Setting up SCLM subproject security

If SCLM subproject security is active, you must:

  1. Define the subprojects available to each SCLM project/alternate using the FLMPROJ macro to specify each subproject. For example: 
    PAYROLL    FLMPROJ DESC='PAYROLL SYSTEM'
ACCOUNTS   FLMPROJ DESC='ACCOUNT PAYABLE'
  2. Re-assemble the SCLM project definition.
  3. Define who has access to the subprojects using the XFACILIT resources.
To define access to the subprojects, you must create a XFACILIT resource class with a UACC of NONE. The profile name should be in the format: 
SCLM.SUB.project.alternate.subproject.type
where:
project
The SCLM project name.
alternate
The SCLM alternate project name.
subproject
The subproject defined in SCLM that you want to secure.
type
Determines what types in the SCLM project you can access.
The type on this resource class can be used to refine the security to allow you to define what types a user can access within the SCLM subproject.
Note: You can set up generic resources by specifying an asterisk (*) for either the project, alternate, subproject, or type in the profile name.
Figure 1 shows an example of setting up SCLM subproject security.
Figure 1. Example of setting up SCLM subproject security
CLASS      NAME
-----      ----
XFACILIT   SCLM.SUB.PRJ0120.*.VISA.* (G)

GROUP CLASS NAME
----- ----- ----
GXFACILI

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SCLM            NONE             UPDATE    NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

SECLEVEL
NO SECLEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

USER      ACCESS
----      ------
AUDITOR   READ
DEVELOP   UPDATE


   ID     ACCESS  CLASS                ENTITY NAME
-------- ------- -------- ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST

Once the XFACILIT resource has been created, you must provide users access to the XFACILIT resource. The easiest way to do this is to set up a RACF® group and give this group the required access to the subproject. Users can be given access to the RACF group.

The access given to a user or RACF group to the subproject XFACILIT resource is important in defining what the user is able to do with a member. For example, when a member is being edited, what a user is able to do depends on whether they have READ, UPDATE, or ALTER authority to the subproject XFACILIT resource.

So, for example, to provide auditors with read access and developers or project leaders with update access to the subproject VISA, you set up two groups:
AUDITOR
Read access to XFACILIT resource SCLM.SUB.PRJ0120.*.VISA.*
VISA
Update access to XFACILIT resource SCLM.SUB.PRJ0120.*.VISA.*

In this example, in RACF you would provide given the required users access to the AUDITOR and VISA RACF groups. Once the RACF resources have been refreshed, the user should have the ability to access members with a VISA subproject in the SCLM project PRJ0120.

Table 1 lists the various SCLM functions and the subproject access provided to the user.
Table 1. Subproject access for each SCLM function
Service Subproject access Notes
READ UPDATE ALTER
ACCTINFO Y     READ access allows the user to display the account information. Issue the A line command in Library Utility (option 3.1) or UOW (option 3.11) and retrieve account information using the ACCTINFO service.
AUTHCODE Y Y   READ access allows the user to retrieve authcode information using the AUTHCODE service. UPDATE access allows the authcode to be modified using the U line command in Library Utility (option 3.1) or UOW (option 3.11) and using the AUTHCODE service.
BUILD Y Y Y Building using build (option 4), C line command in Library Utility (option 3.1) and UOW (option 3.11), or the BUILD service validates the access prior to each translator step:
  • READ access allows input members to be used to generate outputs.
  • Where the output member does not exist, the subproject is copied from the initial input member.
  • Where the output member does exist and the subproject is not changing, the user must have UPDATE access to the output member.
  • Where the output member already exists and the subproject is to change, the user must have ALTER access to the output member.
CCEXITS       The CCEXITS service access will be the same as for Edit.
DBACCT Y     READ access for the DBACCT service allows SCLM to return the accounting information.
DBUTIL       No access validation is performed.
DELETE   Y   Update access allows the D line command in Library Utility (option 3.1) or UOW (option 3.11) and the DELETE service to delete the member.
DELGROUP   Y   UPDATE access allows the Delete from group (option 3.9) and the DELGROUP service to delete the members with subproject with UPDATE access.
DSALLOC       No access validation is performed.
EDIT Y Y Y Editing using edit (option 2), E line command in Library Utility (option 3.1) and UOW (option 3.11) or the EDIT service validates the access in this way:
When entering EDIT:
No access is required if a new member or an existing member with no subproject is to be edited. UPDATE access to the subproject is required if the member exists with a subproject.
When saving the member:
If saving the member with the same subproject or if the member did not have a subproject, then UPDATE access for the subproject is required. If saving the member with a different subproject, then ALTER access for the existing subproject and UPDATE access for the new subproject is required.
END       No access validation is performed.
EXPORT Y     READ access for each of the members allows them to be exported by means of Export (option 3.6) or the EXPORT service.
FREE       No access validation is performed.
GETBLDMP Y     READ authority allows the M line command in Library Utility (option 3.1) and UOW (option 3.11) or the GETBLMP service to display or retrieve the build map information.
IMPORT Y Y Y Importing using Import (option 3.7) or the IMPORT service validates the access depending on the status of the member:
  • If the member is new, then only READ access to the subproject is required.
  • If the member exists with the same subproject, then only UPDATE access to the subproject is required.
  • If the member exists with a different subproject, then only ALTER access for the existing member's subproject and UPDATE authority to the incoming member's subproject is required.
INIT       No access validation is performed.
LOCK   Y   UPDATE access allows the LOCK service to lock the member.
MIGRATE   Y Y Migrating using Migrate (option 3.3) or the MIGRATE service validates the access depending on the status of the part:
  • If the part is new or does not have a subproject, READ access to the new subproject allows the member to be migrated.
  • If the part is already defined to SCLM and subproject passed to migrate does not match the existing subproject, then UPDATE access is required to the existing subproject and ALTER to the new subproject.
  • If the part is already defined to SCLM and subproject passed to migrate matches the existing subproject, UPDATE access is required to the existing subproject.
NEXTGRP       No access validation is performed.
PARSE       No access validation is performed.
PROMOTE   Y   Promoting using Promote (option 5), P line command in Library Utility (option 3.1) and UOW (option 3.11) or the PROMOTE service validates the access in this way:

UPDATE access to each member's subprojects is required for the promote to complete successfully.
RPTARCH       No access validation is performed.
SAVE   Y   The SAVE service validates access depending on the status of the part:
  • If the part is new or does not have a subproject, READ access to the new subproject allows the member to be saved.
  • If the part is already defined to SCLM and subproject passed to save does not match the existing subproject, then UPDATE access is required to the existing subproject and ALTER to the new subproject.
  • If the part is already defined to SCLM and subproject passed to save matches the existing subproject, UPDATE access is required to the existing subproject.
SCLMINFO       No access validation is performed.
START       No access validation is performed.
STORE   Y   The STORE service validates access depending on the status of the part:
  • If the part is new or does not have a subproject, READ access to the new subproject allows the member to be saved.
  • If the part is already defined to SCLM and subproject passed to save does not match the existing subproject, then UPDATE access is required to the existing subproject and ALTER to the new subproject.
  • If the part is already defined to SCLM and subproject passed to save matches the existing subproject, UPDATE access is required to the existing subproject.
TRANSFER   Y   UPDATE access allows transferring of ownership using the T line command in Library Utility (option 3.1) and UOW (option 3.11) for members with a subproject.
UNLOCK   Y   UPDATE access allows the UNLOCK service to unlock the member.
VERDEL   Y   UPDATE access allows the D line command in the Audit and Version Utility (option 3.8) and the VERDEL service to delete the version/audit record.
VERHIST Y     READ access allows the H line command in the Audit and Version Utility (option 3.8) and the VERHIST service to produce the version history report.
VERINFO Y     READ access allows the A and V line commands in the Audit and Version Utility (option 3.8) and the VERINFO service to read the version information or view the version member.
VERRECOV   Y   READ access allows the C, X, and R line commands in the Audit and Version Utility (option 3.8) and the VERRECOV service to restore the version member.