Controlling access to databases by FM/IMS functions
Security administrators can control the access that users have to databases when using FM/IMS functions.
Different methods of controlling access are required depending on whether the functions run in DLI or BMP mode.
For functions that run in DLI mode, you must control users' access to
the database data sets. There are two ways you can do this:
- You can use RACF® (or an equivalent security product) data set profiles. At most installations, the database data sets are already protected by RACF® data set profiles. If this is not the case, you need to define RACF® profiles for all database data set resources. One advantage of this method is that the protection that it provides is not just restricted to when the access is through FM/IMS functions.
- You can use the FM/IMS Database Access Control facility. For information on how to customize this facility, see The Database Access Control facility.
For functions that run in BMP mode, there are several different ways of controlling users' access to databases.
The standard way is to use Resource Access Security (RAS) and the IIMS and JIMS RACF® security classes to control which PSBs each user can use. An advantage of
this method is that the protection that it provides is not just restricted to when the access is
through FM/IMS functions. However, the method has one serious
limitation: it can only be used to control access by functions that use static PSBs. One of the
following methods must be used to control access by functions that use dynamic PSBs.
- You can use the FM/IMS Database Access Control
facility.
For information on how to customize this facility, see The Database Access Control facility.
- You can provide a version of the FMN1SXT security exit that
prevents users accessing databases that they don't have authority to access.
For information on writing your own version of FMN1SXT, see Customizing the FM/IMS security exit.