IBM Connect:Direct Functional Authority

When you sign on to an IBM® Connect:Direct® system running with security (or when a Process you submit begins executing), you are assigned a 20-byte authorization bit mask (ABM) based on a recommendation by the stage 2 security exit or the IBM Connect:Direct Authorization file. The ABM describes your unique functional authority within IBM Connect:Direct.

IBM Connect:Direct provides four standard security levels in the DGAMGSAF exit described in the following table. The ADMVOL, OPRVOL, DBAVOL, and GENVOL parameters indicate the volumes on which these data sets reside. If you do not specify volume names in the DGAMGSAF stage 2 security exit, the exit provides default volume names for monitoring by your security subsystem.

Note: If CLASS=DATASET is defaulted or specified, IBM Connect:Direct uses the four standard security levels described above. If CLASS=FACILITY is specified, IBM Connect:Direct uses these same four standard security levels as defined in the following table. However, the volser information is not needed or used by the stage 2 security exit (as provided with the installation media).

Note: To add new functional authority levels or change the privileges in the standard functional authority levels, see Functional Authority Privileges. There are also 10 user-defined functional levels (US0DSN-US9DSN). For more information about these functional levels, see Example 3 - Defining Additional Levels of Functional Authority and Example 4 - Assigning Read-Only Authority to a User Authorization Level.

| Parameter | Description |
| --- | --- |
| ADMDSN=file name ADMVOL=volser | Specifies full administrator authority. The specified user is authorized to execute all Process language statements and commands. |
| DBADSN=file name DBAVOL=volser | Specifies DB2 Data Base Administrator. |
| OPRDSN=file name OPRVOL=volser | Specifies operator authority. The specified user is authorized to delete, change, display, flush, and submit Processes; stop IBM Connect:Direct; start and stop traces; and display, add, delete, and update type. |
| GENDSN=NULLFILE\|file name GENVOL=volser | Specifies general authority. The specified user is authorized to delete, change, display, and flush his own Processes, submit Processes, and display, add, delete, and update Type. |

If NULLFILE is coded, a user who logs on to IBM Connect:Direct without specific administrator or operator authorization is, by default, classified as a general user. The following is a sample User Authorization screen, showing commands available to a general user.

If a bit in one of these standard ABMs is set to one, you are authorized to perform the IBM Connect:Direct command that is associated with that bit, according to the security levels.

For example, if you have the authority to read the ADMDSN, you are given the administrator bit mask that enables you to perform administrator functions. If you do not have ADMDSN authority, OPRDSN read authority is checked, and so on, according to the sequence described in Functional Authority Validation Sequence.

To assign IBM Connect:Direct functional authority, define four data sets or resources on your system to correspond to the administrator, operator, database administrator, and general user data sets.

You can specify IBM Connect:Direct functional authority to individual users by verifying access to one of the named resources. These resource names refer to IBM Connect:Direct functional authority grouped by the four categories. IBM Connect:Direct users are given access to the resource that corresponds to their level of authority.
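
The following RACF commands illustrate the resource definitions described above. They are an added example, not part of the IBM documentation or the supplied exit. They assume that RACF is the security subsystem, that the DGAMGSAF exit is assembled with CLASS=FACILITY, and that the resource names (CD.FUNC.*) and group names (CDADMIN, CDOPER, CDDBA, CDUSER) are hypothetical values matching what is coded for ADMDSN, OPRDSN, DBADSN, and GENDSN.

```racf
 /* Added example. Resource and group names are constructed; use the   */
 /* names coded for ADMDSN, OPRDSN, DBADSN and GENDSN in your exit.    */

 /* READ access to a resource selects that level's bit mask, so every  */
 /* profile starts with UACC(NONE) and grants access explicitly.       */
RDEFINE FACILITY CD.FUNC.ADMIN UACC(NONE) AUDIT(ALL(READ))
RDEFINE FACILITY CD.FUNC.OPER  UACC(NONE)
RDEFINE FACILITY CD.FUNC.DBA   UACC(NONE)
RDEFINE FACILITY CD.FUNC.GEN   UACC(NONE)

 /* Grant READ to groups rather than to individual user IDs.           */
PERMIT CD.FUNC.ADMIN CLASS(FACILITY) ID(CDADMIN) ACCESS(READ)
PERMIT CD.FUNC.OPER  CLASS(FACILITY) ID(CDOPER)  ACCESS(READ)
PERMIT CD.FUNC.DBA   CLASS(FACILITY) ID(CDDBA)   ACCESS(READ)
PERMIT CD.FUNC.GEN   CLASS(FACILITY) ID(CDUSER)  ACCESS(READ)

 /* Activate the changes if the FACILITY class is RACLISTed.           */
SETROPTS RACLIST(FACILITY) REFRESH

 /* Review who holds the administrator level.                          */
RLIST FACILITY CD.FUNC.ADMIN AUTHUSER
```

Because READ access alone grants the corresponding bit mask, a universal access above NONE or an overly broad generic profile covering the administrator resource would give every user administrator authority.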

In addition, you can modify the standard ABMs provided by IBM Connect:Direct to change the default privileges for a functional authority level. See Functional Authority Privileges. You can also expand the number of functional authority levels by creating authorization bit masks for new user-defined levels. See Defining Additional Levels of Functional Authority.