Setting up the security environment by using FMNSECUR
A security exit is provided for security control from within File Manager if you do not use RACF® or equivalent security product, or if SAF is not active at your installation. This exit is called FMNSECUR and is distributed in FMN.SFMNSAM1. You use FMNSECUR to protect selected File Manager functions from unauthorized users.
If you want to use FMNSECUR for security, customize it as described below and install it using the usermod FMNUMODS. For information on installing FMNUMODS, see Installing FMNSECUR using FMNUMODS.
- Give or deny some users (or all users) access to one of the following
groups of File Manager functions:
- FILEM.DISK.INPUT
- Disk input functions
- FILEM.DISK.UPDATE
- Disk update functions
- FILEM.TAPE.INPUT
- Tape input functions
- FILEM.TAPE.OUTPUT
- Tape output functions
- FILEM.TAPE.DUPLICATE
- Tape copy functions
- FILEM.TAPE.UPDATE
- Tape update functions
- FILEM.VSAM.UPDATE
- VSAM update functions
- FILEM.OAM.OUTPUT
- OAM output functions
- FILEM.OAM.UPDATE
- OAM update functions
- FILEM.LOADMOD.UPDATE
- Load module update functions
- FILEM.OTHER.ALL
- All other functions
- FILEM.TAPE.BLP
- See Controlling Bypass Label Processing (BLP)
- FILEM.DISK.FULLPACK
- See Controlling fullpack access to DASD volumes
For more information about these groups, see File Manager function to profile name cross-reference.
- Give or deny some users (or all users) access to an individual File Manager function.
Controlling access
- FILEM.CICS.BASE
- Access to File Manager base function
- FILEM.CICS.IMS
- Access to FM/IMS
- FILEM.CICS.DB2
- Access to FM/Db2
If a user ID running FM/CICS has read access to any of these groups, then the associated function (FM, FM/IMS or FM/Db2) will appear on the FM/CICS primary option menu and the user can invoke these functions, if they are installed.
If you have installed and customized the FM/CICS component, you should review your requirement for this access.
For more information about FM/CICS, see Customizing File Manager CICS Component, and also the File Manager User’s Guide and Reference for CICS.
Protecting update functions
- FILEM.BASE.UPDATE
- Protect update functions in File Manager base
- FILEM.DB2.UPDATE
- Protect update functions in FM/CICS
- FILEM.CICS.UPDATE
- Protect update functions in FM/CICS
(This aspect of security is handled differently for FM/IMS, see IMS subsystems and FM/IMS functions access control facility.)
These facility classes also require the option SEC=YES to be specified in FMN0POPT (for File Manager base), FMN2POPT (for FM/Db2), and FMN3POPT (for FM/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see File Manager unprotected functions, Customizing to protect update functions in FM/Db2, and Customizing to protect update functions in FM/CICS.
If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.
You modify FMNSECUR for your requirements by supplying FMNS macro statements to provide the control you want. Refer to the prolog in the supplied sample FMNSECUR for information about how FMNSECUR processes the FMNS macro statements, and where to insert the statements in the FMNSECUR source. The syntax of the FMNS macro is described in Syntax of the FMNS macro.
Examples of giving or denying access
The following examples show how to use FMNSECUR to give or deny a user access to a group of functions or a specific function.
- To give a user access to a group of functions (for example, tape
output functions), add statements similar to this to FMNSECUR:
FMNS CLASS=FACILITY, ENTITY=FILEM.TAPE.INPUT, ACCESS=READ, USERID=userid
Similarly, to deny a user access to tape output functions, add statements similar to this:FMNS CLASS=FACILITY, ENTITY=FILEM.TAPE.INPUT, ACCESS=NONE, USERID=userid
- To give a user access to a specific function (for example, the
VSAM to Tape function), add statements similar to this:
FMNS CLASS=FACILITY, ENTITY=FILEM.FUNCTION.VT, ACCESS=READ, USERID=userid
Similarly, to deny a user access to the VT function, add statements similar to this:FMNS CLASS=FACILITY, ENTITY=FILEM.FUNCTION.VT, ACCESS=NONE, USERID=userid
When a user tries to use a File Manager function, FMNSECUR is called (once) with both the profile name shown in File Manager function to profile name cross-reference (in the form FILEM.group.name) and the function code. FMNSECUR reads through the list of FMNS macros until a match is found for the user name or job name, and either the profile name or the function code. The first match found is used.
This means that each FMNS macro effectively overrides any FMNS macro that appears after it in the file. If you want FMNSECUR to have the same behaviour as SAF (where function code specifications override profile name specifications), put all of your function code specifications before your profile name specifications.