DDM server access control exit program for additional security

 

Customers who use menu-level security, which is accomplished by restricting the user's access to functions on the server, are likely to have a large number of public files. Public files are those files to which the public has some or all authority. A user exit program allows you to restrict each DDM user's access to public files and to private files.

The name of the program must be specified on the DDMACC parameter of the Change Network Attributes (CHGNETA) command.

User exit programs also let you block or filter DDM connection requests. All connection requests made by a DDM source system can be denied, or access to selected users can be granted. The user exit program must exist on the target server. The target DDM support calls this program:

• For each user's initial reference to a file to verify whether the user can have access to the file. When a file is referred to for I/O operations, this verification occurs only once, when the file is opened. The user exit program indicates to the TDDM whether the access request is accepted or rejected.

• For each DDM connection request.

• For each of the other functions listed in the Subapplication field of the table in Table 1.

When a user exit program is specified, the TDDM first checks for errors in the access request that is received from the source server. If no errors are detected, the TDDM builds the parameter list, calls the user exit program, and passes the parameter list to it.

• User exit program requirement
  The purpose of the exit program created by the user is to determine whether a user's access request is to be accepted or rejected. It does so using the values that are passed to it in the parameter list.

• User exit program parameter list for DDM
  The user exit program on the target server passes two parameter values: a character return code field and a character data structure containing various parameter values.

• User exit program example for DDM
  This user exit program represents the source code for a program that is created by a security officer on a remote system in Chicago.

• Parameter list example for DDM
  The commands in this topic are in a CL program that a user named KAREN on the source server (NEWYORK) is using. The remote location configuration of the target server (CHICAGO) specifies SECURELOC(*YES) for the NEWYORK source server. This action indicates that user IDs are to be sent and that a user profile for KAREN exists on the target server.

• DRDA server access control exit programs with example
  A security feature of the DRDA^® server, for both APPC and TCP/IP use, extends the use of the DDMACC parameter of the CHGNETA command to DRDA.

• User exit program considerations for DDM
  There are some considerations that you should understand before using user exit programs for DDM.

 

Parent topic:

Security

 

Related concepts

Elements of security in an APPC network