Defining security categories: SECCATEG

This section describes how to configure access management when not using Central Governance.

This mandatory command defines privileges by associating actions or action domains, objects or object domains, and the scope of the security checks. This topic describes how to define security categories with it.

To speed up the parameter setting process, individual actions and objects can be grouped together directly, without using action or object domains.

Note: If an action on an object has not been granted by a SECCATEG command, that action is inaccessible to all users.

Syntax

SECCATEG
     MODE = {REPLACE | CREATE | DELETE},
     DACT = (action domain, action domain, ..., basic action,...),
     DOBJ = (object domain, object domain,..., basic object, ...),
     ID = identifier,
     SCOPE = {ANY | GROUP | OWNER}

Description

Use the SECCATEG command to define privileges by associating actions or action domains, objects or object domains, and the scope of the security checks.

Parameters

DACT     = (action domain, action domain, ..., basic action,...)

Explicit list of action domains or basic actions applicable to the objects described by the command.

The maximum number of actions is 20.

The * and ? wildcard characters cannot be used when specifying actions.

DOBJ     = (object domain, object domain, ..., basic object,...)

Explicit list of object domains or basic objects.

The maximum number of domains is 20.

The * and ? wildcard characters cannot be used when specifying objects.

ID     = identifier

Identifier of the category.

This identifier must be unique. You cannot use the same ID with multiple SECCATEG commands.

MODE     = {REPLACE | CREATE | DELETE}

Operation to be carried out.

  • REPLACE: modifies one or more records, or creates them if they do not exist
  • CREATE: creates one or more records
  • DELETE: deletes one or more records

SCOPE     = {ANY | GROUP | OWNER}

Scope of the privileges defined by the command.

  • ANY: all users can apply actions of the specified category to objects of the specified category
  • GROUP: only users belonging to the owner’s group can apply actions to the object
  • OWNER: only the object owner can apply actions to the object

Example 1

Privileges granted to object owners

Action definition

SECDACT ID = UPDATE,
     MODE = REPLACE,
     ACTION = (READ,MODIFY)

Object definition

SECDOBJ ID = DPART,
     MODE = REPLACE,
     OBJECT = CFTPART,
     VALUE = P1*

Category definition

SECCATEG ID = CATPART,
     MODE = REPLACE,
     DOBJ = DPART,
     DACT = UPDATE,
     SCOPE = OWNER

The CATPART security category grants the READ and MODIFY actions on every object in the DPART domain (CFTPART commands whose name starts with P1) to the owner of that object only.

Example 2

Create privileges from basic actions and objects

Category definition

SECCATEG ID = CFTPARM,
     MODE = REPLACE,
     DOBJ = (CFTPARM,CFTPROT,CFTNET),
     DACT = (READ,CREATE,DELETE,MODIFY)
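A lint for a file of SECCATEG commands, written here as an added example and not code from the product documentation: it checks the rules stated above (valid MODE and SCOPE keywords, at most 20 entries per list, no * or ? wildcards, unique IDs) over a constructed sample holding the two example commands plus a deliberately malformed third one. The line-based parsing and the defaults assumed for an omitted MODE or SCOPE are assumptions of this example, not the product's own loader behaviour.

```python
import re

# Limits and keyword values taken from the SECCATEG parameter descriptions above.
MAX_ENTRIES, VALID_MODES = 20, {"REPLACE", "CREATE", "DELETE"}
VALID_SCOPES = {"ANY", "GROUP", "OWNER"}

def parse_seccateg(text):
    """Parse one 'KEY = value' command into a dict; (a,b,c) values become lists."""
    params = {}
    for m in re.finditer(r"(\w+)\s*=\s*(\([^)]*\)|[^,\s]+)", text):
        key, val = m.group(1).upper(), m.group(2)
        if val.startswith("("):
            val = [v.strip() for v in val[1:-1].split(",") if v.strip()]
        params[key] = val
    return params

def validate_seccateg(params, seen_ids):
    """Return the rule violations for one parsed command; seen_ids tracks IDs across commands."""
    errors = [f"missing {k}" for k in ("ID", "MODE", "DACT", "DOBJ") if k not in params]
    if params.get("MODE", "REPLACE").upper() not in VALID_MODES:
        errors.append(f"invalid MODE {params['MODE']}")
    if params.get("SCOPE", "ANY").upper() not in VALID_SCOPES:  # SCOPE is omitted in Example 2 (assumed default ANY)
        errors.append(f"invalid SCOPE {params['SCOPE']}")
    for key in ("DACT", "DOBJ"):
        vals = params.get(key, [])
        vals = [vals] if isinstance(vals, str) else vals
        if len(vals) > MAX_ENTRIES:
            errors.append(f"{key} has {len(vals)} entries, maximum is {MAX_ENTRIES}")
        errors += [f"{key}: wildcard not allowed in {v}" for v in vals if "*" in v or "?" in v]
    if "ID" in params:
        if params["ID"] in seen_ids:
            errors.append(f"duplicate ID {params['ID']}")
        seen_ids.add(params["ID"])
    return errors

def lint_file(text):
    """Split a parameter file at each SECCATEG keyword and lint every command."""
    seen, report = set(), []
    for chunk in filter(str.strip, re.split(r"(?=\bSECCATEG\b)", text)):
        p = parse_seccateg(chunk)
        report.append((p.get("ID", "?"), validate_seccateg(p, seen)))
    return report

# Constructed sample: the two commands from the examples above, then one that breaks four rules.
SAMPLE = """SECCATEG ID = CATPART, MODE = REPLACE, DOBJ = DPART, DACT = UPDATE, SCOPE = OWNER
SECCATEG ID = CFTPARM, MODE = REPLACE,
     DOBJ = (CFTPARM,CFTPROT,CFTNET), DACT = (READ,CREATE,DELETE,MODIFY)
SECCATEG ID = CATPART, MODE = UPDATE, DOBJ = (CFTPART*), DACT = READ, SCOPE = USER
"""
```

Running `lint_file(SAMPLE)` reports no violations for the first two commands and four for the third (invalid MODE, invalid SCOPE, a wildcard in DOBJ, and a duplicate ID).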
