Command Authorization in NetView - Bypassing Checking
LarryGreen
Despite the obvious importance of checking whether the issuer of a NetView command is authorized to issue it, there are times when such checking should be bypassed in order to optimize performance. One example is when commands are invoked by NetView's automation table. Users can configure automation-invoked commands to be authority-checked or not. Another example is commands that are invoked by other commands. Of course, we can consider the combined case of a command "A" driven by automation, which invokes command "B". First, let's consider "A".
Each NetView command is defined by a CMDDEF statement in a configuration member, or by an ADDCMD command. In either case, the command can be defined with one of the following security settings:
- SEC=CH specifies that authorization checking is always to be performed, regardless of the environment.
- SEC=BY specifies that authorization checking is bypassed regardless of the environment.
- SEC=DE specifies (either explicitly or by default) that (1) authorization checking for commands that do not originate in the automation table is to be performed, and (2) authorization checking for commands that do originate in the automation table is controlled by the value of AUTOSEC that can be specified using the DEFAULTS command.
The AUTOSEC value mentioned just above is NetView-wide, and is set as follows using the DEFAULTS command:
- AUTOSEC=CHECK specifies that all commands routed from the automation table are authority-checked against the target task, unless SEC=BY was specified for the specific command. CHECK is the default.
- AUTOSEC=BYPASS specifies that commands routed from the NetView automation table, as well as any embedded commands, are not authority-checked, unless SEC=CH was specified for the command. BYPASS is the initial value as set in the CNMSTYLE sample stylesheet (reasons for the different "defaults" are historical).
- AUTOSEC=DEFER specifies that commands routed from the automation table are authority-checked unless SEC=BY was specified for the command, or the command is running inside an AUTBYPAS environment. (Note that the DEFER setting was added recently for all releases of NetView Version 6. Before then, AUTBYPAS specifications inside automation-driven commands were not effective; they were overridden by the CHECK or BYPASS setting.)
The AUTOSEC setting can be displayed, along with the rest of NetView's security-related parameters, using the LIST SECOPTS command.
Returning to the general topic of commands invoked by other commands, the author of command "A" described earlier can decide whether subordinate commands such as "B" should be authority-checked, given that the issuer of "A" is authorized. This may be controlled by the use of the AUTBYPAS function, assuming "A" is written in REXX (as nowadays, almost all NetView commands should be), regardless of whether "A" is driven by automation. The above AUTOSEC rules only pertain to the automation case.
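The SEC and AUTOSEC rules above can be written as one decision function, which makes it easy to see which commands would run unchecked from automation under each AUTOSEC value. This Python model is an added example, not NetView code or anything from IBM; the command names are made up, and treating an AUTBYPAS environment as suppressing the check for SEC=DE commands outside automation is an assumption drawn from the preceding paragraph.

```python
from enum import Enum


class Sec(Enum):       # per-command setting (CMDDEF / ADDCMD)
    CH = "CH"
    BY = "BY"
    DE = "DE"


class AutoSec(Enum):   # NetView-wide setting (DEFAULTS command)
    CHECK = "CHECK"
    BYPASS = "BYPASS"
    DEFER = "DEFER"


def is_authority_checked(sec, autosec, from_automation, in_autbypas=False):
    """Return True if the command is authority-checked under the rules above."""
    if sec is Sec.CH:              # always checked, regardless of environment
        return True
    if sec is Sec.BY:              # always bypassed, regardless of environment
        return False
    # SEC=DE from here on.
    if not from_automation:
        # Assumption: an AUTBYPAS environment set up by the calling REXX
        # command suppresses the check for its subordinate commands.
        return not in_autbypas
    if autosec is AutoSec.CHECK:   # AUTBYPAS is overridden under CHECK
        return True
    if autosec is AutoSec.BYPASS:  # automation-routed and embedded commands
        return False
    return not in_autbypas         # DEFER honours AUTBYPAS


def unchecked_from_automation(commands, autosec):
    """Names of commands that would run unchecked when routed from automation."""
    return sorted(name for name, (sec, in_autbypas) in commands.items()
                  if not is_authority_checked(sec, autosec, True, in_autbypas))


# Constructed sample: hypothetical command name -> (SEC value, runs under AUTBYPAS)
SAMPLE = {
    "CMDA": (Sec.DE, False),
    "CMDB": (Sec.DE, True),
    "CMDC": (Sec.CH, True),
    "CMDD": (Sec.BY, False),
}

if __name__ == "__main__":
    for setting in AutoSec:
        print(setting.value, unchecked_from_automation(SAMPLE, setting))
```

Running it against an inventory of your own command definitions shows how the set of unchecked commands changes between the CNMSTYLE sample value (BYPASS) and CHECK or DEFER.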
For more information about AUTBYPAS, AUTOSEC, SEC, and CMDAUTH, see the IBM