Used to set IBM Session Manager security parameters (class name, resource name, password phrase, and so on), including those that are derived from an External Security Manager (ESM).
This parameter is applicable to the SYSTEM control statement (see SYSTEM statement).
SECURITY
[AUTHCLASsname authclassname]
[AUTHRESname authresname]
[DYNMClass dynamicmenuclassname]
[DYNMDROPSESSION Yes|No|ON|OFF]
[DYNMResnm dynamicmenuresourcename]
[DYNMALog Yes|No|ON|OFF]
[DYNMAUtsthid Yes|No|ON|OFF]
[DYNMHide Yes|No|ON|OFF]
[DYNMLogmax nnnn]
[DYNMTYPE appl|vtamappl]
[ESMPRFCLNM esmprofileclass]
[ESMPRFRSNM esmprofileresname]
[ESMPRFACC Yes|No|ON|OFF]
[OLARESname olaresname]
[PASSPHrase Yes|No|ON|OFF [PASSWORDREQ Yes|No|ON|OFF]]
[SIGNONClass sign-on-class]
[SIGNONAccess Yes|No|ON|OFF]
[SIGNONResname sign-on-resname]
[TERMINALClass terminalclass]
[TERMINALResname terminalresname]
[TERMINALAccess Yes|No|ON|OFF]
[TYPECLASSGLOBAL Yes|No|ON|OFF]
Subparameters under the SECURITY parameter are:
AUTHCLASsname authclassname
This subparameter sets the name of the ESM class in which resources will be queried to determine security levels. The class name can be up to 8 alphanumeric characters.
A global read-only variable T_AUTHCLASS is created and is available for use by the E21 exit. The variable will contain an ESM class name up to eight characters long.
If subparameter AUTHCLASSNAME is specified, subparameters AUTHRESNAME and OLARESNAME are mandatory.
If subparameter AUTHCLASSNAME is not specified, subparameters AUTHRESNAME and OLARESNAME must not be specified.
AUTHRESname authresname
This subparameter, along with AUTHCLASSNAME, allows a user's authorization class to be set in an ESM.
The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus one character.
The supplied security exit will determine the user's authorization by checking against this subparameter within the defined ESM class, AUTHCLASSNAME. Starting at 9 and working down to 1, the exit will append the authorization level to the AUTHRESNAME specified and will check whether the user has read access to the resulting resource within the specified AUTHCLASSNAME.
Validation will stop as soon as read access is granted and the user's authorization level will be set to this value. If no access is granted then the user's authorization level will be set to 1. A user should only have read access to one authorization resource within the ESM.
This process will only occur if an AUTHRESNAME is defined. If a definition exists then any authorization settings in the configuration will be ignored.
For example, if authresname is set to ISM.AUTH and authclassname is set to ISMCLASS, the supplied security exits ISZE21SF and ISZE21PH will check whether the user has read access to ISM.AUTH9 in ISMCLASS, then whether the user has access to ISM.AUTH8 and so on, until a resource to which the user has read access is found. The user's authorization level will then be set to the appropriate value.
A global read-only variable T_AUTHRESN is created and is available for use by the E21 exit. The variable will contain the resource name, which will be appended with the AUTH value. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus one character.
If subparameter AUTHRESNAME is specified, subparameters AUTHCLASSNAME and OLARESNAME are mandatory.
If subparameter AUTHRESNAME is not specified, subparameters AUTHCLASSNAME and OLARESNAME must not be specified.
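The level walk described above (ISM.AUTH9 down to ISM.AUTH1, first READ grant wins, default level 1) together with the "class maximum minus one character" length rule, as an added example. The in-memory ESM table and the user IDs are constructed stand-ins for RACF; this is not IBM Session Manager's own exit code.

```python
"""Simulation of the authorization-level walk that the supplied ISZE21SF
and ISZE21PH exits perform for AUTHCLASSNAME/AUTHRESNAME.
Added example: the ESM table below is a constructed in-memory stand-in
for RACF, not IBM Session Manager code."""

# Constructed ESM class: the maximum profile-name length the class permits
# and, per defined profile, the set of user IDs holding READ access.
ESM_CLASSES = {
    "ISMCLASS": {
        "maxlen": 39,
        "profiles": {
            "ISM.AUTH9": {"ADMIN1"},
            "ISM.AUTH5": {"OPER1", "DUALUSR"},
            "ISM.AUTH3": {"DUALUSR"},   # DUALUSR is (wrongly) permitted twice
        },
    }
}


def read_access(classname, resource, userid):
    """True when userid holds READ on resource in classname.

    For the level walk an undefined profile simply counts as 'no access':
    whether RACF answers RC 8 (PROTECTALL) or RC 4,4 for it, the exit
    moves on to the next lower level either way.
    """
    permitted = ESM_CLASSES[classname]["profiles"].get(resource, set())
    return userid in permitted


def authresname_fits(classname, resname):
    """AUTHRESNAME may be at most the class maximum minus one character,
    because the exit appends a single digit (9..1) to it."""
    return len(resname) + 1 <= ESM_CLASSES[classname]["maxlen"]


def authorization_level(classname, resname, userid):
    """Walk <resname>9, <resname>8, ... <resname>1 and return the first
    level at which READ is granted; 1 when nothing is granted."""
    if not authresname_fits(classname, resname):
        raise ValueError("AUTHRESNAME too long for class %s" % classname)
    for level in range(9, 0, -1):
        if read_access(classname, "%s%d" % (resname, level), userid):
            return level
    return 1


if __name__ == "__main__":
    for user in ("ADMIN1", "OPER1", "DUALUSR", "NOBODY"):
        print(user, authorization_level("ISMCLASS", "ISM.AUTH", user))
```

DUALUSR shows why a user should hold READ on only one authorization resource: the walk silently takes the higher level (5) and the AUTH3 permit is never consulted.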
DYNMClass dynamicmenuclassname
This subparameter, effective when dynamic menus are being used, sets the name of the ESM class in which resources will be queried to determine which applications the user has authority to access. The class name can be up to 8 alphanumeric characters.
A global read-only variable T_DYNMCLASS is created and is available for use by the ISZE22DM exit. The variable will contain an ESM class name up to eight characters long.
The keyword under the DYNMCLASS parameter is:
For more comprehensive details on defining security and implementing dynamic menus, see the Installation and Customization manual.
DYNMDROPSESSION Yes|No|ON|OFF
This subparameter is used by the supplied ISZE22DM exit to determine whether sessions to which the user has no access are dropped or hidden. If DYNMDROPSESSION is set to Yes or ON, sessions the user can access are kept by setting DROP_SESSION No, and sessions the user cannot access are dropped by setting DROP_SESSION Yes, which deletes the internal storage for those sessions.
While this saves storage and improves performance, it has a drawback: dropped sessions cannot be autoselected or autostarted (also see the DYNMAUTSTHID subparameter).
If DYNMDROPSESSION is set to No or OFF, sessions to which the user has no access have HIDE Yes set and can still be autoselected or autostarted (also see the DYNMAUTSTHID subparameter), and sessions to which the user has access have HIDE No set. Also see the DYNMHIDE subparameter.
A global read-only variable T_DYNMDROPSESS is created and is available for use by the ISZE22DM exit. The variable will contain the drop attribute value 'Y' or 'N'.
See also the DROP_SESSION common session parameter (see DROP_SESSION).
For more comprehensive details on defining security, see the Installation and Customization manual.
DYNMResnm dynamicmenuresourcename
This subparameter, along with DYNMCLASS, sets the name of the ESM resource which, when appended with either the APPL name or APPLID name (see DYNMTYPE), will be queried to determine which applications the user has authority to access when dynamic menus are being used.
The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus one character.
A global read-only variable T_DYNMRESNM is created and is available for use by the ISZE22DM exit. The variable will contain the resource name, which will be appended with either the APPL name or APPLID name. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus the length of the APPL name or APPLID name.
For more comprehensive details on defining security and implementing dynamic menus, see the Installation and Customization manual.
DYNMAUtsthid Yes|No|ON|OFF
This subparameter determines whether sessions hidden from a user may be autostarted or autoselected. A setting of Yes or ON means that hidden sessions can be autostarted or autoselected. A setting of No or OFF means that hidden sessions cannot be autostarted or autoselected.
A global read-only variable T_DYNMAUTSTHID is created and is available for use by the ISZE22DM exit. The variable will contain the value 'Y' or 'N'.
For more comprehensive details on defining security, see the Installation and Customization manual.
DYNMALog Yes|No|ON|OFF
This subparameter determines whether message 4028 will be recorded in the audit log whenever the ESM cannot determine whether a user should have access to a session. A setting of Yes or ON will cause the message to be recorded. A setting of No or OFF will prevent a message from being recorded.
A global read-only variable T_DYNMALOG is created and is available for use by the ISZE22DM exit. The variable will contain the log attribute value 'Y' or 'N'.
For more comprehensive details on defining security, see the Installation and Customization manual.
DYNMHide Yes|No|ON|OFF
This subparameter is used by the supplied ISZE22DM exit to determine whether sessions are hidden or dropped (also see the DYNMDROPSESSION subparameter) if the ESM cannot determine whether a user would have access to the sessions.
If RACF PROTECT ALL is active, any undefined resource will return a SAF return code of 8 (access denied). When using the standard supplied ISZE22DM exit the session will then be hidden or dropped.
If RACF PROTECT ALL is not active, any undefined resource will return a SAF return code of 4,4 (RACF cannot make a decision). When using the standard supplied ISZE22DM exit, a setting of Yes or ON will cause these sessions to be hidden or dropped, and a setting of No or OFF will cause the sessions to be visible.
The ISZE22DM exit settings will override any configuration common session HIDE or DROP_SESSION settings.
A global read-only variable T_DYNMHIDE is created and is available for use by the ISZE22DM exit. The variable will contain the hide attribute value 'Y' or 'N'.
For more comprehensive details on defining security, see the Installation and Customization manual.
DYNMLogmax nnnn
This subparameter sets a limit on the number of DYNMALog 4028 messages written to the audit log during each user sign-on. Any value for nnnn from 0 to 9999 may be specified.
A global read-only variable T_DYNMLOGMAX is created and is available for use by the ISZE22DM exit. The variable will contain the maximum permitted number of log entries, from 0 to 9999.
For more comprehensive details on defining security, see the Installation and Customization manual.
DYNMTYPE appl|vtamappl
This subparameter determines whether the VTAM applid or appl should be used when checking a user's access authorization with the ESM. A DYNMTYPE of appl will cause the appl name to be used. A DYNMTYPE of vtamappl will cause the VTAM applid to be used.
A global read-only variable T_DYNMTYPE is created and is available for use by the ISZE22DM exit. The variable will contain the resource type value APPL or VTAMAPPL.
For more comprehensive details on defining security, see the Installation and Customization manual.
ESMPRFCLNM esmprofileclass
This subparameter indicates whether profiles should be assigned to a user based on resource access rules held in the ESM. If set (by containing the ESM class name under which profile resources are defined), this indicates that the profile name(s) will be assigned to a user by interrogating the ESM.
An associated global read-only variable T_ESMPRFCLNM is created. The variable will contain an ESM class name up to eight characters long.
A user can be associated with multiple profiles with the maximum being 18. Their sequence is important. If a particular attribute value (common enduser or common session) has not been defined by the user, the profiles will be searched in ascending input order and the first value defined explicitly for that attribute will be used. The order in which a user's access to profiles is checked is controlled through the ESMLEVEL parameter on the PROFILE statement (see ESMLEVEL).
Note: If using the ESM to assign PROFILE(s) then the PROF parameter of the USER statement is ignored. If the ESM prevents access to all profiles for a user then the default profile, as specified under parameter DEFPROFILE of the SYSTEM statement, is used.
The keyword under the ESMPRFCLNM parameter is:
For more comprehensive details on defining security, see the Installation and Customization manual.
ESMPRFRSNM esmprofileresname
This subparameter sets the name of the External Security Manager resource, which will be queried to determine if the user has authority to use this PROFILE. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus the length of the IBM Session Manager PROFILE name. An associated global read-only variable T_ESMPRFRSNM is created. The variable will contain the resource name, which will prefix the IBM Session Manager PROFILE name on issuing the check with the ESM.
Note: If using the ESM to assign PROFILE(s) then the PROF parameter of the USER statement is ignored. If the ESM prevents access to all profiles for a user then the default profile, as specified under parameter DEFPROFILE of the SYSTEM statement, is used.
For more comprehensive details on defining security, see the Installation and Customization manual.
ESMPRFACC Yes|No|ON|OFF
This subparameter determines whether the user is granted access which allows them to use this IBM Session Manager PROFILE, if the External Security Manager cannot determine whether a user would have access to the resource.
If RACF PROTECT ALL is active any undefined resources will return a SAF return code of 8 - access denied and the user is not granted access to the PROFILE.
If RACF PROTECT ALL is not active any undefined resources will return a SAF return code of 4,4 - RACF cannot make a decision. An ESMPRFACC setting of Yes or ON will allow the user to use the PROFILE. A setting of No or OFF will not allow the user to use the PROFILE.
An associated global read-only variable T_ESMPRFACC is created.
For more comprehensive details on defining security, see the Installation and Customization manual.
OLARESname olaresname
This subparameter, along with AUTHCLASSNAME, allows a user's OLA security class to be set in an ESM.
The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus two characters.
The supplied security exit will determine the user's OLA security class by checking against this subparameter within the defined ESM class, AUTHCLASSNAME. Starting at AD and working alphabetically through the OLA class definitions to US, the exit will add the OLA class name to the resource name specified and will check if the user has read access to the resource within the specified AUTHCLASSNAME.
Validation will stop as soon as read access is granted and the user's OLA security class will be set to this value. If no access is granted then the user's security class level will be set to NO. A user should only have read access to one OLA security class resource within the ESM.
This process will only occur if an OLARESNAME is defined. If a definition exists then any OLA security class settings in the configuration will be ignored.
For example, if olaresname is set to ISM.OLA. and authclassname is set to ISMCLASS, the supplied security exits ISZE21SF and ISZE21PH will check whether the user has read access to ISM.OLA.AD in ISMCLASS, then whether the user has access to ISM.OLA.BT and so on, until a resource to which the user has read access is found. The user's OLA security class will then be set to the appropriate value.
A global read-only variable T_OLARESN is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain the resource name, which will be appended with the OLACLASS value. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus two characters.
If subparameter OLARESNAME is specified, subparameters AUTHCLASSNAME and AUTHRESNAME are mandatory.
If subparameter OLARESNAME is not specified, subparameters AUTHCLASSNAME and AUTHRESNAME must not be specified.
For more comprehensive details on defining security, see the Installation and Customization manual.
PASSPHrase Yes|No|ON|OFF
[PASSWORDREQ Yes|No|ON|OFF]
If set to Yes or ON, specifies that a password phrase can be used, in place of a password, when authenticating the user with the External Security Manager during IBM Session Manager sign-on. If the password data entered is less than nine characters then it will be treated as a password, otherwise it will be treated as a password phrase. Some applications may not support password phrases; these applications may be utilizing a STARTSCRIPT that passes the userid and password at session start. Because of this, there may still be a configurable requirement that a user must provide their password at sign-on so that it may be passed to the application. A new global variable called t_passphrase will represent this value. Any update to this subparameter will take effect at the next IBM Session Manager sign-on.
The keyword under the PASSPHRASE parameter is:
PASSWORDREQ Yes|No|ON|OFF
If set to Yes or ON, specifies that a password must also be entered during sign-on.
The sign-on screen will also contain an area for the user to enter their password and if the user has entered a password phrase then they must also enter their password in this field.
This password will be used when IBM Session Manager has been configured to initiate sessions automatically that do not support password phrases.
SIGNONClass sign-on-class
This subparameter sets the name of the ESM class in which generated resources (a combination of the setting in SIGNONRESNAME and the IBM Session Manager ACB name) will be queried to determine if the user is allowed to log in to this application. We would recommend using the APPL class. The class name can be up to 8 alphanumeric characters.
If this subparameter is not set then the user is not checked against the generated resource name and they are granted access.
The specified class is RACLISTED into storage on the first invocation of the ISZE21SF and ISZE21PH exits. The SECFRESH command must be issued if any changes made to the class are to be reloaded into storage.
A global read-only variable T_SIGNONCLASS is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain an ESM class name up to eight characters long.
The keyword under the SIGNONCLASS parameter is:
For more comprehensive details on defining security, see the Installation and Customization manual.
SIGNONResname sign-on-resname
This subparameter, along with SIGNONCLASS, sets the name of the ESM resource, which will be queried to determine if the user has authority to access this IBM Session Manager. The resource name can be up to 31 alphanumeric characters. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus the length of the IBM Session Manager ACB name.
A global read-only variable T_SIGNONRESNAME is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain the resource name, which will be appended with the IBM Session Manager ACB name. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus the length of the IBM Session Manager ACB name.
For more comprehensive details on defining security, see the Installation and Customization manual.
SIGNONAccess Yes|No|ON|OFF
This subparameter is used by the supplied ISZE21SF and ISZE21PH exits to determine whether the user is granted access which allows them to sign on to the IBM Session Manager application, if the ESM cannot determine whether a user would have access to the generated resource name (a combination of the setting in SIGNONRESNAME and the IBM Session Manager ACB name).
If RACF PROTECT ALL is active, any undefined resource will return a SAF return code of 8 (access denied). When using the standard supplied ISZE21SF and ISZE21PH exits the user is not granted access.
If RACF PROTECT ALL is not active, any undefined resource will return a SAF return code of 4,4 (RACF cannot make a decision). When using the standard supplied ISZE21SF and ISZE21PH exits, a setting of Yes or ON will allow the user to be signed on, and a setting of No or OFF will cause the sign-on to be revoked.
A global read-only variable T_SIGNONACCESS is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain the value 'Y' or 'N'.
For more comprehensive details on defining security, see the Installation and Customization manual.
TERMINALClass terminalclass
This subparameter sets the name of the ESM class in which generated resources (a combination of the setting in TERMINALRESNAME and the terminal name) will be queried to determine if the user is allowed to log in to this application from this terminal. We would recommend using the TERMINAL class. The class name can be up to 8 alphanumeric characters.
If this subparameter is not set then the user is not checked against the generated resource name and they are granted access.
The specified class is RACLISTED into storage on the first invocation of the ISZE21SF and ISZE21PH exits. The SECFRESH command must be issued if any changes made to the class are to be reloaded into storage.
A global read-only variable T_TERMINALCLASS is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain an ESM class name up to eight characters long.
The keyword under the TERMINALCLASS parameter is:
For more comprehensive details on defining security, see the Installation and Customization manual.
TERMINALResname terminalresname
This subparameter, along with TERMINALCLASS, sets the name of the ESM resource, which will be queried to determine if the user has authority to access this IBM Session Manager from this terminal. The resource name can be up to 31 alphanumeric characters.
The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus the length of the terminal name.
A global read-only variable T_TERMINALRESNAM is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain the resource name, which will be appended with the terminal name. The resource name can be made up of any alphanumeric characters, including periods ('.'), and can be up to the length permitted by the defined ESM class, minus the length of the terminal name.
For more comprehensive details on defining security, see the Installation and Customization manual.
TERMINALAccess Yes|No|ON|OFF
This subparameter is used by the supplied ISZE21SF and ISZE21PH exits to determine whether the user is granted access which allows them to sign on to the IBM Session Manager application from this terminal, if the ESM cannot determine whether a user would have access to the generated resource name (a combination of the setting in TERMINALRESNAME and the terminal name).
If RACF PROTECT ALL is active, any undefined resource will return a SAF return code of 8 (access denied). When using the standard supplied ISZE21SF and ISZE21PH exits the user is not granted access.
If RACF PROTECT ALL is not active, any undefined resource will return a SAF return code of 4,4 (RACF cannot make a decision). When using the standard supplied ISZE21SF and ISZE21PH exits, a setting of Yes or ON will allow the user to be signed on, and a setting of No or OFF will cause the sign-on to be revoked.
A global read-only variable T_TERMINALACCESS is created and is available for use by the ISZE21SF and ISZE21PH exits. The variable will contain the value 'Y' or 'N'.
For more comprehensive details on defining security, see the Installation and Customization manual.
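The sign-on decision described for SIGNONCLASS/SIGNONRESNAME/SIGNONACCESS and for TERMINALCLASS/TERMINALRESNAME/TERMINALACCESS follows one pattern: build the resource from the configured prefix plus the ACB or terminal name, ask the ESM, and let the Yes/No flag decide only the "RACF cannot make a decision" (4,4) case; the page describes the same return-code handling for ESMPRFACC and DYNMHIDE. The block below is an added example that models that pattern with a constructed in-memory stand-in for RACF (class names, profile lengths and user IDs are all constructed); it is not IBM Session Manager's exit code.

```python
"""Sign-on decision of the supplied ISZE21SF/ISZE21PH exits as the page
describes it for the SIGNON* and TERMINAL* subparameters.
Added example with a constructed in-memory stand-in for RACF."""


class MockRacf:
    """Constructed stand-in: each class records the maximum profile-name
    length it permits and, per defined profile, the user IDs holding READ."""

    def __init__(self, protectall, classes):
        self.protectall = protectall   # mirrors SETROPTS PROTECTALL
        self.classes = classes

    def auth(self, classname, resource, userid):
        """Return (SAF rc, RACF rc) as the page quotes them: 0 when access
        is granted, 8 when denied, and 4,4 when no profile covers the
        resource and PROTECTALL is not active."""
        profiles = self.classes[classname]["profiles"]
        if resource not in profiles:
            return (8, 8) if self.protectall else (4, 4)
        return (0, 0) if userid in profiles[resource] else (8, 8)


def generated_resource(racf, classname, resname, suffix):
    """Configured prefix plus the ACB name (sign-on) or terminal name;
    the page requires the prefix to leave room for that suffix."""
    maxlen = racf.classes[classname]["maxlen"]
    if len(resname) + len(suffix) > maxlen:
        raise ValueError("%s%s exceeds %d characters" % (resname, suffix, maxlen))
    return resname + suffix


def signon_allowed(racf, classname, resname, suffix, userid, access_flag):
    """access_flag is SIGNONACCESS or TERMINALACCESS (True for Yes/ON).
    An unset class means the check is skipped and access is granted."""
    if classname is None:
        return True
    resource = generated_resource(racf, classname, resname, suffix)
    saf_rc, _ = racf.auth(classname, resource, userid)
    if saf_rc == 0:
        return True         # profile defined and user permitted
    if saf_rc == 8:
        return False        # denied, or undefined under PROTECTALL
    return access_flag      # 4,4: RACF cannot decide, the flag decides


# Constructed sample classes; the 39-character maximum is illustrative only.
SAMPLE_CLASSES = {
    "APPL": {"maxlen": 39, "profiles": {"ISM.ISMPROD": {"USER1"}}},
    "TERMINAL": {"maxlen": 39, "profiles": {"ISM.TERM.TCP00001": {"USER1"}}},
}


def racf_without_protectall():
    return MockRacf(False, SAMPLE_CLASSES)


def racf_with_protectall():
    return MockRacf(True, SAMPLE_CLASSES)


if __name__ == "__main__":
    r = racf_without_protectall()
    print("ISMTEST undefined, SIGNONACCESS Yes:",
          signon_allowed(r, "APPL", "ISM.", "ISMTEST", "USER1", True))
```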
TYPECLASSGLOBAL Yes|No|ON|OFF
If set to Yes or ON, the in-storage profile data will be resident in a dataspace, which is dynamically refreshed whenever a SETROPTS RACLIST(classname) REFRESH command is issued to the ESM. If set to No or OFF, the profile data will be resident in private storage and can only be refreshed by issuing the SECFRESH command within IBM Session Manager.