Setting up the security environment by using HFMSECUR

A security exit is provided for security control from within Z Data Tools if you do not use RACF® or equivalent security product, or if SAF is not active at your installation. This exit is called HFMSECUR and is distributed in HFM.SHFMSAM1. You use HFMSECUR to protect selected Z Data Tools functions from unauthorized users.

If you want to use HFMSECUR for security, customize it as described below and install it using the usermod HFMUMODS. For information on installing HFMUMODS, see Installing HFMSECUR using HFMUMODS.

Copy HFMSECUR from HFM.SHFMSAM1 to your own source library and edit it there. By default, in the supplied HFMSECUR, no functions are protected. This means that any user can use any Z Data Tools function unless otherwise specified. You can override this as follows:
  • Give or deny some users (or all users) access to one of the following groups of Z Data Tools functions:
    FILEM.DISK.INPUT
    Disk input functions
    FILEM.DISK.UPDATE
    Disk update functions
    FILEM.TAPE.INPUT
    Tape input functions
    FILEM.TAPE.OUTPUT
    Tape output functions
    FILEM.TAPE.DUPLICATE
    Tape copy functions
    FILEM.TAPE.UPDATE
    Tape update functions
    FILEM.VSAM.UPDATE
    VSAM update functions
    FILEM.OAM.OUTPUT
    OAM output functions
    FILEM.OAM.UPDATE
    OAM update functions
    FILEM.LOADMOD.UPDATE
    Load module update functions
    FILEM.OTHER.ALL
    All other functions
    FILEM.TAPE.BLP
    See Controlling Bypass Label Processing (BLP)
    FILEM.DISK.FULLPACK
    See Controlling fullpack access to DASD volumes

    For more information about these groups, see Table 3.

  • Give or deny some users (or all users) access to an individual Z Data Tools function.

Controlling access

Three facility groups are provided to allow you to control access to Z Data Tools base function, and to ZDT/IMS and ZDT/Db2, from the ZDT/CICS primary option menu. These groups are:
FILEM.CICS.BASE
Access to Z Data Tools base function
FILEM.CICS.IMS
Access to ZDT/IMS
FILEM.CICS.DB2
Access to ZDT/Db2

If a user ID running ZDT/CICS has read access to any of these groups, then the associated function (HFM, ZDT/IMS or ZDT/Db2) will appear on the ZDT/CICS primary option menu and the user can invoke these functions, if they are installed.

If you have installed and customized the ZDT/CICS component, you should review your requirement for this access.

For more information about ZDT/CICS, see Customizing Z Data Tools CICS Component, and also the Z Data Tools User’s Guide and Reference for CICS.

Protecting update functions

Three facility groups are provided to enable you to protect update functions in Z Data Tools base function, ZDT/Db2, and ZDT/CICS. They are:
FILEM.BASE.UPDATE
Protect update functions in Z Data Tools base
FILEM.DB2.UPDATE
Protect update functions in ZDT/CICS
FILEM.CICS.UPDATE
Protect update functions in ZDT/CICS

(This aspect of security is handled differently for ZDT/IMS, see Controlling access to IMS subsystems and ZDT/IMS functions.)

These facility classes also require the option SEC=YES to be specified in HFM0POPT (for Z Data Tools base), HFM2POPT (for ZDT/Db2), and HFM3POPT (for ZDT/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see Table 1, Customizing to protect update functions in ZDT/Db2, and Customizing to protect update functions in ZDT/CICS.

If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.

You modify HFMSECUR for your requirements by supplying HFMS macro statements to provide the control you want. Refer to the prolog in the supplied sample HFMSECUR for information about how HFMSECUR processes the HFMS macro statements, and where to insert the statements in the HFMSECUR source. The syntax of the HFMS macro is described in Syntax of the HFMS macro.

Examples of giving or denying access

The following examples show how to use HFMSECUR to give or deny a user access to a group of functions or a specific function.

  • To give a user access to a group of functions (for example, tape output functions), add statements similar to this to HFMSECUR:
    HFMS CLASS=FACILITY,
         ENTITY=FILEM.TAPE.INPUT,
         ACCESS=READ,
         USERID=userid
    Similarly, to deny a user access to tape output functions, add statements similar to this:
    HFMS CLASS=FACILITY,
         ENTITY=FILEM.TAPE.INPUT,
         ACCESS=NONE,
         USERID=userid
  • To give a user access to a specific function (for example, the VSAM to Tape function), add statements similar to this:
    HFMS CLASS=FACILITY,
         ENTITY=FILEM.FUNCTION.VT,
         ACCESS=READ,
         USERID=userid
    Similarly, to deny a user access to the VT function, add statements similar to this:
    HFMS CLASS=FACILITY,
         ENTITY=FILEM.FUNCTION.VT,
         ACCESS=NONE,
         USERID=userid

When a user tries to use a Z Data Tools function, HFMSECUR is called (once) with both the profile name shown in Table 3 (in the form FILEM.group.name) and the function code. HFMSECUR reads through the list of HFMS macros until a match is found for the user name or job name, and either the profile name or the function code. The first match found is used.

This means that each HFMS macro effectively overrides any HFMS macro that appears after it in the file. If you want HFMSECUR to have the same behaviour as SAF (where function code specifications override profile name specifications), put all of your function code specifications before your profile name specifications.