Distributed Security Exits

The security exits, FOP2OS00 and FOP2OS01, are distributed with Optim. FOP2OS00 determines access privilege on the basis of the owner and the security status for the object. FOP2OS01 uses System Authorization Facility (SAF) calls for security authorization and, if access privilege cannot be determined by the SAF call, the same security as provided by FOP2OS00 applies. If neither distributed exit meets the needs of a site, the site must write its own exit routine.

Distributed Exit FOP2OS00

The distributed exit FOP2OS00 determines access privilege for an object on the basis of the owner and security status for the object. The owner is the user that last modified the object or, if the object has never been modified, the user that created the object.

A user can assign a security status to an object on the Object Attributes panel; otherwise, the default security setting applies. The security status is one of the following:

PUBLIC
Any user can access the object for any purpose, and any user can modify the status to READONLY or PRIVATE. The object name appears on selection lists.
READONLY
Any user can access the object, but only the owner or site administrator can edit the object, delete the object, or change its security status. The object name appears on selection lists.
PRIVATE
Only the owner or site administrator can access the object for any purpose, including changing its security status. The object name appears on selection lists only if the requestor is the owner or site administrator.

FOP2OS00 is distributed as a load module in the SFOPLLIB library. To use the supplied load module, specify 00 as the Object Security Suffix on the Site Options panel.

Distributed Exit FOP2OS01

FOP2OS01 uses SAF calls for security authorization.

(It is assumed that the user reading this section has a working knowledge of SAF facilities; a detailed explanation of SAF processing is beyond the scope of this Customization Guide.)

FOP2OS01 is distributed in source format in the Optim™ sample library. To use FOP2OS01, you must assemble and link the exit into the Optim load library. To use the unmodified exit, name the load module FOP2OS01 and specify 01 as the Object Security Suffix on the Site Options panel. If you customize the exit to satisfy site requirements, rename the load module to FOP2OSnn, where nn is any two-digit number from 02 through 99. You can then enable the new exit by specifying the two-digit number as the Object Security Suffix on the Site Options panel.

The FOP2OS01 security exit establishes access privilege in three steps:

  • If the user requesting access to the object is the owner of the object, access is granted automatically and no SAF call is made; the owner of an object always has complete access to the object.
  • If the user requesting access to the object is not the owner, Optim executes an SAF call using a parameter list. (A description of the parameter list follows.)
  • If the SAF call cannot establish access privilege (that is, none of the conditions for which it checks apply – see SAF Access Rules), the exit determines access privilege on the basis of the security status of the object and whether the user is the site administrator. The PUBLIC, READONLY, and PRIVATE rules described earlier apply in this case.

SAF Parameter List

When you use the FOP2OS01 exit for security, and a user who requests access to an object is not the owner of the object, Optim executes an SAF call using the following parameter list.

PSTRT.objtype.ssn.objname

objtype
The type of object, which can be:

  • AD for Access Definition
  • CD for Compare Definition
  • CM for Column Map
  • TM for Table Map
  • AC for Archive Collection
  • PK for Optim Primary Key
  • RL for Optim Relationship
  • LT for Legacy Table
  • ED for IMS™ Environment Definition
  • RD for IMS Retrieval Definition
  • PR for Column Map Procedure

ssn
The AttachID (either the DB2® SubsysID or a Group AttachID).
objname
The fully qualified name of the object, consisting of two or three qualifiers separated by periods.

For example, FOPDEMO.TM1 for a Table Map, or FOPDEMO.SAMPLE.AD1 for an Access Definition. See Naming Conventions in the Common Elements Manual for more information about object names.

Note: Standard SAF classes protect access to datasets, for which qualifiers are limited to 8 characters. Qualifiers for Optim objects may exceed 8 characters. Thus, SAF calls require a user-defined RACF® Class, PSTRT40. The sample definition for this class is in the FOPCDTU member of the install library. This class, with a maximum length of 246 characters, can be defined by assembling and linking the sample provided. For other user-defined RACF classes, you must add the sample to your existing class definitions and assemble and link it.

SAF Access Rules

Using SAF, access to an object is denied if the user has no authority.

Access is granted according to the following rules:

User Authority      Type of Request
Control or Alter    CREATE, DELETE, GET, INDEX, STATUS, UPDATE
Update              GET, INDEX, STATUS, UPDATE
Read                GET, INDEX
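
The three-step order and the table above can be checked against a small model. The following Python sketch is an added illustration, not the FOP2OS01 assembler source or any Optim code. Its function names, the use of `None` for "SAF could not establish access privilege" and `"NONE"` for "no authority", and the treatment of GET and INDEX as the only non-modifying requests under READONLY are assumptions made for the example.

```python
# Model of the FOP2OS01 decision order described above (illustrative only).
# Assumption: saf_authority is None when the SAF call cannot establish access
# privilege, "NONE" when the user has no authority, else READ/UPDATE/CONTROL/ALTER.
SAF_RULES = {
    "CONTROL": {"CREATE", "DELETE", "GET", "INDEX", "STATUS", "UPDATE"},
    "ALTER": {"CREATE", "DELETE", "GET", "INDEX", "STATUS", "UPDATE"},
    "UPDATE": {"GET", "INDEX", "STATUS", "UPDATE"},
    "READ": {"GET", "INDEX"},
    "NONE": set(),
}
REQUESTS = SAF_RULES["ALTER"]
STATUSES = {"PUBLIC", "READONLY", "PRIVATE"}


def status_rule(request, status, is_admin):
    """FOP2OS00-style fallback for a requestor who is not the owner."""
    if status not in STATUSES:
        raise ValueError(f"unknown security status: {status}")
    if is_admin or status == "PUBLIC":
        return True
    # Assumption: GET and INDEX are the "access" requests; the rest modify.
    return status == "READONLY" and request in {"GET", "INDEX"}


def fop2os01_decision(request, user, owner, status,
                      saf_authority=None, is_admin=False):
    """Return (granted, deciding_step) for one access request."""
    if request not in REQUESTS:
        raise ValueError(f"unknown request type: {request}")
    if user == owner:                    # step 1: owner, no SAF call is made
        return True, "owner"
    if saf_authority is not None:        # step 2: SAF established a privilege
        if saf_authority not in SAF_RULES:
            raise ValueError(f"unknown SAF authority: {saf_authority}")
        return request in SAF_RULES[saf_authority], "saf"
    # step 3: SAF could not decide, so the object's security status applies
    return status_rule(request, status, is_admin), "status"


if __name__ == "__main__":
    # Constructed cases: (request, user, owner, status, saf_authority)
    for case in [("GET", "BOB", "ALICE", "PRIVATE", "READ"),
                 ("GET", "BOB", "ALICE", "PUBLIC", "NONE"),
                 ("STATUS", "BOB", "ALICE", "READONLY", None)]:
        print(case, "->", fop2os01_decision(*case))
```

Under these assumptions, a SAF result takes precedence over the object's security status: Read authority opens a PRIVATE object for GET, and a user with no authority is denied even when the object is PUBLIC.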