The Database Access Control facility
Use the Database Access Control facility to control users' access to databases when running FM/IMS functions. You have the option of controlling users' access to databases when functions run in BMP or DLI mode.
Depending on which profiles you define, access checking may be performed when the function uses a dynamic PSB, when the function uses a static PSB, or when the function uses a dynamic or static PSB.
To activate access checking for functions using a dynamic PSB, do the following:
- Define a FACILITY class profile named FILEM.IMS1.DBDYNAM
- Give all users whose access you want checked UPDATE or READ access to this resource:
  - UPDATE access, if you want access checking to be performed when functions run in BMP or DLI mode.
  - READ access, if you want access checking to be performed only when functions run in BMP mode.
To activate access checking for functions using a static PSB, do the following:
- Define a FACILITY class profile named FILEM.IMS1.DBSTATIC
- Give all users whose access you want checked UPDATE or READ access to this resource:
  - UPDATE access, if you want access checking to be performed when functions run in BMP or DLI mode.
  - READ access, if you want access checking to be performed only when functions run in BMP mode.
When access checking is active, a user's access to a database is checked against the XFACILIT class resource FILEM.IMS1.ssid.DB.dbname, where ssid is the IMS™ subsystem name and dbname is the name of the database that the user is attempting to access.
- For access by a read-only function, a user requires a minimum of READ access.
- For access by an update function, a user requires a minimum of UPDATE access.
Create corresponding profiles to protect this resource.
If you plan to use the Database Access Control facility to control users' access to databases when running functions in DLI mode, there is one additional requirement. You must define the IMS subsystems to be dynamic allocation only. You do so by setting the DYNALLOC parameter to Y when you customize the FM/IMS options module.
For more information on the DYNALLOC parameter, see FM/IMS options.
Logging unauthorized access attempts
The Database Access Control facility supports writing RACF audit records to SMF. To activate logging, do the following:
- Define a FACILITY class profile named FILEM.IMS1.ssid.DBLOG, where ssid is the IMS subsystem name.
- Give all users whose access you want logged READ access to this profile.
RACF® examples
- Activating access checking for functions that use a dynamic PSB and run in BMP mode.
  With these commands, checking is activated for all users:
  RDEFINE FACILITY FILEM.IMS1.DBDYNAM AUDIT(NONE) +
          UACC(READ) OWNER(ownerid)
  SETROPTS RACLIST(FACILITY) REFRESH
- Activating access checking for functions that use a static PSB and run in BMP or DLI mode.
  With these commands, checking is activated for all users:
  RDEFINE FACILITY FILEM.IMS1.DBSTATIC AUDIT(NONE) +
          UACC(UPDATE) OWNER(ownerid)
  SETROPTS RACLIST(FACILITY) REFRESH
- Ensure users do not obtain access to databases through profiles that are less specific than the profile FILEM.IMS1.*.DB.*
  RDEFINE XFACILIT FILEM.IMS1.*.DB.* AUDIT(NONE) +
          UACC(NONE) OWNER(ownerid)
  SETROPTS RACLIST(XFACILIT) REFRESH
- Allow user dbadmin to update all databases in subsystem IF52, and allow all other users to read these databases.
  RDEFINE XFACILIT FILEM.IMS1.IF52.DB.* AUDIT(NONE) +
          UACC(READ) OWNER(ownerid)
  PERMIT FILEM.IMS1.IF52.DB.* CLASS(XFACILIT) +
         ID(dbadmin) ACCESS(UPDATE)
  SETROPTS RACLIST(XFACILIT) REFRESH
- Allow user fmuser1 to update database DJ1E in subsystem IF52, and allow all other users to read this database.
  RDEFINE XFACILIT FILEM.IMS1.IF52.DB.DJ1E AUDIT(NONE) +
          UACC(READ) OWNER(ownerid)
  PERMIT FILEM.IMS1.IF52.DB.DJ1E CLASS(XFACILIT) +
         ID(fmuser1) ACCESS(UPDATE)
  SETROPTS RACLIST(XFACILIT) REFRESH
- Activating logging for subsystem IF52.
  With these commands, logging is activated for all users:
  RDEFINE FACILITY FILEM.IMS1.IF52.DBLOG AUDIT(NONE) +
          UACC(READ) OWNER(ownerid)
  SETROPTS RACLIST(FACILITY) REFRESH
- Activating logging for all subsystems.
  With these commands, logging is activated for all users:
  RDEFINE FACILITY FILEM.IMS1.*.DBLOG AUDIT(NONE) +
          UACC(READ) OWNER(ownerid)
  SETROPTS RACLIST(FACILITY) REFRESH
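The following Python model is added here and is not FM/IMS or RACF code; it ties together the rules above: the access level on the FACILITY profile (DBDYNAM or DBSTATIC) selects the modes in which checking runs, and the most specific XFACILIT profile covering FILEM.IMS1.ssid.DB.dbname decides database access. The profiles and user IDs are constructed to mirror the RACF examples above, and RACF's most-specific-profile rule is approximated by counting non-generic characters.

```python
import fnmatch

# Access levels in increasing order; UPDATE implies READ.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}

# Constructed profiles mirroring the XFACILIT examples above.
PROFILES = [
    {"name": "FILEM.IMS1.*.DB.*", "uacc": "NONE"},
    {"name": "FILEM.IMS1.IF52.DB.*", "uacc": "READ",
     "permits": {"dbadmin": "UPDATE"}},
    {"name": "FILEM.IMS1.IF52.DB.DJ1E", "uacc": "READ",
     "permits": {"fmuser1": "UPDATE"}},
]


def checking_active(facility_access, mode):
    """Access to FILEM.IMS1.DBDYNAM or DBSTATIC selects when checking runs:
    UPDATE -> BMP and DLI mode, READ -> BMP mode only, NONE -> never."""
    needed = {"BMP": "READ", "DLI": "UPDATE"}[mode]
    return LEVELS[facility_access] >= LEVELS[needed]


def matches(profile_name, resource):
    """Qualifier-by-qualifier generic match: a '*' qualifier covers exactly
    one qualifier of the resource name (the '**' form is not modelled)."""
    p_parts, r_parts = profile_name.split("."), resource.split(".")
    return len(p_parts) == len(r_parts) and all(
        fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))


def database_access(profiles, user, resource):
    """Effective access to FILEM.IMS1.ssid.DB.dbname: the most specific
    covering profile decides, using the user's PERMIT entry if one exists
    and the profile's UACC otherwise. Less specific profiles are not
    consulted, so access never accumulates across profiles. With no
    covering profile this model grants nothing; the catch-all
    FILEM.IMS1.*.DB.* profile is what keeps that case from arising."""
    covering = [p for p in profiles if matches(p["name"], resource)]
    if not covering:
        return "NONE"
    best = max(covering, key=lambda p: len(p["name"].replace("*", "")))
    return best.get("permits", {}).get(user, best["uacc"])


def allowed(profiles, user, resource, function):
    """A read-only function needs READ; an update function needs UPDATE."""
    needed = "READ" if function == "read" else "UPDATE"
    return LEVELS[database_access(profiles, user, resource)] >= LEVELS[needed]
```

Running the model over the constructed profiles shows that dbadmin gets only READ on DJ1E: the more specific FILEM.IMS1.IF52.DB.DJ1E profile decides and carries no PERMIT for dbadmin, so a database-level profile needs its own PERMIT entries for every user who should keep wider access.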