The following fields defined in the Guardium system Access Rule Definition panel are used by IBM Security Guardium S-TAP for IMS to create policies and rules. Use the following information as a guideline.
Table 1. Fields that are used for IMS Policy pushdown

| Label | Hover text |
| --- | --- |
| Service Name | IMS names to which this rule applies (case sensitive) |
| Application User | INCLUDE/PSB or EXCLUDE/PSB |
| Database User | INCLUDE/USERID or EXCLUDE/USERID |
| Object | INCLUDE/read+update+delete+insert+data+image/DBNAME.SEGNAME or EXCLUDE/DBDNAME.SEGNAME |
- Service name/IMS name
  - Required.
  - Must be 1 -- 8 characters.
  - Mixed case is allowed, and the field is case sensitive.
  - Wildcard characters are not allowed.
- Application user/PSB
  - Must be 1 -- 8 characters.
  - All typed characters should be folded to uppercase.
  - Supports % as a wildcard character. % matches zero or more characters.
  Note: If the keyword EXCLUDE is used, at least one INCLUDE must also be specified.
- Database user/User ID
  - Must be 1 -- 8 characters.
  - All typed characters should be folded to uppercase.
  - Supports % as a wildcard character. % matches zero or more characters.
  Note: If the keyword EXCLUDE is used, at least one INCLUDE must also be specified.
- Object/Target DB/Segment
  - database_name must be 1 -- 8 characters.
  - segment_name must be 1 -- 8 characters.
  - wildcard_pattern supports % as a wildcard character. % matches zero or more characters.
  - All typed characters should be folded to uppercase.
  Note: You must specify at least one INCLUDE with at least one DLI call type. DBD and segment must also be specified.
- DLI Call Code
  - Used to generate audit records for DLI calls that result in a non-blank status code. A non-blank status code can indicate that the DLI call failed or completed with a warning.
  - The following DLI status codes can be audited:
    - FD
    - FW
    - GA
    - GB
    - GD
    - GE
    - GK
    - L2
    - LB
    - LS
    - NI
    - UC
    - US
    - UX
    You can specify one or more DLI status codes.
  - For more information about DLI status codes, see the About DLI status codes information at IBM Documentation.
- Audit
  - Used to limit the types of DLI calls to be audited.
  - NOHLVL causes audit information to be collected only for the target segment of a DLI Path call (Command code C or D), instead of generating audit data for each segment of the hierarchical path. This can reduce the volume of audited data that is sent to, and stored by, the Guardium appliance in cases where the target segment concatenated key is sufficient for auditing purposes.
- LTERM Filtering
  - Must be 1 -- 8 characters.
  - All typed characters should be folded to uppercase.
  - Supports % as a wildcard character. % matches zero or more characters.
  Note: If the keyword EXCLUDE is used, at least one INCLUDE must also be specified.
  - By default, auditing is considered for any DLI call that has a blank/null LTERM (for example, from a BMP or other region type that does not present IMS with an LTERM value). When an LTERM value or a group of LTERMs is specified, an option box is presented to enable you to turn off BLANK LTERM auditing. Turning off BLANK LTERM auditing does not affect the auditing of BMPs; any other region types without an LTERM value are excluded from auditing.
- Filtering DLI calls from specific IMS Region types
  - You can filter out DLI calls from specific IMS Region types. DLI calls that originate from one or more of these region types can be excluded from auditing consideration:
    - AER
    - BMP
    - CICS
    - DBCTL
    - IFP
    - MPP
    - ODB
  - In the Guardium interface, click the pencil icon alongside the Region Types to Exclude field to open a set of checkboxes that enable you to remove regions from auditing.
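As an added example (not IBM's code; how Guardium itself parses these fields is not described on this page), the following Python checker applies the Object field rules listed above before a rule is pushed down: it folds names to uppercase, enforces the 1 -- 8 character limits on DBD and segment names, treats % as a zero-or-more wildcard, accepts only the six call types named in the hover text, and requires at least one INCLUDE with a DLI call type. The precedence used by is_audited (an EXCLUDE on a matching DBD.SEGNAME overrides any INCLUDE) is an assumption, not a rule stated on the page.

```python
import re

# Call types listed in the Object hover text on this page.
CALL_TYPES = {"read", "update", "delete", "insert", "data", "image"}

def fold(name):
    # Typed characters are folded to uppercase (page rule).
    return name.strip().upper()

def wildcard_match(pattern, value):
    # % matches zero or more characters; everything else is literal.
    regex = ".*".join(re.escape(p) for p in pattern.split("%"))
    return re.fullmatch(regex, value) is not None

def parse_object_entry(entry):
    # INCLUDE/<call types joined by +>/DBDNAME.SEGNAME  or  EXCLUDE/DBDNAME.SEGNAME
    parts = entry.split("/")
    action = fold(parts[0])
    if action == "INCLUDE" and len(parts) == 3:
        calls = {c.strip().lower() for c in parts[1].split("+") if c.strip()}
        target = parts[2]
    elif action == "EXCLUDE" and len(parts) == 2:
        calls, target = set(), parts[1]
    else:
        raise ValueError(f"malformed Object entry: {entry!r}")
    dbd, _, seg = fold(target).partition(".")
    return {"action": action, "calls": calls, "dbd": dbd, "seg": seg}

def validate_object_field(entries):
    # Returns the violations of the page's Object-field rules; empty list if clean.
    rules = [parse_object_entry(e) for e in entries]
    errors = []
    for r in rules:
        if not all(1 <= len(r[k]) <= 8 for k in ("dbd", "seg")):
            errors.append(f"DBD and segment must each be 1-8 characters: {r['dbd']}.{r['seg']}")
        if r["calls"] - CALL_TYPES:
            errors.append(f"unknown DLI call type(s): {sorted(r['calls'] - CALL_TYPES)}")
    if not any(r["action"] == "INCLUDE" and r["calls"] for r in rules):
        errors.append("at least one INCLUDE with at least one DLI call type is required")
    return errors

def is_audited(entries, dbd, seg, call):
    # Assumption (not on the page): an EXCLUDE matching DBD.SEGNAME overrides any INCLUDE.
    rules = [parse_object_entry(e) for e in entries]
    def hits(r):
        return wildcard_match(r["dbd"], fold(dbd)) and wildcard_match(r["seg"], fold(seg))
    if any(r["action"] == "EXCLUDE" and hits(r) for r in rules):
        return False
    return any(r["action"] == "INCLUDE" and call in r["calls"] and hits(r) for r in rules)
```

The sample DBD and segment names used in the checks below are constructed for illustration.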