Use of the IQU Security SGS's In Order to Control IQU Access to a Production
Are we right in assuming that batch programs (IQU) started
by either a user in demand or a system scheduler are subjected to the
scrutiny of scanning the 'Security Groups' we'll create?
Also, it looks as if one could get carried away building these SGS.
Any tips on how to keep it relatively simple?
The answer to your first question is "YES". With I-QU PLUS-1
security, it is all or nothing. When security is enabled in the COMUS
configuration, I-QU does a top-down search through the file (and
element) that you specify. Any match against an ACCESS sgs ends the
search; otherwise, the search continues. If the search falls off the
end of the file, security fails; i.e., access is denied.
Yes, you can get carried away with applying security.
TIP: Start simple and keep it simple! For example, you probably only
have one or two people that actually do reorgs. Put them in a DBGROUP
that allows them access to all reorg utilities that make alterations:
PFIX and SCHUTL. All other utilities are harmless; PBLD, QRYSCH,
QINDEX. For the IQU program, you define ALLOWED/DENIED access by IO
type. The type of access you want, you specify by GROUP.
Here is a simple example where we have divided DMS access into two
groups (the example in the IG is a bit overpowering at first glance).
All other file types are wide open. We don't necessarily recommend
that, however, especially for something potentially destructive as DIO.
USER GROUP NONREORGS HAS CHAZ
USER GROUP REORGS HAS BOB LEW
SCHEMA GROUP DEMOSCH HAS DEMOSCH
SUBSCHEMA GROUP DEMOSUB HAS DEMOSUB
SCHEMAFILE GROUP DEMOFILE HAS FILE,UDS$$SRC*SCHABS
ACCESS TO DMR ST ALLOWED FOR NONREORGS FOR ;
RETRIEVAL INVOKING DEMOSUB OF DEMOSCH FILE DEMOFILE
ACCESS TO DMR ST ALLOWED FOR REORGS FOR LOAD ;
INVOKING DEMOSUB OF DEMOSCH FILE DEMOFILE
ACCESS TO DMR $ALL ALLOWED FOR $ALL FOR LOAD
UTILITY TYPE REORGTYPE HAS PBLD PFIX SCHUTL
ACCESS TO UTILITY REORGTYPE ALLOWED FOR REORGS
ACCESS TO UTILITY REORGTYPE DENIED FOR $ALL
ACCESS TO UTILITY $ALL ALLOWED FOR $ALL
ACCESS TO PCIOS $ALL ALLOWED FOR $ALL FOR $ALL
ACCESS TO DIO $ALL ALLOWED FOR $ALL FOR $ALL
ACCESS TO RDMR $ALL ALLOWED FOR $ALL