters for the Vacation Application which was developed in the "Application Developer" Tutorial project. The Vacation application consists of nine online functions:

    VACADD add vacation data

    VACCHG change vacation data

    VACDEL delete vacation data

    VACSEE see vacation data

    VACNXT see next employee's vacation data

    VACDUP duplicate vacation data

    VACLOC locate (browse) vacation data

    VACSCN scan (query-by-example) vacation data

    VACFND find (compound boolean selection) vacation data

    The definition of security parameters affects several things:  1) who may do each function, 2) automatic menus generated from security parameters, 3) audit trails produced showing who has done these functions. The audit trails may show (optionally), for each record on the file, who has updated it, from which terminal, using which program, at what time and date. They may also give you the ability to report activity showing who has done any function between certain dates, times-of-day, at certain terminals, and so forth. The security parameters may control access by operator, terminal, location, dates, times-of-day, and so forth.

    This project will not demonstrate every aspect of the security facilities built into MAGEC. It will give you a good working knowledge to enable you to begin using MAGEC's security features. An in-depth knowledge will come from experience and from reading the "Security" chapter of the MAGEC Programmer's Reference Guide.

    All security parameters are entered online through MAGEC.

         DO THIS:
    Use the TS01 TransID to enter MAGEC, log on as usual.  Use Employee number 18, Password ALEE.

    Logical Applications

    LAPxxx Functions

    To list the Logical Applications currently defined to the dictionary:

         DO THIS:
    Key in the command:  LAPLOC 1,  press ENTER.

    The screen will return showing a list of defined LAP's, as shown on opposite page.

    A list of Logical Applications will be displayed to you. If you wished to modify one of these definitions you could position the cursor down to the line on which it is displayed and press PF4 (F4, on a PC) to be transferred to the LAPCHG screen for the selected item.

    Logical Applications are groupings of online functions. You can define up to fifty-one (51) Logical Applications to the MAGEC dictionary. The four (4) shown on the opposite page are the standard ones provided with MAGEC; they control the MAGEC "system" functions.

    Logical Applications are identified by a two-digit number from 00 through 50. Numbers 00, 48, 49, and 50 are predefined by MAGEC; numbers 01 through 47 are available for your use.

    Some examples of Logical Applications you might define are:

    General Ledger

    Personnel & Payroll

    Inventory System

    . . . etc.

    Each Logical Application (LAP) can include an unlimited number of online function codes (i.e. VACSEE, VACCHG, CUSLOC, etc.).

    Each Function code must belong to one, and only one, LAP.

    The various function codes supported by one MMP (program) need not belong to the same LAP; therefore, VACADD may belong to LAP 01 while VACCHG may belong to LAP 05, and so forth.

    The defined LAP codes are used to build the high level menu for an operator when it is requested.

    The defined function codes are used to build the low level menu for the operator.

    Only those LAPS and Functions for which a given operator is authorized appears on his/her menus.

     LAPLOC  1
    END OF LIST PF5 = Restart/PF7=Backward
    00  MISC  Miscellaneous Functions
    48  SPLR  MAGEC Spooler Functions
    49  SEC.  MAGEC Security System
    50  PROG  MAGEC Developemnt/Testing/DBA
      ++++ 04 Records Scanned, 04 Displayed so far - Page 1 ++++

     KEY 1 = MAGEC LAP FILE MASTER KEY  Press PF13 for Hardcopy
      You may Position the CURSOR on an item and Press ENTER to "SEE" it
     (Browsing Forward)  or Press PF4 to "CHG" it

    Figure 01 -- Logical Application "Locate" Screen

    Now, let us add a new LAP. We must define it to the MAGEC dictionary. The new LAP will be number 01; it will be defined as the Employee Relations system.

         DO THIS:
    Key  the command  LAPADD 01, press ENTER.

    The screen will be returned to you in the format for entering the definition for a new Logical Application.

    LOGICAL APPLICATION NUMBER is the 2-digit identifier, this field is not enterable since you have already given the LAP number above in the SKEY area of the screen (top line).

    SHORT NAME is a 4-character abbreviated description. It is used in places where there is not room for the long name.

    LONG NAME is the 30-character name of this Logical Application. It will be used in the high level menu screen and other places where there is sufficient space to show it, rather than the short name.

      LAPADD  01                                   Enter data to be ADDED
      M A G E C 


      SHORT NAME: ____

      LONG NAME: ______________________________

    Figure 02 -- Logical Application "Add" Screen

         DO THIS:
    Key in data as shown.  Press ENTER.

    The message in the top right corner of the screen will tell you: "Data ADDED to database."

    Since MAGEC's dynamically-generated menus are driven by dictionary definitions, the long description you enter here should be one which will be useful to an operator on the high-level (main) menu.

    The short description will appear on other screens where space will not permit the long name it should be as mnemonic as you can make it so that it is clearly understood. Short names such as "AP01" and "AP02" would not be very helpful.

      LAPADD  01
      M A G E C 


      SHORT NAME:  Empl

      LONG NAME:  Employee Relations / Vacation

    Figure 03 -- Logical Application Screen

    Main Menu

    **MENU Function

    Now let's look at the main menu.

         DO THIS:
    Key in the command **MENU.  Press ENTER.

    Notice that your new LAP appears on the main menu. It will appear there for any employee who is authorized to do LAP 01's functions. Since you are logged on as the MAGEC installer, employee 18, you are authorized for all functions. For other persons you will need to explicitly specify authorization levels in each LAP for each person as you add operator profiles to the dictionary. We will do that later on in this project.

    The MAGEC menu screens are dynamically generated at the time they are requested by the operator. They are driven by the dictionary's definitions for what functions and logical applications exist, what security authorization levels are required by them, who is logged on to this terminal, and what authorization levels the operator and terminal possess.

    This means that the menus:

    MAGEC's menus are controlled by the dictionary security parameters, they do not control security (as other menu schemes usually do).

    The operator can move the cursor down to the line on which the desired logical application appears and press ENTER. This will result in an intermediate-level menu for the selected logical application (showing only those functions or groups-of-functions which the operator is authorized to do).

    The operator can cursor-select one of the functions or groups-of-functions from the intermediate level menu. If the item selected was an individual function, then he/she will be transferred directly to the application screen for that function. If it was a group, he/she will be presented a low-level menu for that group. Selecting from the low-level menu will transfer directly to a function's application screen.

    ENU                                    END OF DATA Reached

      M A G E C  User View TS01
      01  Employee Relations / Vacation
      48  MAGEC Spooler Functions
      49  MAGEC Security System
      50  MAGEC Development/Testing/DBA
      ** END OF MENU **

     To select a Logical Application move the CURSOR down to its line - Press ENTER

     PF15 = exit MAGEC, PF9 = swap windows, PF1 = HELP  PF5 = RESTART

    Figure 04 -- Main Menu Screen

    Function Codes

    FCDxxx Functions

    Next we will modify the function codes for the vacation application.

    When we originally generated the vacation application, MAGEC automatically generated defintions for all nine standard functions in the FCD file. When MAGEC generated them, it set default parameters such that the VAC... functions could be accessed from any test user view but from no production user views. MAGEC also defaulted each of the functions to belong to Logical Application (LAP) 50 - development/ testing/ debugging.

    Now we will alter them to assign them to our new LAP (01 - Employee Relations.)

         DO THIS:
    Key in the command:  FCDLOC VAC, press ENTER.

    The FCDLOC VAC command will list function codes beginning with the first one equal to or greater than the key argument given. In this example the key argument is "VAC  ".

    The VACTOT function shown in the display is the one created in the third "Customization" Tutorial project. It is actually a tenth function code for the Vacation application.

    The screen display continues listing function codes beyond the last VAC. . . function since it is a simple browse. You could alternately have used a scan or find command to show only function codes starting with VAC, for example:

    FCDSCN 1
    (with a selection mask having VAC in the corresponding display positions)


    FCDFND 1
    (with a search argument of "VAC")

    If you had done either of these "programmerless queries", you could then take advantage of the Short-List facility to select each of the VAC. . . functions from a pop-up window. The Short-List is invoked by pressing PF24 from the maintenance screen after having done a browse or query.

    In this project we are having you use the less elegant, more basic, method of executing a browse, selecting an item for update, updating the item, and re-executing the browse to enable you to select the next item.

     FCDLOC VAC                               END OF LIST  PF5=Restart/PF7=Backward


    VACADD  50 VAC MAINT  600  1  N  600  9  N
    VACCHG  50 VAC MAINT  600  1  N  600  9  N
    VACDEL  50 VAC MAINT  600  1  N  600  9  N
    VACDUP  50 VAC MAINT  600  1  N  600  9  N
    VACFND  50 VAC MAINT  600  1  N  600  9  N
    VACLOC  50 VAC MAINT  600  1  N  600  9  N
    VACNXT  50 VAC MAINT  600  1  N  600  9  N
    VACSCN  50 VAC MAINT  600  1  N  600  9  N
    VACSEE  50 VAC MAINT  600  1  N  600  9  N
    VACTOT  50 VAC MAINT  600  1  N  600  9  N
    VERZUN  50  PGM/MSK VERSION VERIFICATION  652  1  N  652  1  N
    WHOMAY  49  Show Authorized Users for Func 665  1  N  665  1  N
    WHOSON  49  List who is logged on  665  8  N  665  8  N
    WINDOW  00  Swap Windows  652  0  N  652  0  N
      ++++ 14 Records Scanned, 14 Displayed so far - Page 1 ++++

    KEY 1 = FUNCTION CODE   Press PF13 for Hardcopy
     You may Position the CURSOR on an item and Press ENTER to "SEE" it
    (Browsing Forward)  or Press PF4 to "CHG" it

    Figure 05 -- Function Code "Locate" Screen

         DO THIS:
    Position the cursor to the line where VACADD is displayed, press PF4.

    By positioning the cursor to a line and pressing PF4, you have selected that item for change.

    The full-screen FCDCHG screen will appear with the definition for the selected function (VACADD) filled in.

    This shows you the current values specified - they are the default values generated by the MMPCREAT process at the time the Vacation Application was initially generated.

    Desc is a 30-character description which will appear on the automatically-generated menus, it should be one which will be helpful to an operator requesting a menu.

    Logical Application is the 2-digit (01 through 50) LAP number. LAP 50 is for Development/Testing/ and Database Administration functions -- it is the default LAP which MAGEC uses when it automatically creates the FCD entries; you can change it to any valid LAP number.

    Separate TEST and PRODUCTION profiles are supported for many of the parameters. This enables you to conduct production processing, development, and testing on one MAGEC system. You can separate programs, files, and security parameters to prevent end-users from accessing test data and to prevent developers and prototypers from accessing production files and programs.

    User Views are the sixteen (16) MAGEC user views (TS01 through TS08 and PR01 through PR08). You specify (Y or N) whether this function may be executed from each of the user views.

    MMP Number is the 3-character identification for the program which is executed to handle this function.

    Auth Level is the authorization level (0 through 9) which is required to access this function. You should interpret this as meaning the authorization level within the specified logical application. A level of 0 indicates "no authorization", a level of 9 indicates the highest possible authorization.

    Hold is a Y or N indicator which specifies whether this function is temporarily suspended, Y indicates "on hold."

    This Function Invokes Auto Edit (Y or N) is a Y or N indicator which specifies whether this is an updating function (i.e add, change, duplicate) which requires MAGEC to perform the automatic screen field edits to validate the data entered. Functions ending in ADD, CHG, or DUP will automatically be treated as updating functions, regardless of the setting of this indicator -- other functions will not be considered as updating functions unless the setting is Y.


      M A G E C


      87654321  87654321

     MMP NUMBER: 600  MMP NUMBER: 600


      HOLD: N  HOLD: N


    Press PF4 for browse (LOC) screen   Press PF13 for Hardcopy
    Press PF16 to Copy field to buffer  Press PF17 to Paste data from buffer
    Press PF2 for field-level HELP  Press PF24 for Pop-Up Short-List

    Figure 06 -- Function Code Definition Screen


         DO THIS:
    Key in changes as shown.  Press ENTER.

    You are entering the description which will be used on the lower level menu. When MAGEC automatically generated the FCD records, it used a default description of VAC MAINT. You are overkeying it with one which will be more pleasing on the menu. You are also overkeying the default logical application number (50) with 01, specifying Y (yes) for all eight production user views, and changing the production authorization level to 1.

    The description for the logical application which appears on the screen will change to reflect the change you have made to the logical application number after you have pressed ENTER.

    Now, you must repeat these changes for each of the VAC... functions.



    M A G E C


    87654321 87654321





    Press PF4 for browse (LOC) screen Press PF13 for Hardcopy
    Press PF16 to Copy field to buffer Press PF17 to Paste data from buffer
    Press PF2 for field-level HELP Press PF24 for Pop-Up Short-List

    Figure 07 -- Function Code Defintion Screen

    After changing the definitions for each of the VAC. . . functions you will return to the list of function codes (the Locate screen) so that you can select the next one to change it.

         DO THIS:
    After you have successfully updated the record -- Press PF3.

    Pressing the PF3 key (called the Escape Back key in SAA terminology) will return you to the FCDLOC screen as you left it, pressing PF4 instead of PF3 would return to the FCDLOC screen with the item you just changed at the top of the list.

         DO THIS:
    Cursor-select the next VAC... function using PF4, make the changes to it.  Press ENTER.

         DO THIS:
    Repeat the steps on this page for all of the VAC... functions.

    When you are finished updating the function code definitions for the Vacation application you will need to tell MAGEC to re-load its main memory images.

         DO THIS:
    After updating all the VAC... functions -- Enter the **LOAD command (at top left of the screen) and press ENTER.

    The **LOAD command will cause MAGEC to re-load its main memory images of the dictionary data. You will be notified of its successful completion with a message in the top-right of the screen telling you the number of function codes loaded.

     FCDLOC VAC                               END OF LIST  PF5=Restart/PF7=Backward


    VACADD  01  Vacation data  600  1  N  600  1  N
    VACCHG  50  VAC MAINT  600  1  N  600  9  N
    VACDEL  50  VAC MAINT  600  1  N  600  9  N
    VACDUP  50  VAC MAINT  600  1  N  600  9  N
    VACFND  50  VAC MAINT  600  1  N  600  9  N
    VACLOC  50  VAC MAINT  600  1  N  600  9  N
    VACNXT  50  VAC MAINT  600  1  N  600  9  N
    VACSCN  50  VAC MAINT  600  1  N  600  9  N
    VACSEE  50  VAC MAINT  600  1  N  600  9  N
    VACTOT  50  VAC MAINT  600  1  N  600  9  N
    VERZUN  50  PGM/MSK VERSION VERIFICATION  652  1  N  652  1  N
    WHOMAY  49  Show Authorized Users for Func 665  1  N  665  1  N
    WHOSON  49  List who is logged on  665  8  N  665  8  N
    WINDOW  00  Swap Windows  652  0  N  652  0  N
      ++++ 14 Records Scanned, 14 Displayed so far - Page 1 ++++

    KEY 1 = FUNCTION CODE   Press PF13 for Hardcopy
     You may Position the CURSOR on an item and Press ENTER to "SEE" it
    (Browsing Forward)  or Press PF4 to "CHG" it

    Figure 08 -- Function Code Browse Screen

    Low-Level Menus

    $$MENU Function

    Now let's look at the low-level menu for LAP 01.

         DO THIS:
    Key in the command $$MENU 01.  Press ENTER.

    You can see the low-level menu by keying in the $$MENU command or by starting from the high-level menu and cursor-selecting the desired LAP. Another way, as you will see, is to set a session option which equates the CLEAR or PA1 key to the $$MENU command.

    The low-level menu is driven by the function code definitions from the dictionary. You can control the descriptions which appear on this menu by controlling the descriptions for the individual function codes in the FCD definition.

    The most usual way for an operator to get to the low-level menu is from a higher menu. MAGEC automatically supports three levels of menus. The highest is the main menu (**MENU), showing Logical Applications. The intermediate level menu (++MENU) shows groups of functions (they are grouped by the first three characters of the function code). The $$MENU is the lowest level menu.

    Another way of getting to the low-level menu is by simply typing in the command $$MENU nn (as we have done here). (nn = any valid logical application number.)


     $$MENU 01                               END OF DATA Reached
      User View TS01
      MENU FOR: M A G E C Employee Relations / Vacation
     Function  Key Entry  Action  Description
     OPTION  ____________________________________  SET SESSION OPTIONS
     PRINTS  ____________________________________  MAGEC SCREEN PRINT
     VACADD  ____________________________________  ADD  Vacation data
     VACCHG  ____________________________________  CHANGE  Vacation data
     VACDEL  ____________________________________  DELETE  Vacation data
     VACDUP  ____________________________________  COPY  Vacation data
     VACFND  ____________________________________  FIND  Vacation data
     VACLOC  ____________________________________  LOCATE  Vacation data
     VACNXT  ____________________________________  NEXT  Vacation data
     VACSCN  ____________________________________  SCAN  Vacation data
     VACSEE  ____________________________________  DISPLAY  Vacation data
     VACTOT  ____________________________________  Vacation total
     WINDOW  ____________________________________  Swap Window

      ** END OF MENU *
    To SELECT a Function, Position the CURSOR down to the line on which it is shown,
    Enter the KEY VALUE beside it if appropriate, Press ENTER
      -or-  Press PF2 for HELP Instructions for the selected Function

    Figure 09 -- Menu Screen

    Session Options

    Using the OPTION function an operator can customize the functionality of the CLEAR and PA1 keys and can also set a Stack Option which determines the action of the Attach/Detach function when the stack is exceeded.

    Special Keys Option

    For convenience, an operator can set a Special Keys Option to equate the CLEAR and PA1 keys to various MAGEC functions.

    The "E" option would result in the high-level menu (**MENU) being displayed when the CLEAR key is pressed and the low-level menu when the PA1 key is pressed. The PA1 key, in that case, would be used to return from any application screen to the low-level menu.

    Stack Option

    The Stack Option controls the stack feature of Attach/Detach. For more detailed information regarding Attach/Detach, refer to the "Customization" Tutorial, Appendix R.

    Setting the Stack Option to 'P' pushes the oldest entry off the stack and replaces it with the current screen.

    The 'C' option clears the stack, then saves the current screen as the first entry in a new stack.

    The 'F' option transfers the screen without adding to the stack by using the FTH-FUNCT.

    If the Stack Option is left blank, a pop-up window will be displayed to the operator whenever the fourth screen (the limit is three) is added to the stack. When the window is displayed, the operator must choose one of the above-mentioned option codes.

    To view or change your Session Options:

         DO THIS:
    Key in the command OPTION.  Press ENTER.

    You can change your session options either temporarily (for this session only) or permanently (until you again change it to something else), by pressing either PF4 or ENTER, respectively. If you press ENTER the new option is stored in your security profile and applied each subsequent time you log on to MAGEC.

    At this time you may wish to experiment with different session options, setting different values and then pressing CLEAR and PA1 to see what happens. Most MAGEC users find that option B or C is the best suited to their usage patterns since MAGEC is structured to steer operators away from menus and toward entering direct mnemonic commands. Application developers sometimes prefer the D option.

     OPTION 000000018
    Date 05/11/92 M A G E C User View TS01
    Time 11:48:09 SESSION OPTIONS

    Operator Name BOBBIE  LLOYD

    Special Keys Option: C Option A == PA1 = $$MENU, CLEAR = CLEARS
    Option B == PA1 = **MENU, CLEAR = CLEARS
    Option C == PA1 = VERZUN, CLEAR = CLEARS
    Option D == PA1 = MSKDEF, CLEAR = TSKLST
    Option E == PA1 = $$MENU, CLEAR = **MENU

    Stack Option: P Option P == PUSH oldest entry from stack and
    add this entry before doing attach
    Option C == CLEAR all entries from stack
    Option F == FETCH instead of attach--stack remains
    Blank == Present pop-up window for stack options

    Enter desired Option Codes; press PF4 for temporary setting
    ENTER for permanent setting


    Figure 10 -- Session Options Screen

    Operator Profile

    SIFxxx Functions

         DO THIS:
    Enter the command : SIFSEE 18

    The Security Information File screen will be displayed showing the profile for employee 18, Bobbie Lloyd. Let's review the parameters from this screen:

    Employee # is the 9-digit number (usually Social Security or Social Insurance number) which identifies this operator uniquely. This is a protected field since you have already entered the employee number on the top line of the screen as the key.

    Password is a 4-character password which may be alpha-numeric.

    Location is a 3-character code defining which location(s) this operator may log on to MAGEC from. the dot (.) is a "wildcard"; hence, a location of ". . ." means "any location."

    Days defines (with Y or N flags) which days of the week this operator may log on, the eighth position (H) means Holidays.

    U-Views (user-views) specifies which of the sixteen MAGEC user-views this operator may access MAGEC through. The user-views are TS01 thru TS08 (test), and PR01 thru PR08 (production).

    Last Name & First are the name of the operator.

    On Hold is a Y or N indicator, Y means this operator is suspended - "on hold."

    Term Date is the date (MM/DD/CCYY) that this operator is terminated. MAGEC will automatically suspend him/her on that date.

    Max # Unauth Funct is the number (000 through 999) of times the operator may attempt to do a function he/she is not authorized to do before MAGEC automaticallly suspends him/her.

    Logon Attempts is the number of attempts this operator may make to get his/her password correct (when logging on) before MAGEC automatically suspends him/her. Zeros (or '999') means infinite.

    Time Out is the number of minutes (000 thru 999) this operator may leave the terminal idle (fail to press any transmit keys), before he/she is automatically logged off. Zeros means never.

    Multi-Term Logon is a Y or N indicator specifying whether this operator may be logged on to more than one terminal at a time.

    Group Identifier is any 10-character "code" which you may wish to use to identify operators belonging to any grouping, i.e. "TEMP" for temporary help, or "MIS" for MIS employees. You can alter the profiles for an entire group in one transaction if necessary, i.e.. the project that the TEMP's were working on is cancelled.

    Last Logon indicates the date and terminal this operator last logged on.

     SIFSEE 18                              ++ CENTRAL SECURITY OFFICER ++
      EMPLOYEE # 000000018  B L  TEST  PROD
      PASSWORD: ALEE  SMTWTFSH  87654321  87654321
     TERM DATE: 12/31/1999  MAX # UNAUTH FUNCT: 999  LOGON ATTEMPTS: 999
    PSWD CHNGD: 11/03/1990 ,GOOD FOR 999 DAYS  AUTHORIZED HOURS: 00 00 TO 24 00
    ....................AUTHORIZATION LEVELS BY APPLICATION........................
      Empl(01): 9

      SPLR(48): 9  SEC.(49): 9  PROG(50): 9
    Press PF4 for browse (LOC) screen   Press PF13 for Hardcopy
    Press PF16 to Copy field to buffer  Press PF17 to Paste data from buffer
    Press PF2 for field-level HELP

    Figure 11 -- Operator Security Information Screen

    Suspend After indicates the number of days of inactivity (failure to log on to MAGEC) which may pass before MAGEC will automatically suspend the operator, assuming him/her to be terminated, deceased, or just dis-interested.

    Pswd Changed indicates the last date this operator changed his/her password (at logon time).

    Good For ____ Days is the number of days (000 through 999) which the operator may go without changing his/her password. After that number of days MAGEC will not allow the operator to log on without changing the password. It automatically prevents the use of "trivial" passwords (too easy to guess) and the re-use of the same passwords by the same operator. A value of zeros (or '999') means infinity.

    Authorized Hours is the range of hours-of-the-day (24-hour clock) during which this operator may log on. A range of 00 00 thru 24 00 means "any time of day."

    Authorization Levels by Application specifies the levels (0 through 9) of authorization that this operator posesses in each of the defined logical applications (LAP's). The short name for each LAP is shown along with the LAP number. The LAP's 48, 49, and 50 are pre-defined by MAGEC and must always retain their original meanings (Spooler functions, Security functions, and Developer function, respectively). Other LAP's are defined by you as you need them. The new LAP (01) is shown on the screen. If you add other new LAP's they will also appear. A level of zero means a minimum (or no) authorization, a level of nine indicates the highest possible authorization, for each LAP.



         DO THIS:
    Define yourself to the MAGEC security system.  Enter the command:
    SIFADD nnnnnnnnn (where nnnnnnnnn is your employee ID or social security number).
    Fill in the fields on the screen and press ENTER.    

    If you have successfully added the new record defining yourself to the security system you will receive the message at the top left corner of the screen saying: Data ADDED to Database. You could immediately use your new ID and password to log on to MAGEC, there are no other steps necessary (i.e. no assemblies, no re-cycling of the online system, no "new copy" command).

     SIFADD 123456789
      PASSWORD: ____  SMTWTFSH  87654321  87654321
      LOCATION: ___  DAYS: ________ U-VIEWS: ________  ________
     LAST NAME: ___________________  FIRST:  ______________  ON HOLD: _
     TERM DATE: __________  MAX # UNAUTH FUNCT: ___  LOGON ATTEMPTS: ___
    ....................AUTHORIZATION LEVELS BY APPLICATION........................
      Empl(01): _

      SPLR(48): _  SEC.(49): _  PROG(50): _

    Figure 12 -- Operator Security Information Screen

    Terminal Profile

    DVCxxx Functions

    Now let us look at the definition for a terminal in the MAGEC security system.

         DO THIS:
    Enter the command: DVCSEE
          --  press ENTER.

    The definition for your terminal will be displayed. The asterisk is interpreted as meaning "this terminal", as a convenience for you. MAGEC will substitute your terminal ID for the asterisk. You could have entered the command:

    DVCSEE xxxx

    where xxxx is any valid terminal ID, your own or anyone else's. The specified terminal's profile would be shown.

    The profile for a terminal is similar to the profile for an operator. When an operator logs on to a terminal MAGEC compares the authorization levels for the terminal and the operator (in each individual category) and applies the more restrictive of the two. This means that an operator's authorization at one terminal may be lower than at another. If any of his/her authorizations have been reduced, a message will warn him/her at log on time. The reduction applies only to this session, it does not alter the operator's profile.

    An exception to this automatic authorization reduction is when a central security officer logs on. MAGEC automaticaly gives central security officers full access to all functions from all terminals. This is necessary in order to rescue local security officers who have somehow locked themselves out of the system or otherwise woven a tangled web from which they cannot escape. Needless to say, there should be only a few select individuals with central security officer authorization.

    Location is the 3-character (no wildcards here) designation for the location of this terminal. Location codes are defined by you in MAGEC Table number 252. You can refer to the "Database Administration" chapter for explanations on how to update MAGEC Tables.

    Buf Size is the size of the terminal's buffer (normally 1,920). It is used by the Spooler, not by the Security system.

    Type is the terminal device type, i.e. 3278, 3279, etc. L/R is the line connection type: Local Remote, Dialup, or logial Unit (the uppercase letter is the one-character abbreviation you can enter). 7-Color is a Y or N indicator to specify whether this terminal has 7-color support. Form is the 4-character designation for the type of paper mounted in this device if it is a printer, not a CRT. Active Report also applies only to printers. These fields are not used for Security, but for other MAGEC subsystems.

    Desc is a 30-character free-form text field, a brief description for this terminal.

    Status indicates whether this terminal is in service or not, valid values are Available or Disabled (the uppercase letter may be used as an abbreviation when entering).

     DVCSEE PC01
     ID= PC01  Home Gateway: ................
     Location: SYS ( COMPUTER ROOM (SYSTEM PRINTERS)  ) Buf Size: 1,920
     Type: 3279  L/R: LOCAL  7-Color (Y/N) : N  --TEST--  --PROD--
     Desc: MAGEC Software - AT Portable  87654321  87654321
     Status AVAILABLE  Form:  User Views: YYYYYYYY  YYYYYYYY
     Active Report  Time Out: 999 min.
    Print Classes: A  SMTWTFSH
      Authorized Hours : 00 00 to 24 00 Days: YYYYYYYY
    ...............MAXIMUM AUTHORIZATION LEVELS BY APPLICATION......................
      Empl(01) : 0

      SPLR(48): 9  SEC.(49): 9  PROG(50): 9
    Press PF4 for browse (LOC) screen   Press PF13 for Hardcopy
    Press PF16 to Copy field to buffer  Press PF17 to Paste data from buffer
    Press PF2 for field-level HELP

    Figure 13 -- Device Definition Screen

    Print Classes specifies the class (one character) to be assigned to reports generated from this terminal via the MAGEC Spooler.

    Authorized Hours and Authorization Levels by Application are similar to those specifications for the operator.

    If you wished to define another terminal to the MAGEC dictionary you would use the DVCADD command as:

    DVCADD tttt

    where tttt is a valid terminal ID.


    Home Gateway is the Gateway name of this computer as defined on MAGEC Lookup Table #248. This entry must be a valid name, as defined on the table, or it must be left blank. An entry in this field is needed only if this computer is used as a Host and also as a Client machine using MAGEC's intrinsic TCP/IP networking facility. The purpose for this entry is to tell MAGEC's I/O module that any Data Classes which are defined as being at this Gateway name are actually local to this machine. This machine, it is assumed, also serves a Host so that other machines (Clients) can access Data Classes which are local to this machine.

    If this machine never serves as a Host, then it is not necessary for it to be defined to Table #248 and it is correct to leave this Home Gateway specification blank.

     DVCADD tttt                              Enter data to be ADDED
     ID= TTTT  Home Gateway: ................
     Location: ___ (  ) Buf Size: ______
     Type: ____  L/R: ______ 7-Color (Y/N) : _  --TEST--  --PROD--
     Desc: ____________________________  87654321  87654321
     Status _________  Form: ____  User Views: ________  ________
     Active Report  Time Out: ___ min.
     Print Classes: _________________________________________  SMTWTFSH
      Authorized Hours : __ __ to __ __ Days: ________
    ...............MAXIMUM AUTHORIZATION LEVELS BY APPLICATION......................
      Empl(01) : 9

      SPLR(48): 9  SEC.(49): 9  PROG(50): 9

    Figure 14 -- Device Definition Screen


    What You Have Learned

    As you can readily see, the security authorization profiles for operators and terminals combine to form the authorizations for any given session. The authorizations consist primarily of one-digit codes where 0 is the lowest possible and 9 is the highest, for each of up to 50 logical applications.

    You can define the logical applications via the MAGEC dictionary. Every function code must belong to one logical application, it may not belong to more than one. The various functions handled by a given MMP (program) may, however, each belong to a different logical application from one another.

    As the operator attempts to do any given function, MAGEC compares his/her authorization (for the logical applications to which that function belongs) against the authorization level required to do that function. If the operator is not authorized, MAGEC never even invokes the application program; instead, a message is sent telling him/her "Unauthorized".

    MAGEC's menu system is driven by the dictionary security parameters and definitions. It can never be out of "sync" with security. It requires no coding, no maintenance, and no unnecessary overhead. Operators who do not desire a menu simply do not request one; they can "fast path" directly to any function/screen for which they are authorized. In order to retain the advantages of a fully dictionary-driven system without the usual I/O overhead involved with such an architecture, MAGEC loads the active security and data definition specifications into main memory. You can (if you are authorized to do so) tell MAGEC to re-load the data at any time in order to make recent changes effective immediately.

    The security system helps control separation of test and production environments. This enables you, in one MAGEC system, to conduct production work, development, and testing (prototyping) without interfering with one another.

    Other Interesting Functions

    There are several query functions which are useful to a security officer on a day-to-day basis. Refer to the "Security" section of the Programmer's Reference Guide for more details.

    WHOMAY xxxxxx (where xxxxxx is a valid function code)

    WHODID xxxxxx (where xxxxxx is a valid function code)

    WHOSON )

    OPRACT nnnnnnnnn (where nnnnnnnnn is an employee#)

    MALLOC 1

    There are also "global change" functions for security profiles and definitions. They ask you for selection criteria to select which items are to be changed and to specify which parameters are to be changed and to what values within the selected items. The functions are:




    Appendix A -- Starting Fresh

    On a PC

    If you are doing the tutorial projects on a PC or PS/2, rather than on a mainframe computer, you have the advantage of being the only user of the system. In such an environment, the simplest way to ensure that you are starting fresh is to re-install MAGEC from the initial installation diskettes before beginning the tutorials. You should do this only if you are running MAGEC from your local disk, not from a shared network server--unless you coordinate your actions with the other users of MAGEC on your network. You can also do the procedure described below for maniframe users, if you prefer.

    On a Mainframe

    Because it is most likely that you will interfere with other users on your multi-user mainframe system, we suggest strongly that you try to do these tutorials on a PC instead. If however, you must (or prefer) to do them on the mainframe, you should be especially careful to coordinate your activities with any other users.

    At the time MAGEC is initially installed, and periodically thereafter, we strongly recommend(ed) that you backup and reorganize you MAGEC dictionary using the IDCAMS (or AMSERV) REPRO facility. If you have done (been doing) that, you can restore the FCDK1, SIFK1, and LAPK1 VSAM files to un-do the dictionary changes made in this (and the other) tutorials. This process must be done with careful consideration as to how it might affect other work which is being done at the same time. It is necessary to close the MAGEC dictionary files to your TP Monitor (CICS, Westi, etc.) while you are restoring them therefore, MAGEC would be inactive during the process.


    You could, in any environment, un-do the changes made in this tutorial by manually deleting and updating the effected dictionary records, i.e.:

    LAPDEL 01 (LAP 01 definition is displayed)

      (LAP 01 definition deleted)

    FCDCHG VACADD (FCD definition for VACADD displayed)

      key changes to set all parameters to original
      values as shown in Figure 06 in this sectionl


      repeat above for all other VAC functions

    SIFDEL 123456789 (where 123456789 is your test ID)

      (your ID is deleted)

    Appendix B -- Security Data Classes


    The SIF data class is the Security Information File for operator profiles. Online maintenance is done to it via the SIFxxx functions. A batch index of operators can be produced using the MAGECLBR utility program with a control card of:



    The DVC data class is the Device profiles. Online maintenance is done via the DVCxxx functions.


    The FCD data class is the definitions of every online Function Code. Online maintenance is done to it via the FCDxxx functions. An index listing can be produced using MAGECLBR with a control card of:



    The LAP data class is the defintions for each Logical Application (a grouping of function codes). The index listing for the FCD data class above also shows Logical Applications.


    The ELT data class is the definitions for data elements. A data element is a record or portion of a record, it is the basic unit of transfer between the database (files) and programs. The ELT definition provides for security authorization requirements to control who may develop batch and online applications accessing the data element. The ELT data class is subordinate to the DCL (Data Class) definition. A batch report documenting all available parameters and information, including where-used, can be produced using the DCLDOC utility program with a control card of:

    DCLDOC xxx

    where xxx is a valid DCL name.

    Appendix C -- Global Changes

    Security Entities

    The security entities in MAGEC can be maintained using the standard ...ADD, ...CHG, etc. functions as shown in this tutorial; or they can often be maintained using several handy global change functions provided.

    A global change function simply allows you to select a set of records meeting a particular set of criteria and to update them all in one transaction. The special function codes used to do global changes to security entities are:

    SIFGBL operator profiles  

    FCDGBL function codes  

    DVCGBL video and printer devices  

    These functions all operate in generally the same way. You first enter the function code (with a blank key value, usually), then you receive a screen asking you to indicate the changes you wish to make. For example, in the FCDGBL process you will be presented a screen which resembles the FCDCHG screen, but has underscores in all the data fields. You can enter the desired value into the field (or fields) you wish to alter, leaving all other fields untouched. For example, if you wished to change the Logical Application for a set of function codes to '01', you would type '01' into the Logical Application field and not type anything into any other screen field.

    Next, you will be taken to a sequence of screens designed to let you select which function codes are to be updated. The selection is done using a screen which is very similar to a standard ...SCN function, wherein you enter a selection mask to search for matches. For example, you might enter 'VAC' into the first three positions of the "function code" in the dot mask line.

    Once the screen is returned to you displaying the function codes which match your selection mask, you have one more chance to de-select any function codes you do not wish to update. This is done by pointing with the cursor and pressing a PF key; instructions are displayed on the screen to help you remember which key to use.

    When you are satisfied that you have selected the function codes you wish to update, you simply press a PF key to tell MAGEC to apply the changes. If there were more items than could be displayed on one screenful from the scan, you can press a PF key to proceed forward to process another screenful in exactly the same way.

    Online instructions are presented at the bottom of every panel in this sequence. No updating is done until you press the appropriate PF key at the end of the sequence to indicate that you wish to apply the updates to the "marked" items. You can abort the sequence harmlessly at any time.