
(COPYRIGHT © 1998, B I MOYLE ASSOCIATES, INC.)

BIM-ALERT is a proprietary product of B I Moyle Associates, Inc. It cannot be reproduced, changed, copied, or stored in any form (including, but not limited to, copies on magnetic media) without the express prior written permission of B I Moyle Associates, Inc.

BIM-ALERT/CICS

CICS EXTERNAL SECURITY SYSTEM

SECURITY ADMINISTRATOR'S GUIDE

Release 5.0


This documentation applies to Release 5.0 of the program product BIM-ALERT.

Original Printing: 05/15/98
Last Revised: 05/15/98


Contents

Trademark Information
Related Publications

Chapter 1 Introduction
  About This Manual
    About This Chapter
    Manual Organization
  About BIM-ALERT
    Who Uses BIM-ALERT/CICS?
    Release Compatibility
    New Features for BIM-ALERT/CICS Release 5.0
    BIM-ALERT/CICS Overview
    BIM-ALERT/CICS Main Directory
    Accessing Transactions

Chapter 2 Specifying Organizational Information
  Overview
  Specifying Company Information
    Company Identification Panel
  Specifying Division Information
    Division Identification Panel
  Specifying Department Information
    Department Identification Panel
  Specifying Section Information
    Section Identification Panel

Chapter 3 Securing System Resources
  Introduction
    Using System Resources
  Securing Transactions
    System Transaction Security Information Panel
  Securing Programs
    System Program Security Information Panel
  Securing Files
    System File Security Information Panel
  Securing Maps
    System Map Security Information Panel
  Securing Field-Level Resources
    System Field Level Security Submenu
    System Field Level Security Panel (Files)
    System Field Level Security Panel (Maps)

Chapter 4 Securing Groups of Resources
  Introduction
    Using Resource Groups
  Maintaining Resource Groups
    Group Authorized Transactions Panel
    Group Authorized Programs Panel
    Group Authorized Files Panel
    Group Map Security Panel
    Group Authorized Field Resources Panel

Chapter 5 Securing Terminal Resources
  Introduction
    Terminal Resources
    CICS Auto-Installed Terminals
    Dynamic Terminal Security Processing Flow
  Securing Terminals
    Terminal Security Information Panel
  Authorizing Transactions for Terminals
    Terminal Authorized Transactions Panel
  Authorizing Programs for Terminals
    Terminal Authorized Programs Panel
  Authorizing Files for Terminals
    Terminal Authorized Files Panel
  Enforcing Map Security for Terminals
    Terminal Map Security Panel
  Enforcing Field-Level Resource Security for Terminals
    Terminal Authorized Field Resources Panel
  Defining Group Security for Terminals
    Terminal Groups Panel

Chapter 6 Securing Operator Resources
  Introduction
    Operator Resources
    Assigning Security Administrators
    Implementing Decentralized Administration
  Defining Operators
    BIM-ALERT User Profile Panel
    Modeling Operators
  Authorizing Transactions for Operators
    Operator Authorized Transactions Panel
  Authorizing Programs for Operators
    Operator Authorized Programs Panel
  Authorizing Files for Operators
    Operator Authorized Files Panel
  Authorizing Maps for Operators
    Operator Map Security Panel
  Authorizing Field-Level Resources for Operators
    Operator Authorized Field Resources Security Panel
  Assigning Groups to Operators
    Operator Groups Panel

Chapter 7 Activation and Deactivation of Secured Resources
  Introduction
    About Activation and Deactivation
  Activating or Deactivating Terminals
    Activate Secured Terminal Panel
    Deactivate Secured Terminal Panel
  Activating or Deactivating Operators
    Activate Secured Operator Panel
    Deactivate Secured Operator Panel
  Activating or Deactivating Transactions
    Activate Secured Transaction Panel
    Deactivate Secured Transaction Panel
  Activating or Deactivating Programs
    Activate Secured Program Panel
    Deactivate Secured Program Panel
  Activating or Deactivating Files
    Activate Secured File Panel
    Deactivate Secured File Panel
  Activating or Deactivating Maps
    Activate Secured Map Panel
    Deactivate Secured Map Panel
  Activating or Deactivating Field-Level Resources
    Activate Secured Field Resource Panel
    Deactivate Secured Field Resource Panel

Chapter 8 System Parameters
  Global System Parameters Panel
    Using The Panel
    Sample Panel
    Field Descriptions
  Global System Parameters for Terminals and Operators
    Using the Panel
    Sample Panel
    Field Descriptions
  System Security Specifications Panel
    Using the Panel
    Sample Panel
    Changing System Security Specifications
    Field Descriptions

Chapter 9 Administrative Facilities
  Introduction
    About This Chapter
  Administrator Maintenance
    Overview
    Change Operator Administration Panel
    Reclaim Operator Ownership Panel
    Change Terminal Administration Panel
    Reclaim Terminal Ownership Panel
  Inactive Time Limit Processing
    Introduction
    S140 Task
    Conversational Tasks
  User-Callable Interfaces
    Introduction
    Command-Level Interface
    Macro-Level Interface
  Securing BIM-ALERT Functions and UFO Resources
    Securing BIM-ALERT Functions
    Securing UFO Resources
  Setting Up an Interface with CA-ALERT for VM
    Introduction
    Updating CA-ALERT for VM Security Files
  Generating BIM-ALERT/CICS Logos
    Introduction
    How Logo Names are Generated
    Customizing Logos
  Maintaining BIM-ALERT/CICS Messages
    Introduction
    Tailor BIM-ALERT Administrator Messages Panel
    Maintaining Message Text
    Maintaining Variables
    Using Multiple Message Files
  Parameter-Driven Sign-On and Sign-Off Processing
    Introduction
    Operator and Terminal Sign-On from a Terminal
    Sign-On and Sign-Off Without Operator Intervention
  Displaying Version Information
    Display System Version Information Panel
  Displaying Unsecured Transactions
    Display Unsecured Transactions Panel
  Displaying Unsecured Programs
    Display Unsecured Program Panel
  Displaying Unsecured Files
    Display Unsecured File Panel
  Displaying Current Users
    Display Current Users Panel
  Controlling Terminal Sign-On
    Terminal Sign-On Panel
    Terminal Password Distribution
  Controlling Operator Sign-On
    Operator Sign-On Panel
    Operator Password Distribution
    User Profile Search Panel
    Group Search Panel
  Displaying Attempted Violations
    Display Attempted Violations Panel
    Attempted Violations Panel

Chapter 10 Online Auditing
  Introduction
    About This Chapter
  Using the DAUD Function
    Introduction
    DAUD Selection Criteria Panel
    DAUD Display Panel

Chapter 11 Advanced Security Facilities
  User Exits
    Introduction
    Using Custom Exits
    Passing Data to BIM-ALERT/CICS from an Exit
    Refreshing User Exits, Monitors, and Logos
  Post-Sign-On Processing
  Authorized Transaction Display Program
  VSE Interactive User Interface Support
    Introduction
    Logic Flow Through Sign-On
    Logic Flow Through Sign-Off
    PCT Updates
    PLT Updates
    UPAR and UTOP Updates
    ASTR Updates
  S1SUSER: Return Security Data to Calling Program
  Additional Exits

Chapter 12 Utilities
  Introduction
    Function of Utilities
  S1U000: Security File Initialization
  S1U001: Security File Restore/Reorganization - Step 1
  S1U002: Security File Restore/Reorganization - Step 2
    Introduction
    Reorganize BIM-ALERT/CICS Security File
  S1U003: Security Log File Initialization
  S1U004: Audit File Initialization
  S1U005: Current Module Version Report
  S1U006x: Message File Initialization
  S1U009: Terminal/Operator Access Time Update Utility
  S1U010: Release Shared BIM-ALERT/CICS Tables
  S1U100: The Audit Trail Backup/Archive Utility
    Introduction
    Examples
  S1URESRC: Resource Add/Delete Utility
    Introduction
    Examples
  S1UGROUP: Group Assign/Remove Facility
    Introduction
    Examples
  S1U550: Batch Operator Add Facility
  S1U560: Update Profile Program
    Introduction
    Example
  S1U887: Freeing Terminal Table Entries Utility
    Introduction
    Example

Appendix A Features of Previous Releases
  BIM-ALERT/CICS Release 4.9
  BIM-ALERT/CICS Release 4.8
  BIM-ALERT/CICS Release 4.7

Index


Trademark Information

This manual refers to the following brand or product names, registered trademarks, and trademarks, which are listed according to their respective owners.

International Business Machines:
  CICS
  CICS/VSE
  IBM
  IDCAMS
  VM/ESA
  VM/XA
  VSE/POWER
  VTAM

Computer Associates Corporation:
  CA-ALERT for VM
  CA-FAQS/ASO for VM
  CA-FAVER

Microsoft Corporation:
  Microsoft
  Windows


Related Publications

Overview

This section lists the documentation that deals with BIM-ALERT/VSE and BIM-ALERT/CICS.

BIM-ALERT/VSE Manuals

Subject            Manual
Installation       The BIM-ALERT Installation and Operations Guide explains how to install and maintain BIM-ALERT/VSE.
Using BIM-ALERT    The BIM-ALERT/VSE Security Administrator's Guide explains how to use BIM-ALERT/VSE to set up and maintain security.
Reports            The BIM-ALERT Auditing and Report Writing Guide explains how to use the BIM-ALERT batch report writer.
Messages           The BIM-ALERT Messages Guide contains explanations of all messages issued by BIM-ALERT/VSE.

BIM-ALERT/CICS Manuals

Subject            Manual
Installation       The BIM-ALERT Installation and Operations Guide explains how to install BIM-ALERT/CICS.
Using BIM-ALERT    The BIM-ALERT/CICS Security Administrator's Guide explains how to use BIM-ALERT/CICS to set up and maintain security.
Reports            The BIM-ALERT Auditing and Report Writing Guide explains how to use the BIM-ALERT batch report writer.
Messages           The BIM-ALERT Messages Guide contains explanations of all messages issued by BIM-ALERT/CICS.


1 Introduction

This chapter describes how BIM-ALERT/CICS works and lists the new features for version 5.0.

About This Manual
  About This Chapter
  Manual Organization

About BIM-ALERT
  Who Uses BIM-ALERT/CICS?
  Release Compatibility
  New Features for BIM-ALERT/CICS Release 5.0
  BIM-ALERT/CICS Overview
  BIM-ALERT/CICS Main Directory
  Accessing Transactions


About This Manual

About This Chapter

This chapter includes the following topics:

• The hierarchy of users of BIM-ALERT/CICS
• Compatibility of BIM-ALERT with different versions of IBM CICS
• New features for BIM-ALERT/CICS version 5.0
• Overview of BIM-ALERT/CICS security
• Description of the BIM-ALERT/CICS Main Directory
• Information about accessing BIM-ALERT transactions and the structure of transaction codes


Manual Organization

The following table shows where to find information in this manual:

| For Information About | Refer To |
| --- | --- |
| Assigning terminal and operator resources to areas within your organization. | Chapter 2, "Specifying Organizational Information" |
| Securing transactions, programs, files, and maps. | Chapter 3, "Securing System Resources" |
| Securing groups of resources. | Chapter 4, "Securing Groups of Resources" |
| Securing terminal resources. | Chapter 5, "Securing Terminal Resources" |
| Securing operator resources. | Chapter 6, "Securing Operator Resources" |
| Activating and deactivating secured resources, including terminals, operators, transactions, programs, files, maps, and field-level resources. | Chapter 7, "Activation and Deactivation of Secured Resources" |
| Specifying global systems parameters and system security specifications. | Chapter 8, "System Parameters" |
| Administrative facilities of BIM-ALERT/CICS. | Chapter 9, "Administrative Facilities" |
| Online auditing. | Chapter 10, "Online Auditing" |
| The advanced security facilities of BIM-ALERT/CICS, including the following: Using exits for conversational tasks; Implementing post-sign-on processing; Displaying authorized transactions of an operator or terminal; Securing fields within records; Defining input mapping security; Interfacing with the VSE/SP interactive user interface; Creating customized exits | Chapter 11, "Advanced Security Facilities" |
| BIM-ALERT/CICS utilities. | Chapter 12, "Utilities" |
| Features of previous versions of BIM-ALERT. New features of the current version are described on page 1-5. | Appendix A, "Features of Previous Releases" |


About BIM-ALERT

Who Uses BIM-ALERT/CICS?

Hierarchy of Users

BIM-ALERT/CICS is designed so that several staff members can assume the responsibilities of its operations and maintenance. The following figure illustrates the types of users and the hierarchy of users in BIM-ALERT/CICS:

+----------------------------------------------+
| Main Administrators                          |
+----------------------------------------------+
                       |
                       |
                       v
+----------------------------------------------+
| Sub-Administrators (terminals and operators) |
+----------------------------------------------+
| Sub-Administrators (operators only)          |
+----------------------------------------------+
                       |
                       |
                       V
+----------------------------------------------+
| Operators                                    |
+----------------------------------------------+

| User | Description |
| --- | --- |
| Main administrators | Control and maintain all secured resources of the CICS online network, such as transactions, programs, files, maps, and field-level resources. Main administrators are designated by user class M. |
| Sub-Administrators | Maintain security plans for individual terminals and operators subject to the control and audit of the main administrators. You can identify two types of sub-administrators, as follows: Sub-Administrators defined with operator class T process both terminal and operator security profiles. Sub-Administrators defined with operator class O process only operator security profiles. |
| Operators | Interact with the CICS online network according to the controls set by the main administrators and sub-administrators. You identify each operator with a one- to nine-character user ID. |

For more information about assigning main administrators and sub-administrators, see Chapter 6, "Securing Operator Resources".


Release Compatibility

BIM-ALERT/CICS is available for different releases of IBM CICS. To ensure that your release of BIM-ALERT/CICS is compatible with the release of CICS that you are running, see the following table:

| Release of CICS | Compatible Releases of BIM-ALERT/CICS |
| --- | --- |
| 1.7, 2.1, 2.2 or 2.3 | 5.0, 4.9 and 4.8 |
| 1.6 | 4.7 |
| 1.5 | 2.4 |

New Features for BIM-ALERT/CICS Release 5.0

The following features are new with the current release of BIM-ALERT/CICS:

• BIM-ALERT/CICS is now fully compatible with Year 2000 and above.


BIM-ALERT/CICS Overview

BIM-ALERT Processing

The primary purpose of this overview is to acquaint you with the hierarchical process used by BIM-ALERT/CICS. It is very important to understand this process because it is the key to implementing a successful security plan.

BIM-ALERT/CICS follows this simple hierarchical process:

1. Identify the system resources that are to be secured. System resources are considered by BIM-ALERT/CICS to be the CICS transactions, programs, files, field-level resources, and map display restrictions. Any system resources not defined to BIM-ALERT/CICS are bypassed during security processing.

   Therefore, security for individual resources is optional.

2. After the system resources have been defined, specify which system resources each terminal may access. If a terminal requires operator sign-on, then the resources selected for that terminal determine the maximum access capability at that terminal regardless of the access rights of any operator who might use the terminal. In other words, if a terminal requires operator sign-on, then any access capability for a particular operator is denied if the terminal being used has not been granted that capability.

   Terminal security is optional. If no resources are specified for the terminal, security is based on the operator level only.

3. Once the terminal's authorized resources have been defined, specify which of the terminal's resources can be accessed by each operator assigned to use the terminal. The resources selected for each operator are not secured if operator sign-on is not specified for the terminal. In such a case, security would be based on the resources specified at the terminal level only.

   Operator security is therefore optional for each terminal.

Since each level of security and each resource is optional in BIM-ALERT/CICS, you have the flexibility to define a security plan to meet the individual requirements of each terminal and each operator accessing the online system.
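The three-step process above can be read as a decision procedure, and the following Python model walks a request through it. It is an added illustration, not BIM-ALERT/CICS code: the class and function names and the sample IDs are constructed, and two cases the text leaves open (a sign-on terminal with nobody signed on, and a secured resource with neither level configured) are treated as denials by assumption.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Resource = Tuple[str, str]  # (resource type, name); all names below are constructed


@dataclass
class Terminal:
    term_id: str
    requires_signon: bool
    # None models "no resources are specified for the terminal".
    resources: Optional[Set[Resource]] = None


@dataclass
class Operator:
    user_id: str
    resources: Set[Resource] = field(default_factory=set)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    level: str  # level that settled the request: system, terminal, operator, none
    reason: str


def check_access(secured: Set[Resource], terminal: Terminal,
                 operator: Optional[Operator], resource: Resource) -> Decision:
    # Step 1: anything not defined as a secured resource is bypassed.
    if resource not in secured:
        return Decision(True, "system", "not defined as secured; check bypassed")

    # Step 2: when terminal resources are specified they are the ceiling,
    # whatever the operator's own profile grants.
    terminal_used = terminal.resources is not None
    if terminal_used and resource not in terminal.resources:
        return Decision(False, "terminal", "terminal not granted this resource")

    # Step 3: operator profiles are consulted only on sign-on terminals.
    if terminal.requires_signon:
        if operator is None:  # assumption: nobody signed on means no access
            return Decision(False, "operator", "sign-on required, no operator")
        if resource in operator.resources:
            return Decision(True, "operator", "operator granted this resource")
        return Decision(False, "operator", "operator not granted this resource")

    if terminal_used:
        return Decision(True, "terminal", "no sign-on; terminal grant decides")
    # Assumption: the text does not cover a secured resource with neither
    # level configured, so this model refuses it.
    return Decision(False, "none", "no terminal or operator rule applies")


def blocked_operator_grants(secured: Set[Resource], terminal: Terminal,
                            operator: Operator) -> Set[Resource]:
    """Operator grants that have no effect at this terminal (terminal ceiling)."""
    if terminal.resources is None:
        return set()
    return {r for r in operator.resources & secured
            if r not in terminal.resources}


def open_terminal_exposure(secured: Set[Resource],
                           terminal: Terminal) -> Set[Resource]:
    """Secured resources reachable by anyone at a terminal without sign-on."""
    if terminal.requires_signon or terminal.resources is None:
        return set()
    return terminal.resources & secured


# Constructed sample plan.
PAY1 = ("TRANSACTION", "PAY1")
PAYROLL = ("FILE", "PAYROLL")
PAYPGM = ("PROGRAM", "PAYPGM")
INQ1 = ("TRANSACTION", "INQ1")      # never defined as secured
SECURED = {PAY1, PAYROLL, PAYPGM}
T_SIGNON = Terminal("T001", True, {PAY1, PAYROLL})
T_OPEN = Terminal("T002", False, {PAY1})
T_OPERATOR_ONLY = Terminal("T003", True, None)
CLERK = Operator("CLERK01", {PAY1, PAYPGM})

if __name__ == "__main__":
    for term in (T_SIGNON, T_OPEN, T_OPERATOR_ONLY):
        for res in (PAY1, PAYROLL, PAYPGM, INQ1):
            print(term.term_id, res, check_access(SECURED, term, CLERK, res))
```

The two helper functions are review aids: the first lists operator grants that a terminal ceiling cancels, the second lists what a terminal without sign-on exposes to whoever sits at it.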


Resources Used By BIM-ALERT

BIM-ALERT/CICS is designed to use the minimum resources to provide the security desired. All in-core tables are dynamically allocated at start-up and automatically grow as you secure more resources. Messages are issued indicating exactly how many resources are being used by BIM-ALERT/CICS to help you plan for your own application requirements.

The maximum value for each resource is shown as follows:

| Resource Type | Maximum Number |
| --- | --- |
| Transactions | 1600 |
| Programs | 2000 |
| Files | 800 |
| Field-level resources | 2000 |
| Maps | 2000 |
| Terminals | Unlimited |
| Operators | Unlimited |


BIM-ALERT/CICS Main Directory

Introduction

The BIM-ALERT/CICS Main Directory is the starting point for the administration of BIM-ALERT/CICS, and all security administrators must be familiar with its capabilities.

You need not memorize a long list of transactions in order to maintain the system because all transactions are conveniently grouped for easy reference, and you can access them by selecting the required transaction from the panel.

Components

The directory menus used for selecting functions within BIM-ALERT/CICS consist of the following menus, which list the available security functions:

• Selection menu
• System Functions menu
• Terminal/Operator/Group Functions menu
• Other Security Functions menu

These menus are described in the following sections.

Selection Menu

The Selection menu is shown below. To access this menu, do one of the following:

• Enter transaction SCTY from a blank panel or from the transaction ID field on any BIM-ALERT/CICS panel and press ENTER.

• Press PF7 from the System Functions menu.

• Press PF8 from the Other Security Functions menu.

SCTY            BIM-ALERT/CICS SELECTION MENU            MENU1 VERSION 5.0A

SYSTEM FUNCTIONS .............. ( )      TERM/OPER/GROUP FUNCTIONS ...... ( )
  ADD/DISPLAY/UPDATE SYSTEM RESOURCES      ADD/DISPLAY/UPDATE TERMINAL INFO
  DISPLAY/UPDATE SECURITY OPTIONS          ADD/DISPLAY/UPDATE OPERATOR INFO
  ACTIVATE/DEACTIVATE SYSTEM RESOURCES     ADD/DISPLAY/UPDATE GROUP INFO
  DISPLAY/PRINT VIOLATION/AUDIT INFO       ACTIVATE/DEACTIVATE TERMINALS
  DISPLAY UNSECURED RESOURCES              ACTIVATE/DEACTIVATE OPERATORS

OTHER CICS SECURITY FUNCTIONS . ( )      BIM-ALERT/VSE FUNCTIONS ........ ( )
  ADD/DISPLAY/UPDATE ORGANIZATION INFO     ADD/DISPLAY/UPDATE BATCH SYSTEM USERS
  DISPLAY SECURITY SYSTEM INFO             ADD/DISPLAY/UPDATE BATCH RESOURCES
  ADMINISTRATOR CHANGE/RECLAIM             DISPLAY BATCH VIOLATION ATTEMPTS
  PROBLEM ANALYSIS/REFRESH MONITORS        MAINTAIN BATCH SECURITY INFORMATION

PF3=EXIT   PF8=MENU2   PF7=MENU4   CLEAR=EXIT

GK700 MOVE CURSOR TO FUNCTION TO PROCESS AND PRESS -ENTER


System Functions Menu

The System Functions menu is shown below. To access this menu, do one of the following:

• Move the cursor to the System Functions input field on any of the other menus and press ENTER.

• Press PF8 from the Selection menu.

• Press PF7 from the Terminal/Operator/Group Functions menu.

• Press PF3 from inside any function listed on the System Functions menu (for example, ASTR or DVIO).

• Enter SCTY MNU2 from a blank panel.

• Enter MNU2 as the transaction ID from any BIM-ALERT/CICS function.

SCTY            BIM-ALERT/CICS SYSTEM FUNCTIONS            MENU2 VERSION 5.0A

    MAINTAIN SYSTEM RESOURCES            ACTIVATE/DEACTIVATE SYSTEM RESOURCES
                    ADD UPDATE DISPLAY                      ACTIVATE DEACTIVATE
TRANSACTION . ?STR  ( )  ( )    ( )      TRANSACTION .. ?TRN  ( )      ( )
PROGRAM ..... ?SPR  ( )  ( )    ( )      PROGRAM ...... ?PRG  ( )      ( )
FILE ........ ?SFL  ( )  ( )    ( )      FILE ......... ?FIL  ( )      ( )
MAP ......... ?SMP  ( )  ( )    ( )      MAP .......... ?MAP  ( )      ( )
FIELDS ...... ?SFS  ( )  ( )    ( )      FIELDS ....... ?FLD  ( )      ( )

    ALERT SECURITY OPTIONS               VIOLATION/AUDIT INFORMATION
                         UPDATE DISPLAY
CURRENT ........... ?COP  ( )    ( )     DISPLAY VIOLATIONS ...... DVIO ( )
PERMANENT ......... ?POP  ( )    ( )     PRINT VIOLATIONS ........ PVIO ( )
SYSTEM PARMS ...... ?PAR  ( )    ( )     DISPLAY AUDIT TRAIL ..... DAUD ( )
TERM/OPER PARMS ... ?TOP  ( )    ( )

    UNSECURED RESOURCE DISPLAY           OTHER SECURITY MENUS
TRANSACTIONS .............. TRAN ( )     TERM/OPER/GROUP FUNCTIONS .... ( )
PROGRAMS .................. PROG ( )     OTHER CICS SECURITY FUNCTIONS  ( )
FILES ..................... FILE ( )     BIM-ALERT/VSE FUNCTIONS ...... ( )
PF3=MENU1   PF7=MENU1   PF8=MENU3   CLEAR=EXIT
GK701 MOVE CURSOR TO FUNCTION TO PROCESS AND PRESS -ENTER


Terminal/Operator/Group Functions Menu

The Terminal/Operator/Group Functions menu is shown below. To access this menu, do one of the following:

• Move the cursor to the Terminal/Operator/Group Functions input field on any of the other menus and press ENTER.

• Press PF8 from the System Functions menu.

• Press PF7 from the Other Security Functions menu.

• Press PF3 from inside any function listed on the Terminal/Operator/Group Functions menu (for example, UAUP or AOGR).

• Enter SCTY MNU3 from a blank panel.

• Enter MNU3 as the transaction ID from any BIM-ALERT/CICS function.

SCTY     BIM-ALERT/CICS TERMINAL/OPERATOR/GROUP FUNCTIONS     MENU3 VERSION 5.0A

    TERMINAL SECURITY                    OPERATOR SECURITY
                  ADD UPDATE DISPLAY                       ADD UPDATE DISPLAY
BASIC INFO. ?TSI  ( )  ( )    ( )        BASIC INFO. ?AUP  ( )  ( )    ( )
TRANSACTION ?TTR  ( )  ( )    ( )        TRANSACTION ?OTR  ( )  ( )    ( )
PROGRAM ... ?TPR  ( )  ( )    ( )        PROGRAM ... ?OPR  ( )  ( )    ( )
FILE ...... ?TFL  ( )  ( )    ( )        FILE ...... ?OFL  ( )  ( )    ( )
MAP ....... ?TMP  ( )  ( )    ( )        MAP ....... ?OMP  ( )  ( )    ( )
FIELDS .... ?TFS  ( )  ( )    ( )        FIELDS .... ?OFS  ( )  ( )    ( )
GROUPS .... ?TGR  ( )  ( )    ( )        GROUPS .... ?OGR  ( )  ( )    ( )

    GROUP SECURITY                       ACTIVATION/DEACTIVATION
                  ADD UPDATE DISPLAY                  ACTIVATE    DEACTIVATE
TRANSACTION ?GTR  ( )  ( )    ( )        TERMINALS .. ACTT ( )    DATM ( )
PROGRAM .... ?GPR ( )  ( )    ( )        OPERATORS .. ACTO ( )    DAOP ( )
FILE ....... ?GFL ( )  ( )    ( )
MAP ........ ?GMP ( )  ( )    ( )        OTHER SECURITY MENUS
FIELDS ..... ?GFS ( )  ( )    ( )        SYSTEM FUNCTIONS .............. ( )
                                         OTHER CICS SECURITY FUNCTIONS . ( )
PF3=MENU1   PF7=MENU2   PF8=MENU4        BIM-ALERT/VSE FUNCTIONS ....... ( )
CLEAR=EXIT
GK701 MOVE CURSOR TO FUNCTION TO PROCESS AND PRESS -ENTER


Other Security Functions Menu

The Other Security Functions menu is shown below. To access this menu, do one of the following:

• Move the cursor to the Other Security Functions input field on any of the other menus and press ENTER.

• Press PF8 from the Terminal/Operator/Group Functions menu.

• Press PF7 from the Selection menu.

• Press PF3 from inside any function listed on the Other Security Functions menu (for example, USER or OPER).

• Enter SCTY MNU4 from a blank panel.

• Enter MNU4 as the transaction ID from any BIM-ALERT/CICS function.

SCTY         BIM-ALERT/CICS OTHER SECURITY FUNCTIONS         MENU4 VERSION 5.0A

    ADDITIONAL FUNCTIONS                 ORGANIZATIONAL INFORMATION
                                                           ADD UPDATE DISPLAY
DISPLAY CURRENT USERS .... USER ( )      COMPANY .... ?COM ( )  ( )    ( )
USER NAME SEARCH ......... SRCH ( )      DIVISION ... ?DIV ( )  ( )    ( )
MAINTAIN MESSAGES ........ MMSG ( )      DEPARTMENT . ?DPT ( )  ( )    ( )
GROUP SEARCH ............. GRPS ( )      SECTION .... ?SCT ( )  ( )    ( )

    PROBLEM ANALYSIS/REFRESH MONITORS    ADMINISTRATOR CHANGE/RECLAIM
                                                       CHANGE      RECLAIM
VERSION INFORMATION ...... VERS ( )      TERMINAL .... ADCT ( )    ADRT ( )
REFRESH MONITORS/EXITS ... REFR ( )      OPERATOR .... ADCO ( )    ADRO ( )

    OTHER SECURITY MENUS

SYSTEM FUNCTIONS ......... MNU2 ( )
TERM/OPER/GROUP FUNCTIONS  MNU3 ( )
BIM-ALERT/VSE FUNCTIONS .. ALXP ( )

PF3=MENU1   PF7=MENU3   PF8=MENU1   CLEAR=EXIT

GK701 MOVE CURSOR TO FUNCTION TO PROCESS AND PRESS -ENTER

Accessing BIM-ALERT/VSE from Any Menu

If BIM-ALERT/VSE is installed, a selection for it will be displayed on all of the BIM-ALERT/CICS menus. You can access BIM-ALERT/VSE by selecting it from any menu, or by entering any BIM-ALERT/VSE transaction ID (for example, ALXP, ADDS, or ALIB) in the transaction ID field on any BIM-ALERT/CICS panel.


Accessing Transactions

Introduction

To access an individual transaction from any of the selection menus, move the cursor next to the transaction ID and press ENTER.

To access an individual transaction without using the Main Directory, enter SCTY and the individual transaction code. For example, SCTY ASFL displays the Add System File Security Information Panel. This allows an experienced security administrator to move freely from function to function.

Structure of Transaction Codes

The transaction codes in BIM-ALERT/CICS follow a pattern that makes them easy to learn:

• The first of the four letters indicates the type of action to be taken. For example, use A for add, U for update, and D for display.

• The second position indicates the level of security to be affected. For example, use S for system level security, T for terminal level security, O for operator level security, and G for group level security.

• The last two positions indicate which resource group is to be affected. For example, use TR for transactions, PR for programs, FL for files, MP for maps, FS for field-level security, and GR for groups.

For example, to Add System level security for TRansactions, use the ASTR transaction.

It will take some time to learn all the possible combinations. To aid in this learning process, the directory contains the transaction codes for the various functions you can perform. These are to the left of the first selection field for any given function. If the transaction code has more than one form, it is shown with the variable part coded as a question mark (?). To build the correct transaction code, replace the question mark with the first letter of the action you wish to perform.

For example, on the System Functions menu you will find ?STR to the right of transaction security on line six. Because you have actions of add, update, and display, ?STR can be ASTR, USTR, or DSTR.

Transaction codes that do not have a question mark must be entered exactly as shown. Examples of transaction codes which must be entered exactly as shown are DVIO, PVIO, DAUD, TRAN, PROG, and FILE. (These transaction codes are in the bottom two groups of the System Functions panel.)

Where to Use Transaction Codes

All BIM-ALERT/CICS transactions are valid only inside the security transaction SCTY. If you enter them on a cleared CICS panel, you will receive the IBM message DFH2001I INVALID TRANSACTION. To recover, press CLEAR and enter the transaction preceded by the keyword SCTY. For example, entering TRAN results in the message DFH2001I, but entering SCTY TRAN displays the unsecured transaction report.

After a security function panel has been displayed, you can replace the transaction code with another code and press ENTER to go directly to the new transaction.
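The code structure and the question-mark convention described above can be expressed as a small decoder. This Python example is added here and is not part of BIM-ALERT/CICS; the function names are constructed, and the lookup tables contain only the letters this chapter lists.

```python
# Letter tables taken from the "Structure of Transaction Codes" description.
ACTIONS = {"A": "add", "U": "update", "D": "display"}
LEVELS = {"S": "system", "T": "terminal", "O": "operator", "G": "group"}
RESOURCES = {"TR": "transactions", "PR": "programs", "FL": "files",
             "MP": "maps", "FS": "field-level security", "GR": "groups"}


def decode(code):
    """Split a four-character code into (action, level, resource group).

    Returns None for codes that do not follow the action/level/resource
    pattern, such as DVIO, TRAN or MNU2, which are entered exactly as shown.
    A decoded result only describes the structure; it does not prove that
    the menus offer that combination.
    """
    code = code.strip().upper()
    if len(code) != 4:
        raise ValueError("transaction codes are four characters: %r" % code)
    action = ACTIONS.get(code[0])
    level = LEVELS.get(code[1])
    resource = RESOURCES.get(code[2:])
    if action and level and resource:
        return (action, level, resource)
    return None


def expand(pattern, actions=("add", "update", "display")):
    """Build the concrete codes for a menu entry such as ?STR.

    `actions` are the action columns shown beside the entry on the menu;
    the question mark is replaced by the first letter of each action.
    A code without a question mark is returned unchanged.
    """
    code = pattern.strip().upper()
    if len(code) != 4:
        raise ValueError("transaction codes are four characters: %r" % code)
    if "?" not in code:
        return [code]
    if code.count("?") != 1 or code[0] != "?":
        raise ValueError("only the first position may be variable: %r" % code)
    return [name[0].upper() + code[1:] for name in actions]


def cleared_panel_entry(typed):
    """Return the entry that works on a cleared CICS panel.

    A bare code such as TRAN is rejected there with DFH2001I, so the code
    is returned preceded by the keyword SCTY. SCTY alone opens the menu.
    """
    parts = typed.upper().split()
    if parts[:1] == ["SCTY"]:
        parts = parts[1:]
        if not parts:
            return "SCTY"
    if len(parts) != 1 or len(parts[0]) != 4 or "?" in parts[0]:
        raise ValueError("expected one four-character code: %r" % typed)
    return "SCTY " + parts[0]


if __name__ == "__main__":
    for entry in ("ASTR", "AOGR", "ASFL", "DVIO", "UAUP"):
        print(entry, "->", decode(entry))
    print(expand("?STR"))
    print(cleared_panel_entry("tran"))
```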


2 Specifying Organizational Information

This chapter explains how to use BIM-ALERT/CICS to assign terminal and operator resources to specific areas within an organization.

Overview
Specifying Company Information
  Company Identification Panel
Specifying Division Information
  Division Identification Panel
Specifying Department Information
  Department Identification Panel
Specifying Section Information
  Section Identification Panel


Overview

Introduction

To administer a security system such as BIM-ALERT/CICS, you may want to assign terminal and operator resources to specific areas within an organization. Through the Terminal Security Information panel and the Operator Security Information panel, a terminal or operator may be assigned to a specific company, division, department, and section. The appropriate information for these areas must be added to BIM-ALERT/CICS through the Company, Division, Department, and Section Identification panels.

The location assignment does not affect any controls placed on a resource, but allows reports produced by BIM-ALERT/CICS to be segregated according to the structure of the organization.

Browsing

From the Company, Division, Department, and Section Identification panels, use the PF8 key when you want to display certain organizational information but are not sure of its exact identification number. Enter any value in the related Company, Division, Department, or Section Number field and press the PF8 key to start browsing from that point. Continue pressing PF8 until the particular organizational information has been located.


Specifying Company Information

Company Identification Panel

Purpose

Use the Company Identification panel to add, update, or display company identification information.

Add all companies to be defined to BIM-ALERT/CICS by using the ACOM (Add Company Identification) function of this panel. Once the information is added, you can update it by using the UCOM (Update Company Identification) function or display it by using the DCOM (Display Company Identification) function.

Access

To display the Company Identification panel, move the cursor to the appropriate field on the Other Security Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

| Enter This Transaction | To Display This Panel | And Then Enter This Information |
| --- | --- | --- |
| ACOM | Add Company Identification Panel | Enter the information for the companies to be added to the security file. Press ENTER to complete the addition process. |
| UCOM | Update Company Identification Panel | Enter the numbers of the companies to be updated and press ENTER to display the current company information. Make the required changes to the current company information and press ENTER to complete the update process. |
| DCOM | Display Company Identification Panel | Enter the numbers of the companies to be displayed. Press ENTER to display the current company information. |


Sample Panel

ACOM               ** COMPANY IDENTIFICATION **               ADD

COMPANY NUMBER   STATUS   COMPANY NAME

     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________
     ____           _     ___________________________________

GK710 ENTER COMPANY INFORMATION TO BE ADDED TO FILE

Field Descriptions

| Field | Meaning |
| --- | --- |
| COMPANY NUMBER | The number assigned to uniquely identify each company. This field accepts alphanumeric data. For numeric data, specifying a number with leading zeroes results in a different value than specifying the same number without leading zeroes. For example, 1 and 0001 are two different company numbers. For alphabetic data, uppercase letters are different from lowercase letters. For example, Comp and COMP are different company numbers. COMPANY NUMBER 0000 is the default and is added when the security file is initialized. |
| STATUS | The status of the company. The acceptable values are A for an active company record, and D for a disabled company record. Records with a D status are deleted from the security file during security file reorganization using the utilities S1U001 and S1U002. |
| COMPANY NAME | The name used to identify the company. This name appears on the terminal and operator batch reports to help identify the resource's position in the organization. |


Specifying Division Information

Division Identification Panel

Purpose

Use the Division Identification panel to add, update, or display division identification information.

All divisions to be defined to BIM-ALERT/CICS must be added to the system by using the ADIV (Add Division Identification) function of this panel. Once divisions have been added, they can be updated with the UDIV (Update Division Identification) function or displayed with the DDIV (Display Division Identification) function.

Access

To display the Division Identification panel, move the cursor to the appropriate field on the Other Security Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

| Enter This Transaction | To Display This Panel | And Then Enter This Information |
| --- | --- | --- |
| ADIV | Add Division Identification Panel | Enter the number of the company to which the divisions belong and the information for the divisions to be added to the security file. Press ENTER to complete the addition process. |
| UDIV | Update Division Identification Panel | Enter the number of the company to which the division belongs and the number of the division to be updated. Press ENTER to display the current division information. Make the required changes to the current division information and press ENTER to complete the update process. |
| DDIV | Display Division Identification Panel | Enter the number of the company to which the division belongs and the number of the division to be displayed. Press ENTER to display the current division information. |


Sample Panel

ADIV               ** DIVISION IDENTIFICATION **               ADD

COMPANY NUMBER: ____

DIVISION NUMBER   STATUS   DIVISION NAME

     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________
     ____            _     ___________________________________

GK710 ENTER DIVISION INFORMATION TO BE ADDED TO FILE

Field Descriptions

| Field | Meaning |
| --- | --- |
| COMPANY NUMBER | The number assigned to uniquely identify each company. |
| DIVISION NUMBER | The number assigned to uniquely identify each division within the company. This field accepts alphanumeric data. For numeric data, specifying a number with leading zeroes results in a different value than specifying the same number without leading zeroes. For example, 1 and 0001 are two different division numbers. For alphabetic data, uppercase letters are different from lowercase letters. For example, Divs and DIVS are different division numbers. DIVISION NUMBER 0000 is the default and is added when the security file is initialized. |
| STATUS | The status of the division. The acceptable values are A for an active division record, and D for a disabled division record. Records with a D status are deleted from the security file during security file reorganization using the utilities S1U001 and S1U002. |
| DIVISION NAME | The name used to identify the division within the company. This name appears on the terminal and operator batch reports. |


Specifying Department Information

Department Identification Panel

Purpose

Use the Department Identification panel to add, update, or display department identification information.

Add all departments that are to be defined to BIM-ALERT/CICS by using the ADPT (Add Department Identification) function of this panel. Once the information is added, you can update it by using the UDPT (Update Department Identification) function or display it by using the DDPT (Display Department Identification) function.

Access

To display the Department Identification panel, move the cursor to the appropriate field on the Other Security Functions menu and press ENTER, or enter one of the following transaction codes on any security panel.

Enter This Transaction    To Display This Panel    And Then Enter This Information

ADPT    Add Department Identification Panel

Enter the company number, division number, and the information for each department to be added to the security file. Press ENTER to complete the addition process.

UDPT    Update Department Identification Panel

Enter the company number, division number, and department number of each department to be updated. Then press ENTER to display the current department information. Make the required changes to the current department information and press ENTER to complete the update process.

DDPT    Display Department Identification Panel

Enter the company number, division number, and department number of each department to be displayed. Then press ENTER to display the current department information.


Sample Panel

ADPT   ** DEPARTMENT IDENTIFICATION **   ADD

COMPANY NUMBER: ____
DIVISION NUMBER: ____

DEPT. NUMBER   STATUS   DEPARTMENT NAME

____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________
____           _        ___________________________________

GK710 ENTER DEPARTMENT INFORMATION TO BE ADDED TO FILE

Field Descriptions

Field    Meaning

COMPANY NUMBER    The number assigned to uniquely identify each company.

DIVISION NUMBER    The number of the division to which the department is assigned.

DEPT. NUMBER    The number assigned to uniquely identify each department within the division and company. This field accepts alphanumeric data.

For numeric data, specifying a number with leading zeroes results in a different value than specifying the same number without leading zeroes. For example, 1 and 0001 are two different department numbers.

For alphabetic data, uppercase letters are different from lowercase letters. For example, Dept and DEPT are different department numbers.

DEPARTMENT NUMBER 0000 is the default and is added when the security file is initialized.

STATUS    The status of the department. The acceptable values are A for an active record, and D for a disabled record. Records with a D status are deleted from the security file during security file reorganization using the utilities S1U001 and S1U002.

DEPARTMENT NAME    The name used to identify the department within the division and company. This name appears on the terminal and operator batch reports.


Specifying Section Information

Section Identification Panel

Purpose

Use this panel to add, update, or display section identification information.

Add all sections that are to be secured by BIM-ALERT/CICS to the system by using the ASCT (Add Section Identification) function of this panel. Once the information is added, you can update it by using the USCT (Update Section Identification) function, or display it by using the DSCT (Display Section Identification) function.

Access

To display the Section Identification panel, move the cursor to the appropriate field on the Other Security Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ASCT    Add Section Identification Panel

Enter the company, division, and department number of the section and the information to be added to the security file for that section. Press ENTER to complete the addition process.

USCT    Update Section Identification Panel

Enter the company, division, and department number of each section to be updated, and the number of the section. Press ENTER to display the current section information. Make the required changes to the current section information and press ENTER to complete the update process.

DSCT    Display Section Identification Panel

Enter the company, division, and department number of each section to be displayed, and the number of the section. Press ENTER to display the current section information.


Sample Panel

ASCT   ** SECTION IDENTIFICATION **   ADD

COMPANY NUMBER: ____
DIVISION NUMBER: ____
DEPART. NUMBER: ____

SECTION NUMBER   STATUS   SECTION NAME

____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________
____             _        ___________________________________

GK710 ENTER SECTION INFORMATION TO BE ADDED TO FILE

Field Descriptions

Field    Meaning

COMPANY NUMBER    The number of the company to which the section is assigned.

DIVISION NUMBER    The number of the division to which the section is assigned.

DEPART. NUMBER    The number of the department to which the section is assigned.

SECTION NUMBER    The number assigned to uniquely identify each section within the department, division, and company. This field accepts alphanumeric data.

For numeric data, specifying a number with leading zeroes results in a different value than specifying the same number without leading zeroes. For example, 1 and 0001 are two different section numbers.

For alphabetic data, uppercase letters are different from lowercase letters. For example, Sect and SECT are different section numbers.

SECTION NUMBER 0000 is the default and is added when the security file is initialized.

STATUS    The status of the section. The acceptable values are A for an active record, and D for a disabled record. Records with a D status are deleted from the security file during security file reorganization using the utilities S1U001 and S1U002.

SECTION NAME    The name used to identify the section within the department, division, and company. This name appears on the terminal and operator batch reports.


Chapter 3. Securing System Resources

This chapter explains how to add and maintain system resources: transactions, programs, files, field-level resources, and map display restrictions.

Introduction
  Using System Resources

Securing Transactions
  System Transaction Security Information Panel

Securing Programs
  System Program Security Information Panel

Securing Files
  System File Security Information Panel

Securing Maps
  System Map Security Information Panel

Securing Field-Level Resources
  System Field Level Security Submenu
  System Field Level Security Panel (Files)
  System Field Level Security Panel (Maps)


Introduction

Using System Resources

Controls on System Resources

Although terminal resources and operator resources have numerous controls depending on the contents of the terminal and operator security profile records, system resources have only the following two controls:

• Access time restrictions for transactions, programs, and files, which allow access only during the specified times for the resource

• Process type identification for files, which restricts file access either to inquiry only, or to both inquiry and updating

There are no system-level security controls on map restrictions or field-level resources since they are placed into effect at the terminal and operator levels only.

The security controls for system resources have a higher priority and are in effect (if activated) regardless of the controls specified for a particular terminal or operator.

Browsing System Resources

When you need to display a certain resource but are not sure of its exact identification, use the PF8 key from any of the system resource panels. Enter all or as much of the resource identification information as you know. Press PF8 to start browsing and displaying the file from that point. Continue pressing PF8 to display additional pages until the particular resource has been located. If you press PF8 without entering any resource identification information, browsing starts from the beginning of the file.


Securing Transactions

System Transaction Security Information Panel

Purpose

Use the System Transaction Security Information panel to add, update, or display secured transactions.

Add all CICS transactions to be secured by BIM-ALERT/CICS to the system by using the ASTR (Add Secured Transactions) function of this panel. Once they are added, transactions can be updated with the USTR (Update Secured Transactions) function or displayed with the DSTR (Display Secured Transactions) function.

Access

To display the System Transaction Security Information panel, move the cursor to the appropriate field on the System Functions menu and press ENTER, or enter one of the following transaction codes from any security panel that is currently displayed:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ASTR    Add System Transaction Security Information Panel

Enter the security information for the new transactions to be added to the security file. Press ENTER to complete the addition process.

USTR    Update System Transaction Security Information Panel

Enter the transaction identifications of the transactions to be updated and press ENTER to display the current transaction information. Make the required updates to the current transaction information. Press ENTER to complete the update process.

DSTR    Display System Transaction Security Information Panel

Enter the identifications of the transactions to be displayed. Press ENTER to display the current transaction information.


Implementing Changes to Security Immediately

If new transactions or updates to currently secured transactions are to go into effect immediately during the current CICS session, the ATRN (Activate Secured Transaction) function must be completed. This function places the new transaction security information into effect during the current CICS session. If not activated, the new transaction security information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized. Refer to page 7-8 for more information about the Activate Secured Transaction function.

To temporarily remove transactions from any further security monitoring during the current CICS session, use the DTRN (Deactivate Secured Transaction) function. To permanently prevent the transactions from being secured during any subsequent security processing, change the status of the transactions from active (A) to disabled (D). Refer to page 7-9 for more information about the Deactivate Secured Transaction function.

Sample Panel

ASTR   ** SYSTEM TRANSACTION SECURITY INFORMATION **   ADD

TRAN   STATUS   ACCESS-TIME   DESCRIPTIVE TRANSACTION NAME

____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________
____   _        ____ / ____   ______________________________

GK710 ENTER TRANSACTION INFORMATION TO BE ADDED TO FILE


Field Descriptions

Field    Meaning

TRAN    The transaction to be protected as it is identified in the CICS Program Control Table (PCT). Only transactions defined on this panel can be allocated to terminals and operators as secured resources.

Securing PA- and PF-Key Transactions

You can also start transactions in CICS by pressing a PA or PF key. BIM-ALERT/CICS allows you to enter the special transaction codes PF01 - PF24 to provide security for PF-key transactions and PA01 - PA03 for PA-key transactions. Enter PF01 to specify PF key 1, PF02 to describe PF key 2, and so forth.

If you define your PF functions via RDO, turn on optional feature #34 as described in Chapter 9.

Generic Transaction IDs

You can use generic characters in a single security definition to secure multiple transactions with similar IDs. You can use the generic character = (equal sign) to match any string of one to three characters at the end of a transaction ID. Generic transactions must be added with status P.

For example, you could secure the payroll transactions PAY1, PAY2, and PAY3 by defining PA= as a secured transaction ID. You could then assign PA= to any operator, terminal, or group needing authority to process all the payroll transactions.

Suppose you want operator USER01 to use all the payroll transactions except PAY3. You would take the following steps:

1. Define PA= and PAY3 as secured transaction IDs.

2. Assign PA= to USER01, but do not assign PAY3.

3. Assign PA= and PAY3 to all users who need to use all payroll transactions.

Be careful when defining generic resource names. You should use as much of the name as possible with the generic character to limit unintended access to resources. For example, PA= matches all transaction IDs beginning with PA. PAY= would have been a better choice because it still matches all the intended resources, but greatly reduces the chance of matching unintended resources.

Assigning transactions to groups, terminals, and operators is covered in detail in the following chapters.

STATUS    The status of the transaction. The STATUS field is used to provide flexibility in handling many different situations that arise in CICS networks. Valid status codes are as follows:

Code    Meaning

A    Activates security for a transaction. It also verifies that the transaction code already exists in the CICS PCT. This verification catches typing errors that could provide security for transactions that do not exist.

D    Disables security for a transaction. At initialization, BIM-ALERT bypasses transactions that have status D so they are not loaded into the security table. This status is used when a set of transactions has been removed from CICS and no longer needs security. Any BIM-ALERT/CICS resource that has a status of D is deleted from the security file at the next file reorganization. Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.


M    Monitors security for a transaction. The security is checked each time the transaction is used. If a violation is detected for a transaction in monitor mode, a record is written to the security log file. When printed or displayed using BIM-ALERT's PVIO or DVIO function, these records are identified with the word MONITOR instead of the word VIOLATION. Monitored transactions are not stopped, and the terminal or operator is unaware that monitoring has taken place. Once you are ready to enforce security, change the transaction to status A or P.

P    Preloads transactions to BIM-ALERT before they have been defined to CICS. For example, if you are going on vacation and know that some new transactions will be installed while you are gone, you must be able to tell BIM-ALERT to expect them. Status P allows you to do this since no validation of the PCT is performed. At initialization, BIM-ALERT considers status A and status P equal. This means that transactions with status P are secured as soon as they are defined to CICS. Be aware that you are responsible for double-checking your entry because BIM-ALERT will not attempt to validate it against the PCT if the status is P. Once the transaction is defined to CICS, you should change the status to A.

Status P is also useful in MRO environments in which there are transactions in PCT tables not available to BIM-ALERT controlling the security file. Using status P and sharing the S1SCTY file in multiple CICS regions ensures that all resources are covered.

S    Used for safe transactions. A safe transaction is one that should be allowed to run for all terminals and operators whether they are signed on or not. In other words, safe transactions are invisible to BIM-ALERT. For example, in some CICS systems that run under VM, it is possible that not all terminal users are CICS users. Status S allows this shop to define a DISConnect transaction that disconnects a terminal from CICS and gives it back to VM without requiring a terminal or operator sign-on under CICS. Status S can also be used for transactions that you may need to run before or after a terminal is signed on or off. Status S should be used with caution, but it does allow you to handle unusual situations.

Since safe transactions do not require sign-on, it is not necessary for these transactions to be added to either the terminal or operator transaction profiles for them to be available. It would be very unusual for an installation to have more than a few status S transactions.

In addition to adding safe transactions initially, any transaction under BIM-ALERT/CICS protection can be made safe by using the BIM-ALERT function USTR to update the transaction and the BIM-ALERT function ATRN to activate the single transaction while CICS is running. Similarly, you can change a safe transaction to protected status by using USTR to change its status to A and then ATRN to activate the single transaction. See page 3-3 for information about USTR and page 7-8 for information about ATRN.


ACCESS-TIME    The period of time that a particular transaction may be used regardless of the access times for a particular terminal or operator. Enter the beginning and ending access times in 24-hour clock time within the range of 0001 to 2400 hours. The specific combination of 0001 to 2400 is known as all time and causes BIM-ALERT/CICS to bypass all time checks. This allows uninterrupted use of a transaction.

DESCRIPTIVE TRANSACTION NAME    The descriptive name used to identify the transaction. This name appears on the terminal and operator batch reports.
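The following Python sketch is an added illustration, not BIM-ALERT code: it models how the STATUS and ACCESS-TIME fields described above combine when one attempt is made to start a transaction, and which entries log or ignore a violation rather than stop it. The class and function names and the sample entries are constructed; treating both ends of the access window as inclusive and rejecting a window whose start is later than its end are assumptions, because the page does not describe those cases.

```python
from dataclasses import dataclass

ALL_TIME = ("0001", "2400")  # the page's "all time" pair: time checks are bypassed
STATUSES = ("A", "D", "M", "P", "S")


@dataclass(frozen=True)
class SecuredTransaction:
    tran: str    # transaction ID as typed on the ASTR panel
    status: str  # A, D, M, P or S
    begin: str   # ACCESS-TIME start, HHMM
    end: str     # ACCESS-TIME end, HHMM

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"{self.tran}: unknown status {self.status!r}")
        for t in (self.begin, self.end):
            ok = len(t) == 4 and t.isdigit() and "0001" <= t <= "2400" and t[2:] < "60"
            if not ok:
                raise ValueError(f"{self.tran}: access time {t!r} outside 0001-2400")
        if self.begin > self.end:
            # Assumption: the page does not say how a window crossing midnight
            # is handled, so this model refuses it instead of guessing.
            raise ValueError(f"{self.tran}: window {self.begin}/{self.end} not modelled")


def in_window(entry, hhmm):
    """True if hhmm (a four-digit HHMM string) is inside the system-level window."""
    if (entry.begin, entry.end) == ALL_TIME:
        return True
    return entry.begin <= hhmm <= entry.end  # assumption: both ends inclusive


def decide(entry, hhmm, assigned):
    """Return (stopped, log_label) for one attempt to start the transaction.

    assigned: whether the terminal or operator profile carries this transaction.
    The system-level window is checked even when assigned is True, because
    system resource controls take priority over terminal and operator controls.
    """
    if entry.status in ("D", "S"):
        return (False, None)       # D: not loaded into the table; S: invisible
    if assigned and in_window(entry, hhmm):
        return (False, None)
    if entry.status == "M":
        return (False, "MONITOR")  # logged, never stopped
    return (True, "VIOLATION")     # A, and P once the transaction exists in CICS


def not_enforced(entries):
    """IDs whose status means a violation is never stopped; worth a periodic review."""
    return [e.tran for e in entries if e.status in ("D", "M", "S")]


# Constructed sample definitions, not taken from any real security file.
ENTRIES = [
    SecuredTransaction("PAY1", "A", "0800", "1700"),
    SecuredTransaction("PAY2", "M", "0800", "1700"),
    SecuredTransaction("DISC", "S", "0001", "2400"),
    SecuredTransaction("INQ1", "P", "0001", "2400"),
    SecuredTransaction("OLD1", "D", "0001", "2400"),
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e.tran, e.status, "authorized operator at 0300 ->", decide(e, "0300", True))
    print("never stopped:", not_enforced(ENTRIES))
```

The output shows that an authorized operator is still stopped at 0300 on the status A entry because of the system-level window, while the same attempt on the status M entry only produces a MONITOR record.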


Securing Programs

System Program Security Information Panel

Purpose

Use the System Program Security Information panel to add, update, or display secured programs.

Add all CICS programs to be secured by BIM-ALERT/CICS to the system by using the ASPR (Add Secured Programs) function of this panel. Once programs are added, you can update them with the USPR (Update Secured Programs) function or display them with the DSPR (Display Secured Programs) function.

Access

To display the System Program Security Information panel, move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER, or enter one of the following transaction codes from any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ASPR    Add Program Security Information Panel

Enter the security information for the new programs to be added to the security file. Press ENTER to complete the addition process.

USPR    Update Program Security Information Panel

Enter the program name of the program to be updated and press ENTER to display the current program information. Make the required changes to the current program information and press ENTER to complete the update process.

DSPR    Display System Program Security Information Panel

Enter the program names of the programs to be displayed. Press ENTER to display the current program information.


Implementing Changes to Security Immediately

If new programs or updates to currently secured programs are to go into effect immediately during the current CICS session, complete the APRG (Activate Secured Program) function (see page 7-10). This function places the new program security information into effect during the current CICS session. If not activated, the new program security information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Use the DPRG (Deactivate Secured Program) function (see page 7-11) to temporarily remove programs from any further security monitoring during the current CICS session. To permanently prevent the programs from being secured during any subsequent security processing, change the status of the programs from active (A) to disabled (D) on the security file.

Sample Panel

ASPR   ** SYSTEM PROGRAM SECURITY INFORMATION **   ADD

PROGRAM    STATUS   ACCESS-TIME   DESCRIPTIVE PROGRAM NAME

________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________
________   _        ____ / ____   ______________________________

GK710 ENTER PROGRAM INFORMATION TO BE ADDED TO FILE


Field Descriptions

Field    Meaning

PROGRAM    The program to be protected as it is identified in the CICS Processing Program Table (PPT).

Generic Program Names

You can use generic characters in a single security definition to secure multiple programs with similar names. You can use the generic character = (equal sign) to match any string of one to seven characters at the end of a program name. Generic programs must be added with status P.

For example, you could secure the payroll programs PAYROLL1, PAYROLL2, and PAYROLL3 by defining PAY= as a secured program. You could then assign PAY= to any operator, terminal, or group needing authority to process all the payroll programs.

Suppose you want operator USER01 to use all the payroll programs except PAYROLL3. You would take the following steps:

1. Define PAY= and PAYROLL3 as secured program names.

2. Assign PAY= to USER01, but do not assign PAYROLL3.

3. Assign PAY= and PAYROLL3 to all users who need to use all payroll programs.

Be careful when defining generic resource names. You should use as much of the name as possible with the generic character to limit unintended access to resources. For example, PAY= matches all program names beginning with PAY. PAYROLL= would have been a better choice because it still matches all the intended resources, but greatly reduces the chance of matching unintended resources.

Assigning programs to groups, terminals and operators is covered in detail in the following chapters.

STATUS    The status of the program. The STATUS field is used to provide flexibility in handling many different situations that arise in CICS networks. Valid status codes are as follows:

Code    Meaning

A    Activates security for a program and verifies that the program name already exists in the CICS PPT. This verification catches typing errors that could provide security for programs that do not exist.

D    Disables security for a program. At initialization, BIM-ALERT bypasses programs that have status D so they are not loaded into the security table. This status is used when you have removed a set of programs from CICS and they no longer need security. Any BIM-ALERT/CICS resource that has a status of D is deleted from the security file at the next file reorganization. Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.


M    Monitors security for a program. The security is checked each time the program is used. If a violation is detected for a program in monitor mode, a record is written to the security log file. When printed or displayed using BIM-ALERT's PVIO or DVIO function, these records are identified by the word MONITOR instead of the word VIOLATION. Monitored programs are never stopped, and the terminal or operator is unaware that monitoring has occurred. Once you are ready to enforce security, change the status to A or P.

P    Preloads programs to BIM-ALERT before they have been defined to CICS. For example, if you are going on vacation and know that some new programs will be installed while you are gone, you must be able to tell BIM-ALERT to expect them. Status P allows this since no validation of the PPT is performed. At initialization, BIM-ALERT considers status P and status A equal. This means that programs with status P are secured as soon as they are defined to CICS. Be aware that you are responsible for double-checking your entry because BIM-ALERT will not attempt to validate it against the PPT if the status is P. Once the program is defined to CICS, you should change the status to A. Status P is also useful in MRO environments where there may be programs in PPTs that are not available to BIM-ALERT controlling the security file. Using status P and sharing the S1SCTY file in multiple CICS regions ensures that all resources are covered. Generic programs must be added with status P.

ACCESS-TIME    The period of time that a particular program may be used regardless of the access time for a particular terminal or operator. Enter the beginning and ending access times in 24-hour clock time within the range of 0001 to 2400 hours. The specific combination of 0001 to 2400 is known as all time and causes BIM-ALERT/CICS to bypass all time checks. This is useful if you want to allow uninterrupted access.

DESCRIPTIVE PROGRAM NAME    The descriptive name used to identify the program. This name appears on all terminal and operator batch reports.


Securing Files

System File Security Information Panel

Purpose

Use the System File Security Information panel to add, update, or display secured files.

Add all CICS files to be secured by BIM-ALERT/CICS to the system by using the ASFL (Add Secured Files) function of this panel. Once files are added, you can update them with the USFL (Update Secured Files) function or display them with the DSFL (Display Secured Files) function.

DL/I support is provided at the PSB and segment level. PSBs and segments to be secured can be added to BIM-ALERT/CICS as system resources using the ASFL panel. Substitute the PSB name or segment name for the filename on the panel. Segments must be added as status P files.

Access

To display the System File Security Information panel, move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER, or enter one of the following program codes on any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ASFL    Add System File Security Information Panel    Enter the security information for the file to be added to the security file. Press ENTER to complete the addition process.

USFL    Update System File Security Information Panel    Enter the filenames of the files to be updated. Press ENTER to display the current file information. Make the required changes to the current file information. Press ENTER to complete the update process.

DSFL    Display System File Security Information Panel    Enter the filename of the files to be displayed. Press ENTER to display the current file information.

Implementing Changes to Security Immediately

If new files or updates to currently secured files are to go into effect immediately during the current CICS session, complete the AFIL (Activate Secured File) function (see page 7-12). This function places the new file into effect during the current CICS session. If not activated, the new file security information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Use the DFIL (Deactivate Secured Files) function (see page 7-14) to temporarily remove files from any further security monitoring during the current CICS session. To permanently prevent the file from being secured during any subsequent security processing, change the status of the file from active (A) to disabled (D) on the security file.

Sample Panel

ASFL            ** SYSTEM FILE SECURITY INFORMATION **            ADD

FILENAME  STATUS  PROCESS  ACCESS-TIME  DESCRIPTIVE FILE NAME

________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________
________    _        _     ____ / ____  ______________________________

GK710 ENTER FILE INFORMATION TO BE ADDED TO FILE

Field Descriptions

Field Meaning

FILENAME The name of the file to be protected as it is identified in the CICS File Control Table (FCT), or the name of the PSB or segment as defined to DL/I.

Generic File Names

You can use generic characters in a single security definition to secure multiple files with similar names. You can use the generic character = (equal sign) to match any string of one to seven characters at the end of a filename. Generic filenames must be added with status P.

For example, you could secure the payroll files PAYROLL1, PAYROLL2, and PAYROLL3 by defining PAY= as a secured filename. You could then assign PAY= to any operator, terminal, or group needing authority to access all the payroll files.

Suppose you want operator USER01 to access all the payroll files except PAYROLL3. You would take the following steps:

1. Define PAY= and PAYROLL3 as secured filenames.

2. Assign PAY= to USER01, but do not assign PAYROLL3.

3. Assign PAY= and PAYROLL3 to all users who need access to all payroll files.

Be careful when defining generic resource names. You should use as much of the name as possible with the generic character to limit unintended access to resources. For example, PAY= matches all filenames beginning with PAY. PAYROLL= is a better choice because it matches all the intended resources, but greatly reduces the chance of matching unintended resources.

Assigning files to groups, terminals and operators is covered in detail in the following chapters.

STATUS The status of the file. The STATUS field is used to provide flexibility in handling many different situations that arise in CICS networks. Valid status codes are as follows:

Code Meaning

A Activates security for a file. It also verifies that the filename already exists in the CICS FCT. This verification catches typing errors that could provide security for files that do not exist.

D Disables security for a file. At initialization, BIM-ALERT bypasses files that have status D so they are not loaded into the security table. This status is used when you have removed a set of files from CICS and they no longer need security. Any BIM-ALERT/CICS resource that has a status of D is deleted from the security file at the next file reorganization. Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.


M Monitors security for a file. The security is checked each time the file is used. If a violation is detected for a file in monitor mode, a record is written to the security log file. When printed or displayed using BIM-ALERT's PVIO or DVIO function, these records are identified by the word MONITOR instead of the word VIOLATION. Monitored files are never stopped, and the terminal or operator is unaware that monitoring has occurred. Once you are ready to enforce security, change the status to A or P.

P Preloads files to BIM-ALERT before they have been defined to CICS. For example, if you are going on vacation and know that some new files will be installed while you are gone, you must be able to tell BIM-ALERT to expect them. Status P allows this since no validation of the FCT is performed. At initialization, BIM-ALERT considers status P and status A equal. This means that files with status P are secured as soon as they are defined to CICS. Be aware that you are responsible for double-checking your entry because BIM-ALERT will not attempt to validate it against the FCT if the status is P. Once the file is defined to CICS, you should change the status to A.

Status P is also useful in MRO environments where there may be files in FCTs that are not available to BIM-ALERT controlling the security file. Using status P and sharing the S1SCTY file in multiple CICS regions ensures that all resources are covered.

Status P must be used when defining DL/I segments and generic filenames.

PROCESS Defines the level of access authorized to the file at the system level. The acceptable file values are as follows:

I Inquiry
U Both file inquiry and updating

ACCESS-TIME The period of time that a particular file may be used regardless of the access time for a particular terminal or operator. Enter the beginning and ending access times in 24-hour clock time within the range of 0001 to 2400 hours. The specific combination of 0001 to 2400 is known as all time and causes BIM-ALERT/CICS to bypass all time checks. This is useful if you want to allow uninterrupted access.

DESCRIPTIVE FILE NAME The descriptive name used to identify the file. This name appears on all terminal and operator batch reports.
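The sketch below is an added example, not BIM-ALERT code or part of the original manual: it models the generic = rule and the PAY= / PAYROLL3 steps described under Generic File Names, and lists which FCT entries each generic name would cover so unintended matches can be spotted before the definition is added. The function names and the FCT contents are constructed, and the rule that an exact name governs ahead of a generic name (and a longer generic prefix ahead of a shorter one) is an assumption drawn from the USER01 example.

```python
# Constructed sample data (not from any real FCT or security file).
FCT = ["CUSTMAST", "PAYABLES", "PAYROLL1", "PAYROLL2", "PAYROLL3"]
SECURED = ["PAY=", "PAYROLL3"]        # step 1: both are secured filenames
USER01 = {"PAY="}                     # step 2: PAYROLL3 is not assigned
PAYADMIN = {"PAY=", "PAYROLL3"}       # step 3: needs all payroll files


def covers(definition, filename):
    """True if a secured-file definition covers a filename.

    A trailing "=" matches one to seven characters at the end of the name.
    """
    if definition.endswith("="):
        prefix = definition[:-1]
        tail_length = len(filename) - len(prefix)
        return filename.startswith(prefix) and 1 <= tail_length <= 7
    return definition == filename


def governing_definition(secured, filename):
    """Pick the definition that decides access to a file.

    Assumption: an exact name wins over a generic one, and among generic
    names the longest prefix wins.
    """
    hits = [d for d in secured if covers(d, filename)]
    if not hits:
        return None
    return max(hits, key=lambda d: (not d.endswith("="), len(d)))


def decide(secured, assigned, filename):
    """Return "unsecured", "allowed" or "denied" for one profile and file."""
    definition = governing_definition(secured, filename)
    if definition is None:
        return "unsecured"
    return "allowed" if definition in assigned else "denied"


def coverage(secured, fct):
    """For each generic definition, list the FCT entries it would cover."""
    return {d: sorted(f for f in fct if covers(d, f))
            for d in secured if d.endswith("=")}


if __name__ == "__main__":
    for name in FCT:
        print(name, "USER01:", decide(SECURED, USER01, name),
              "PAYADMIN:", decide(SECURED, PAYADMIN, name))
    # PAY= also picks up PAYABLES; PAYROLL= does not.
    print(coverage(["PAY=", "PAYROLL="], FCT))
```

Running the coverage check against the real FCT listing before adding a generic name shows exactly which files the shorter prefix would sweep in.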


Securing Maps

System Map Security Information Panel

Purpose

Use the System Map Security Information panel to add, update, or display secured maps.

Add all CICS maps to be secured by BIM-ALERT/CICS to the system by using the ASMP (Add Secured Maps) function of this panel. Once maps have been added, you can update them with the USMP (Update Secured Maps) function or display them with the DSMP (Display Secured Maps) function.

Defining Maps With Many Fields

Each System Map Security Information panel lets you define 30 fields. To define more than 30 fields for a single map, you must complete a second panel for the additional fields. Use a separate reference number for the second panel, and assign both reference numbers to an operator.

Restriction

Use of datastream compression packages may affect BIM-ALERT's ability to secure map fields.

Access

To display the System Map Security Information panel, move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ASMP    Add System Map Security Information Panel    Enter the security information for the map to be added to the security file. Press ENTER to complete the addition process.

USMP    Update System Map Security Information Panel    Enter the map and reference number of the map to be updated. Press ENTER to display the current map security. Make the required changes to the current map information and press ENTER to complete the update process.

DSMP    Display System Map Security Information Panel    Enter the map and reference number of the map to be displayed. Press ENTER to display the current map information.

Implementing Changes to Security Immediately

If new maps or updates to currently secured maps are to go into effect immediately during the current CICS session, complete the AMAP (Activate Secured Map) function (see page 7-15). This function places the new map security information into effect during the current CICS session. If not activated, the new map security information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Use the DMAP (Deactivate Secured Maps) function (see page 7-16) to temporarily remove maps from any further security monitoring during the current CICS session. To permanently prevent the maps from being secured during any subsequent security processing, change the status of the maps from active (A) to disabled (D) on the security file.

Sample Panel

ASMP            ** SYSTEM MAP SECURITY INFORMATION **            ADD

MAP: _______ MAPSET: _______ REF. #: ____ TITLE: ____________________ STATUS: _

FIELD   DISPLAY  DESCRIPTIVE             FIELD   DISPLAY  DESCRIPTIVE
NUMBER  (Y/N)    FIELD NAME              NUMBER  (Y/N)    FIELD NAME

___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________
___     _        ____________________    ___     _        ____________________

GK710 ENTER MAP DISPLAY SECURITY INFORMATION TO BE ADDED TO FILE

Field Descriptions

Field Meaning

MAP The name of the map to be restricted within the mapset.

MAPSET The name of the mapset to which the restricted map belongs.

REF. # The number used to refer to this version of restrictions for the map. If a particular map requires several different versions with different fields restricted, each version will have its own reference number.

New Versions of Map Restrictions

The reference number is not supplied by the security administrator when a new version of restrictions is added for a map. BIM-ALERT/CICS generates this number when the map restriction is added to the system. The reference numbers must be used to identify the specific versions of map restrictions being assigned to an operator or terminal. Refer to Chapter 4, "Securing Groups of Resources", Chapter 5, "Securing Terminal Resources", and Chapter 6, "Securing Operator Resources", for more information on map reference numbers as they apply to terminal, operator, and group map security.

TITLE The descriptive name used to identify the map and mapset being restricted.

STATUS The status of the map, as follows:

A Active
D Disabled

A currently unsecured map can be preloaded by adding it as status D. It can then be activated when the map is actually defined in the PPT. Be aware that status D resources will be dropped if the file reorganization programs S1U001 and S1U002 are executed.

FIELD NUMBER This number references the particular fields in the map to be restricted. The number is determined for each field by numbering the DFHMDF entries in the map definition source listing. The number of the field you want to protect is its relative DFHMDF number. For example, the second DFHMDF macro is field number two of the map. This is the only safe way to determine the field number. If you try to count the fields on the CRT, you will have problems with dark fields or "field stoppers," which do not show up.

DISPLAY (Y/N) The value selected determines whether the field represented by the field number will be displayed on the panel. If Y is entered, the field is displayed; if N is entered, the field is not displayed. Regardless of whether Y or N is selected, the field is protected from data entry.

DESCRIPTIVE FIELD NAME The descriptive name used to identify the map field being restricted. This name appears on all terminal and operator batch reports.
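The FIELD NUMBER rule above can be applied mechanically to the map source instead of counting by eye. The following is an added example, not part of the manual or of BIM-ALERT: it numbers the DFHMDF macros of each map in a BMS source deck, skipping comment cards and joining continuation cards. The sample mapset is constructed, the function names are hypothetical, and restarting the count at each DFHMDI is an assumption based on the phrase "field number two of the map".

```python
import re


def card(text, continued=False):
    """Build one source card; a non-blank column 72 marks a continuation."""
    return text.ljust(71) + ("X" if continued else "")


# Constructed sample mapset source (not taken from any real application).
SAMPLE_SOURCE = "\n".join([
    card("PAYSET   DFHMSD TYPE=MAP,MODE=INOUT,LANG=COBOL,TIOAPFX=YES"),
    card("PAYMAP   DFHMDI SIZE=(24,80)"),
    card("         DFHMDF POS=(1,30),LENGTH=14,ATTRB=(PROT,BRT),", True),
    card("               INITIAL='PAYROLL UPDATE'"),
    card("EMPNO    DFHMDF POS=(3,12),LENGTH=6,ATTRB=(UNPROT,NUM,IC)"),
    card("         DFHMDF POS=(3,19),LENGTH=1,ATTRB=ASKIP"),      # field stopper
    card("*OLDFLD  DFHMDF POS=(4,12),LENGTH=8,ATTRB=UNPROT"),     # commented out
    card("SALARY   DFHMDF POS=(5,12),LENGTH=9,ATTRB=(UNPROT,NUM)"),
    card("         DFHMDF POS=(5,22),LENGTH=1,ATTRB=ASKIP"),      # field stopper
    card("NOTES    DFHMDF POS=(7,12),LENGTH=20,ATTRB=(UNPROT,DRK)"),  # dark field
    card("         DFHMSD TYPE=FINAL"),
    card("         END"),
])


def logical_statements(source):
    """Yield complete statements, joining cards continued in column 72."""
    statement, continuing = "", False
    for raw in source.splitlines():
        if not continuing and raw.startswith("*"):
            continue                              # comment card
        body = raw[:71]
        more = len(raw) > 71 and raw[71] != " "
        statement += body[15:].strip() if continuing else body.rstrip()
        continuing = more
        if not more:
            if statement.strip():
                yield statement
            statement = ""


def number_fields(source):
    """Return {map name: [(field number, label or None, (row, col)), ...]}."""
    maps, current = {}, None
    for statement in logical_statements(source):
        labelled = not statement[0].isspace()
        tokens = statement.split(None, 2 if labelled else 1)
        label = tokens.pop(0) if labelled else None
        opcode = tokens[0] if tokens else ""
        operands = tokens[1] if len(tokens) > 1 else ""
        if opcode == "DFHMDI":
            current = maps.setdefault(label, [])  # numbering restarts per map
        elif opcode == "DFHMDF" and current is not None:
            pos = re.search(r"POS=\((\d+),(\d+)\)", operands)
            where = (int(pos.group(1)), int(pos.group(2))) if pos else None
            current.append((len(current) + 1, label, where))
    return maps


def field_number(source, map_name, label):
    """Look up the relative DFHMDF number of a labelled field."""
    for number, name, _ in number_fields(source)[map_name]:
        if name == label:
            return number
    raise KeyError(label)


if __name__ == "__main__":
    for number, label, where in number_fields(SAMPLE_SOURCE)["PAYMAP"]:
        print(number, label or "(unnamed)", where)
```

In the sample, SALARY is the second field an operator can type into but the fourth DFHMDF, which is the number the panel expects.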


Securing Field-Level Resources

System Field Level Security Submenu

Purpose

Use the System Field Level Security Submenu to access other field-level security definition panels.

Field-level resources can be added for files and for input mapping security. You can limit access to specific records in a file by defining field-level resources at the file level. You can also limit the application functions a user can process by controlling what the user is authorized to pass to the application as input on a BMS map.

Access

To display the System Field Level Security Submenu, move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER, or enter one of the following program codes on any security panel:

Enter This Transaction    To Display This Panel    And Then Take This Action

ASFS    Add System Field Level Security Submenu    Move the cursor to the appropriate field and press ENTER, or press the appropriate PF key as listed on the System Field Level Security Submenu to access the correct field-level definition panel.

USFS    Update System Field Level Security Submenu    Move the cursor to the appropriate field and press ENTER, or press the appropriate PF key as listed on the System Field Level Security Submenu to access the correct field-level update panel.

DSFS    Display System Field Level Security Submenu    Move the cursor to the appropriate field and press ENTER, or press the appropriate PF key as listed on the System Field Level Security Submenu to access the correct field-level display panel.

Sample Panel

ASFS            ** SYSTEM FIELD LEVEL SECURITY **            ADD

MAKE A SELECTION BY CURSOR POSITION OR PF-KEY

PF4 ==> _ VSAM FILES

PF5 ==> _ BMS MAPS

PF3=RETURN TO MAIN MENU CLEAR=END

System Field Level Security Panel (Files)

Purpose

Use the System Field Level Security panel to add, update, or display field-level security for files or maps.

Add all file field-level resources to be secured by BIM-ALERT/CICS to the system by using the ASFF (Add Secured Fields Files) function of this panel. Once the field-level security has been added, you can update it with the USFF (Update Secured Fields Files) function or display it with the DSFF (Display Secured Fields Files) function.

Defining Resources with Multiple Segments

Each System Field Level Security panel for files lets you define up to five segments upon which security can be based. If a particular field can contain more than five values that must be defined as the same resource, you must complete a second panel for the additional segments. You must assign a different resource name for the second panel, and assign both names to an operator, terminal, or group to allow access to both resources.

Access

To display the System Field Level Security panel for files, either move the cursor to the appropriate field on the BIM-ALERT/CICS System Field Level Security Submenu and press ENTER, press PF4 from the System Field Level Security Submenu, or enter one of the following transaction codes on any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ASFF    Add System Field Level Security Panel for files    Enter the security information for the file to be added to the security file. Press ENTER to validate the information, press PF5 to add additional segments, or press PF10 to complete the addition process.

USFF    Update System Field Level Security Panel for files    Enter the resource name and the real name of the file to be updated. Press ENTER to display the current field-level security information. Make the required changes to the current field-level information. Press ENTER to validate the information, press PF5 to add additional segments, or press PF10 to complete the update process.

DSFF    Display System Field Level Security Panel for files    Enter the resource name and the real name of the file to be displayed. Press ENTER to display the current field-level information.

Implementing Changes to Security Immediately

If you want new field-level definitions or updates to existing field-level definitions to take effect immediately during the current CICS session, complete the AFLD (Activate Secured Field) function (see page 7-17). This function places the field-level security information into effect during the current CICS session. If not activated, the new field-level security information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Use the DFLD (Deactivate Secured Field) function (see page 7-19) to temporarily remove field-level resources from any further security monitoring during the current CICS session. To permanently prevent the field-level resources from being secured during any subsequent security processing, change the status of the field-level resources from active (A) or preloaded (P) to disabled (D) on the security file.

Sample Panel

ASFF            ** SYSTEM FIELD LEVEL SECURITY **            ADD

RESOURCE NAME ...... ________                          FILE REQ   ACT CODE POS
FILE NAME .......... ________                          ADD ......
RESOURCE STATUS .... _                                 BROWSE ... _   __   _____
RECORD FORMAT ...... _                                 DELETE ...
DESCRIPTIVE NAME ... ______________________________    READ ..... _   __   _____
                                                       UPDATE ...
........................DATA FIELD SPECIFICATIONS...........................
DATA POSITION ...... _____     COMPARE OPERATOR ....... __
DATA LENGTH ........ ___       FIELD DESCRIPTION ...... _______________
DATA FORMAT ........ _
DATA VALUE 1 > ________________________________________________________________
               ________________________________________________________________
               ________________________________________________________________
               ________________________________________________________________

DATA VALUE 2 > ________________________________________________________________
(RANGE ONLY)   ________________________________________________________________
               ________________________________________________________________
               ________________________________________________________________
LOGICAL CONNECTOR (AND/OR) .... ___                    SEGMENT 1 OF _

PF3=RETURN PF5=CONTINUE THIS DEFINITION PF10=COMMIT THIS DEFINITION

Field Descriptions

Field Meaning

RESOURCE NAME The name to be assigned to this field-level resource. The name does not need to be the name of any real resource defined to CICS. Instead, use any name to be assigned to the resource defined by this particular set of data parameters. Add this name to the profiles of operators, terminals, or groups to grant access to the resource.

FILE NAME The real name of the file that contains the data, as it is defined to CICS in the FCT.

It is possible to have the same resource name assigned to data from different files. For example, suppose you have several different customer files that contain customer account numbers, and you want to limit access to certain records in the files based upon the account number. To do so, define a field-level resource with the same resource name for each real file name. Then add that resource name to a user's profile, and the user will be limited to accessing the defined field in each file.

RESOURCE STATUS The status of the field-level definition, as follows:

A Active
D Disabled
P Preloaded

Active field resources are loaded into the security table at initialization, and the real file is validated against the FCT whenever the record is updated. To prepare for future additions to the FCT, define the field-level resource as status P, which bypasses the FCT authorization. Preloaded resources are loaded into the security file at initialization, and are treated as active. Status D resources are bypassed at initialization, and will be dropped from the file if the reorganization programs S1U001 and S1U002 are executed.

RECORD FORMAT One of the following values to specify whether the real file is defined in the FCT as a fixed or variable record length file:

V Variable record length (default)
F Fixed record length

DESCRIPTIVE NAME The descriptive name used to identify the field-level resource being defined. This name appears on all batch reports.

FILE REQ The fields under the FILE REQ heading at the upper right of the panel list the different types of file access. The ACT, CODE, and POS fields define actions for each type of file access.


ACT The action the field resource monitor is to take for the different types of access (read, add, browse, update, and delete). Acceptable values for ACT are as follows:

V Violation. This value instructs the field-level monitor to handle any unauthorized access as a violation and deny the user.

A Allow. This value instructs the monitor to allow the access, even if the resource is not specifically defined to the user. By using A on read and browse, for example, you can easily allow users to read or browse any record on a file, but not update, delete, or add certain records, without having to actually authorize the user access to the resource.

R Return code (read and browse only). This value instructs the monitor to pass a return code back to the user application, either in the EIBRCODE field (for example, NOTAUTH or NOTFND), which can then be handled by HANDLE CONDITIONs in the program, or in the record itself, depending upon how the CODE and POS parameters are coded.

CODE This field can be used to pass a return code back to the application, either in the data, or in EIBRCODE, depending upon how the POS parameter is coded.

POS This field works in conjunction with the CODE field to determine how return codes will be passed back to the application. If CODE contains a value and POS does not, the return code will be returned to the application in EIBRCODE. A return code passed back in this fashion can be handled by a HANDLE CONDITION in the user application.

For example, if you put D6 in the CODE field and nothing in the POS field, the user application will be returned a NOTAUTH condition on any unauthorized access. However, if the CODE field contains D6 and the POS field contains 42, a character O will be returned to the application in position 42 of the record. See the BIM-ALERT Messages Guide for information about file access return codes and to determine which return codes can be passed back to an application.

Important: CODE and POS are valid only if the ACT field value is R, and are therefore valid only for READ and BROWSE requests. To deny access on unauthorized adds, deletes, or updates, BIM-ALERT/CICS must abend the task.

Preventing deletes based upon data within the record is not possible if no read for update has been processed prior to doing the delete, because the data in the record is not available for the validation unless the record has previously been read for update.

DATA POSITION The position in the record at which the data to be verified is located. This position is relative to 1. Acceptable values are from 1 to 32767.


COMPARE OPERATOR The type of comparison result that will make the field definition valid. The data specified is compared to the data in the record, and the resource authorization will be performed if the result matches the compare operator. Acceptable values are as follows:

EQ The data in the record matches the data specified in the field-level definition.

NE The data in the record does not match the data specified in the field-level definition.

GT The data in the record is greater than the data specified in the field-level definition.

GE The data in the record is greater than or equal to the data specified in the field-level definition.

LT The data in the record is less than the data specified in the field-level definition.

LE The data in the record is less than or equal to the data specified in the field-level definition.

RA The data in the record falls within the range specified by the DATA VALUE 1 and DATA VALUE 2 fields.

DATA LENGTH The length of the compare. You should take great care to make sure that the data you specify on the field-level definition matches the data length specified. The actual compare will be based upon the length specified here, so incorrect data lengths could cause unpredictable results.

If the data format is C, acceptable data length values are from 1 to 256.

If the data format is P, acceptable data length values are from 1 to 8.

If the data format is X, acceptable data length values are from 1 to 128.

FIELD DESCRIPTION A comment area to describe the field. This field performs no security functions, but is printed on batch reports as documentation.

DATA FORMAT The format of the data in the record. Acceptable values are as follows:

C Character data
P Packed data
X Hexadecimal data


DATA VALUE 1 This field specifies the data to compare to the data in the record. If the comparison between the datain the record and the data value specified satisfies the compare operator specified in the COMPAREOPERATOR field, the access authorization is performed.

If the data format specified is C, then enter the data exactly the way it is shown on the panel.

If the data format specified is P, then enter the number as characters (for example 100000). The value will be converted to a packed number internally. In this case, the value specified for DATA LENGTH should be at least 4, because the minimum field in which a packed 100000 can fit is four bytes (X'0100000F'). If the data length specified is greater than 4, the data value is padded to the left with zeros when the comparison is made.

If the data format specified is X, enter the data in a character representation of hexadecimal data. For example, if you want to compare a four-byte field in the record for the hexadecimal value X'FF01DE80', specify FF01DE80. This is converted internally to the hexadecimal format so the compare can be performed properly.

DATA VALUE 2 This field is valid only if the value entered in the COMPARE OPERATOR field is RA (range). If RA is specified, the comparison is performed so that the value specified in the DATA VALUE 1 field is treated as the low end of a range of data and the value specified in the DATA VALUE 2 field is treated as the high end of the range. If the data in the record falls between or is equal to these two values, the access check is performed.

LOGICAL CONNECTOR (AND/OR) One of the following values, specifying the logical connection between the field-level security definition (segment) on the current System Field Level Security panel and the next segment:

AND Specifies a logical AND relationship (both conditions must be true)

OR Specifies a logical OR relationship (only one of the conditions must be true)
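The conversion and comparison rules in the field descriptions above, as an added Python model for checking a definition before it is entered (an example written for this text, not BIM-ALERT code). It assumes that character data is EBCDIC code page 037, that packed fields compare by numeric value, that a value whose length differs from DATA LENGTH is rejected rather than compared, and that segments combine left to right; the class and function names are hypothetical.

```python
import operator
from dataclasses import dataclass

# DATA LENGTH limits per DATA FORMAT, from the field descriptions above.
LENGTH_LIMITS = {"C": (1, 256), "P": (1, 8), "X": (1, 128)}
RELATIONAL = {"EQ": operator.eq, "NE": operator.ne, "GT": operator.gt,
              "GE": operator.ge, "LT": operator.lt, "LE": operator.le}


def pack_decimal(digits: str, length: int) -> bytes:
    """Convert a number entered as characters to packed decimal of `length` bytes."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("a packed value is entered as decimal digits")
    nibbles = digits + "F"                  # sign nibble as in X'0100000F'
    if len(nibbles) % 2:
        nibbles = "0" + nibbles
    packed = bytes.fromhex(nibbles)
    if len(packed) > length:
        raise ValueError(f"{digits} needs {len(packed)} bytes, DATA LENGTH is {length}")
    return packed.rjust(length, b"\x00")    # padded to the left with zeros


def unpack_decimal(field: bytes) -> int:
    """Decode a packed field; sign nibbles B and D mean negative."""
    text = field.hex()
    digits, sign = text[:-1], text[-1]
    if not digits.isdigit() or sign not in "abcdef":
        raise ValueError("field does not hold packed decimal data")
    value = int(digits)
    return -value if sign in "bd" else value


def encode_value(fmt: str, text: str, length: int) -> bytes:
    """Turn a DATA VALUE as typed on the panel into the bytes to compare."""
    if fmt not in LENGTH_LIMITS:
        raise ValueError(f"unknown DATA FORMAT {fmt!r}")
    low, high = LENGTH_LIMITS[fmt]
    if not low <= length <= high:
        raise ValueError(f"DATA LENGTH for format {fmt} must be {low} to {high}")
    if fmt == "P":
        return pack_decimal(text, length)
    # Assumption: character data in the record is EBCDIC (code page 037).
    raw = bytes.fromhex(text) if fmt == "X" else text.encode("cp037")
    if len(raw) != length:
        raise ValueError(f"value is {len(raw)} bytes, DATA LENGTH is {length}")
    return raw


@dataclass
class Segment:
    fmt: str              # DATA FORMAT: C, P or X
    op: str               # COMPARE OPERATOR: EQ NE GT GE LT LE RA
    length: int           # DATA LENGTH
    value1: str           # DATA VALUE 1
    value2: str = ""      # DATA VALUE 2 (RA only)
    connector: str = ""   # LOGICAL CONNECTOR to the next segment

    def matches(self, field: bytes) -> bool:
        """True when the record field satisfies this segment's compare."""
        if len(field) != self.length:
            raise ValueError("record field length differs from DATA LENGTH")
        # Assumption: packed data compares numerically, C and X byte by byte.
        key = unpack_decimal if self.fmt == "P" else bytes
        data = key(field)
        low = key(encode_value(self.fmt, self.value1, self.length))
        if self.op == "RA":
            high = key(encode_value(self.fmt, self.value2, self.length))
            return low <= data <= high      # range ends are inclusive
        if self.value2:
            raise ValueError("DATA VALUE 2 is valid only with RA")
        if self.op not in RELATIONAL:
            raise ValueError(f"unknown COMPARE OPERATOR {self.op!r}")
        return RELATIONAL[self.op](data, low)


def definition_applies(segments, fields) -> bool:
    """Combine segment results left to right with their AND/OR connectors."""
    result = segments[0].matches(fields[0])
    for prev, seg, field in zip(segments, segments[1:], fields[1:]):
        hit = seg.matches(field)
        if prev.connector == "AND":
            result = result and hit
        elif prev.connector == "OR":
            result = result or hit
        else:
            raise ValueError("a segment followed by another needs AND or OR")
    return result
```

Because the compare is EBCDIC, a character range such as A to Z does not include digits, which sort above the letters; check ranges against the code page rather than ASCII order.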

System Field Level Security Panel (Maps)

Purpose

Use the System Field Level Security panel to add, update, or display field-level security for maps or files.

Add all map input field-level resources to be secured by BIM-ALERT/CICS to the system by using the ASFM (Add Secured Fields Maps) function of this panel. Once the field-level security has been added, you can update it with the USFM (Update Secured Fields Maps) function or display it with the DSFM (Display Secured Fields Maps) function.

Defining Resources with Multiple Segments

Each System Field Level Security panel for maps lets you define up to five segments upon which security can be based. If a particular field can contain more than five values that must be defined as the same resource, you must complete a second panel for the additional segments. You must assign a different resource name for the second panel, and assign both names to an operator, terminal, or group to allow access to both resources.

Access

To display the System Field Level Security panel for maps, either move the cursor to the appropriate field on the BIM-ALERT/CICS System Field Level Security Submenu and press ENTER, press PF5 from the System Field Level Security Submenu, or enter one of the following transaction codes on any security panel:

Enter This Transaction | To Display This Panel | And Then Enter This Information

ASFM | Add System Field Level Security Panel for maps | Enter the security information for the map to be added to the security file. Press ENTER to validate the information, press PF5 to add additional segments, or press PF10 to complete the addition process.

USFM | Update System Field Level Security Panel for maps | Enter the resource name and the real name of the map to be updated. Press ENTER to display the current field-level security information. Make the required changes to the current field-level information. Press ENTER to validate the information, press PF5 to add additional segments, or press PF10 to complete the update process.

DSFM | Display System Field Level Security Panel for maps | Enter the resource name and the real name of the map to be displayed. Press ENTER to display the current field-level information.

Implementing Changes to Security Immediately

If you want new field-level definitions or updates to existing field-level definitions to take effect immediately during the current CICS session, complete the AFLD (Activate Secured Field) function (see page 7-17). This function places the field-level security information into effect during the current CICS session. If not activated, the new field-level security information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Use the DFLD (Deactivate Secured Field) function (see page 7-19) to temporarily remove field-level resources from any further security monitoring during the current CICS session. To permanently prevent the field-level resources from being secured during any subsequent security processing, change the status of the field-level resources from active (A) or preloaded (P) to disabled (D) on the security file.

Sample Panel

ASFM              ** SYSTEM FIELD LEVEL SECURITY **              ADD

RESOURCE NAME ...... ________
MAP NAME ........... ________
MAPSET NAME ........ ________
RESOURCE STATUS .... _
DESCRIPTIVE NAME ... ______________________________

...........................DATA FIELD SPECIFICATIONS...........................
ROW NUMBER ......... __       COMPARE OPERATOR ....... __
COLUMN NUMBER ...... ___      FIELD DESCRIPTION ...... _______________
DATA LENGTH ........ ___
DATA VALUE 1 > ________________________________________________________________
               ________________________________________________________________
               ________________________________________________________________
               ________________________________________________________________

DATA VALUE 2 > ________________________________________________________________
(RANGE ONLY)   ________________________________________________________________
               ________________________________________________________________
               ________________________________________________________________
LOGICAL CONNECTOR (AND/OR) .... ___                      SEGMENT 1 OF _

PF3=RETURN    PF5=CONTINUE THIS DEFINITION    PF10=COMMIT THIS DEFINITION

Field Descriptions

Field Meaning

RESOURCE NAME The name to be assigned to this field-level resource. The name does not need to be the name of any real resource defined to CICS. Instead, use any name to be assigned to the resource defined by this particular set of data parameters. Add this name to the profiles of operators, terminals, or groups to grant access to the resource.

MAP NAME The real name of the map that will be checked for the data when it is read.

It is possible to have the same resource name assigned to data from different maps. For example, suppose you have several different application maps that contain customer account numbers, and you want to restrict operators to entering only account numbers for which they are authorized. To do so, define a field-level resource with the same resource name for each map. By adding this single resource name to a user's profile, the user will be limited to entering only account numbers for which he or she is authorized.

MAPSET NAME The mapset that contains the map. If a mapset name is specified, a double verification (both map and mapset) will be made prior to the access authorization check. If no mapset name is specified, no check for a mapset will be made.

RESOURCE STATUS The status of the field-level definition, as follows:

A Active

D Disabled

P Preloaded

Active field resources are loaded into the security table at initialization, and the mapset is validated against the PPT whenever the record is updated. To prepare for future additions to the PPT, define the field-level resource as status P, which bypasses the PPT authorization. Preloaded resources are loaded into the security file at initialization, and are treated as active. Status D resources are bypassed at initialization, and will be dropped from the file if the reorganization programs S1U001 and S1U002 are executed.

DESCRIPTIVE NAME The descriptive name used to identify the field-level resource being defined. This name appears on all batch reports.

ROW NUMBER The map row number on which the data to be compared is located. Valid values are from 1 to 43.

COMPARE OPERATOR The type of comparison result that will make the field definition valid. The data specified is compared to the data in the map, and the resource authorization will be performed if the result matches the compare operator. Acceptable values are as follows:

EQ The data in the map matches the data specified in the field-level definition.

NE The data in the map does not match the data specified in the field-level definition.

GT The data in the map is greater than the data specified in the field-level definition.

GE The data in the map is greater than or equal to the data specified in the field-level definition.

LT The data in the map is less than the data specified in the field-level definition.

LE The data in the map is less than or equal to the data specified in the field-level definition.

RA The data in the map falls within the range specified by the DATA VALUE 1 and DATA VALUE 2 fields.

COLUMN NUMBER The map column number on which the data to be compared is located. Valid values are from 1 to 132.

If you have a terminal that displays the row and column of the current cursor position, display the map in CICS, move the cursor to the field you want to secure, and note the cursor position displayed to determine the row and column number you should code. Another method is to look at the map source, find the correct field, and use the POS=(nn,nn) to determine the correct values. With this method, you must remember to add one to the second number (column), because the POS=(nn,nn) in a BMS map definition actually defines the location of the attribute. For example, if you look at a field with POS=(09,27) coded, you would specify 9 for ROW NUMBER and 28 for COLUMN NUMBER.

FIELD DESCRIPTION A comment area to describe the field. This field performs no security functions, but is printed on batch reports as documentation.

DATA LENGTH The length of the compare. You should take great care to make sure that the data you specify on the field-level definition matches the data length specified and matches the length of the field in the map. Incorrect data lengths can cause unpredictable results.

DATA VALUE 1 The data to compare to the data in the map. If the comparison between the data in the map and the data value specified satisfies the compare operator specified in the COMPARE OPERATOR field, the access authorization is performed.

DATA VALUE 2 This field is valid only if the value entered in the COMPARE OPERATOR field is RA (range). If RA is specified, the comparison is performed so that the value specified in the DATA VALUE 1 field is treated as the low end of a range of data and the value specified in the DATA VALUE 2 field is treated as the high end of the range. If the data in the map falls between or is equal to these two values, the access check is performed.

LOGICAL CONNECTOR (AND/OR) One of the following values, specifying the logical connection between the field-level security definition (segment) on the current System Field Level Security panel and the next segment:

AND Specifies a logical AND relationship (both conditions must be true)

OR Specifies a logical OR relationship (only one of the conditions must be true)
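The POS=(nn,nn) method described under COLUMN NUMBER, as an added Python helper (written for this text, not part of BIM-ALERT) that reads BMS map source and lists the ROW NUMBER, COLUMN NUMBER and DATA LENGTH to enter for each field. The sample map and all function names are constructed for illustration, and the wrap to the next row when the attribute sits in the last screen column (the `width` parameter) is an assumption about 3270 behaviour that the guide does not cover.

```python
import re

ROW_RANGE = range(1, 44)       # ROW NUMBER: valid values are 1 to 43
COLUMN_RANGE = range(1, 133)   # COLUMN NUMBER: valid values are 1 to 132

# Constructed sample BMS source; the first DFHMDF is continued in column 72.
SAMPLE_BMS = "\n".join([
    "ACCTSET  DFHMSD TYPE=MAP,MODE=INOUT,LANG=COBOL",
    "ACCTMAP  DFHMDI SIZE=(24,80)",
    "         DFHMDF POS=(09,10),LENGTH=15,ATTRB=(PROT,NORM),".ljust(71) + "X",
    "               INITIAL='ACCOUNT NUMBER:'",
    "ACCTNO   DFHMDF POS=(09,27),LENGTH=8,ATTRB=(UNPROT,NUM)",
    "NOTE     DFHMDF POS=(10,80),LENGTH=20,ATTRB=(UNPROT)",
])


def join_continuations(source: str) -> list:
    """Merge assembler statements continued by a non-blank in column 72."""
    statements, pending = [], None
    for line in source.splitlines():
        continued = len(line) > 71 and line[71] != " "
        body = line[:71].rstrip()
        pending = body if pending is None else pending + body.lstrip()
        if not continued:
            statements.append(pending)
            pending = None
    return statements


def secured_field_coordinates(source: str, width: int = 80) -> list:
    """Return the panel values for every DFHMDF field in the map source."""
    fields = []
    for statement in join_continuations(source):
        macro = re.match(r"(\S*)\s+DFHMDF\s+(.*)", statement)
        if not macro:
            continue
        operands = macro.group(2)
        pos = re.search(r"\bPOS=\((\d+),(\d+)\)", operands)
        length = re.search(r"\bLENGTH=(\d+)", operands)
        if not pos or not length:
            continue
        # POS locates the attribute; the data starts one column later.
        row, column = int(pos.group(1)), int(pos.group(2)) + 1
        if column > width:          # assumption: data wraps to the next row
            row, column = row + 1, 1
        if row not in ROW_RANGE or column not in COLUMN_RANGE:
            raise ValueError(f"{statement.strip()}: position outside panel limits")
        fields.append({"name": macro.group(1) or None, "row": row,
                       "column": column, "length": int(length.group(1))})
    return fields


if __name__ == "__main__":
    for entry in secured_field_coordinates(SAMPLE_BMS):
        print(entry)
```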

Chapter 4. Securing Groups of Resources

This chapter explains how to define resource groups for each type of resource: transactions, programs, files, maps, and field-level resources.

Introduction
    Using Resource Groups

Maintaining Resource Groups
    Group Authorized Transactions Panel
    Group Authorized Programs Panel
    Group Authorized Files Panel
    Group Map Security Panel
    Group Authorized Field Resources Panel

Introduction

Using Resource Groups

Description of Resource Groups

A BIM-ALERT/CICS resource group is nothing more than a collection of authorized resources. A group can contain resources of all types, resources of a few types, or resources of a single type. After groups are defined, they can be assigned to an operator or a terminal. The next time the operator signs on, or the next time the terminal is activated, the operator or terminal is automatically authorized for all resources in the group. Each terminal and operator can be assigned up to 32 resource groups.

Using resource groups does not limit the flexibility of BIM-ALERT/CICS. You can still tailor operator or terminal profiles at the individual resource level while exploiting the capabilities of resource groups.

Example of How Resource Groups Are Used

Suppose you have a resource group named SYSTEMS, which contains all the CICS system-supplied transactions and files (CEMT, CECI, DFHCSD, and so on), and you want operator USER01 to be able to perform all these functions except CECI. To do so, you can assign resource group SYSTEMS to the operator (using BIM-ALERT's AOGR function), and then use BIM-ALERT's UOTR function to remove CECI from USER01's profile. See page 6-34 for detailed information about the AOGR and UOTR functions.

In this example, you used a resource group to easily provide a user access to many transactions and files, and then restricted the user's access to a single transaction using the UOTR function. If anything is added to or removed from the resource group at a later date, the changes will apply to USER01 automatically. If you assign to USER01 a second group of resources that also contain CECI, you will not have to use UOTR to remove CECI again, because BIM-ALERT/CICS remembers that this operator is not supposed to have access to CECI.

When a Resource Group is Defined

A resource group is defined the first time you add any type of resource to it.

Maintaining Resource Groups

Group Authorized Transactions Panel

Purpose

Use the Group Authorized Transactions panel to add, delete, or display group authorized transactions.

Add all CICS transactions to be included in a resource group by using the AGTR (Add Group Transactions) function of this panel. Once they are added, transactions can be deleted with the UGTR (Update Group Transactions) function or displayed with the DGTR (Display Group Transactions) function.

Access

To display the Group Authorized Transactions panel, either move the cursor to the appropriate field on the Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes from any security panel:

Enter This Transaction | To Display This Panel | And Then Enter This Information

AGTR | Add Group Authorized Transactions Panel | Enter the group number, group description (first time only), and the authorized transactions to be assigned to this group. Press ENTER to complete the addition process. If no transactions are added to the group, the group is not authorized for any transactions.

UGTR | Update Group Authorized Transactions Panel | The update function is used only to delete transactions from a group. Therefore, enter the group number and the transactions that are to be removed from the resource group. Press ENTER to complete the update (deletion) process. If all transactions are deleted from the resource group, no transactions will be authorized for the group.

DGTR | Display Group Authorized Transactions Panel | Enter the group number and press ENTER to display the transactions currently assigned to the group.

Implementing Changes to Groups Immediately

If you want the changes to take effect immediately for any terminal to which the new or changed resource group is assigned, the ACTT function (see page 7-3) must be completed to activate each terminal authorized for the group. This function places the new group information into effect during the current CICS session. If not activated, the new group information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Changes will take effect for operators to whom the group is assigned when they sign on. Execute the ACTO function to force operators to sign on immediately.

Sample Panel

AGTR ** GROUP AUTHORIZED TRANSACTIONS ** ADD

GROUP NUMBER: _________
GROUP DESCRIPTION: ______________________________
GROUP STATUS: _
- BIM-ALERT TRANSACTIONS -
____ ____ ____ ____ ____ ____

- AUTHORIZED TRANSACTIONS - ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____

PF3=MENU3 CLEAR=EXIT

GK723 ENTER THE GROUP NUMBER AND TRANSACTION(S) TO BE ADDED

Field Descriptions

Field Meaning

GROUP NUMBER The number assigned to this group. This number can be from 1 to 9 alphanumeric characters. Add this number to an operator or terminal profile to assign the group to that operator or terminal.

GROUP DESCRIPTION A description of the group. This field is provided for documentation purposes only. It has no function in the security process.

GROUP STATUS The status of the group, as follows:

A Active. This is the default.

D Disabled. Any BIM-ALERT resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

ALERT TRANSACTIONS A maximum of six user-defined transactions to be put in alert status for each group. Alert transactions, if specified, are logged into the security log file every time they are executed. An alert transaction must be a secured transaction, and must be authorized for the group.

Not all operators or terminals who are assigned this group will automatically be assigned the alert transactions in that group. The ALERT TRANSACTION GROUP field is provided on the AOGR (Add Operator Group) and ATGR (Add Terminal Group) panels to specify which group the alert transactions are to be extracted from. See page 5-27 for information about ATGR and 6-34 for information about AOGR.

AUTHORIZED TRANSACTIONS The secured transactions to be assigned to this group. Only transactions that have been defined at the system level using ASTR can be assigned to a group. BIM-ALERT/CICS generates an error if you attempt to assign unsecured transactions. See page 3-3 for information about defining these transactions to BIM-ALERT. Transactions with generic names and defined PA- and PF-key transactions can be assigned to a group.

Transactions can also be started in your CICS system by pressing a PA or PF key. BIM-ALERT/CICS allows you to enter the special transaction codes PF01 through PF24 and PA01 through PA03 to provide security for PA- or PF-key transactions. Enter PF01 to assign PF key 1, PF02 for PF key 2, and so on.

Group Authorized Programs Panel

Purpose

Use the Group Authorized Programs panel to add, delete, or display group authorized programs.

Add all CICS programs to be included in a resource group by using the AGPR (Add Group Authorized Programs) function of this panel. Once they are added, programs can be deleted with the UGPR (Update Group Authorized Programs) function or displayed with the DGPR (Display Group Authorized Programs) function.

Access

To display the Group Authorized Programs panel, either move the cursor to the appropriate field on the Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes from any security panel:

Enter This Transaction | To Display This Panel | And Then Enter This Information

AGPR | Add Group Authorized Programs panel | Enter the group number, group description (first time only), and the authorized programs to be assigned to this group. Press ENTER to complete the addition process. If no programs are added to the group, the group is not authorized for any programs.

UGPR | Update Group Authorized Programs panel | The update function is used only to delete programs from a group. Therefore, enter the group number and the programs that are to be removed from the resource group. Press ENTER to complete the update (deletion) process. If all programs are deleted from the resource group, no programs will be authorized for the group.

DGPR | Display Group Authorized Programs panel | Enter the group number and press ENTER to display the programs currently assigned to the group.

Implementing Changes to Security Immediately

If you want the changes to take effect immediately for any terminal to which the new or changed resource group is assigned, the ACTT function (see page 7-3) must be completed to activate each terminal authorized for the group. This function places the new group information into effect during the current CICS session. If not activated, the new group information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Changes will take effect for operators to whom the group is assigned the next time they sign on. Execute the ACTO function to force operators to sign on immediately.

Sample Panel

AGPR ** GROUP AUTHORIZED PROGRAMS ** ADD

GROUP NUMBER: _________ GROUP DESCRIPTION: ______________________________ GROUP STATUS: _ - AUTHORIZED PROGRAMS - ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________

PF3=MENU3 CLEAR=EXIT

GK723 ENTER THE GROUP NUMBER AND PROGRAM(S) TO BE ADDED

Field Descriptions

Field Meaning

GROUP NUMBER The number assigned to this group. This number can be from 1 to 9 alphanumeric characters. Add this number to an operator or terminal profile to assign the group to that operator or terminal.

GROUP DESCRIPTION A description of the group. This field is provided for documentation purposes only. It has no function in the security process.

GROUP STATUS The status of the group, as follows:

A Active. This is the default.

D Disabled. Any BIM-ALERT resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

AUTHORIZED PROGRAMS The secured programs assigned to this group. Only programs that have been defined at the system level using ASPR can be assigned to a group. BIM-ALERT/CICS generates an error if you attempt to assign unsecured programs. Programs added with generic names can be assigned to a group.

Group Authorized Files Panel

Purpose

Use the Group Authorized Files panel to add, delete, or display group authorized files.

Add all CICS files to be included in a resource group by using the AGFL (Add Group Files) function of this panel. Once they are added, files can be deleted with the UGFL (Update Group Files) function or displayed with the DGFL (Display Group Files) function.

Access

To display the Group Authorized Files panel, either move the cursor to the appropriate field on the Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes from any security panel:

Enter This Transaction | To Display This Panel | And Then Enter This Information

AGFL | Add Group Authorized Files Panel | Enter the group number, group description (first time only), and the authorized files to be assigned to this group. Press ENTER to complete the addition process. If no files are added to the group, the group is not authorized for any files.

UGFL | Update Group Authorized Files Panel | Enter the group number and the file names and process types. Press ENTER to complete the update process. If the file is to be deleted from the group, enter D for the file's process type during the update process. If all files are deleted from the resource group, no files will be authorized for the group.

DGFL | Display Group Authorized Files Panel | Enter the group number and press ENTER to display the files currently assigned to the group.

Implementing Changes to Security Immediately

If you want the changes to take effect immediately for any terminal to which the new or changed resource group is assigned, the ACTT function (see page 7-3) must be completed to activate each terminal authorized for the group. This function places the new group information into effect during the current CICS session. If not activated, the new group information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Changes will take effect for operators to whom the group is assigned the next time they sign on. Execute the ACTO function to force operators to sign on immediately.

Sample Panel

AGFL ** GROUP AUTHORIZED FILES ** ADD

GROUP NUMBER: _________ GROUP DESCRIPTION: ______________________________ GROUP STATUS: _ - AUTHORIZED FILES - FILENAME PROCESS FILENAME PROCESS FILENAME PROCESS FILENAME PROCESS ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _

PF3=MENU3 CLEAR=EXIT

GK723 ENTER THE GROUP NUMBER AND FILE(S) TO BE ADDED

ImplementingChanges toSecurityImmediately

Sample Panel


Field Descriptions

Field    Meaning

GROUP NUMBER
The number assigned to this group. This number can be from 1 to 9 alphanumeric characters. Add this number to an operator or terminal profile to assign the group to that operator or terminal.

GROUP DESCRIPTION
A description of the group. This field is provided for documentation purposes only. It has no function in the security process.

GROUP STATUS
The status of the group, as follows:

A    Active. This is the default.

D    Disabled. Any BIM-ALERT resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

FILENAME
The secured files assigned to this group. Only files that have been defined at the system level using ASFL can be assigned to a group. BIM-ALERT/CICS generates an error if you attempt to assign unsecured files. Files added with generic names can be assigned to a group.

PROCESS
The type of processing authorized for the file for this group. Acceptable values are as follows:

D    Delete authorization
I    Inquiry only
U    File inquiry and update


Group Map Security Panel

Purpose

Use the Group Map Security panel to add, delete, or display group restricted maps.

Add all restricted CICS maps to be included in a resource group by using the AGMP (Add Group Maps) function of this panel. Once they are added, maps can be deleted with the UGMP (Update Group Maps) function or displayed with the DGMP (Display Group Maps) function.

Access

To display the Group Map Security panel, either move the cursor to the appropriate field on the Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes from any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

AGMP    Add Group Map Security Panel

Enter the group number, group description (first time only), mapname, and the map reference number of the map restrictions to be assigned to this group. Press ENTER to complete the addition process.

If no maps are added to the group, no maps are restricted for the group.

UGMP    Update Group Map Security Panel

The update function is used only to delete maps from a group. Therefore, enter the mapname and reference number of the maps to be removed from the resource group. Press ENTER to complete the update (deletion) process.

If all maps are deleted from the resource group, no maps will be restricted for the group.

DGMP    Display Group Map Security Panel

Enter the group number and press ENTER to display the maps currently assigned to the group.


Implementing Changes to Security Immediately

If you want the changes to take effect immediately for any terminal to which the new or changed resource group is assigned, the ACTT function (see page 7-3) must be completed to activate each terminal authorized for the group. This function places the new group information into effect during the current CICS session. If not activated, the new group information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Changes will take effect for operators to whom the group is assigned the next time they sign on. Execute the ACTO function to force operators to sign on immediately.

Sample Panel

AGMP              ** GROUP MAP SECURITY **              ADD

GROUP NUMBER: _________
GROUP DESCRIPTION: ______________________________
GROUP STATUS: _

- DISPLAY RESTRICTIONS -
MAPNAME REF. #   MAPNAME REF. #   MAPNAME REF. #   MAPNAME REF. #
_______ ____     _______ ____     _______ ____     _______ ____
[further rows of blank MAPNAME/REF. # entry fields]

PF3=MENU3   CLEAR=EXIT

GK723 ENTER THE GROUP NUMBER AND MAP(S) TO BE ADDED


Field Descriptions

Field    Meaning

GROUP NUMBER
The number assigned to this group. This number can be from 1 to 9 alphanumeric characters. Add this number to an operator or terminal profile to assign the group to that operator or terminal.

GROUP DESCRIPTION
A description of the group. This field is provided for documentation purposes only. It has no function in the security process.

GROUP STATUS
The status of the group, as follows:

A    Active. This is the default.

D    Disabled. Any BIM-ALERT resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

MAPNAME
The restricted maps assigned to this group. Only maps that have been defined at the system level using ASMP can be assigned to a group. BIM-ALERT/CICS generates an error if you attempt to assign unrestricted maps.

REF. #
The number used to reference the version of map restrictions that apply for this group. This number is assigned by BIM-ALERT/CICS at the time the map restrictions are defined. You can use the DSMP transaction (see page 3-16) to determine the reference number for any given map. The map restrictions are defined using ASMP.


Group Authorized Field Resources Panel

Purpose

Use the Group Authorized Field Resources panel to add, delete, or display group authorized field-level resources.

Add all CICS field-level resources to be included in a resource group by using the AGFS (Add Group Field Security) function of this panel. Once they are added, field-level resources can be deleted with the UGFS (Update Group Field Security) function or displayed with the DGFS (Display Group Field Security) function.

Access

To display the Group Authorized Field Resources panel, either move the cursor to the appropriate field on the Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes from any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

AGFS    Add Group Authorized Field Resources Panel

Enter the group number, group description (first time only), and the authorized field-level resources to be assigned to this group. Press ENTER to complete the addition process.

If no field-level resources are added to the group, no field-level resources are authorized for the group.

UGFS    Update Group Authorized Field Resources Panel

The update function is used only to delete field-level resources from a group. Therefore, enter the group number and the field-level resources to be removed from the resource group. Press ENTER to complete the update (deletion) process.

If all field-level resources are deleted from the resource group, no field-level resources will be authorized for the group.

DGFS    Display Group Authorized Field Resources Panel

Enter the group number and press ENTER to display the field-level resources currently assigned to the group.


Implementing Changes to Security Immediately

If you want the changes to take effect immediately for any terminal to which the new or changed resource group is assigned, the ACTT function (see page 7-3) must be completed to activate each terminal authorized for the group. This function places the new group information into effect during the current CICS session. If not activated, the new group information will not go into effect until BIM-ALERT/CICS's security tables have been reinitialized.

Changes will take effect for operators to whom the group is assigned the next time they sign on. Execute the ACTO function to force operators to sign on immediately.

Sample Panel

AGFS          ** GROUP AUTHORIZED FIELD RESOURCES **          ADD

GROUP NUMBER: _________
GROUP DESCRIPTION: ______________________________
GROUP STATUS: _

- AUTHORIZED FIELD RESOURCES -
[rows of blank eight-character field-resource entry fields]

PF3=MENU3   CLEAR=EXIT

GK723 ENTER THE GROUP NUMBER AND FIELD RSRC.(S) TO BE ADDED


Field Descriptions

Field    Meaning

GROUP NUMBER
The number assigned to this group. This number can be from 1 to 9 alphanumeric characters. Add this number to an operator or terminal profile to assign the group to that operator or terminal.

GROUP DESCRIPTION
A description of the group. This field is provided for documentation purposes only. It has no function in the security process.

GROUP STATUS
The status of the group, as follows:

A    Active. This is the default.

D    Disabled. Any BIM-ALERT resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

AUTHORIZED FIELD RESOURCES
The secured field-level resources assigned to this group. Only field-level resources that have been defined at the system level using ASFF or ASFM can be assigned to a group. BIM-ALERT/CICS generates an error if you attempt to assign unsecured field resources.


Chapter 5. Securing Terminal Resources

This chapter describes how to secure terminal resources with BIM-ALERT/CICS panels.

Introduction
    Terminal Resources
    CICS Auto-Installed Terminals
    Dynamic Terminal Security Processing Flow

Securing Terminals
    Terminal Security Information Panel

Authorizing Transactions for Terminals
    Terminal Authorized Transactions Panel

Authorizing Programs for Terminals
    Terminal Authorized Programs Panel

Authorizing Files for Terminals
    Terminal Authorized Files Panel

Enforcing Map Security for Terminals
    Terminal Map Security Panel

Enforcing Field-Level Resource Security for Terminals
    Terminal Authorized Field Resources Panel

Defining Group Security for Terminals
    Terminal Groups Panel


Introduction

Terminal Resources

All 3270 terminals in the CICS Terminal Control Table (TCT) can be defined to BIM-ALERT/CICS as terminal resources. The control features for a particular terminal are determined by the contents of the terminal's security profile record. The security profile record is built by BIM-ALERT using the information entered on the following panels:

• Terminal Security Information panel
• Terminal Authorized Transactions panel
• Terminal Authorized Programs panel
• Terminal Authorized Files panel
• Terminal Map Security panel
• Terminal Authorized Resources panel
• Terminal Groups panel

Types of Terminal Security

BIM-ALERT uses the following two types of security for terminals:

• Standard terminal security requires that you specifically define a security profile record for each terminal that you want BIM-ALERT to secure. If you do not define a security profile record for a specific terminal, BIM-ALERT is unable to perform any security processing on any activity from that terminal. The IBM-supplied version of CICS security remains in effect for all terminals not secured by BIM-ALERT.

• Dynamic terminal security enables you to have all of your terminals secured by BIM-ALERT without specifically defining a security profile record for each terminal. Each undefined terminal is dynamically added to the security table when it first accesses the system. BIM-ALERT treats the terminal as secured as long as it remains connected to the CICS system. BIM-ALERT creates a security profile record for each dynamically-added terminal with the user-supplied information in the DUMMY TERM NAME and DYNAMIC TERMINAL fields on the UPAR panel. Refer to the description of the Display Global System Parameters panel on page 8-2 for detailed information on the DUMMY TERM NAME and DYNAMIC TERMINAL fields.

Terminal Sign-On and Operator Sign-On

The terminal sign-on and the operator sign-on are two distinct processes and are not dependent on each other.

Terminal security profiles are enforced even if a terminal sign-on is not required. Terminal sign-ons are optional.

Even if an installation requires only operator sign-on, any selected terminal security is still enforced.


Defining Security for Terminals

You can define security for a terminal by entering any of the following types of definitions in the terminal's security profile record:

• Resource groups

• Map display restrictions

• Transactions, programs, files, and field-level resources that the terminal is authorized to access

If nothing is entered for a particular category, no security exists for those resources from the device. For example, if you do not specify the programs a given terminal is authorized to access, the terminal can access all programs. The security administrator can override this open-system structure. Refer to the description of the Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on terminal default authority.

Thus, each level of security is optional for each terminal.

Priority of Controls

The controls on a terminal that requires operator sign-on always have a higher priority than the controls on any operator who might use that terminal. Thus, any operator who has greater access privileges than a given terminal that requires sign-on will be denied those extra access privileges from that terminal. (For more information about optional terminal and operator sign-on, see the description of the EXEMPT TERMINAL SIGN-ON field on page 5-9 and the description of the EXEMPT OPERATOR SIGN-ON field on page 5-10.)

For example, suppose an operator's security profile record allows access to a file named PAYROLL. The operator signs on to a terminal with a security profile record that disallows access to PAYROLL. As a result, the operator is denied access to PAYROLL from this terminal. If the terminal's security profile record allowed access to PAYROLL, but the operator's security profile disallowed access to the file, the operator would still be denied access to the file.

Browsing

When you need to display information about a certain terminal but you are not sure of its exact identification, use the PF8 key from the Terminal Security Information panel. Enter all or as much of the terminal ID as you are sure of and press the PF8 key. Start browsing and displaying the file from that point. Continue pressing the PF8 key to display additional terminals until the particular terminal has been located. If no terminal ID is entered and the PF8 key is pressed, browsing starts from the beginning of the file. You can use PF7 to browse backward through the terminal profiles.

This feature is helpful when you need to display a certain terminal but you are not sure of its exact identification.
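The rules given under Defining Security for Terminals and Priority of Controls, modeled as an added Python example (this is not BIM-ALERT code). The `Profile`, `access_allowed` and `audit` names and the sample profiles are hypothetical, and the example assumes that an operator profile with nothing entered for a category is treated as open in the same way as a terminal profile.

```python
"""Added illustration: terminal/operator access decision and default-open audit."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Categories of authorized resources named in the text. Map restrictions and
# resource groups work differently and are left out of this model.
CATEGORIES = ("transactions", "programs", "files", "field_resources")


@dataclass
class Profile:
    """A security profile record: category -> names the profile authorizes."""
    name: str
    authorized: Dict[str, Set[str]] = field(default_factory=dict)

    def permits(self, category: str, resource: str, default_open: bool = True) -> bool:
        entries = self.authorized.get(category)
        if not entries:
            # Nothing entered for this category: no security exists for it,
            # unless the administrator has overridden the open default.
            return default_open
        return resource in entries

    def open_categories(self) -> List[str]:
        """Categories with no entries, i.e. unrestricted under the open default."""
        return [c for c in CATEGORIES if not self.authorized.get(c)]


def access_allowed(terminal: Profile, operator: Profile, category: str,
                   resource: str, default_open: bool = True) -> bool:
    """Decision for a terminal that requires operator sign-on.

    The terminal's controls take priority, so an operator never gains access
    that the terminal lacks; the operator's own profile must permit it too.
    """
    return (terminal.permits(category, resource, default_open)
            and operator.permits(category, resource, default_open))


def audit(profiles: Iterable[Profile]) -> Dict[str, List[str]]:
    """Report, per profile, the categories left open by having no entries."""
    return {p.name: p.open_categories() for p in profiles if p.open_categories()}


# Constructed sample profiles (IDs and file names are illustrative only).
WAREHOUSE_TERM = Profile("W001", {"files": {"INVENTRY"}})
PAYROLL_TERM = Profile("P001", {"files": {"PAYROLL", "INVENTRY"}})
PAY_CLERK = Profile("CLERK1", {"files": {"PAYROLL"}})
STOCK_CLERK = Profile("CLERK2", {"files": {"INVENTRY"}})

if __name__ == "__main__":
    # Operator may use PAYROLL, terminal may not: denied.
    print(access_allowed(WAREHOUSE_TERM, PAY_CLERK, "files", "PAYROLL"))
    # Terminal may use PAYROLL, operator may not: still denied.
    print(access_allowed(PAYROLL_TERM, STOCK_CLERK, "files", "PAYROLL"))
    # No programs entered on either profile: any program is reachable.
    print(access_allowed(WAREHOUSE_TERM, STOCK_CLERK, "programs", "ANYPGM"))
    # Categories a reviewer should confirm were left empty on purpose.
    print(audit([WAREHOUSE_TERM, PAYROLL_TERM]))
```

Running `audit` over exported profile data is a quick way to confirm that every empty category was left open deliberately before relying on the open default.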


CICS Auto-Installed Terminals

Overview

CICS auto-installed terminals can be secured by either of the two methods of providing terminal security available through BIM-ALERT/CICS: standard and dynamic terminal security.

Dynamic Terminal Security

If you use the dynamic terminal security feature, BIM-ALERT adds an entry to the terminal security table the first time a terminal accesses the system. This means that you are not required to individually define each terminal.

Standard Terminal Security

If you want to individually secure auto-installed terminals, you must define them to BIM-ALERT as secured terminals. To do this, find the algorithm that CICS is using to generate the name of the auto-installed terminal. The CICS-supplied default algorithm uses the last four characters of the node name.

Next, define each terminal ID to BIM-ALERT with the ATSI function. You must define each auto-installed terminal with status code P because the terminal may or may not exist in the TCTTE at the time you define it. If you define a terminal with status code A, BIM-ALERT attempts to verify the TCTTE entry and will issue an error if the entry is not present. BIM-ALERT skips this validation check for terminals with status code P, but includes the terminals in the security table at start-up time as if they had status A.

BIM-ALERT secures the terminal when it first accesses the system with no further action by the administrator.


Dynamic Terminal Security Processing Flow

Acquiring the Terminal Name

The name of the terminal is acquired from the first four bytes of that terminal's TCTTE entry. This is the name scanned for in the BIM-ALERT terminal security table prefix.

• If the terminal is found, the address of the terminal table entry is passed back to the caller.

• If the terminal is not found, the first available security table entry has the terminal ID assigned and this entry is used to secure this terminal as long as it remains logically connected to CICS.
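The lookup described above, combined with the status codes and default auto-install naming from the preceding section, as an added Python model (this is not BIM-ALERT code). The class and function names, the table size, the terminal IDs and the `DUMY` model profile name are constructed; raising an error when no entry is available and releasing an entry on disconnect are assumptions of the example, since the text does not describe either.

```python
"""Added illustration: standard vs. dynamic terminal security table lookup."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TableEntry:
    term_id: Optional[str] = None   # None marks an available entry
    profile: Optional[str] = None   # profile record in effect for the terminal
    dynamic: bool = False           # True when added on first access


def autoinstall_term_id(node_name: str) -> str:
    """CICS-supplied default naming: the last four characters of the node name."""
    return node_name[-4:]


def sample_tctte(term_id: str) -> bytes:
    """Constructed stand-in for a TCTTE: 4-byte EBCDIC terminal name plus filler."""
    return term_id.ljust(4).encode("cp037") + bytes(12)


class TerminalSecurityTable:
    def __init__(self, defined: List[Tuple[str, str]], slots: int,
                 model_profile: Optional[str] = None):
        # Status D records are bypassed at initialization; status P records
        # are loaded as if they had status A.
        loaded = [t for t, status in defined if status in ("A", "P")]
        if len(loaded) > slots:
            raise ValueError("more defined terminals than table entries")
        self.entries = [TableEntry() for _ in range(slots)]
        for entry, term_id in zip(self.entries, loaded):
            entry.term_id, entry.profile = term_id, term_id
        # A model profile means dynamic terminal security is in use.
        self.model_profile = model_profile

    def lookup(self, tctte: bytes) -> Optional[TableEntry]:
        term_id = tctte[:4].decode("cp037")   # name = first four bytes
        for entry in self.entries:
            if entry.term_id == term_id:
                return entry                  # found: hand the entry back
        if self.model_profile is None:
            return None                       # standard security: not secured
        for entry in self.entries:
            if entry.term_id is None:         # first available entry
                entry.term_id = term_id
                entry.profile = self.model_profile
                entry.dynamic = True
                return entry
        # Assumption: the text does not say what happens when the table is
        # full, so this example fails loudly rather than leave a gap.
        raise RuntimeError("terminal security table is full")

    def disconnect(self, term_id: str) -> None:
        """Assumed cleanup: free a dynamic entry once the terminal leaves CICS."""
        for entry in self.entries:
            if entry.term_id == term_id and entry.dynamic:
                entry.term_id, entry.profile, entry.dynamic = None, None, False


# Constructed definitions: (terminal ID, status code).
DEFINED = [("T001", "A"), ("L77A", "P"), ("OLD1", "D")]

if __name__ == "__main__":
    standard = TerminalSecurityTable(DEFINED, slots=4)
    print(standard.lookup(sample_tctte(autoinstall_term_id("VTAML77A"))))
    print(standard.lookup(sample_tctte("X999")))   # undefined: None
    dynamic = TerminalSecurityTable(DEFINED, slots=4, model_profile="DUMY")
    print(dynamic.lookup(sample_tctte("X999")))    # added with the model profile
```

Under standard security the `None` result is the case to watch: that terminal is not secured by the product at all and only the IBM-supplied CICS security applies to it.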


Securing Terminals

Terminal Security Information Panel

Purpose

Use the Terminal Security Information panel to add, update, or display terminal security information.

Add all 3270 terminals to be secured by BIM-ALERT to the system by using the ATSI (Add Terminal Security Information) function of this panel. Once the terminals are added, you can update them by using the UTSI (Update Terminal Security Information) function or display them by using the DTSI (Display Terminal Security Information) function.

If you plan to use BIM-ALERT's dynamic terminal security (which automatically defines each terminal's security), you must define the model terminal profile using ATSI.

Important: It is highly recommended that you do not use dynamic terminal security during the trial process, because this assumes that all terminals must be secured.

Access

To display the Terminal Security Information panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction    To Display This Panel    And Then Enter This Information

ATSI    Add Terminal Security Information panel

Enter the security information for the terminal to be added to the security file. Press ENTER to complete the addition process.

UTSI    Update Terminal Security Information panel

Enter the ID of the terminal to be updated. Press ENTER to display the current terminal security information. Make the required changes to the current terminal security information. Press ENTER to complete the update process.

DTSI    Display Terminal Security Information panel

Enter the ID of the terminal to be displayed. Press ENTER to display the current terminal security information, PF8 to browse forward, or PF7 to browse backward.


Implementing Changes to Security Immediately

If new terminals or updates to currently secured terminals are to go into effect immediately during the current CICS session, complete the ACTT (Activate Secured Terminals) function (see page 7-3). This function places the new terminal security information into effect during the current CICS session. If not activated, the new terminal security information does not go into effect until the BIM-ALERT security tables have been refreshed. If you need to update a terminal entry that was dynamically added to the table, you must first update and activate the model, then execute ACTT against the terminal.

Use the DATM (Deactivate Secured Terminals) function (see page 7-5) to temporarily remove terminals from any further security monitoring during the current CICS session. To permanently prevent the terminals from being secured during any subsequent processing, change the status of the terminal from A (active) to D (disabled) on the security file.

Sample Panel

DTSI          ** TERMINAL SECURITY INFORMATION **          DISPLAY

MODEL ____  TERMINAL-ID ____  GROUP-ID ____  TELEPHONE NO ( ___ ) ___ ____
TIME DIFF __ HOURS  ADMINISTRATOR _________  INACTIVE TIME HRS __ MINS __

PASSWORD ....                EXEMPT TERMINAL SIGN-ON ... _  COMPANY ..... ____
DATE ISSUED ...... __/__/__  EXEMPT OPERATOR SIGN-ON ... _  DIVISION .... ____
NEW PASSWORD                 VIOLATION REPORTING TERM ____  DEPARTMENT .. ____
EFFECTIVE DATE ... __/__/__  ASSOCIATED TERM. PRINTER ____  SECTION ..... ____

LOGO SUFFIX ........ __  MESSAGE SUFFIX __  PROCESS TYPE .. _  STATUS ... _
USER DEFINED DATA .. __________

<= SCHEDULED ACCESS TIMES =>   <= = = = = TEMPORARY ACCESS TIMES = = = = =>
DAY ............. FROM .. TO   DAY ...... FROM .. TO .. EFF DATE - EXP DATE
MONDAY ......... ____ / ____   MONDAY .. ____ / ____ __/__/__ __/__/__
TUESDAY ........ ____ / ____   TUESDAY . ____ / ____ __/__/__ __/__/__
WEDNESDAY ...... ____ / ____   WEDNESDAY ____ / ____ __/__/__ __/__/__
THURSDAY ....... ____ / ____   THURSDAY . ____ / ____ __/__/__ __/__/__
FRIDAY ......... ____ / ____   FRIDAY .. ____ / ____ __/__/__ __/__/__
SATURDAY ....... ____ / ____   SATURDAY . ____ / ____ __/__/__ __/__/__
SUNDAY ......... ____ / ____   SUNDAY ... ____ / ____ __/__/__ __/__/__

GK714 ENTER TERMINAL TO BE DISPLAYED (OR) PRESS -PF8- TO BROWSE


Field Descriptions

Field    Meaning

MODEL
The four-character identification of a previously defined terminal that you want to use as a model for this terminal's profile. Each field in the new profile is assigned the value specified in the corresponding field of the model unless you specify a different value for the field. You can change the value of any or all of the fields to suit your needs. If you do not specify a model for a new terminal profile, any field whose value you do not specify is assigned the default value.

Terminal security profiles are made up of the following seven logical parts:

• Basic security information as described on the ATSI panel
• Authorized transactions as described on the ATTR panel
• Authorized programs as described on the ATPR panel
• Authorized files as described on the ATFL panel
• Restricted maps as described on the ATMP panel
• Authorized field-level resources as described on the ATFF and ATFM panels
• Authorized terminal groups as described on the ATGR panel

All seven parts are modeled when you select a terminal in the model field. This means that you must complete the security profile of a terminal at each level before you use that terminal as a model. If you complete only the basic information for a terminal and then use it as a model for a new terminal, the new terminal will receive default profiles for the other six levels (transactions, programs, files, maps, field-level resources, and groups).

To delete a model from a terminal's profile, use the space bar to enter blanks in the MODEL field on the Update Terminal Security Information panel (UTSI) and press ENTER to complete the update process. This will not change data currently in the terminal's profile, but will delete the model from the terminal's profile. If you then want to re-model the terminal after a different terminal (or the existing one), enter the terminal ID of the model terminal in the MODEL field on the Update Terminal Security Information panel and press ENTER.

TERMINAL-ID
The identification of the terminal as defined in the CICS Terminal Control Table.

GROUP-ID
The identification of the terminal group with which the terminal is to be associated. This is an optional field and defaults to blanks if not entered. Use this number if you want to allow an operator to use this terminal as part of a group of terminals. Refer to Chapter 6, "Securing Operator Resources", for more information.

TELEPHONE NO
This field is user-defined and is displayed on all violations. You might assign it the number of the security officer responsible for this terminal, or you might assign it the number of the telephone nearest to the offending terminal so that you can call to give help. This is an optional field and defaults to zeros if not entered.


TIME DIFF The time zone difference between the terminal and the host CPU. If the time zone of the terminal is ahead of the CPU's time zone, precede the number of hours by a plus sign (+). If the time zone is behind that of the CPU, precede the number by a minus sign (-).

For example, if the terminal is located in Atlanta (Eastern time zone), and the host CPU is located in San Francisco (Pacific time zone), the time difference would be +3 hours since Atlanta's time is 3 hours ahead of San Francisco's. If the terminal and host CPU locations are reversed, the time difference would be -3 hours.

ADMINISTRATOR The user ID of the main administrator or subadministrator owning the terminal. This field can be updated only by a main administrator.

The ATSI panel automatically displays the user ID of the main administrator or subadministrator who is adding a resource. The ADMINISTRATOR field is also displayed on the DTSI and UTSI panels.

INACTIVE TIME The maximum length of time a terminal remains inactive without being automatically erased and signed off by BIM-ALERT. To remain active, press any interrupt key within the time limit. If a terminal remains inactive past its inactive time limit, BIM-ALERT will erase the panel or begin a stage-two time interval as specified in the FORCE DELAY field of the UPAR panel.

PASSWORD The current password used for terminal sign-on. This password must initially be entered by the administrator. A new password is automatically generated by BIM-ALERT when the effective period has expired, or may be changed as part of the sign-on process.

DATE ISSUED The date the current password is issued. This date is provided by the system and cannot be entered or changed by the administrator. When a new terminal is added, the date issued automatically defaults to the current date.

NEW PASSWORD The new password used for terminal sign-on. This password is automatically generated by BIM-ALERT or is entered by the administrator and becomes effective on the specified effective date.

EFFECTIVE DATE The date on which the new password becomes effective. This date is automatically generated by BIM-ALERT or can be entered by the security administrator.

EXEMPT TERMINAL SIGN-ON

Specify one of the following to indicate whether the terminal must be signed on to before it can be used:

N Indicates that the terminal is not exempt from terminal sign-on and must be signed on before system access is permitted.

Y Indicates that the terminal is exempt from terminal sign-on and does not have to be signed on before system access is permitted.


EXEMPT OPERATOR SIGN-ON

Specify one of the following to indicate whether an operator must sign on to the terminal before accessing the CICS system:

N (No) Indicates that the operator is not exempt from operator sign-on and must sign on to the terminal before accessing the system. This is the default.

Y (Yes) Indicates that the operator is exempt from operator sign-on and need not sign on to the terminal before accessing the system.

O (Optional) Indicates that the operator can sign on to a terminal that does not normally require operator sign-on. If no operator is signed on, the terminal is restricted to the functions defined as authorized for that terminal. If an operator signs on, the terminal may access any function authorized to the operator for the duration of the sign-on. When the operator signs off or times out, the standard terminal restrictions take effect again. This value is useful in several situations. For example, many electronic mail packages require operators to sign on to receive mail. Allowing terminals in remote locations or warehouses to accept sign-ons allows salespeople on the road or in warehouses to sign on to receive mail without searching for a terminal that always accepts sign-ons. Also, if the system administrator is in a location where terminals normally do not require sign-on and needs to perform an administrative function, this feature allows sign-on.

Requirement

Set up at least one terminal that requires operator sign-ons (exempt status N or O). This is necessary because once BIM-ALERT is activated, the SCTY transaction runs only from a BIM-ALERT secured terminal that has a BIM-ALERT administrator signed on. If all terminals are exempt from operator sign-on, it is impossible to meet this requirement and you must terminate CICS to correct the problem.

Terminal and Operator Sign-On

The terminal sign-on and the operator sign-on are two distinct processes and are not dependent on each other.

Terminal security profiles are enforced whether or not a terminal sign-on is required. Terminal sign-ons are optional.

Even if an installation requires only operator sign-on, all terminal security turned on is invoked immediately at sign-on.

VIOLATION REPORTING TERM

If violation auditing has been activated on the UCOP or UPOP panel, any attempted security violations occurring at this terminal are routed as they occur to the terminal specified. There is no limit to the number of terminals that report to this destination.

ASSOCIATED TERM. PRINTER

If violation auditing has been activated on the UCOP or UPOP panel, any attempted security violations occurring at this terminal are routed as they occur to the printer specified. There is no limit to the number of terminals that report to this destination.


COMPANY The company number to which the terminal is assigned. Add the number to the security system through the Company Identification panel. This is an optional field and defaults to zeros if not entered.

DIVISION The division number within the company to which the terminal is assigned. Add the number used to the security system through the Division Identification panel. This is an optional field and defaults to zeros if not entered.

DEPARTMENT The department number within the company and division to which the terminal is assigned. Add the number to the security system through the Department Identification panel. This is an optional field and defaults to zeros if not entered.

SECTION The section number within the company, division, and department to which the terminal is assigned. Add the number to the security system through the Section Identification panel. This is an optional field and defaults to zeros if not entered.

LOGO SUFFIX Use this field to specify the two-character suffix that determines the logo for this terminal. Each terminal under BIM-ALERT control can receive a different logo at sign-on time. This is helpful when you have multiple companies or departments under a single CICS system and would like to maintain separate identities.

Logo Families

Families of logos are created using the ALRTLOGO macro by changing the last two characters of the module name. For example, if you create a logo called USERLOGO as your company-wide logo, you could create USERLOD1 for Division 1 logos, USERLOD2 for Division 2 logos, and so forth.

You specify the family logo name on the UTOP panel and can change it at any time using this panel. As each terminal requests a logo, the last two nonblank characters of the module name are replaced with the LOGO SUFFIX specified here. This creates the unique logo requested.

All logos in a family must have names of equal length. Only one logo family can be in use at a time. Any number of members can be in a family.

To have help panels match each logo in a family, use the same two-character suffix for the help as you do for the logo. Refer to page 9-29 for more information on ALRTLOGO and HELPLOGO.

Logo Storage

For performance reasons, only one copy of any logo will be in storage at any given time. If you have 100 terminals with 100 different logos, you will have 100 logos in storage. If you have 100 terminals using the same logo, you will have only one logo in storage.


MESSAGE SUFFIX The two-character message language suffix for this terminal. You can define message files so that each terminal receives messages from BIM-ALERT/CICS in a different language. The default language is English and is represented by the ## symbols appearing in this field. If you do not specify a language, BIM-ALERT/CICS will automatically convert your file to this value. The security administrator controls the languages supported and the value to be entered. For more information on using the message suffix, see page 9-34.

PROCESS TYPE The type of file processing authorized for this terminal, as follows:

I Inquiry only
U Both inquiry and update

STATUS The status of the terminal, as follows:

A Active. This is the default.

D Disabled. Any BIM-ALERT resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

E Erase immediately. Use to physically delete the profile from the security file without waiting for the next reorganization. If you enter E, BIM-ALERT prompts you to enter Y for yes. If you do not reply with Y, BIM-ALERT does not delete the record.

K Keep but prohibit sign-on. Use to prohibit access to a terminal without triggering deletion by programs S1U001 and S1U002. For example, you can set a terminal to status K while an operator is on vacation; access to the terminal is prohibited, but its profile is not deleted during a reorganization.

P Preloaded. Use to add terminals to the BIM-ALERT system before the terminals are defined to CICS.

Status P and status A are treated the same, except that status P terminals are not validated against the TCT. Security is automatically invoked when the terminal is defined to CICS.


USER DEFINED DATA

This is an optional field provided for user-defined requirements. This data is not edited or checked in any way by BIM-ALERT. This data is loaded into the BIM-ALERT terminal security table and is available to any security exit program.

SCHEDULED ACCESS TIMES

Identifies the time periods that the terminal is allowed to access the system for each day of the week. Any attempt to access the system outside the access times is denied. The FROM and TO parameters are in 24-hour clock time and are in the range of 0001 to 2400 hours. The combination of 0001 to 2400 is called all time and causes BIM-ALERT to bypass all time checks for that day. The combination of 0001 to 0002 is called no time and prohibits any system access from that terminal on that day.

TEMPORARY ACCESS TIMES

Identifies the temporary time period that the terminal accesses the system for each day of the week. Temporary times and dates are entered only when exceptions to normal access times are required. The temporary times override the scheduled access times for each day specified during the effective period. The FROM and TO times must be in 24-hour clock time and are in the range of 0001 to 2400 hours. The EFF DATE and EXP DATE must be in the date format selected on the UPAR panel (default is mm/dd/yyyy).
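The following Python model of the SCHEDULED ACCESS TIMES and TEMPORARY ACCESS TIMES rules is an added example, not BIM-ALERT code. It shows how the all time and no time combinations and a temporary override decide access for a given date and time. The class and function names, the inclusive FROM/TO and EFF/EXP bounds, and the requirement that FROM precede TO are assumptions made for the example.

```python
"""Model of the SCHEDULED / TEMPORARY ACCESS TIMES rules (added example)."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, Optional, Tuple

Window = Tuple[int, int]        # (FROM, TO) as HHMM integers
ALL_TIME: Window = (1, 2400)    # 0001-2400: time checks bypassed for the day
NO_TIME: Window = (1, 2)        # 0001-0002: no access on that day
DAYS = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")


def check_window(window: Window) -> Window:
    """Reject values outside the 0001-2400 range the panel describes."""
    for value in window:
        if not 1 <= value <= 2400 or value % 100 > 59:
            raise ValueError(f"bad HHMM value: {value:04d}")
    if window[0] >= window[1]:  # assumption: FROM must precede TO
        raise ValueError(f"FROM {window[0]:04d} is not before TO {window[1]:04d}")
    return window


def parse_panel_date(text: str) -> date:
    """Parse a date in the default UPAR format, mm/dd/yyyy."""
    return datetime.strptime(text, "%m/%d/%Y").date()


@dataclass
class TerminalTimes:
    scheduled: Dict[str, Window]                      # one entry per weekday
    temporary: Dict[str, Window] = field(default_factory=dict)
    eff_date: Optional[date] = None
    exp_date: Optional[date] = None

    def __post_init__(self) -> None:
        for window in list(self.scheduled.values()) + list(self.temporary.values()):
            check_window(window)

    def window_for(self, day: date) -> Window:
        """Temporary times win, but only on days that have one and only
        between EFF DATE and EXP DATE (bounds assumed inclusive)."""
        name = DAYS[day.weekday()]
        in_effect = (self.eff_date is not None and self.exp_date is not None
                     and self.eff_date <= day <= self.exp_date)
        if in_effect and name in self.temporary:
            return self.temporary[name]
        return self.scheduled[name]

    def access_allowed(self, when: datetime) -> bool:
        window = self.window_for(when.date())
        if window == ALL_TIME:
            return True       # bypass: even 00:00 is accepted
        if window == NO_TIME:
            return False      # special case: 00:01 and 00:02 are not a real window
        now = when.hour * 100 + when.minute
        return window[0] <= now <= window[1]


def sample_terminal() -> TerminalTimes:
    """Constructed profile: office hours on weekdays, closed Saturday, open
    Sunday; during June 1998 Fridays are closed and Saturday mornings open."""
    office = (800, 1700)
    return TerminalTimes(
        scheduled={"MON": office, "TUE": office, "WED": office, "THU": office,
                   "FRI": office, "SAT": NO_TIME, "SUN": ALL_TIME},
        temporary={"FRI": NO_TIME, "SAT": (900, 1300)},
        eff_date=parse_panel_date("06/01/1998"),
        exp_date=parse_panel_date("06/30/1998"),
    )
```

A temporary entry can widen access (the Saturday window) or remove it (the Friday no time entry), so review both directions when auditing exceptions.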


Authorizing Transactions for Terminals

Terminal Authorized Transactions Panel

Use the Terminal Authorized Transactions panel to add, delete, or display terminal authorized transactions.

Add all CICS transactions authorized for a terminal to the terminal's security information using the ATTR (Add Terminal Authorized Transactions) function of this panel. Once the transactions are added, you can delete them using the UTTR (Update Terminal Authorized Transactions) delete function or display them using the DTTR (Display Terminal Authorized Transactions) function.

To display the Terminal Authorized Transactions panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction To Display This Panel And Then Enter This Information

ATTR Add Terminal Authorized Transactions panel

Enter the terminal number and the transactions that the terminal is to be authorized to access. Press ENTER to complete the addition process.

If no transactions are added for the terminal's authorized transactions, the terminal is authorized to access all CICS transactions. Therefore, transaction security is optional for each terminal. The security administrator can override this open-system structure. Refer to the description of the Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on terminal default authority.

UTTR Update Terminal Authorized Transactions panel

The update function is a delete process because there is no information to be updated for a transaction at the terminal level. Therefore, enter the transactions that are to be deleted from authorized access by the terminal. Press ENTER to complete the update (deletion) process.

If all transactions are deleted from the terminal's authorized transactions, the authorized transactions for the terminal revert to the authority defined by default authority as described in Chapter 8, "System Parameters".

If you want the updated Terminal Authorized transaction information to go into effect during the current CICS session, process the ACTT (Activate Secured Terminal) function for the terminal.

DTTR Display Terminal Authorized Transactions panel

Enter the terminal number and press ENTER to display the transactions that the terminal is currently authorized to access.

Purpose

Access


If you have assigned one or more groups to a terminal's profile, but you need to tailor the terminal's profile beyond the group profiles, you can use ATTR and UTTR to do so.

If there are individual transactions for which this terminal should be authorized which are not included in any group assigned to this terminal, you can use ATTR to add those transactions to the terminal.

If there are individual transactions in the group which this terminal should not be authorized to execute, use the UTTR function to delete them from the terminal's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made, and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the terminal (see page 5-28).

ATTR ** TERMINAL AUTHORIZED TRANSACTIONS ** ADD

TERMINAL NUMBER: ____ TRANS MODELLED - ALERT TRANSACTIONS - ____ ____ ____ ____ ____ ____

- AUTHORIZED TRANSACTIONS - ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____

GK722 (B)=BASE (P)=PROGS (F)=FILES (M)=MAPS (R)=FIELDS (G)=GRPS (N)=NEXT ==>(_)

Exceptions to Authorized Group Transactions

Sample Panel


Field Meaning

TERMINAL NUMBER The number of the terminal whose authorized transactions are to be displayed or modified.

TRANS MODELLED Specifies whether the resources contained in the terminal's profile exactly match those in the model's profile.

ALERT TRANSACTIONS

A maximum of six user-defined transactions to be put in alert status for each terminal. Alert transactions, if specified, are logged into the security log file each time they are used by the terminal. An alert transaction must be a secured transaction (that is, it must show on the DSTR panel).

AUTHORIZED TRANSACTIONS

The secured transactions that the terminal is authorized to access. Only transactions that have been defined at the system level using ASTR can be authorized for a terminal. BIM-ALERT generates an error message if you attempt to authorize unsecured transactions.

Transactions can also be started in CICS by pressing a PA or PF key. BIM-ALERT allows you to enter the special transaction codes PF01 through PF24 and PA01 through PA03 to provide security for PA- or PF-key transactions. Enter PF01 to specify PF key 1, PF02 for PF key 2, and so forth.

Field Descriptions


Authorizing Programs for Terminals

Terminal Authorized Programs Panel

Use this panel to add, delete, or display terminal authorized programs.

Add all CICS programs that are authorized for a terminal to the terminal's security information by using the ATPR (Add Terminal Authorized Programs) function of this panel. Once programs have been added, you can delete them by using the UTPR (Update Terminal Authorized Programs) delete function or display them by using the DTPR (Display Terminal Authorized Programs) function.

To display the Terminal Authorized Programs panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction To Display This Panel And Then Enter This Information

ATPR Add Terminal Authorized Programs panel

Enter the terminal number and the programs that the terminal is to be authorized to access. Press ENTER to complete the addition process.

If no programs are added for the terminal's authorized programs, the terminal is authorized to access all CICS programs. Therefore, program security is optional for each terminal. The security administrator can override this open-system structure. Refer to the description of the Display Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on terminal default authority.

UTPR Update Terminal Authorized Programs panel

The update function is a delete process because there is no information to be updated for a program at the terminal level. Therefore, enter the programs that are to be deleted from authorized access by the terminal. Press ENTER to complete the update (deletion) process.

If all programs are deleted from the terminal's authorized programs, the authorized programs for the terminal revert to the authority defined by default authority as described in Chapter 8, "System Parameters".

If you want the updated Terminal Authorized Programs information to go into effect during the current CICS session, process the ACTT (Activate Secured Terminals) function for the terminal.

DTPR Display Terminal Authorized Programs panel

Enter the terminal number and press ENTER to display the programs that the terminal is currently authorized to access.

Purpose

Access


If you have assigned one or more groups to a terminal's profile, but you need to tailor the terminal's profile beyond the group profiles, you can use ATPR and UTPR to do so.

If there are individual programs for which this terminal should be authorized which are not included in any group assigned to this terminal, you can use ATPR to add those programs to the terminal.

If there are individual programs in the group which this terminal should not be authorized to execute, use the UTPR function to delete them from the terminal's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the terminal (see page 5-28).

ATPR ** TERMINAL AUTHORIZED PROGRAMS ** ADD

TERMINAL ID: ____ PROGS MODELLED - AUTHORIZED PROGRAMS - ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________

GK722 (B)=BASE (T)=TRANS (F)=FILES (M)=MAPS (R)=FLDS (G)=GRPS (N)=NEXT ==> (_)

Field Meaning

TERMINAL ID: The number of the terminal whose authorized programs are to be displayed or modified.

PROGS MODELLED Specifies whether the resources contained in the terminal's profile exactly match those in the model's profile.

AUTHORIZED PROGRAMS

The secured programs that the terminal is authorized to access. Only programs that have been defined at the system level using the ASPR transaction are authorized for a terminal. BIM-ALERT generates an error message if you attempt to authorize an unsecured program.

Exceptions to Authorized Group Programs

Sample Panel

Field Descriptions


Authorizing Files for Terminals

Terminal Authorized Files Panel

Use the Terminal Authorized Files panel to add, update, or display terminal authorized files.

Add all CICS files that are authorized for a terminal to the terminal's security information by using the ATFL (Add Terminal Authorized Files) function of this panel. Once files have been added, you can update them by using the UTFL (Update Terminal Authorized Files) function or display them by using the DTFL (Display Terminal Authorized Files) function.

DL/I secured resources are assigned to a terminal by using the ATFL transaction to enter the PSB or segment name under the FILENAME field.

To display the Terminal Authorized Files panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction To Display This Panel And Then Enter This Information

ATFL Add Terminal Authorized Files panel

Enter the terminal number, the files the terminal is authorized to access, and the type of processing permitted for each file (update or inquiry only). Press ENTER to complete the addition process.

If no files are added for the terminal's authorized files, the terminal is authorized to access all CICS files. Therefore, file security is optional for each terminal. The security administrator can override this open-system structure. Refer to the description of the Display Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on terminal default authority.

UTFL Update Terminal Authorized Files panel

Enter the terminal number and filenames or process types. Press ENTER to complete the update process. If the file is to be deleted from authorized terminal access, enter a D (delete) for the file's process type during the update process.

If all files are deleted from the terminal's authorized files, the authorized files for the terminal revert to the authority defined by default authority as described in Chapter 8, "System Parameters".

If you want the updated Terminal Authorized Files information to go into effect during the current CICS session, process the ACTT (Activate Secured Terminals) function for the terminal.

DTFL Display Terminal Authorized Files panel

The DTFL transaction displays the Display Terminal Authorized Files panel. Enter the terminal number and press ENTER to display the files that the terminal is currently authorized to access.

Purpose

Access


If you have assigned one or more groups to a terminal's profile, but you need to tailor the terminal's profile beyond the group profiles, you can use ATFL and UTFL to do so.

If there are individual files, PSBs, or DL/I segments for which this terminal should be authorized which are not included in any group assigned to this terminal, you can use ATFL to add those files, PSBs, or DL/I segments to the terminal.

If there are individual files, PSBs, or DL/I segments in the group which this terminal should not be authorized to access, use the UTFL function to delete them from the terminal's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the terminal (see page 5-28).

ATFL ** TERMINAL AUTHORIZED FILES ** ADD

TERMINAL ID: ____ FILES MODELLED - AUTHORIZED FILES - FILENAME PROCESS FILENAME PROCESS FILENAME PROCESS FILENAME PROCESS ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _ ________ _

GK722 (B)=BASE (T)=TRANS (P)=PROGS (M)=MAPS (R)=FLDS (G)=GRPS (N)=NEXT ==> (_)

Exceptions to Authorized Group Files

Sample Panel


Field Meaning

TERMINAL ID: The number of the terminal whose authorized files are to be displayed or modified.

FILES MODELLED

Specifies whether the resources contained in the terminal's profile exactly match those in the model's profile.

FILENAME The secured files that are accessible by this terminal. Only files that have been defined at the system level using the ASFL transaction can be authorized. BIM-ALERT generates an error message if you attempt to authorize an unsecured file.

PROCESS The type of processing authorized for the file from the terminal, as follows:

D Delete authorization access (update only)
I Inquiry only
U File display and update
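The following Python audit is an added example, not part of BIM-ALERT. It checks a set of terminal profiles against two rules stated in this chapter: the Requirement that at least one terminal take operator sign-ons (exempt status N or O), and the ATTR, ATPR, and ATFL rule that an empty authorized list leaves the terminal open to all transactions, programs, or files. The record layout, finding codes, sample terminals, and the default_open parameter are constructed for the example; treating only status A and P terminals as live is a reading of the STATUS descriptions.

```python
"""Offline audit of terminal profiles against rules stated in this chapter.

Added example: the record layout and finding codes are constructed here,
not a BIM-ALERT file or report format.
"""
from typing import Dict, Iterable, List, Set, Tuple

LIVE_STATUSES = {"A", "P"}      # A = active, P = preloaded (treated like A)
RESOURCE_LISTS = ("transactions", "programs", "files")
MAX_ALERT_TRANSACTIONS = 6      # limit given for ALERT TRANSACTIONS
Finding = Tuple[str, str, str]  # (terminal id or "*", code, detail)


def audit_terminals(terminals: Iterable[Dict], secured_transactions: Set[str],
                    default_open: bool = True) -> List[Finding]:
    """Return findings for a set of terminal profiles.

    default_open models the open-system default authority; pass False when
    the administrator has overridden it (hypothetical parameter).
    """
    findings: List[Finding] = []
    live = [t for t in terminals if t["status"] in LIVE_STATUSES]

    # Requirement: some terminal must take operator sign-ons (N or O),
    # otherwise no administrator can sign on to run SCTY.
    if not any(t["exempt_operator_signon"] in ("N", "O") for t in live):
        findings.append(("*", "LOCKOUT", "no live terminal accepts operator sign-on"))

    for t in live:
        tid = t["id"]
        # An empty authorized list means "all" while default authority is open.
        empty = [name for name in RESOURCE_LISTS if not t.get(name)]
        if default_open and empty:
            findings.append((tid, "OPEN", ",".join(empty)))
            if (t["exempt_terminal_signon"] == "Y"
                    and t["exempt_operator_signon"] == "Y"):
                findings.append((tid, "OPEN_NO_SIGNON", ",".join(empty)))

        alerts = t.get("alert_transactions", [])
        if len(alerts) > MAX_ALERT_TRANSACTIONS:
            findings.append((tid, "TOO_MANY_ALERTS", str(len(alerts))))
        # Alert and authorized transactions must both be secured transactions.
        for tx in sorted(set(alerts) | set(t.get("transactions", []))):
            if tx not in secured_transactions:
                findings.append((tid, "UNSECURED_TRANSACTION", tx))
    return findings


# Constructed sample data: transaction, program, and file names are invented.
SECURED = {"PAYR", "INVQ", "ORDR"}
SAMPLE_TERMINALS = [
    {"id": "T001", "status": "A",
     "exempt_terminal_signon": "N", "exempt_operator_signon": "N",
     "transactions": ["PAYR", "INVQ"], "programs": ["PAYPGM01"],
     "files": {"PAYMAST": "U"}, "alert_transactions": ["PAYR"]},
    {"id": "W010", "status": "A",
     "exempt_terminal_signon": "Y", "exempt_operator_signon": "Y",
     "transactions": [], "programs": [], "files": {}},
    {"id": "W011", "status": "A",
     "exempt_terminal_signon": "Y", "exempt_operator_signon": "O",
     "transactions": ["INVQ", "SHIP"], "programs": ["INVPGM01"],
     "files": {"INVFILE": "I"}},
    {"id": "V900", "status": "K",   # kept but sign-on prohibited: not live
     "exempt_terminal_signon": "N", "exempt_operator_signon": "N",
     "transactions": [], "programs": [], "files": {}},
]

if __name__ == "__main__":
    for finding in audit_terminals(SAMPLE_TERMINALS, SECURED):
        print(*finding)
```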

Field Descriptions


Enforcing Map Security for Terminals

Terminal Map Security Panel

Use the Terminal Map Security panel to add, delete, or display terminal map security.

Add all CICS maps that are restricted for a terminal to the terminal's security information by using the ATMP (Add Terminal Map Security) function of this panel. Once maps have been added, you can delete them by using the UTMP (Update Terminal Map Security) function or display them by using the DTMP (Display Terminal Map Security) function.

To display the Terminal Map Security panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction To Display This Panel And Then Enter This Information

ATMP Add Terminal Map Security panel

Enter the terminal number, mapname, and reference number of the map restrictions that apply for the terminal. Press ENTER to complete the addition process.

If no maps are added for the terminal's restricted maps, no map restrictions are in effect for the terminal. Therefore, map security is optional for each terminal.

UTMP Update Terminal Map Security panel

The update function is a delete process because there is no information to be updated for a map at the terminal level. Therefore, enter the mapname and reference number of the maps that are to be deleted from restricted access by the terminal and press ENTER to complete the update (delete) process.

If all maps are deleted from the terminal's restricted maps, the restricted maps for the terminal revert to no map restrictions.

If the updated Terminal Map Security function is to go into effect during the current CICS session, process the ACTT (Activate Secured Terminal) function for the terminal.

DTMP Display Terminal Map Security panel

Enter the terminal number and press ENTER to display the map restrictions that are currently in effect for the terminal.

Purpose

Access


If you have assigned one or more groups to a terminal's profile, but you need to tailor the terminal's profile beyond the group profiles, you can use ATMP and UTMP to do so.

If there are maps for which this terminal should be restricted which are not included in any group assigned to this terminal, you can use ATMP to add those maps to the terminal.

If there are individual maps in the group which this terminal should not be restricted to access, use the UTMP function to delete them from the terminal's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the terminal (see page 5-28).

ATMP ** TERMINAL MAP SECURITY ** ADD

TERMINAL ID: ____ MAPS MODELLED: - DISPLAY RESTRICTIONS - MAPNAME REF. # MAPNAME REF. # MAPNAME REF. # MAPNAME REF. # _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____ _______ ____

GK722 (B)=BASE (T)=TRANS (P)=PROGS (M)=FILES (R)=FLDS (G)=GRPS (N)=NEXT ==>(_)

Field Descriptions

Field / Meaning

TERMINAL ID
    The number of the terminal whose restricted maps are to be displayed or modified.

MAPS MODELLED
    Specifies whether the resources contained in the terminal's profile exactly match those in the model's profile.

MAPNAME
    The name of the map containing restrictions for this terminal. Only maps that have been defined at the system level using the ASMP transaction can be authorized. BIM-ALERT generates an error message if you attempt to authorize an unsecured map.

REF. #
    The number used to reference the version of map restrictions that apply for this terminal. This number is assigned by BIM-ALERT at the time the map restrictions are defined. You can use the DSMP transaction (see page 3-16) to determine the reference number for any given map. The map restrictions are defined using ASMP.


Enforcing Field-Level Resource Security for Terminals

Terminal Authorized Field Resources Panel

Purpose

Use the Terminal Authorized Field Resources panel to add, delete, or display terminal authorized field-level resources.

Add all CICS field-level resources that are authorized for a terminal to the terminal's security information by using the ATFS (Add Terminal Field Security) function of this panel. Once field-level resources have been added, you can delete them by using the UTFS (Update Terminal Field Security) function or display them by using the DTFS (Display Terminal Field Security) function.


Access

To display the Terminal Authorized Field Resources panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction: ATFS
To Display This Panel: Add Terminal Authorized Field Resources panel
And Then Enter This Information:
    Enter the terminal number and the authorized field-level resources to be assigned to the terminal. Press ENTER to complete the addition process.

    If no field-level resources are added for the terminal's authorized field-level resources, the terminal is authorized to access all field-level resources. Therefore, field-level security is optional for each terminal.

    You can override this open-system security structure using the Global System Parameters for Terminals and Operators panel. See page 8-13 for more information about this panel and terminal default authority.

Enter This Transaction: UTFS
To Display This Panel: Update Terminal Authorized Field Resources panel
And Then Enter This Information:
    The update function is a delete process because there is no information to be updated for field-level resources at the terminal level. Therefore, enter the terminal number and the field-level resources that are to be deleted from authorized access by the terminal and press ENTER to complete the update (delete) process.

    If all field-level resources are deleted from the terminal's authorized field resources, the authorized fields for the terminal revert to the authority defined by default authority. See Chapter 8, "System Parameters", for more information about default authority settings.

    If you want the updated terminal authorized field-level resources information to go into effect during the current CICS session, process the ACTT (Activate Secured Terminal) function for the terminal.

Enter This Transaction: DTFS
To Display This Panel: Display Terminal Authorized Field Resources panel
And Then Enter This Information:
    Enter the terminal number and press ENTER to display the field-level resources that are currently authorized for the terminal.


Exceptions to Authorized Group Fields

If you have assigned one or more groups to a terminal's profile, but you need to tailor the terminal's profile beyond the group profiles, you can use ATFS and UTFS to do so.

If there are field-level resources for which this terminal should be authorized which are not included in any group assigned to this terminal, you can use ATFS to add those resources to the terminal.

If there are individual field-level resources in the group which this terminal should not be authorized to access, use the UTFS function to delete them from the terminal's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the terminal (see page 5-28).

Sample Panel

ATFS ** TERMINAL AUTHORIZED RESOURCES ** ADD

TERMINAL NUMBER: ____ FIELDS MODELLED: - AUTHORIZED RESOURCES - ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________ ________

GK723 ENTER THE TERMINAL NUMBER AND FIELD RSRC.(S) TO BE ADDED

Field Descriptions

Field / Meaning

TERMINAL NUMBER
    The number of the terminal whose authorized field-level resources are to be displayed or modified.

FIELDS MODELLED
    Specifies whether the resources contained in the terminal's profile exactly match those in the model's profile.

AUTHORIZED RESOURCES
    The secured field-level resources that are accessible by the terminal. Only field-level resources that have been defined at the system level using ASFF or ASFM can be authorized. BIM-ALERT/CICS generates an error message if you attempt to assign unsecured field resources.


Defining Group Security for Terminals

Terminal Groups Panel

Purpose

Use the Terminal Groups panel to add, delete, or display terminal groups.

Add all groups that are assigned for a terminal to the terminal's security information by using the ATGR (Add Terminal Groups) function of this panel. Once groups have been added, you can delete them by using the UTGR (Update Terminal Groups) function or display them by using the DTGR (Display Terminal Groups) function.

Access

To display the Terminal Groups panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction: ATGR
To Display This Panel: Add Terminal Groups panel
And Then Enter This Information:
    Enter the terminal number and the groups to be assigned to the terminal. Press ENTER to complete the addition process.

    Assigning groups to a terminal is optional. If you want to maintain terminal profiles at the individual resource level, use the appropriate functions to add and update the terminal profile at the resource level, and do not assign groups to the terminal.

Enter This Transaction: UTGR
To Display This Panel: Update Terminal Groups panel
And Then Enter This Information:
    The update function is a delete process because there is no information to be updated for groups at the terminal level. Therefore, enter the terminal number and the groups that are to be deleted from the terminal and press ENTER to complete the update (delete) process.

    If all groups are deleted from the terminal's profile, no resources of any type will be authorized for the terminal.

    If you want the updated terminal groups information to go into effect during the current CICS session, process the ACTT (Activate Secured Terminal) function for the terminal.

Enter This Transaction: DTGR
To Display This Panel: Display Terminal Groups panel
And Then Enter This Information:
    Enter the terminal number and press ENTER to display the groups that are currently assigned to the terminal.


Sample Panel

ATGR ** TERMINAL GROUPS ** ADD

TERMINAL NUMBER: ____    FORCED REGROUP: N

- - - TERMINAL GROUPS - - - GROUP GROUP GROUP GROUP

_________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________ _________

ALERT TRANSACTION GROUP = = = > _________

CLEAR=EXIT PF3=MENU3

GK723 ENTER THE TERMINAL NUMBER AND GROUP(S) TO BE ADDED

Field Descriptions

Field / Meaning

TERMINAL NUMBER
    The number of the terminal whose groups are to be displayed or modified.

FORCED REGROUP
    Either Y or N, specifying whether a regroup will be forced to eliminate any exceptions to group-defined security that were defined by adding or deleting individual resources from the terminal profile. Y forces a regroup; N does not.

    For example, suppose you had run ATTR to add a transaction after adding one or more groups to a terminal. BIM-ALERT/CICS remembers that the transaction is authorized for the terminal in addition to the resources authorized by the terminal's assigned groups. To eliminate the additional transaction and modify the terminal's security profile to include only group-defined security, enter Y in the FORCED REGROUP field. The terminal's profile will be reconfigured to eliminate all exceptional conditions.

TERMINAL GROUPS
    Defines the groups assigned to the terminal. Up to 32 groups of resources can be assigned to each terminal.

ALERT TRANSACTION GROUP
    Defines the group in which the alert transactions for this terminal are defined. Because only six alert transactions can be defined for a terminal, any alert transactions for a terminal with groups assigned must be in the same group. This lets BIM-ALERT avoid deciding which six transactions to use if the groups assigned to the terminal contain more than six alert transactions. The alert transaction group can also contain normal authorized transactions.
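The group-plus-exceptions behaviour described for FORCED REGROUP can be pictured with a small model. This is an added example, not BIM-ALERT code: the class, its method names, and the group and transaction names are constructed for illustration, and it assumes exceptions are tracked as "added" and "removed" sets on top of the assigned groups.

```python
from dataclasses import dataclass, field

MAX_GROUPS = 32  # the guide allows up to 32 groups per terminal


@dataclass
class TerminalProfile:
    """Simplified model of one terminal's authorized transactions."""
    groups: dict = field(default_factory=dict)  # group name -> set of transaction codes
    added: set = field(default_factory=set)     # exceptions added beyond the groups
    removed: set = field(default_factory=set)   # group members deleted for this terminal

    def from_groups(self):
        """Everything the assigned groups authorize, before exceptions."""
        return set().union(*self.groups.values())

    def assign_group(self, name, transactions, forced_regroup=False):
        """Model of adding (or redefining) a group, with the FORCED REGROUP flag."""
        if name not in self.groups and len(self.groups) >= MAX_GROUPS:
            raise ValueError("a terminal can hold at most 32 groups")
        self.groups[name] = set(transactions)
        if forced_regroup:
            self.regroup()

    def add_transaction(self, code):
        """Model of an individual add: recorded as an exception if no group has it."""
        self.removed.discard(code)
        if code not in self.from_groups():
            self.added.add(code)

    def delete_transaction(self, code):
        """Model of an individual delete: recorded as an exception if a group has it."""
        self.added.discard(code)
        if code in self.from_groups():
            self.removed.add(code)

    def regroup(self):
        """Forced regroup: drop every exception, leaving group-defined security only."""
        self.added.clear()
        self.removed.clear()

    def authorized(self):
        """Effective authorization: groups plus additions minus deletions."""
        return (self.from_groups() | self.added) - self.removed

    def exceptions(self):
        """What an auditor would review: where the terminal departs from its groups."""
        return {"added": sorted(self.added), "removed": sorted(self.removed)}


def demo():
    """Constructed walk-through: exceptions survive a group change until a regroup."""
    t = TerminalProfile()
    t.assign_group("TELLERS", {"INQ1", "UPD1"})
    t.add_transaction("PAY1")      # exception: extra transaction
    t.delete_transaction("UPD1")   # exception: group member taken away
    before = t.authorized()
    t.assign_group("TELLERS", {"INQ1", "UPD1", "RPT1"})  # group itself changes
    after_change = t.authorized()
    t.assign_group("TELLERS", {"INQ1", "UPD1", "RPT1"}, forced_regroup=True)
    return before, after_change, t.authorized(), t.exceptions()


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Listing `exceptions()` for each terminal before forcing a regroup shows exactly which individual grants and removals the regroup will discard.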


Chapter 6. Securing Operator Resources

This chapter explains how to define operator resources using an operator’s user profile record.

Introduction
    Operator Resources
    Assigning Security Administrators
    Implementing Decentralized Administration

Defining Operators
    BIM-ALERT User Profile Panel
    Modeling Operators

Authorizing Transactions for Operators
    Operator Authorized Transactions Panel

Authorizing Programs for Operators
    Operator Authorized Programs Panel

Authorizing Files for Operators
    Operator Authorized Files Panel

Authorizing Maps for Operators
    Operator Map Security Panel

Authorizing Field-Level Resources for Operators
    Operator Authorized Field Resources Security Panel

Assigning Groups to Operators
    Operator Groups Panel


Introduction

Operator Resources

Defining Operator Resources

All operators who are required to sign on are defined to BIM-ALERT as operator resources. The control features for each operator are determined by the contents of the operator's security profile record. To define an operator's user profile record, you enter the information on the following panels:

• BIM-ALERT User Profile panel
• Operator Authorized Transactions panel
• Operator Authorized Programs panel
• Operator Authorized Files panel
• Operator Map Security panel
• Operator Field Level Security panel
• Operator Groups panel

What Operators Must Be Defined?

Only operators that are required to sign on must have their basic security information entered into the system. If the basic security profile information is not entered for an operator, that operator will be denied access to CICS processing on terminals that require an operator to sign on.

Defining Operator Security

Each level of security is optional for each operator. You enter the map display restrictions, transactions, programs, field-level resources, and files that each operator is authorized to access in the operator's security profile record, or optionally assign up to 32 groups of resources to an operator. If nothing is entered for a given category, no security exists for those resources for the operator. By default, if no authorized programs are entered, the operator can access all programs and is therefore eliminated from program security. The security administrator can override this open-system structure. (Refer to the description of the Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on operator default authority.)

Priority of Controls

The controls on an operator always have a lower priority than the controls on any terminal that requires operator sign-on. Thus, any operator who has greater access privileges than a given terminal that requires sign-on will be denied those extra access privileges from that terminal. If operator sign-on is optional for the terminal being used, the operator's authority overrides the terminal's while the operator is signed on. (For more information about exempt terminal sign-on, refer to page 5-9; for more information about exempt operator sign-on, refer to page 5-10.)
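The open-system default and the priority of terminal controls over operator controls combine into one access decision, sketched below. This is an added example and not BIM-ALERT code: the function and class names and the sample profiles are constructed, a single `open_default` flag stands in for the default authority set on the Global System Parameters panel, and maps are left out because the map panels list restrictions rather than authorizations.

```python
from dataclasses import dataclass, field
from typing import Optional

# Categories whose lists hold what is AUTHORIZED (maps are excluded, see lead-in).
CATEGORIES = ("transactions", "programs", "files", "fields")


@dataclass
class Profile:
    """Simplified security profile of one terminal or one operator."""
    authorized: dict = field(default_factory=dict)  # category -> set of resource names

    def allows(self, category: str, resource: str, open_default: bool = True) -> bool:
        entries = self.authorized.get(category)
        if not entries:
            # Nothing entered for this category: the default authority decides.
            return open_default
        return resource in entries

    def open_categories(self) -> list:
        """Categories with no entries, i.e. governed only by the default authority."""
        return [c for c in CATEGORIES if not self.authorized.get(c)]


def access_decision(terminal: Profile, signon_required: bool,
                    operator: Optional[Profile], category: str,
                    resource: str, open_default: bool = True):
    """Return (allowed, reason) following the rules stated in the text above."""
    term_ok = terminal.allows(category, resource, open_default)
    if operator is None:
        if signon_required:
            # No operator profile: denied on terminals that require sign-on.
            return False, "no operator profile on a terminal that requires sign-on"
        return term_ok, "terminal authority, no operator signed on"
    op_ok = operator.allows(category, resource, open_default)
    if signon_required:
        # Operator controls rank below the terminal's: extra privileges are denied.
        if not term_ok:
            return False, "terminal controls outrank the operator"
        return op_ok, "operator authority within the terminal's limits"
    # Sign-on optional: the signed-on operator's authority overrides the terminal's.
    return op_ok, "operator authority overrides the terminal"


# Constructed sample profiles (names are illustrative only).
BRANCH_TERMINAL = Profile({"transactions": {"INQ1"}})
CLERK = Profile({"transactions": {"INQ1", "UPD1"}})


def demo():
    return [
        access_decision(BRANCH_TERMINAL, True, CLERK, "transactions", "UPD1"),
        access_decision(BRANCH_TERMINAL, False, CLERK, "transactions", "UPD1"),
        access_decision(BRANCH_TERMINAL, True, CLERK, "programs", "PAYCALC"),
        access_decision(BRANCH_TERMINAL, True, CLERK, "programs", "PAYCALC",
                        open_default=False),
        access_decision(BRANCH_TERMINAL, True, None, "transactions", "INQ1"),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, "-", reason)
    print("CLERK categories left open:", CLERK.open_categories())
```

Running `open_categories()` across all profiles is a quick way to find operators whose access in a category depends entirely on the default authority setting.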


Browsing

When you need to display information about a certain operator but are not sure of the exact user ID, use the PF8 key from the operator security information panel. Enter all or as much of the operator identification as you know. Press the PF8 key to start browsing and displaying the file from that point. Continue pressing the PF8 key to display additional operators until the particular operator has been located. If no operator identification is entered and the PF8 key is pressed, browsing starts from the beginning of the file. You can use PF7 to browse backwards through the operator profiles.


Assigning Security Administrators

Introduction

Identify main security administrators to BIM-ALERT/CICS by using the AAUP (Add BIM-ALERT User Profile) transaction. Use the following rules to specify the main administrators on the Operator Security Information panel.

• The USER ID consists of one to nine alphanumeric characters.

• The NAME is any name you want to assign, but must be immediately preceded by a plus sign (+). This plus sign is not entered when administrators sign on to BIM-ALERT/CICS.

• The USER CLASS must be M to designate a main administrator.

• Main administrators' assigned terminals must be secured terminals in the system.

Sample Main Administrator Information

Sample main administrator information is given below:

USER ID: MAINADMIN
NAME: +MAIN ADMIN
USER CLASS: M

Complete the remainder of the administrator's information as if adding a new operator. It is suggested that

• More than one secured terminal should be assigned for the administrator in the event of hardware failure

• Scheduled access times should be for the entire week and the entire day (that is, 24 hours)

• Main administrators should be authorized for all resources

• The security administrator should perform only administrative security functions when signed on as the administrator

Default Main Administrator

A default main administrator with the user ID A and operator name +DEFAULT ADMIN is added to the security file as part of the file initialization process. This administrator is used by default when BIM-ALERT/CICS is not active. You can override the default administrator after you add an administrator of your own. See page 8-11 for information about defining the default main administrator.


Implementing Decentralized Administration

Assigning Sub-Administrators

If decentralized administration is to be used, add sub-administrators to the system while you are signed on as a main administrator. The USER ID can be from one to nine alphanumeric characters. Add sub-administrators with a plus sign preceding the OPERATOR NAME. The plus sign is not entered when the subadministrator signs on to BIM-ALERT/CICS.

Although main security administrators have the responsibility of controlling and maintaining all secured resources of the CICS online network, decentralizing security allows sub-administrators to maintain security plans for individual terminals and operators, subject to the control and audit of the main security administrators.

Authority of Sub-Administrators

Two operator classes are provided to allow you to create two types of sub-administrators:

• Sub-Administrators defined with USER CLASS of T can process both terminal and operator security profiles.

• Sub-Administrators defined with USER CLASS of O can process only operator security profiles. This extends the amount of control main administrators have in assigning authority to sub-administrators.

It should be emphasized that sub-administrators cannot add or update system resources (that is, transactions, programs, files, field-level resources, and maps). Only main administrators can perform these functions.

Sub-Administrators' Assigned Resources

When a subadministrator adds a terminal or operator to the security system, that terminal or operator is assigned as a resource of the specific subadministrator by BIM-ALERT/CICS. Any attempt by a subadministrator to access an unassigned resource is denied by BIM-ALERT/CICS and reported as an attempted violation.

If a terminal or operator resource is transferred from one subadministrator to another, the subadministrator number for that resource must be changed by a main administrator before the new subadministrator can access the resource's security information.

Features of Decentralized Administration

The following are important points to remember when using decentralized administration:

• The main administrators (USER CLASS M) maintain ultimate control of the security system. Auditors should also be defined as main administrators, but with a process type of I. With file security activated, this will allow auditors to look at data in any secured file but not update anything.

• Only a main administrator adds, updates, or deletes system resources (that is, transactions, programs, files, field-level resources, and maps).


• Sub-Administrators (USER CLASS T or O) update or delete only those terminal and operator resources that they have added to the system or that a main administrator has assigned to them.

• Only a main administrator changes the subadministrator number for a terminal or operator resource.

• Sub-Administrators authorize only those resources contained in their own profiles. Since a main administrator is the owner of the subadministrator's record, the main administrator maintains control over the amount of authority each subadministrator possesses.


Defining Operators

BIM-ALERT User Profile Panel

Purpose

Use the BIM-ALERT User Profile panel to add, update, or display operator security information.

Add all operators that are to be secured by BIM-ALERT/CICS to the system by using the AAUP (Add BIM-ALERT User Profile) function of this panel. Once operator information is added, you can update it by using the UAUP (Update BIM-ALERT User Profile) function or display it by using the DAUP (Display BIM-ALERT User Profile) function.

Immediate Changes to Security

New user profiles or updates to existing profiles will go into effect when the operator signs on. To force an operator to log on again and thereby put updates to his or her profile into effect, use the ACTO (Activate Secured Operator) transaction (see page 7-6).

Use the DAOP (Deactivate Secured Operators) function to temporarily remove operators from any further security monitoring during the current CICS session. To permanently prohibit the operator from accessing the system during any subsequent processing, change the status of the operator from active to disabled on the Operator security file with the UAUP transaction.

Access

To display the BIM-ALERT User Profile panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction: AAUP
To Display This Panel: Add BIM-ALERT User Profile
And Then Enter This Information:
    Enter the user profile information for the new operator to be added. Press ENTER to complete the addition process.

Enter This Transaction: UAUP
To Display This Panel: Update BIM-ALERT User Profile
And Then Enter This Information:
    Enter the user ID of the operator to be updated and press ENTER to display the current operator user profile. Make the required changes to the current user profile and press ENTER to complete the update process.

Enter This Transaction: DAUP
To Display This Panel: Display BIM-ALERT User Profile
And Then Enter This Information:
    Enter the user ID of the operator to be displayed and press ENTER to display the current operator user profile.


Sample Panel

DAUP ** BIM-ALERT USER PROFILE ** DISPLAY

USERID BMOYLE NAME BEN MOYLE MODEL _________ UP-STAT _
ADMIN _________ USER CLASS M CICS Y BATCH N DATA __________ / ________
BATCH >>>>>>>>> PWS N REM N ACT * MON * CON N CLB N EXPIRE DATE __ / __ / ____
SUBMIT USERIDS: ________ ________ _ ________ EXT/PW ________ / ________
TABLES/SECIDS: __ ________ __ ________ __ ________ __ ________ __ ________

CICS >>>>>>>>>> OPID ___ IUI ID/PW ________ / ______ EXT SEC ___ / ________
PASSWORD MOYLE TRM GRP 1 ____ COMP ____ STATUS A
ISSUE DATE 04 / 01 / 1998 PRIM/GRP2 ____ DIV ____ PROC TYPE U
NEW PSWD ALT1/GRP3 ____ DEPT ____ MSG SUFFIX ##
EFF DATE __ / __ / ____ ALT2/GRP4 ____ SECT ____ INACTIVE HRS 00 MINS 30

..SCHED TIMES.. ...TEMP TIMES.. ...EFF DATE... ...EXP DATE...
MON ____ / ____ MON ____ / ____ __ / __ / ____ __ / __ / ____
TUE ____ / ____ TUE ____ / ____ __ / __ / ____ __ / __ / ____
WED ____ / ____ WED ____ / ____ __ / __ / ____ __ / __ / ____
THU ____ / ____ THU ____ / ____ __ / __ / ____ __ / __ / ____
FRI ____ / ____ FRI ____ / ____ __ / __ / ____ __ / __ / ____
SAT ____ / ____ SAT ____ / ____ __ / __ / ____ __ / __ / ____
SUN ____ / ____ SUN ____ / ____ __ / __ / ____ __ / __ / ____

GK717 (T)=TRANS (P)=PROGS (F)=FILES (M)=MAPS (R)=FLDS (G)=GRPS (N)=NEXT => ( _ )


Field Descriptions

The following table explains the fields on the User Profile panel that are used to define both VSE and CICS user profiles. The column labeled VSE or CICS? explains whether a field applies to only a VSE or CICS profile or to both.

USERID
    Meaning: Any one of the user IDs from which you can submit jobs, such as a CMS user ID. However, if you are creating a CICS user profile, you must use the BIM-ALERT/CICS user ID. This ID alone makes a user profile unique.

    To define additional user IDs, you can use the SUBMIT USERIDS, EXT/PW, and IUI ID/PW fields.

    This is a nine-character field because the CICS user ID is a nine-character ID. For all other user IDs, the ninth byte is blank.
    VSE or CICS?: Both
    Required?: Yes

NAME
    Meaning: The user name can be the user's real name, or it can be a name applied to a special position, job, function, and so on, within the company. For example, in a VM environment, multiple people may need to log on to the VM directory maintenance machine (MAINT). In this case, the NAME field could be VM DIRECTORY, and the logon for that CMS machine would be provided under the submit userids information.
    VSE or CICS?: Both
    Required?: Yes

MODEL
    Meaning: The nine-character identification of a previously defined user that you want to use as a model for this user's profile. If a model is entered, all fields that you do not specify are assigned the model's value for that field. If a model is not entered, all fields you do not specify are modeled after the administrator.
    VSE or CICS?: Both
    Required?: No

UP-STAT
    Meaning: The update status of the operator, as follows:

    A   Active. This is the default.

    D   Disabled. An operator in disabled status cannot sign on to any terminal that BIM-ALERT/CICS controls and is deleted during reorganization.

    E   Erase immediately. This directs BIM-ALERT/CICS to physically delete the entire profile from the security file without waiting for the next reorganization. If you enter E, BIM-ALERT/CICS prompts you to enter Y for yes. If you do not reply with Y, BIM-ALERT/CICS does not delete the record.

    K   Keep but prohibit sign-on. This prohibits sign-on by an operator, but does not trigger deletion of the record by the S1U001 and S1U002 reorganization programs. For example, you can put an operator in status K during a vacation to prohibit unauthorized sign-on for that time.

    For more detailed information about changing a user's status, see page 6-14.
    VSE or CICS?: CICS
    Required?: No


ADMIN The user ID of the main administrator or subadministrator. Only a mainadministrator can update this field.

This User Profile panel automatically displays the user ID of the mainadministrator or subadministrator who is adding a resource. The ADMIN fieldis also displayed on the AAUP and DAUP panels.

CICS No

USER CLASS Specify one of the following:

M The user is a main administrator.
T The user is a terminal and operator subadministrator.
O The user is an operator only subadministrator.
R The user is a regular user.

VSE or CICS?: CICS. Required?: No.

CICS Specify one of the following:

Y The user can log on to CICS. This is the default.
N The user can submit only batch jobs.

You must enter Y in either this field or the BATCH field.

VSE or CICS?: Both. Required?: Yes.

BATCH Specify one of the following:

Y The user can submit batch jobs. This is the default.
N The user cannot submit batch jobs.

You must enter Y in either this field or the CICS field.

VSE or CICS?: Both. Required?: Yes.

DATA User-defined requirements that the local installation uses. The field can contain information such as data that a user can share with others through a post sign-on program.

You can access the second field using the AXP macro, BIM-ALERT/VSE's callable interface. For more information on the AXP macro, see the BIM-ALERT/VSE Security Administrator's Guide.

VSE or CICS?: Both. Required?: No.

PWS Specify one of the following:

Y The user can submit jobs from a Personal Work Station (PWS).
N The user cannot submit jobs from a PWS. This is the default.

VSE or CICS?: VSE. Required?: No.


REM Specify one of the following:

Y The user's jobs are permitted to come from another node on the network.

N The user's jobs are not permitted to come from another node on the network. This is the default.

VSE or CICS?: VSE. Required?: No.

ACT The action to take when this user submits a job to the system. Valid action values are L, W, *, and C. If no action is entered, the default is * (take no action). For more information on these values, see the BIM-ALERT/VSE Security Administrator's Guide.

VSE or CICS?: VSE. Required?: No.

MON The monitoring code to apply when this user submits a job to the system. If no action is entered, the default is * (do not perform any monitoring). For information on these values, see the BIM-ALERT/VSE Security Administrator's Guide.

VSE or CICS?: VSE. Required?: No.

CON Specify one of the following:

Y The user is permitted to define a VSE master console and to enter system commands and replies through a VSE master console.

N The user is not permitted to define a VSE master console and to enter system commands and replies through a VSE master console.

VSE or CICS?: VSE. Required?: No.

CLB Specify one of the following:

Y The user is permitted to update a controlled library, members in a controlled library, and sublibraries.

N The user is not permitted to update a controlled library, members in a controlled library, and sublibraries.

For specific information about controlled libraries, see BIM-ALERT/VSE Security Administrator's Guide.

VSE or CICS?: VSE. Required?: No.


EXPIRE DATE User profile expiration date, displayed in mm/dd/yyyy format.

For mm, specify a value from 01-12 to indicate the month.

For dd, specify a value from 01-31 to indicate the day. The value must be consistent with the value entered for month and year. For example, if the month is 04, only the values from 01-30 are acceptable.

For yyyy, specify a value to indicate the year. Valid year values are 1989 - 2041.

You can leave the field blank. It appears as "00 / 00 / 0000" when you display it with DAUP or UAUP, and BIM-ALERT/VSE considers that the user profile never expires.

VSE or CICS?: VSE. Required?: No.

SUBMIT USERIDS Any additional user IDs from which the operator can submit jobs. The one-character field that follows is for a valid logon source. The following are valid logon source codes:

L Local PUTSPOOL or XPCC with no ID card
S User ID for ASI procedure (VSE/ESA version 1.3 or higher)

For a complete list of logon source codes and their meanings, see the BIM-ALERT/VSE Security Administrator's Guide.

VSE or CICS?: VSE. Required?: No.

EXT/PW These fields let you define the SECID to be associated with jobstreams that BIM-ALERT/VSE does not provide a submittal monitor for.

The first field is the user ID. Enter a one- to eight-character user ID. There are no restrictions on the characters that may be used for this field.

The second field is a password. Enter one to eight alphanumeric characters. Alphanumeric characters consist of characters A through Z, 0 through 9, and the special characters @ (at-sign), # (number sign), and $ (dollar sign). The following passwords are reserved for internal use by BIM-ALERT:
• AXHJ21
• AXHJ6A, AXHJ6O, AXHJ6T
• AXH19O, AXH19A, AXH19T
• AXPSRV

You can use the main user ID and password in the EXT/PW fields.

VSE or CICS?: VSE. Required?: No.

TABLES / SECIDS The two-character ID of the table where you want this user definition to be included. If you want the user defined for all possible tables, enter *. You can enter specific table IDs in conjunction with the *.

The SECID for each table where you want this user defined. The SECIDs can be different for different tables, but they don't have to be different.

VSE or CICS?: VSE. Required?: Yes.


OPID The three-character CICS operator ID.

VSE or CICS?: Both. Required?: No.

IUI ID/PW The user ID and password of the Interactive User Interface. For more information, see page 11-10.

VSE or CICS?: CICS. Required?: No.

EXT SEC Specify one of the following in the first field:

YES Call an external security product if password validation fails.
NO Do not call an external security product if password validation fails.

In the second field, you can designate a MODEL ID to pass to the external security product when adding a new user.

VSE or CICS?: CICS. Required?: No.

PASSWORD The current password used for operator sign-on and batch jobs. The administrator initially specifies this password, and BIM-ALERT/CICS automatically generates a new password or allows users to enter a new password when the effective period has expired.

If an operator changes his own password at sign-on, the new password becomes the current one and is used for all subsequent sign-ons. All existing passwords are cleared, including ones generated by BIM-ALERT/CICS or by main administrators or sub-administrators.

If the operator enters HELP as the password, BIM-ALERT/CICS displays the special HELPLOGO, if a main administrator created one using the LOGO facility for BIM-ALERT/CICS. For more information about the HELPLOGO and help screens, see page 9-29.

VSE or CICS?: CICS.

PRM Specify one of the following:

Y The current password will never expire. BIM-ALERT will never force the password to be changed. This does not prevent the operator from changing their password at signon.

N The current password will expire. BIM-ALERT will automatically generate a new password or will allow the user to enter a new password when the effective period has expired.

VSE or CICS?: CICS. Required?: No.

TRM GRP 1 The name of a group of terminals the operator uses. If an operator is to be authorized to use a group of terminals, add each terminal in the group to the security file with the same group name that corresponds with the terminal group assigned for the operator.

Enter ALL in this field to allow an operator to sign on to all terminals.

VSE or CICS?: CICS. Required?: Yes.

COMP The company number the operator is assigned to. Add the number to the security system through the Company Identification panel. This field defaults to zeros if nothing is entered.

VSE or CICS?: Both. Required?: No.


STATUS The status of the operator, as follows:

A Active. This is the default.

D Disabled. An operator in disabled status cannot sign on to any terminal that BIM-ALERT/CICS controls and is deleted during reorganization.

E Erase immediately. This directs BIM-ALERT/CICS to physically delete the CICS portion of the profile from the security file without waiting for the next reorganization. If you enter E, BIM-ALERT/CICS prompts you to enter Y for yes. If you do not reply with Y, BIM-ALERT/CICS does not delete the record. If you want to delete the entire user profile, use the UP-STAT field. See page 6-9 for more information.

K Keep but prohibit sign-on. This prohibits sign-on by an operator, but does not trigger deletion of the record by the S1U001 and S1U002 reorganization programs. For example, you can put an operator in status K during a vacation to prohibit unauthorized sign-on for that time.

If an operator in active status reaches maximum consecutive violations, the status is changed to V. The operator then receives a message indicating that sign-on to secured terminals is not allowed. At this point, the operator must contact his or her security administrator. See the OPER STAT IF MAX VIOL field on the UPAR panel for more information.

To return the operator's status to A, any subadministrator or main administrator can execute ACTO to reactivate the operator and update his or her status to A. The administrator using the ACTO subtransaction need not own the operator resource. ACTO cannot be used to activate an operator with status D. Status D can be changed only by using the UAUP subtransaction.

Any BIM-ALERT/CICS resource that has a status of D will be deleted from the security file at the next file reorganization. (The reorganization programs are S1U001 and S1U002.) Since BIM-ALERT/CICS bypasses any status D resource at initialization, reorganizing the file has no effect on the amount of storage used for security.

VSE or CICS?: CICS. Required?: No.

ISSUE DATE The date the current password is issued. The system provides this date, which the administrator cannot enter or change. When a new operator is added, the date issued automatically defaults to the current date.

VSE or CICS?: CICS. Required?: No.


PRIM/GRP2 Either a specific terminal or a terminal group that this operator can use to sign on. There is no default value for this field.

This allows an operator to sign on from up to four different terminal groups if you code a terminal group in both ALT1/GRP3 and ALT2/GRP4, as well as in the regular TRM GRP 1 field. No validity check is made on this field. Terminal group names are assigned when a terminal is added using the ATSI panel.

VSE or CICS?: CICS. Required?: No.

DIV The division number the operator is assigned to. Add the number to the security system through the Department Identification panel. This field defaults to zeros if nothing is entered.

VSE or CICS?: Both. Required?: No.

PROC TYPE Process type. The type of file processing authorized for this operator. Specify one of the following:

I Restrict the operator to file inquiry only.
U Allow the operator to both display and update the file.

If an operator with a process type of I is allowed a transaction that updates a secured file, the operator is still permitted to execute the transaction. However, any attempts to update a file through that transaction fail. File-level security must be turned on and the applicable files must be secured for this to take effect.

VSE or CICS?: CICS. Required?: No.

NEW PWD The new password to be used for operator sign-on. BIM-ALERT/CICS generates this password automatically when the old password expires, or the administrator selects the password and it becomes effective on the specified effective date. When a new operator is added, the date issued automatically defaults to the current date.

VSE or CICS?: CICS. Required?: No.

ALT1/GRP3 Enter a specific terminal or terminal group that this operator can use to sign on. This allows an operator to sign on from up to four different terminal groups if you code a terminal group in both ALT1/GRP3 and ALT2/GRP4, as well as in the regular TRM GRP 1 field. No validity check is made on this field. Terminal group names are assigned when a terminal is added using the ATSI panel.

VSE or CICS?: CICS. Required?: No.

DEPT The department number the operator is assigned to. Add the number to the security system through the Company Identification panel. This field defaults to zeros if nothing is entered.

VSE or CICS?: Both. Required?: No.


MSG SUFFIX The two-character message language suffix for this operator. Each operator can receive messages from BIM-ALERT/CICS in his or her own language.

The default is English and is represented by ## symbols. If you do not specify a language, BIM-ALERT/CICS automatically converts your file to this value.

The security administrator controls what languages are supported and what values can be entered. Alternate message files must be included in the FCT. If a file cannot be located, BIM-ALERT/CICS uses the message file defined on the UTOP panel.

VSE or CICS?: CICS. Required?: No.

EFF DATE Effective date. The date the new password is to become effective. BIM-ALERT/CICS automatically generates this date or the security administrator selects the date.

Special Values

The EFF DATE field can be used to force some special processing at operator sign-on time. In particular, by properly using this field, you can force an operator to get a new password the first time he signs on, or set up a particular operator's profile in such a way that her password never expires.

Let's suppose that you want to force an operator to get a new password the first time he signs on. To do so, you should assign the operator a password in the NEW PWD field and assign an EFF DATE that is expired. The first time he signs on, the operator will either have to choose a new password or else BIM-ALERT will assign a randomly generated password, depending on the value of the field ASSIGNED BY BIM-ALERT on the Global System Parameters panel (see the BIM-ALERT/CICS System Administrator's Guide).

VSE or CICS?: CICS. Required?: No.

ALT2/GRP4 Identifies either a specific terminal or a terminal group that this operator can use to sign on. This allows an operator to sign on from up to four different terminal groups if you code a terminal group in both ALT1/GRP3 and ALT2/GRP4, as well as the regular TRM GRP 1 field. No validity check is made on this field. Terminal group names are assigned when a terminal is added using the ATSI panel.

VSE or CICS?: CICS. Required?: No.


SECT The section number the operator is assigned to. Add the number to the security system through the Section Identification panel. This field defaults to zeros if nothing is entered.

VSE or CICS?: Both. Required?: No.

INACTIVE HRS MIN The maximum length of time an operator is allowed between terminal inputs. If the time limit is exceeded, the terminal the operator is using is automatically erased and the operator is signed off, or a stage-two time interval is started as specified in the FORCE DELAY field of the UPAR panel.

VSE or CICS?: CICS. Required?: No.

SCHED FROM Identifies the time periods that the operator is allowed to access the system for each day of the week. Any attempt to access the system outside the access times is denied. The FROM and TO parameters are in 24-hour clock time and are in the range of 0001 to 2400 hours. The combination of 0001 to 2400 is called all time and causes BIM-ALERT/CICS to bypass all time checks for that day. The combination of 0001 to 0002 is called no time and prohibits the operator from accessing the system on that day.

VSE or CICS?: CICS. Required?: No.

TEMP TIMES EFF DATE EXP DATE The temporary time period that the operator can access the system for each day of the week. Temporary times and dates are to be entered only when exceptions to normal access times are required. The temporary times override the scheduled access times for each day specified during the effective period. The FROM and TO times are in 24-hour clock time and are in the range of 00:01 to 24:00 hours. The EFF DATE and EXP DATE are in the date format selected on the UPAR panel (default is mm/dd/yyyy).

VSE or CICS?: CICS. Required?: No.

LAST ACCESS The terminal ID and the date and time the operator last signed-on.

VSE or CICS?: CICS. Required?: No.
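The scheduled and temporary access-time rules described for the SCHED and TEMP TIMES fields can be checked offline with a short script, for example when reviewing profiles for windows that are wider than intended. This is an added example, not BIM-ALERT code: the function names and sample values are hypothetical, and it assumes inclusive FROM/TO bounds, inclusive EFF/EXP dates, and times written as four digits without a colon.

```python
from datetime import date, datetime

ALL_TIME = (1, 2400)  # 0001-2400: time checks are bypassed for that day
NO_TIME = (1, 2)      # 0001-0002: no access on that day


def parse_window(frm, to):
    """Turn FROM/TO strings such as "0800"/"1700" into a validated tuple."""
    window = (int(frm), int(to))
    for value in window:
        if not 1 <= value <= 2400 or value % 100 > 59:
            raise ValueError(f"time outside 0001-2400: {value:04d}")
    if window[0] > window[1]:
        raise ValueError("FROM is later than TO")
    return window


def access_allowed(schedule, when, temp=None):
    """Return (allowed, reason) for a sign-on attempt at datetime `when`.

    schedule: {weekday: (from, to)} with Monday = 0, all seven days present.
    temp: optional {"eff": date, "exp": date, "times": {weekday: (from, to)}}.
    """
    day = when.weekday()
    window, source = schedule[day], "scheduled"
    # Temporary times override the schedule only for the days they specify
    # and only inside the effective period (both end dates assumed inclusive).
    if temp and temp["eff"] <= when.date() <= temp["exp"] and day in temp["times"]:
        window, source = temp["times"][day], "temporary"
    if window == ALL_TIME:
        return True, f"{source}: all time"
    if window == NO_TIME:
        return False, f"{source}: no time"
    now = when.hour * 100 + when.minute
    allowed = window[0] <= now <= window[1]  # assumption: inclusive bounds
    return allowed, f"{source}: {window[0]:04d}-{window[1]:04d}"


# Constructed sample profile: weekdays 0800-1700, Saturday none, Sunday all.
SCHEDULE = {d: parse_window("0800", "1700") for d in range(5)}
SCHEDULE[5] = parse_window("0001", "0002")
SCHEDULE[6] = parse_window("0001", "2400")
# Constructed exception: extended Monday hours for one week.
TEMP = {"eff": date(1998, 5, 18), "exp": date(1998, 5, 22),
        "times": {0: parse_window("0600", "2200")}}

if __name__ == "__main__":
    for attempt in (datetime(1998, 5, 18, 7, 30), datetime(1998, 5, 16, 0, 1),
                    datetime(1998, 5, 17, 0, 0)):
        print(attempt, access_allowed(SCHEDULE, attempt, TEMP))
```

Note that the no-time pair has to be handled as a special value: treated as an ordinary window, 0001 to 0002 would still admit a sign-on at 00:01.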


Modeling Operators

Introduction

Operator security profiles are made up of the following seven logical parts:
• Basic security information, as described on the AAUP panel
• Authorized transactions, as described on the AOTR panel
• Authorized programs, as described on the AOPR panel
• Authorized files, as described on the AOFL panel
• Authorized maps, as described on the AOMP panel
• Authorized field-level resources, as described on the AOFS panel
• Authorized groups, as described on the AOGR panel

All seven parts are modeled when you select an operator in the model field. This means that you must complete the security profile of an operator at each level before you use it as a model. If you complete only the basic information for an operator and then use it as a model for a new operator, the new operator will receive default profiles for the other six levels (that is, transactions, programs, files, maps, field-level resources, and groups).

Deleting a Model from an Operator's Profile

To delete a model from an operator's profile, access the UAUP panel (see page 6-7), use the space bar to enter blanks in the model field, and press ENTER to complete the update process. This will not change data currently in the operator's profile, but will delete the model from the operator's profile.

If you want to model the operator after a different operator (or the existing one), access the UAUP panel (see page 6-7), enter the user ID of the model operator, and press ENTER.

How the Modeling Function is Implemented

When an operator is added using a model, or an operator is updated and remodeled, switches are set in the operator's profile that tell BIM-ALERT that this operator has exactly the same transactions, programs, files, maps, and field-level resources as the model. When the operator signs on, these switches are used by the sign-on program to determine where to get the access authorization information for this operator: if the switch is on, the information is extracted from the model's profile; if the switch is off, the information is taken from the operator's profile.

These switches remain on for a modeled operator unless that operator's authorization access is changed using the AOTR, UOTR, AOPR, UOPR, AOFL, UOFL, AOMP, or UOMP transactions. A field has been added to the display panel for each of these functions to tell you whether the operator's access is the same as the model's.

Each of these switches is independent of the others: changing a modeled operator's transactions does not affect the setting of the switches for programs, files, or maps, and so on. For example, if a modeled operator were given a new transaction, the transaction switch would be turned off, but the other switches would remain on. Therefore, if the model were then authorized to access a new program, the modeled operator would also be authorized to access that program (after signing on the next time).


These switch settings do not affect the behavior of the batch utilities, however. If you run any of the batch utilities with the UPDATE=MODEL input parameter specified, the updates will be made to the model and all operators modeled after that model just as it always did. If you run with the UPDATE=OPERATOR input parameter specified, the modeling switch will be turned off for those operators updated, just as if the change were made using the online panels.

Automatic modeling affects only the resources an operator is authorized to access; the other fields (for example, time-of-day access and logo suffix) are not affected.

Example

Suppose you need to add the new operator XYZ who is to be modeled after ABC. After this is completed, XYZ's profile will have all the modeling switches set. If you were to use DOTR, you would see underneath the operator's name the following field:

TRANS MODELLED YES

If you then added a transaction to the model ABC, the next time XYZ signed on, XYZ would also be authorized to execute the new transaction. If, however, after you modeled XYZ, you went into UOTR and deleted a transaction from XYZ's profile, the transaction modeled switch would then be turned off. Then, if you gave ABC a new transaction, XYZ would not automatically receive it.

Grouping

Grouping overrides automatic modeling at signon. The operator's profile is built from the assigned groups (and exceptions) each time he or she signs on. Therefore, any change to any group assigned to the operator will be reflected at each signon.
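The per-resource modeling switches determine which operators silently pick up a change made to a model, so it helps to see the rule as data before changing a model's access. The following sketch is an added illustration, not BIM-ALERT code: the class and function names are hypothetical, the transaction and program names are constructed, grouping is left out, and it assumes that the model's lists are copied into the operator's profile when the switch is set or turned off.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Resource types that this section says carry a modeling switch.
RESOURCE_TYPES = ("transactions", "programs", "files", "maps", "fields")


@dataclass
class Profile:
    user_id: str
    model_id: Optional[str] = None
    resources: Dict[str, Set[str]] = field(
        default_factory=lambda: {t: set() for t in RESOURCE_TYPES})
    # One independent switch per resource type; True = "same as the model".
    modelled: Dict[str, bool] = field(
        default_factory=lambda: {t: False for t in RESOURCE_TYPES})


class SecurityFile:
    """Toy stand-in for the security file (hypothetical, single-level models)."""

    def __init__(self):
        self.profiles: Dict[str, Profile] = {}

    def add_operator(self, user_id, model_id=None):
        profile = Profile(user_id, model_id)
        if model_id is not None:
            model = self.profiles[model_id]
            for rtype in RESOURCE_TYPES:
                # Assumption: the model's lists are copied at modeling time.
                profile.resources[rtype] = set(model.resources[rtype])
                profile.modelled[rtype] = True
        self.profiles[user_id] = profile
        return profile

    def change_operator(self, user_id, rtype, add=(), delete=()):
        """Online change to one operator (AOTR/UOTR, AOPR/UOPR, ...)."""
        profile = self.profiles[user_id]
        if profile.modelled[rtype]:
            # Assumption: the operator keeps what the model granted so far,
            # then the switch for this resource type only is turned off.
            model = self.profiles[profile.model_id]
            profile.resources[rtype] = set(model.resources[rtype])
            profile.modelled[rtype] = False
        profile.resources[rtype] |= set(add)
        profile.resources[rtype] -= set(delete)

    def signon_access(self, user_id, rtype):
        """Where sign-on gets the authorization list for one resource type."""
        profile = self.profiles[user_id]
        if profile.model_id is not None and profile.modelled[rtype]:
            return frozenset(self.profiles[profile.model_id].resources[rtype])
        return frozenset(profile.resources[rtype])

    def inheritors(self, model_id, rtype):
        """Operators who will pick up a change to the model at next sign-on."""
        return sorted(uid for uid, p in self.profiles.items()
                      if p.model_id == model_id and p.modelled[rtype])


def walk_through():
    """Replays the ABC/XYZ example; resource names are constructed."""
    sf = SecurityFile()
    sf.add_operator("ABC")
    sf.change_operator("ABC", "transactions", add={"INQ1", "UPD1"})
    sf.add_operator("XYZ", model_id="ABC")
    sf.change_operator("ABC", "transactions", add={"PAY1"})     # XYZ inherits
    after_model_add = sf.signon_access("XYZ", "transactions")
    sf.change_operator("XYZ", "transactions", delete={"UPD1"})  # switch off
    sf.change_operator("ABC", "transactions", add={"ADM1"})     # not inherited
    sf.change_operator("ABC", "programs", add={"PAYPGM01"})     # still inherited
    return {
        "after_model_add": after_model_add,
        "transactions": sf.signon_access("XYZ", "transactions"),
        "programs": sf.signon_access("XYZ", "programs"),
        "trans_modelled": sf.profiles["XYZ"].modelled["transactions"],
        "inherit_programs": sf.inheritors("ABC", "programs"),
        "inherit_transactions": sf.inheritors("ABC", "transactions"),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(key, value if isinstance(value, bool) else sorted(value))
```

Running `inheritors` for a model and resource type before an update gives the list of operators whose access will change at their next sign-on.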


Authorizing Transactions for Operators

Operator Authorized Transactions Panel

Purpose

Use the Operator Authorized Transactions panel to add, delete, or display operator authorized transactions.

Add all CICS transactions that are authorized for an operator to the operator's security information by using the AOTR (Add Operator Authorized Transactions) function of this panel. Once transactions have been added, you can delete them by using the UOTR (Update Operator Authorized Transactions) delete function or display them by using the DOTR (Display Operator Authorized Transactions) function.


Access

To display the Operator Authorized Transactions panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction / To Display This Panel / And Then Enter This Information

AOTR Add Operator Authorized Transactions Panel

Enter the user ID and the transactions that the operator is to be authorized to access. Press ENTER to complete the addition process.

If no transactions are added for the operator's authorized transactions, the operator is granted the authority defined with DEFAULT AUTHORITY on the UTOP panel. Refer to the description of the Display Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on operator default authority. Therefore, transaction security is optional for each operator.

Sub-Administrator Authority

Sub-Administrators can authorize only those transactions that they have been authorized to execute. Attempts by sub-administrators to add transactions for which they are not authorized result in errors.

UOTR Update Operator Authorized Transactions Panel

The update function is a delete process because there is no information to be updated for a transaction at the operator level. Therefore, enter the transactions to be deleted from authorized access by the operator. Press ENTER to complete the update (delete) process.

If all transactions are deleted from the operator's authorized transactions by a main administrator, the authorized transactions for the operator revert to the authority defined with DEFAULT AUTHORITY on the UTOP panel, as explained in Chapter 8, "System Parameters".

On the other hand, if all transactions are deleted by a subadministrator, no access to any secured transactions is allowed.

If the updated operator authorized transaction information is to go into effect during the current CICS session, process the ACTO (Activate Secured Operator) function for the operator.

DOTR Display Operator Authorized Transactions Panel

Enter the user ID and press ENTER to display the transactions that the operator is currently authorized to access.


Exceptions to Authorized Group Transactions

If you have assigned one or more groups to an operator's profile, but you need to tailor the operator's profile beyond the group profiles, you can use AOTR and UOTR to do so.

If there are individual transactions for which this operator should be authorized which are not included in any group assigned to this operator, you can use AOTR to add those transactions to the operator.

If there are individual transactions in the assigned groups which this operator should not be authorized to execute, use the UOTR function to delete them from the operator's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the operator (see page 6-35).

Sample Panel

AOTR ** OPERATOR AUTHORIZED TRANSACTIONS ** ADD

USER ID: _________ NAME: ____________________ TRANS MODELLED
- ALERT TRANSACTIONS - ____ ____ ____ ____ ____ ____
- AUTHORIZED TRANSACTIONS -
(rows of four-character transaction entry fields)

GK722 (B)=BASE (P)=PROGS (F)=FILES (M)=MAPS (R)=FLDS (G)=GRPS (N)=NEXT ==>(_)


Field Descriptions

Field Meaning

USER ID The user ID of the operator whose authorized transactions are to be displayed or modified.

NAME The name of the operator whose authorized transactions are to be displayed or modified.

TRANS MODELLED Specifies whether the resources contained in the operator's profile exactly match those in the model's profile.

ALERT TRANSACTIONS A maximum of six user-defined transactions can be put in alert status for each operator. Alert transactions are logged to the violation file each time they are used by the operator. An alert transaction must be a secured transaction (that is, it must show on the DSTR panel).

AUTHORIZED TRANSACTIONS The secured transactions that the operator is authorized to access. Only transactions that have been defined at the system level using the ASTR transaction are eligible to be authorized. BIM-ALERT/CICS generates an error message if you attempt to authorize an unsecured transaction. See page 3-3 for information about defining these transactions to BIM-ALERT.

Securing PA and PF Key Transactions

Transactions can also be started in CICS by pressing a PA or PF key. BIM-ALERT/CICS allows you to enter the special transaction codes PF01 through PF24 and PA01 through PA03 to provide security for PA- or PF-key transactions. Enter PF01 to describe PF key 1, PF02 for PF key 2, and so forth.


Authorizing Programs for Operators

Operator Authorized Programs Panel

Use the Operator Authorized Programs panel to add, delete, or display operator authorizedprograms.

Add all CICS programs that are authorized for an operator to the operator's securityinformation by using the AOPR (Add Operator Authorized Programs) function of this panel.Once programs have been added, you can delete them by using the UOPR (Update OperatorAuthorized Programs) function or display them by using the DOPR (Display OperatorAuthorized Programs) function.

To display the Operator Authorized Programs panel, either move the cursor to the appropriatefield on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER,or enter one of the following transaction codes on any security panel:

Enter ThisTransaction To Display This Panel And Then Enter This Information

AOPR Add Operator AuthorizedPrograms Panel

Enter the user ID and the programs that the operator is to be authorized toaccess. Press ENTER to complete the addition process.

If no programs are added for the operator's authorized programs, theoperator is granted the authority defined with DEFAULT AUTHORITY onthe UTOP panel. Refer to the description of the Display Global SystemParameters for Terminals and Operators panel on page 8-13 for detailedinformation on operator default authority. Therefore, program security isoptional for each operator.

UOPR Update Operator AuthorizedPrograms Panel

The update function is a delete process because there is no information to beupdated for a program at the operator level. Therefore, enter the programsto be deleted from authorized access by the operator and press ENTER tocomplete the update (delete) process.

If all programs are deleted from the operator's authorized programs, theauthorized programs for the operator revert to the authority defined withDEFAULT AUTHORITY on the UTOP panel, as explained in Chapter 8,"System Parameters".

If the updated operator authorized programs information is to go into effectduring the current CICS session, process the ACTO (Activate SecuredOperator) function for the operator.

DOPR Display Operator AuthorizedPrograms Panel

Enter the user ID and press ENTER to display the programs that theoperator is currently authorized to access.


Exceptions to Authorized Group Programs

If you have assigned one or more groups to an operator's profile, but you need to tailor the operator's profile beyond the group profiles, you can use AOPR and UOPR to do so.

If there are individual programs for which this operator should be authorized which are not included in any group assigned to this operator, you can use AOPR to add those programs to the operator.

If there are individual programs in the assigned groups which this operator should not be authorized to execute, use the UOPR function to delete them from the operator's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the operator (see page 6-35).

Sample Panel

AOPR ** OPERATOR AUTHORIZED PROGRAMS ** ADD

USER ID: _________ NAME: ____________________ PROGS MODELLED
- AUTHORIZED PROGRAMS -
________ ________ ________ ________ ________ ________ ________ ________
(further rows of blank program-name entry fields)

GK722 (B)=BASE (T)=TRANS (F)=FILES (M)=MAPS (R)=FLDS (G)=GRPS (N)=NEXT ==>(_)

Field Descriptions

Field / Meaning

USER ID: The user ID of the operator whose authorized programs are to be displayed or modified.

NAME: The name of the operator whose authorized programs are to be displayed or modified.

PROGS MODELLED: Specifies whether the resources contained in the operator's profile exactly match those in the model's profile.

AUTHORIZED PROGRAMS: The secured programs that the operator is authorized to access. Only programs that have been defined at the system level using the ASPR transaction are eligible to be authorized. BIM-ALERT/CICS generates an error message if you attempt to authorize an unsecured program.


Authorizing Files for Operators

Operator Authorized Files Panel

Purpose

Use the Operator Authorized Files panel to add, update, or display operator authorized files.

Add all CICS files that are authorized for an operator to the operator's security information by using the AOFL (Add Operator Authorized Files) function of this panel. Once files have been added, you can update them by using the UOFL (Update Operator Authorized Files) function or display them by using the DOFL (Display Operator Authorized Files) function.

DL/I secured resources are assigned to an operator by using the AOFL transaction. Enter the PSB or segment name under the FILENAME field.

Access

To display the Operator Authorized Files panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction / To Display This Panel / And Then Enter This Information

AOFL: Add Operator Authorized Files Panel

Enter the user ID, the names of the files the operator is authorized to access, and the type of processing permitted for each file (update or inquiry only). Press ENTER to complete the addition process.

If no files are added for the operator's authorized files, the operator is granted the authority defined with the DEFAULT AUTHORITY field on the UTOP panel. Refer to the description of the Display Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on operator default authority.

UOFL: Update Operator Authorized Files Panel

Enter the user ID and filenames or process type update information. Press ENTER to complete the update process. If the file is to be deleted from authorized operator access, enter a D (delete) for the file's process type during the update process.

If all files are deleted from the operator's authorized files, the authorized files for the operator revert to the authority defined with the DEFAULT AUTHORITY field on the UTOP panel, as explained in Chapter 8, "System Parameters".

If the updated operator authorized program information is to go into effect during the current CICS session, process the ACTO (Activate Secured Operator) function for the operator.

DOFL: Display Operator Authorized Files Panel

Enter the user ID and press ENTER to display the files that the operator is currently authorized to access.


Exceptions to Authorized Group Files

If you have assigned one or more groups to an operator's profile, but you need to tailor the operator's profile beyond the group profiles, you can use AOFL and UOFL to do so.

If there are individual files, PSBs, or DL/I segments for which this operator should be authorized which are not included in any group assigned to this operator, you can use AOFL to add those files to the operator.

If there are individual files, PSBs, or DL/I segments in the assigned groups which this operator should not be authorized to execute, use the UOFL function to delete them from the operator's profile or change the access level.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the operator (see page 6-35).

Sample Panel

AOFL ** OPERATOR AUTHORIZED FILES ** ADD

USER ID: _________ NAME: ____________________ FILES MODELLED
- AUTHORIZED FILES -
FILENAME PROCESS   FILENAME PROCESS   FILENAME PROCESS   FILENAME PROCESS
________ _         ________ _         ________ _         ________ _
(further rows of blank filename and process entry fields)

GK722 (B)=BASE (T)=TRANS (P)=PROGS (M)=MAPS (R)=FLDS (G)=GRPS (N)=NEXT ==>(_)


Field Descriptions

Field / Meaning

USER ID: The user ID of the operator whose authorized files are to be displayed or modified.

NAME: The name of the operator whose authorized files are to be displayed or modified.

FILES MODELLED: Specifies whether the resources contained in the operator's profile exactly match those in the model's profile.

FILENAME: The secured files that are accessible by this operator. Only files that have been defined at the system level using the ASFL transaction are eligible to be authorized. BIM-ALERT/CICS generates an error message if you attempt to authorize an unsecured file.

PROCESS: The type of processing authorized for the file, as follows:

D Delete the file from authorized operator access (update only).
I Restrict the operator to inquiry only.
U Allow the operator to both display and update the file.


Authorizing Maps for Operators

Operator Map Security Panel

Purpose

Use the Operator Map Security panel to add, delete, or display operator map security.

Add all CICS maps that are restricted for an operator to the operator's security information by using the AOMP (Add Operator Map Security) function of this panel. Once maps have been added, you can delete them by using the UOMP (Update Operator Map Security) delete function or display them by using the DOMP (Display Operator Map Security) function.

Access

To display the Operator Map Security panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction / To Display This Panel / And Then Enter This Information

AOMP: Add Operator Map Security Panel

Enter the user ID, mapname, and reference number of the map restrictions that apply for the operator. Press ENTER to complete the addition process.

If no maps are added for the operator's restricted maps, no map restrictions are in effect for the operator. Therefore, map security is optional for each operator.

UOMP: Update Operator Map Security Panel

The update function is a delete process because there is no information to be updated for a map at the operator level. Therefore, enter the mapnames and reference numbers of the maps to be deleted from restricted access by the operator and press ENTER to complete the update (delete) process.

If all maps are deleted from the operator's restricted maps, the restricted maps for the operator revert to no map restrictions.

If the updated Operator Map Security function is to go into effect during the current CICS session, process the ACTO (Activate Secured Operator) function for the operator.

DOMP: Display Operator Map Security Panel

Enter the user ID and press ENTER to display the map restrictions that are currently in effect for the operator.

Exceptions to Authorized Group Maps

If you have assigned one or more groups to an operator's profile, but you need to tailor the operator's profile beyond the group profiles, you can use AOMP and UOMP to do so.

If there are individual maps for which this operator should be restricted which are not included in any group assigned to this operator, you can use AOMP to add those maps to the operator.


If there are individual maps in the assigned groups which this operator should not be restricted from accessing, use the UOMP function to delete them from the operator's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the operator (see page 6-35).

Sample Panel

AOMP ** OPERATOR MAP SECURITY ** ADD

USER ID: _________ NAME: ____________________ MAPS MODELLED:
- DISPLAY RESTRICTIONS -
MAPNAME REF. #   MAPNAME REF. #   MAPNAME REF. #   MAPNAME REF. #
_______ ____     _______ ____     _______ ____     _______ ____
(further rows of blank mapname and reference number entry fields)

GK722 (B)=BASE (T)=TRANS (P)=PROGS (F)=FILES (R)=FLDS (G)=GRPS (N)=NEXT ==>(_)

Field Descriptions

Field / Meaning

USER ID: The user ID of the operator whose restricted maps are to be displayed or modified.

NAME: The name of the operator whose restricted maps are to be displayed or modified.

MAPS MODELLED: Specifies whether the resources contained in the operator's profile exactly match those in the model's profile.

MAPNAME: The name of the map containing restrictions for this operator. Only maps that have been defined at the system level using the ASMP transaction are eligible to be restricted. BIM-ALERT/CICS generates an error message if you attempt to restrict an unsecured map.

REF. #: The number used to reference the version of map restrictions that apply for this operator. This number is assigned by BIM-ALERT/CICS at the time the map restrictions are defined. Use the DSMP transaction to determine the reference number for any given map.


Authorizing Field-Level Resources for Operators

Operator Authorized Field Resources Security Panel

Purpose

Use the Operator Authorized Field Resources Security panel to add, delete, or display operator authorized field-level resources.

Add all field-level resources that are authorized for an operator to the operator's security information by using the AOFS (Add Operator Field Security) function of this panel. Once field-level resources have been added, you can delete them by using the UOFS (Update Operator Field Security) delete function or display them by using the DOFS (Display Operator Field Security) function.


Access

To display the Operator Authorized Field Resources panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction / To Display This Panel / And Then Enter This Information

AOFS: Add Operator Authorized Field Resources Panel

Enter the user ID and the authorized field-level resources to be assigned to the operator. Press ENTER to complete the addition process.

If no field-level resources are added for the operator's authorized field-level resources, the operator is authorized to access all field-level resources. Therefore, field-level security is optional for each operator. The security administrator can override this open-system structure. (Refer to the description of the Display Global System Parameters for Terminals and Operators panel on page 8-13 for detailed information on operator default authority.)

UOFS: Update Operator Authorized Field Resources Panel

The update function is a delete process because there is no information to be updated for a field-level resource at the operator level. Therefore, enter the group number and the field-level resources to be deleted from authorized access by the operator and press ENTER to complete the update (delete) process.

If all field-level resources are deleted from the group's authorized field-level resources, the authorized resources for the operator revert to the authority defined by default authority, as explained in Chapter 8, "System Parameters".

If the updated Operator Authorized Field Resources information is to go into effect during the current CICS session, have the operator sign on, or process the ACTO (Activate Secured Operator) function for the operator.

DOFS: Display Operator Authorized Field Resources Panel

Enter the user ID and press ENTER to display the field-level resources the operator is currently authorized to access.


Exceptions to Authorized Group Fields

If you have assigned one or more groups to an operator's profile, but you need to tailor the operator's profile beyond the group profiles, you can use AOFS and UOFS to do so.

If there are individual field-level resources for which this operator should be authorized which are not included in any group assigned to this operator, you can use AOFS to add those resources to the operator.

If there are individual field-level resources in the assigned groups which this operator should not be authorized to access, use the UOFS function to delete them from the operator's profile.

BIM-ALERT/CICS remembers these exceptions to the grouped resources as changes are made and maintains the integrity of the changes. If you want to remove the exceptions later, you can do so by regrouping the operator (see page 6-35).

Sample Panel

AOFS ** OPERATOR FIELD LEVEL SECURITY ** ADD

USER ID: _________ NAME: ____________________ FIELDS MODELLED:
- AUTHORIZED RESOURCES -
________ ________ ________ ________ ________ ________ ________ ________
(further rows of blank field-resource entry fields)

GK723 ENTER THE USER ID AND FIELD RSRC.(S) TO BE ADDED

Field Descriptions

Field / Meaning

USER ID: The user ID of the operator whose authorized field-level resources are to be displayed or modified.

NAME: The name of the operator whose authorized field-level resources are to be displayed or modified.

FIELDS MODELLED: Specifies whether the resources contained in the operator's profile exactly match those in the model's profile.

AUTHORIZED RESOURCES: The secured field-level resources that are accessible by this operator. Only field-level resources that have been defined at the system level using ASFF or ASFM can be authorized. BIM-ALERT/CICS generates an error if you attempt to assign unsecured field resources.


Assigning Groups to Operators

Operator Groups Panel

Purpose

Use the Operator Groups panel to add, delete, or display operator groups.

Add all groups that are assigned for an operator to the operator's security information by using the AOGR (Add Operator Groups) function of this panel. Once groups have been added, you can delete them by using the UOGR (Update Operator Groups) delete function or display them by using the DOGR (Display Operator Groups) function.

Access

To display the Operator Groups panel, either move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER, or enter one of the following transaction codes on any security panel:

Enter This Transaction / To Display This Panel / And Then Enter This Information

AOGR: Add Operator Groups Panel

Enter the user ID and the groups to be assigned to the operator. If you want ALERT transactions to be assigned to this operator from a defined group, enter the group number in the ALERT TRANSACTION GROUP field. Press ENTER to complete the addition process.

Assigning groups to an operator is optional. If you want to maintain operator profiles at the individual resource level, use the appropriate functions to add and update the operator profile at the resource level, and do not assign groups to the operator.

UOGR: Update Operator Groups Panel

The update function is a delete process because there is no information to be updated for a group at the operator level. Therefore, enter the user ID and the groups to be deleted from the operator's profile and press ENTER to complete the update (delete) process.

If all groups are deleted from the operator's profile, no resources of any type will be authorized for the operator.

If the updated operator group information is to go into effect during the current CICS session, have the operator sign on, or process the ACTO (Activate Secured Operator) function for the operator.

DOGR: Display Operator Groups Panel

Enter the user ID and press ENTER to display the groups currently assigned to the operator.


Sample Panel

AOGR ** OPERATOR GROUPS ** ADD

USER ID: _________ NAME: ____________________ FORCED REGROUP: N

- - - OPERATOR GROUPS - - -
GROUP     GROUP     GROUP     GROUP
_________ _________ _________ _________
_________ _________ _________ _________
_________ _________ _________ _________
_________ _________ _________ _________

ALERT TRANSACTION GROUP = = = > _________

CLEAR=EXIT PF3=MENU3

GK723 ENTER THE USER ID AND TRANSACTION(S) TO BE ADDED

Field Descriptions

Field / Meaning

USER ID: The user ID of the operator whose groups are to be displayed or modified.

NAME: The name of the operator whose groups are to be displayed or modified.

FORCED REGROUP: Either Y or N, specifying whether a regroup will be forced to eliminate any exceptions to group-defined security that were defined by adding or deleting individual resources from the operator profile. Y forces a regroup; N does not.

For example, suppose you had run AOTR to add a transaction after adding one or more groups to an operator. BIM-ALERT/CICS remembers that the transaction is authorized for the operator in addition to the resources authorized by the operator's assigned groups. To eliminate the additional transaction and modify the operator's security profile to include only group-defined security, enter Y in the FORCED REGROUP field. The operator's profile will be reconfigured to eliminate all exceptional conditions.

OPERATOR GROUPS: Defines the groups assigned to the operator. Up to 32 groups of resources can be assigned to each operator.

ALERT TRANSACTION GROUP: Defines the group in which the alert transactions for this operator are defined. Because only six alert transactions can be defined for an operator, any alert transactions for an operator with groups assigned must be in the same group. This lets BIM-ALERT avoid deciding which six transactions to use if the groups assigned to the operator contain more than six alert transactions. The alert transaction group can also contain normal authorized transactions.
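The FORCED REGROUP behaviour described above can be pictured with a small model, added here as an illustration and not taken from BIM-ALERT/CICS itself: an operator's effective profile is the group-defined resources plus individual additions minus individual deletions, and a forced regroup discards both sets of exceptions. The data layout, user IDs, group names and resource names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OperatorProfile:
    """Assumed layout: groups plus remembered per-operator exceptions."""
    user_id: str
    groups: list = field(default_factory=list)   # groups assigned with AOGR
    added: set = field(default_factory=set)      # individual additions (AOTR, AOPR, ...)
    deleted: set = field(default_factory=set)    # individual deletions (UOPR, ...)


def group_defined(profile, group_defs):
    """Resources the operator receives purely from the assigned groups."""
    resources = set()
    for name in profile.groups:
        resources |= group_defs.get(name, set())
    return resources


def effective(profile, group_defs):
    """Group-defined security with the remembered exceptions applied."""
    return (group_defined(profile, group_defs) | profile.added) - profile.deleted


def exceptions(profile, group_defs):
    """Differences between the effective profile and group-defined security.

    Computed from the two sets, so adding a resource that a group already
    grants, or deleting one that no group grants, is not reported.
    """
    base = group_defined(profile, group_defs)
    eff = effective(profile, group_defs)
    return {
        "beyond_groups": sorted(eff - base),
        "withheld_from_groups": sorted(base - eff),
    }


def forced_regroup(profile):
    """FORCED REGROUP = Y: keep only group-defined security."""
    profile.added.clear()
    profile.deleted.clear()


def review_before_regroup(profiles, group_defs):
    """List every operator whose access a forced regroup would change."""
    report = {}
    for profile in profiles:
        found = exceptions(profile, group_defs)
        if found["beyond_groups"] or found["withheld_from_groups"]:
            report[profile.user_id] = found
    return report


if __name__ == "__main__":
    # Constructed sample data.
    group_defs = {"TELLER": {"TINQ", "TUPD"}, "REPORTS": {"RPT1"}}
    oper01 = OperatorProfile("OPER01", ["TELLER"])
    oper01.added.add("ADJ1")      # granted individually after grouping
    oper01.deleted.add("TUPD")    # withheld although the group grants it
    oper02 = OperatorProfile("OPER02", ["REPORTS"])

    print(review_before_regroup([oper01, oper02], group_defs))
    group_defs["TELLER"].add("TNEW")          # the group changes later
    print(sorted(effective(oper01, group_defs)))   # exceptions still applied
    forced_regroup(oper01)
    print(sorted(effective(oper01, group_defs)))   # group-defined only
```

Running the review before entering Y in FORCED REGROUP shows which individually granted or withheld resources each operator would lose or regain.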


Chapter 7. Activation and Deactivation of Secured Resources

This chapter explains how to activate and deactivate security for resources.

Introduction
    About Activation and Deactivation

Activating or Deactivating Terminals
    Activate Secured Terminal Panel
    Deactivate Secured Terminal Panel

Activating or Deactivating Operators
    Activate Secured Operator Panel
    Deactivate Secured Operator Panel

Activating or Deactivating Transactions
    Activate Secured Transaction Panel
    Deactivate Secured Transaction Panel

Activating or Deactivating Programs
    Activate Secured Program Panel
    Deactivate Secured Program Panel

Activating or Deactivating Files
    Activate Secured File Panel
    Deactivate Secured File Panel

Activating or Deactivating Maps
    Activate Secured Map Panel
    Deactivate Secured Map Panel

Activating or Deactivating Field-Level Resources
    Activate Secured Field Resource Panel
    Deactivate Secured Field Resource Panel


Introduction

About Activation and Deactivation

Purpose of Activation and Deactivation

The purpose of the activation and deactivation functions is to alter the initial security information used during BIM-ALERT/CICS start-up by allowing new resources to be immediately added to security or current resources to be immediately updated or deleted while CICS is still active.

All secured resources including terminals, operators, transactions, programs, files, map restrictions, and field-level resources can be activated or deactivated.

Activation

The activation process permits new resources to be secured or current resources to be modified during the current CICS session. This process replaces any information loaded in the current CICS session with the information currently on file for the system, terminal, or operator resources. Thus, if a new resource is to be added or a current resource is to be modified, use the appropriate BIM-ALERT/CICS administrative function to accomplish this. Then complete the activation process to update the resource during the current CICS session.

The number of new resources that can be activated is limited by the number of extra entries specified in the EXTRA ENTRIES field of the System Parameters (UPAR) panel (see page 8-6).

Deactivation

The deactivation process immediately removes a resource from any further security monitoring by changing its status from active to disabled. Deactivating a resource without also changing its status on file disables the resource only for the current CICS session. To disable a resource permanently and immediately, change the status of the resource on file to disabled and also deactivate the resource.

If a system resource (such as a transaction) is deactivated, it is no longer monitored by the security system. Thus, any terminal or operator can access that resource. If a terminal resource is deactivated, BIM-ALERT defaults to the security process supplied through CICS. Deactivating an operator forces the operator to a signed-off status. It does not prohibit the operator from logging on to the system unless the operator's status has been changed to D or K. (Of course, even a disabled and deactivated operator could still access CICS through a terminal that does not require operator sign-on.)
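The relationship between the security file and the running CICS session can be modelled as follows, with a check for differences between the two. This is an added illustration, not BIM-ALERT/CICS code: it assumes every record on file receives a table slot at start-up and that only resources added to the file afterwards consume EXTRA ENTRIES; resource names and the record layout are constructed.

```python
import copy


class ExtraEntriesExhausted(Exception):
    """No spare table slot is left for a resource added since start-up."""


class SecuredResourceTable:
    """'file' is the security file; 'table' is what the session enforces."""

    def __init__(self, file_records, extra_entries):
        # file_records: name -> {"status": "A" or "D", "definition": {...}}
        self.file = file_records
        self.extra_entries = extra_entries   # EXTRA ENTRIES from the UPAR panel
        self.start_up()

    def start_up(self):
        """Start-up: load the session table from the file (assumed layout)."""
        self.table = {
            name: {"definition": copy.deepcopy(rec["definition"]),
                   "monitored": rec["status"] == "A"}
            for name, rec in self.file.items()
        }
        self.extra_left = self.extra_entries

    def activate(self, name):
        """Replace the loaded information with what is currently on file."""
        rec = self.file[name]
        if name not in self.table:           # new since start-up
            if self.extra_left == 0:
                raise ExtraEntriesExhausted(name)
            self.extra_left -= 1
        self.table[name] = {"definition": copy.deepcopy(rec["definition"]),
                            "monitored": True}

    def deactivate(self, name):
        """Stop monitoring for this session only; the file is untouched."""
        self.table[name]["monitored"] = False

    def drift(self):
        """Differences between the file and the session, as (name, reason)."""
        findings = []
        for name in sorted(self.file):
            rec, live = self.file[name], self.table.get(name)
            if live is None:
                findings.append((name, "on_file_not_loaded"))
                continue
            if live["definition"] != rec["definition"]:
                findings.append((name, "file_update_not_activated"))
            if live["monitored"] != (rec["status"] == "A"):
                findings.append((name, "session_status_differs_from_file"))
        return findings


if __name__ == "__main__":
    # Constructed sample records.
    records = {
        "PAYR": {"status": "A", "definition": {"operators": ["OPER01"]}},
        "INVQ": {"status": "A", "definition": {"operators": ["OPER02"]}},
    }
    session = SecuredResourceTable(records, extra_entries=1)
    records["PAYR"]["definition"]["operators"].append("OPER03")  # file update only
    session.deactivate("INVQ")                                   # session change only
    print(session.drift())
    session.activate("PAYR")
    session.start_up()            # next start-up: INVQ is monitored again
    print(session.drift())
```

A "session_status_differs_from_file" finding on a deactivated resource is the case the text warns about: the resource is unmonitored now and returns to its on-file status at the next start-up.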


Activating or Deactivating Terminals

Activate Secured Terminal Panel

Purpose

Use the Activate Secured Terminal panel to activate a new terminal's security information or to update an existing terminal's security information during the current CICS session. Use this panel to perform the following functions:

• Re-activate a terminal that has been prohibited system access because it has exceeded the maximum number of attempted violations.

• Activate security processing for a terminal that has been added to the security file during the current CICS session.

• Activate security processing during the current CICS session for a terminal that has been previously added to the Terminal Security Information file with a D (disabled) status. If the terminal is to be permanently activated, change the status to A (active) on the security file using the UTSI transaction.

• Place updates to an existing terminal's security information into effect during the current CICS session. Update the terminal's security information on the security file before the terminal is activated.

• If a terminal's security information is updated on the security file but is not activated, the updated information is not effective until BIM-ALERT/CICS is reinitialized and the terminal security table is refreshed.

Any number of existing terminals can be updated and activated during a single CICS session.The number of new terminals that can be activated during a CICS session is limited by numberof extra entries specified in the EXTRA ENTRIES field of the System Parameters (UPAR)panel (see page 8-6).

To display the Activate Secured Terminal panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICSTerminal/Operator/Group Functions menu and press ENTER.

• Enter ACTT (Activate Secured Terminal) on any security panel.

Purpose

Number Allowed

Access

Page 150: CICS EXTERNAL SECURITY SYSTEM SECURITY … · ALERT/CICS. Subject Manual Installation The BIM-ALERT Installation and Operations Guide explains how to install and maintain BIM-ALERT/VSE

Activate Secured Terminal Panel Activating or Deactivating Terminals

7-4 Security Administrator's Guide

ACTT ** ACTIVATE SECURED TERMINAL ** ACTIVATE

ENTER THE TERMINAL IDENTIFICATION OF THE TERMINAL TO BE ACTIVATED: __________

Instead of using the Activate Secured Terminal panel, you can use the following transactionsstandalone to activate terminals and operators, to check who is logged onto CICS, and tosearch the security database for userids:

• ACTT• ACTO• USER• SRCH

You can set up these transactions to be accessed independently of the SCTY securitytransaction. Take these steps to make these functions act as independent transactions:

Step Action

1 Define the ACTT, ACTO, SRCH, or USER function using either of the followingmethods:• CEDA• Updating the Program Control Table (PCT) for this CICS region

Each transaction must point to program S1S566U.

2 Use the SCTY ASTR transaction to add the ACCT, ACTO, or USER transactionIDs to BIM-ALERT/CICS as secured resources.

3 Add these transactions to the user profiles of the CICS user requiring thesefunctions.

Sample Panel

Alternative toUsing the ActivateSecured TerminalPanel

Page 151: CICS EXTERNAL SECURITY SYSTEM SECURITY … · ALERT/CICS. Subject Manual Installation The BIM-ALERT Installation and Operations Guide explains how to install and maintain BIM-ALERT/VSE

Activating or Deactivating Terminals Deactivate Secured Terminal Panel

Chapter 7. Activation and Deactivation of Secured Resources 7-5

Deactivate Secured Terminal Panel

Purpose

Use the Deactivate Secured Terminal panel to immediately remove a terminal from any further security monitoring by BIM-ALERT/CICS during the current CICS session.

Usage Note

The deactivation process temporarily removes the terminal from any further security monitoring by BIM-ALERT/CICS. After a terminal has been deactivated, security processing defaults to the IBM-supplied version of CICS security. To permanently deactivate a terminal's security from BIM-ALERT/CICS monitoring, change the status of the terminal from A (active) to D (disabled) using the UTSI transaction.

Access

To display the Deactivate Secured Terminal panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER.

• Enter DATM (Deactivate Secured Terminal) on any security panel.

Sample Panel

DATM ** DEACTIVATE SECURED TERMINAL ** DEACTIVATE

ENTER THE TERMINAL IDENTIFICATION OF THE TERMINAL TO BE DEACTIVATED: __________

Activating or Deactivating Operators

Activate Secured Operator Panel

Purpose

Use the Activate Secured Operator panel to activate a new operator's security information, or update an existing operator's security information by forcing a new sign-on. Use this panel to perform any of the following functions:

• Activate security information for a new operator.

• Re-activate an operator that has been prohibited system access because the maximum number of attempted violations was exceeded.

• Force an operator to sign on again and thereby put into effect all updates to his or her profile. If an operator's security information is updated in the security file while he or she is signed on but the operator is not activated, the updated information will not go into effect until the operator signs off and then signs on again.

Number Allowed

Any number of operators may be added, updated, activated, or deactivated during a single CICS session.

Access

To display the Activate Secured Operator panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER.

• Enter ACTO (Activate Secured Operator) on any security panel.

Sample Panel

ACTO ** ACTIVATE SECURED OPERATOR ** ACTIVATE

ENTER THE USER ID OF THE OPERATOR TO BE ACTIVATED: _________

Deactivate Secured Operator Panel

Purpose

Use the Deactivate Secured Operator panel to immediately sign an operator off the CICS system.

Prohibiting Access

The deactivation process forces an operator to a signed-off status. It does not prohibit the operator from accessing the system. To prohibit an operator from logging on, the administrator must take the steps shown in the following table:

Step  Action

1     Execute the UAUP function and update the operator's status to D (Disabled) or K (Keep but prohibit sign-on).

2     Execute the DAOP function to force the operator off the system immediately. The operator will not be able to log back on until his or her status is changed back to A (Active) by the administrator.

Access

To display the Deactivate Secured Operator panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Terminal/Operator/Group Functions menu and press ENTER.

• Enter DAOP (Deactivate Secured Operator) on any security panel.

Sample Panel

DAOP ** DEACTIVATE SECURED OPERATOR ** DEACTIVATE

ENTER THE USER ID OF THE OPERATOR TO BE DEACTIVATED: _________

Activating or Deactivating Transactions

Activate Secured Transaction Panel

Purpose

Use the Activate Secured Transaction panel to activate a new transaction's security information or update an existing transaction's security information during the current CICS session. Use this panel to perform the following functions:

• Activate security processing for a transaction that has been added using ASTR during the current CICS session.

• Activate security processing during the current CICS session for a transaction that has been previously added to the file with a D (disabled) status. If the transaction is to be permanently activated, change the status to A (active) on the file.

• Place updates to an existing transaction's security information into effect during the current CICS session. Update the transaction's security information using USTR before activating the new transaction security information.

If a transaction is updated using USTR but is not activated, the updated information is not effective until BIM-ALERT/CICS is reinitialized and the transaction security table is refreshed.

Number Allowed

Any number of existing transactions can be updated and activated during a single CICS session. The number of new transactions that can be activated during a CICS session is controlled by the EXTRA ENTRIES field of the UPAR panel.

Access

To display the Activate Secured Transaction panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter ATRN (Activate Secured Transaction) on any security panel.

Sample Panel

ATRN ** ACTIVATE SECURED TRANSACTION ** ACTIVATE

ENTER THE TRANSACTION CODE OF THE THE TRANSACTION TO BE ACTIVATED: ____

Deactivate Secured Transaction Panel

Purpose

Use the Deactivate Secured Transaction panel to immediately remove a transaction from any further security monitoring by BIM-ALERT/CICS during the current CICS session.

Usage Note

The deactivation process temporarily removes the transaction from further security monitoring during the current CICS session. If security for a transaction is to be permanently disabled, change the status of the transaction to D (disabled) using USTR.

Access

To display the Deactivate Secured Transaction panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter DTRN (Deactivate Secured Transaction) on any security panel.

Sample Panel

DTRN ** DEACTIVATE SECURED TRANSACTION ** DEACTIVATE

ENTER THE TRANSACTION CODE OF THE THE TRANSACTION TO BE DEACTIVATED: ____

Activating or Deactivating Programs

Activate Secured Program Panel

Purpose

Use the Activate Secured Program panel to activate a new program's security information or update an existing program's security information during the current CICS session. Use this panel to perform the following functions:

• Activate security processing for a program that has been added using ASPR during the current CICS session.

• Activate security processing during the current CICS session for a program that has been previously added to the file with a D (disabled) status. If the program is to be permanently activated, change the status to A (active) on the file.

• Place updates to an existing program's security information into effect during the current CICS session. Update the program's security information using USPR before activating the program's security information.

Number Allowed

Any number of existing programs can be updated and activated during a single CICS session. The number of new programs that can be activated during a CICS session is controlled by the EXTRA ENTRIES field on the UPAR panel.

Usage Note

If a program is updated using USPR but is not activated, the updated information is not effective until BIM-ALERT/CICS is reinitialized and the program security table is refreshed.

Access

To display the Activate Secured Program panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter APRG (Activate Secured Program) on any security panel.

Sample Panel

APRG ** ACTIVATE SECURED PROGRAM ** ACTIVATE

ENTER THE NAME OF THE PROGRAM TO BE ACTIVATED: ________

Deactivate Secured Program Panel

Purpose

Use the Deactivate Secured Program panel to immediately remove a program from any further security monitoring by BIM-ALERT/CICS during the current CICS session.

Usage Note

The deactivation process removes the program from further security monitoring only temporarily, during the current CICS session. If security for a program is to be permanently disabled, change the status of the program to D (disabled) using USPR.

Access

To display the Deactivate Secured Program panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter DPRG (Deactivate Secured Program) on any security panel.

Sample Panel

DPRG ** DEACTIVATE SECURED PROGRAM ** DEACTIVATE

ENTER THE NAME OF THE PROGRAM TO BE DEACTIVATED: ________

Activating or Deactivating Files

Activate Secured File Panel

Purpose

Use the Activate Secured File panel to activate a new file's security information or update an existing file's security information during the current CICS session. Use this panel to perform the following functions:

• Activate security processing for a file that has been added using ASFL during the current CICS session.

• Activate security processing during the current CICS session for a file that has been previously added to the file with a D (disabled) status. If the file is to be permanently activated, change the status to A (active) on the file.

• Place updates to an existing file's security information into effect during the current CICS session. Update the file's security information using USFL before activating the existing security information.

DL/I Secured Resources

DL/I secured resources are activated by entering the PSB or segment name instead of the filename.

Number Allowed

Any number of existing files can be updated and activated during a single CICS session. The number of new files that can be activated during a CICS session is controlled by the EXTRA ENTRIES field on the UPAR panel.

Usage Note

If a file is updated using USFL but is not activated, the updated information is not effective until BIM-ALERT/CICS is reinitialized and the file security table is refreshed.

Access

To display the Activate Secured File panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter AFIL (Activate Secured File) on any security panel.

Sample Panel

AFIL ** ACTIVATE SECURED FILE ** ACTIVATE

ENTER THE NAME OF THE FILE TO BE ACTIVATED: ________

Deactivate Secured File Panel

Purpose

Use the Deactivate Secured File panel to immediately remove a file from any further security monitoring by BIM-ALERT/CICS during the current CICS session.

DL/I Secured Resources

DL/I secured resources are deactivated by entering the PSB or segment name instead of the filename.

Usage Note

The deactivation process removes the file from further security monitoring only temporarily, during the current CICS session. If security for a file is to be permanently disabled, change the status of the file to D (disabled) using USFL.

Access

To display the Deactivate Secured File panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter DFIL (Deactivate Secured File) on any security panel.

Sample Panel

DFIL ** DEACTIVATE SECURED FILE ** DEACTIVATE

ENTER THE NAME OF THE FILE TO BE DEACTIVATED: ________

Activating or Deactivating Maps

Activate Secured Map Panel

Purpose

Use the Activate Secured Map panel to activate a new map's security information or update an existing map's security information during the current CICS session. Use this panel to perform the following functions:

• Activate security processing for a map that has been added using ASMP during the current CICS session.

• Activate security processing during the current CICS session for a map that has been previously added to the file with a D (disabled) status. If the map is to be permanently activated, change the status to A (active) on the file.

• Place updates to an existing map's security information into effect during the current CICS session. Update the map's security information using USMP before activating the map's security information.

Number Allowed

Any number of existing maps can be updated and activated during a single CICS session. The number of new maps that can be activated during a CICS session is controlled by the EXTRA ENTRIES field on the UPAR panel.

Usage Note

If a map is updated using USMP but is not activated, the updated information is not effective until BIM-ALERT/CICS is reinitialized and the map security table is refreshed.

Access

To display the Activate Secured Map panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter AMAP (Activate Secured Maps) on any security panel.

Sample Panel

AMAP ** ACTIVATE SECURED MAP ** ACTIVATE

ENTER THE MAP NAME: _______ AND REFERENCE NUMBER: ____ OF THE MAP TO BE ACTIVATED

Deactivate Secured Map Panel

Purpose

Use the Deactivate Secured Map panel to immediately remove a map from any further security monitoring by BIM-ALERT/CICS during the current CICS session.

Usage Note

The deactivation process removes the map from further security monitoring only temporarily, during the current CICS session. If security for a map is to be permanently disabled, change the status of the map to D (disabled) using USMP.

Access

To display the Deactivate Secured Map panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter DMAP (Deactivate Secured Maps) on any security panel.

Sample Panel

DMAP ** DEACTIVATE SECURED MAP ** DEACTIVATE

ENTER THE MAP NAME: _______ AND REFERENCE NUMBER: ____ OF THE MAP TO BE DEACTIVATED

Activating or Deactivating Field-Level Resources

Activate Secured Field Resource Panel

Purpose

Use the Activate Secured Field Resource panel to activate a new field-level resource's security information or update an existing field-level resource's security information during the current CICS session. Use this panel to perform the following functions:

• Activate security processing for a field resource that has been added using ASFF or ASFM during the current CICS session.

• Activate security processing during the current CICS session for a field resource that has been previously added to the file with a D (disabled) status. If the field resource is to be permanently activated, change the status to A (active) on the file.

• Place updates to an existing field resource's security information into effect during the current CICS session. Update the field resource's security information using USFF or USFM before activating the field resource's security information.

Number Allowed

Normally, any number of existing field-level resources can be updated and activated during a single CICS session. However, if multiple segments are added to an existing resource with long data fields, then you may not be able to activate the resources during the current CICS session.

The number of new field-level resources that can be activated during a CICS session is controlled by the EXTRA ENTRIES field on the UPAR panel, and the number and size of the segments on the field-level resource.

Usage Note

If a field resource is updated using USFF or USFM but is not activated, the updated information is not effective until BIM-ALERT/CICS is reinitialized and the field resource security table is refreshed.

Access

To display the Activate Secured Field Resource panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter AFLD (Activate Secured Field Resource) on any security panel.

Sample Panel

AFLD ** ACTIVATE SECURED FIELD RESOURCE ** ACTIVATE

ENTER THE RESOURCE NAME: ________ AND REAL NAME: ________ OF THE RESOURCE TO BE ACTIVATED

Deactivate Secured Field Resource Panel

Purpose

Use the Deactivate Secured Field Resource panel to immediately remove a field resource from any further security monitoring by BIM-ALERT/CICS during the current CICS session.

Usage Note

The deactivation process removes the field resource from further security monitoring only temporarily, during the current CICS session. If security for a field resource is to be permanently disabled, change the status of the field resource to D (disabled) using USFF or USFM.

Access

To display the Deactivate Secured Field Resource panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter DFLD (Deactivate Secured Field Resource) on any security panel.

Sample Panel

DFLD ** DEACTIVATE SECURED FIELD RESOURCE ** DEACTIVATE

ENTER THE RESOURCE NAME: ________ AND REAL NAME: ________ OF THE RESOURCE TO BE DEACTIVATED

Chapter 8. System Parameters

This chapter describes BIM-ALERT/CICS system parameters.

Global System Parameters Panel
    Using The Panel
    Sample Panel
    Field Descriptions

Global System Parameters for Terminals and Operators
    Using the Panel
    Sample Panel
    Field Descriptions

System Security Specifications Panel
    Using the Panel
    Sample Panel
    Changing System Security Specifications
    Field Descriptions


Global System Parameters Panel

Using The Panel

Purpose

Use the Global System Parameters panel to specify the system parameters to be used during security processing. These parameters are global and apply to the entire CICS system using this S1SCTY file.

Changing System Parameters Immediately

Specify these system parameters after BIM-ALERT/CICS has been installed. The parameters can be changed at any time during CICS processing. By entering a Y in the IMPLEMENT CHANGES IMMEDIATELY? field, all parameters except the following can be put into effect immediately, without reinitializing the BIM-ALERT/CICS security tables:

• USER EXITS REQ

• DYN. TERMINALS

• DUMMY TERM NAME

• EXTRA ENTRIES

• CONTROL SUFFIX

Response Field

To the right of each field on the Global System Parameters panel is a response field. This field provides information so that you can quickly correct errors. All fields are validated each time the panel is changed. If message GK110 is displayed at the bottom of the panel, you must press ENTER to update again. No input is accepted while GK110 is displayed. Response messages are described with each field below. The normal response is <-- VALID.

Access

To display the System Parameter panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter one of the following transaction codes on any security panel:

Enter This Transaction    To Display This Panel

DPAR                      Display System Parameters Panel

UPAR                      Update System Parameters Panel


Sample Panel

UPAR 5.0A            BIM-ALERT/CICS SYSTEM PARAMETERS                   UPDATE

<= = = VIOLATION INFORMATION = = =>    <= = = = PASSWORD INFORMATION = = = =>
MAX VIOLATIONS ... ( 010 )             NEW PSWD NOTIFICATION ( 005 )
MAX CONSECUTIVE .. ( 003 )             ASSIGNED BY BIM-ALERT ( YES )
DISP. ON CONSOLE . ( NO )

<= = INITIALIZATION INFORMATION = =>   <= = = PROCESSING INFORMATION = = =>
CONTROL SUFFIX ..... ( 1 )             SECURE ALL TERMINALS ( NO )
EXTRA ENTRIES .... ( 010 )             SECURE ALL TRANS .... ( NO )
USER EXITS REQ ... ( NO )              SECURE ALL PROGRAMS . ( NO )
DYN. TERMINALS . ( 00020 )             SECURE ALL FILES .... ( NO )
DUMMY TERM NAME . ( L080 )             FORCE DELAY . ( 00 HR 00 MIN)
DATE FORMAT ........ ( U )             IF FORCED DISPLAY .. ( CSSN )
                                       OPER STAT / MAX VIOL .. ( V )
                                       GROUP STAT / MAX VIOL . ( V )
                                       SIGNON MESSAGE DELAY .. ( 3 )
UNSEC TERM PGM . ( ________ ) DEFAULT ADMIN . ( A )

IMPLEMENT CHANGES IMMEDIATELY? ============> N
ENTER "X" FOR TERMINAL / OPERATOR FUNCTIONS ===> _
GK703 ENTER PROCESSING PARAMETER UPDATES ... PRESS ENTER


Field Descriptions

VIOLATION INFORMATION

Use these fields to specify the maximum number of violations allowed per terminal.

MAX VIOLATIONS

Enter the maximum number of violations that can occur on any terminal during a single execution of CICS. When this number of violations occurs on a terminal, the terminal is placed in locked status and will display a message stating that maximum violations have been exceeded. This value should be increased if CICS is up for extended periods of time. A good rule of thumb for this value is to determine how many violations you think is reasonable for each day and simply multiply by the number of days CICS is to be running. For example, if CICS stays up for 30 days, a value of 150 allows an average of five violations per day.

A terminal in locked status can be returned to normal operation by any administrator by running the ACTT transaction. This resets the violation counter and clears any operator signed on to the terminal. Terminals in this status can also be located with the USER transaction of BIM-ALERT/CICS by entering a function of MA. Refer to the description of the Display Current Users panel on page 9-57 for more information.

Response:

NOT NUMER.   Your response is not numeric. Enter a number from 1 to 999.

MAX CONSECUTIVE

Enter the number of consecutive violations that can occur on any terminal. This count is reset each time a successful event occurs. This value allows you to prevent unlimited attempts at breaking the security of your system. When this number is reached, the terminal is placed in locked status and will display a message stating that maximum consecutive violations have been exceeded. If BIM-ALERT/CICS can identify the user making the violations, the user will be disabled with status V. Any future attempt by the user to use the CICS system will result in the user receiving a message indicating that he has been disabled due to maximum violations exceeded. Any administrator can reinstate the user by running the ACTO transaction to activate the operator.

Responses:

NOT NUMER.   Your response is not numeric. Enter a number from one to nine.

MAX IS 009   The maximum value for this field has been exceeded. Enter a number between one and nine.

DISP. ON CONSOLE

This field specifies whether BIM-ALERT/CICS should route violation messages to the operator console. The default value N specifies that no console logging is to occur.

Response:

NOT Y OR N   Your response must be Y (YES) or N (NO).


PASSWORD INFORMATION

Use these fields to specify password information.

NEW PSWD NOTIFICATION

Enter the number of times you want BIM-ALERT/CICS to notify terminals and operators of new passwords that have been generated by BIM-ALERT/CICS. If you specify 0, you must devise some way to distribute passwords to your users. A reasonable number is 3. The maximum number is 999. This number is decremented each time the operator or terminal is notified of the new password. When this number reaches 0, no additional notifications are made. If the user changes his password at sign-on time, no notifications will be issued regardless of the number specified for the new password notification count. This can be any number between 0 and 999.

Response:
NOT NUMER.    Your response is not numeric. Enter a number from 0 to 999.

ASSIGNED BY BIM-ALERT

This field specifies the action that BIM-ALERT/CICS should take when a user's password has expired. Y directs BIM-ALERT/CICS to generate a new password and display it to the user (if he requests it). N directs BIM-ALERT/CICS to issue a message when the operator tries to sign on stating that his password has expired and he needs to reassign one. The default is Y.

Response:
NOT Y OR N    Your response must be Y (Yes) or N (No).

INITIALIZATION INFORMATION

Use these fields to specify initialization information.

CONTROL SUFFIX

This is the numeric suffix of the control module that is used to define an MRO complex. All CICS partitions using a common BIM-ALERT/CICS security file will make up an MRO complex. If you are not using MRO, you would normally specify zero for the suffix number.

For example, you could have a terminal owning region (TOR) and four application owning regions (AORs) running under CONTROL SUFFIX two. Another MRO complex could be running under CONTROL SUFFIX seven. This allows you to have both test and production systems running at the same time.

The maximum number of MRO complexes on a single CPU is nine. One copy of the BIM-ALERT security tables exists for each active MRO complex. However, a single complex with five CICS partitions would require only a single copy of the security tables and all five partitions would share that copy.

If you want to force BIM-ALERT/CICS to build the security tables in the SVA GETVIS area rather than the CICS partition GETVIS area, you can use a non-zero CONTROL SUFFIX to do so, even if you are not running MRO.


Responses:
NOT M.R.O.    You have entered a zero for the control suffix field. BIM-ALERT/CICS will build the security tables in partition GETVIS.
S1SCNTRx ?    The MRO control module S1SCNTRx (where x is the number you have entered as the control suffix) cannot be found. Check the installation output to be sure you installed the S1SCNTRx module you specified (S1SCNTR1-S1SCNTR9 should be in the SVA). Also make sure the module is in a library that is available to CICS.

EXTRA ENTRIES

Enter the number of extra entries to be reserved in each of the BIM-ALERT/CICS tables. This number sets the limit on the number of new resources that can be activated while CICS is active. Note that this applies to new resources only.

There is no limit to the number of times you can activate and deactivate resources available to BIM-ALERT/CICS when security was activated. The default is 10. If your CICS system is up 24 hours a day and does not come down for long periods of time, you may want to specify a larger number. Remember that extra entries take the same amount of storage as real entries. You want the smallest number possible to reduce system storage requirements.

Responses:
NOT NUMER.    Your response is not numeric. Enter a number from 1 to 999.
IF 1ST MRO    This is an informational message. This parameter will take effect only when the security tables are rebuilt. If 0 is specified for the CONTROL SUFFIX, the tables are rebuilt when CICS is cycled. If a value between 1 and 9 is specified, the tables are built in the SVA and must be released before the changes will take effect. See page 12-14 for more information about releasing shared BIM-ALERT/CICS tables.

USER EXITS REQ

BIM-ALERT/CICS provides a number of user exit points. All of the exit points are activated by answering this single question with a YES. If you answer NO, normal BIM-ALERT/CICS processing will occur, and no exits of any type will be activated. This reduces the overhead and storage required to perform normal security.

Response:
NOT Y OR N    Your response must be Y (Yes) or N (No).

DYN. TERMINALS

This field specifies the number of terminal table slots that BIM-ALERT/CICS should allocate in order to dynamically secure undefined terminals. The default is 00000. This number should be at least as large as the maximum number of users concurrently logged on to the CICS system. All dynamically allocated slots are available for reuse when a terminal disconnects and returns to VM or VTAM. Access to the CICS system is denied to an undefined terminal if all allocated terminal table slots are in use.


If 00000 is specified for DYN. TERMINALS, the tables are built using only the defined terminals. In this mode, no undefined terminals are secured. The specified number of EXTRA ENTRIES is included in the table to add and activate new terminals. If this number is changed, the new number is not effective until the security table is rebuilt. If the table is built with a control suffix other than zero, you must run S1U010 to clear the tables before the new number of entries is effective.

If a terminal is disconnected and returns to the VM logo or the VTAM application menu, that terminal's slot is freed and is available for use by the next undefined terminal entering the system. The slot is cleared regardless of whether the disconnect resulted from inactive time limit processing, a user entering CSSF LOGOFF (VTAM), or a transaction issuing a diagnose command to reset the terminal to VM.

Which Entries Can Be Released?

Terminal profile entries that are specifically defined in the BIM-ALERT/CICS security file are not eligible for reuse. Only those entries that were dynamically placed in the table can be released. All slots are cleared if the tables are cleared.

Before Implementing Dynamic Terminal Security

Before you implement dynamic terminal security, you should determine the maximum number of users that could be logged on to CICS at any time. The terminal table entries that are dynamically added are available for reuse. Therefore, accurate statistics of maximum concurrent users can save a considerable amount of storage when the terminal and operator tables are allocated. All terminal and operator table storage is allocated at BIM-ALERT/CICS initialization, and it is not freed for the duration of the CICS session.

For example, assume that there are 10 terminals in your shop that are authorized to run sensitive data. Some of the characteristics of these terminals (such as inactive time limit) need to be more restrictive than those of the dummy entry. Therefore, it is necessary to specifically define these terminals to BIM-ALERT/CICS with the ATSI function.

The remaining terminals in your shop (4000) are all eligible to be modeled after the dummy entry, but your statistics show that the maximum number of users ever concurrently logged on was 852. The 10 sensitive terminals are specifically defined and are added to the number specified for DYN. TERMINALS in order to allocate the correct number of entries.

If we assume that all of the users at maximum load (852) were signed on to dynamically added terminals and add some as a cushion, we might specify 890 as the number of dynamic terminals. Specifying 890 yields a total of 901 terminal table entries (890 dynamic slots + 10 specific terminals + 1 dummy entry).

Recommendation: If the table should fill, no new terminals will be able to access the system until one of the dynamically added terminals disconnects to VM or VTAM, thus freeing up that slot for reuse. Therefore, you should specify some cushion for unexpected peak loads.

Responses:
NOT NUMER.    Your response is not numeric. Enter a number from 00000 to 99999.
IF 1ST MRO    This is an informational message. This parameter will take effect only when the security tables are rebuilt. If 0 is specified for the CONTROL SUFFIX, the tables are rebuilt when CICS is cycled. If a value between 1 and 9 is specified, the tables are built in the SVA and must be released before the changes will take effect. See page 12-14 for more information about releasing shared BIM-ALERT/CICS tables.

DUMMY TERM NAME

Enter the terminal ID of the model terminal that is to be used when a terminal is dynamically secured. The model terminal can be any terminal profile defined in the BIM-ALERT/CICS security file. All undefined terminals that are secured dynamically are assigned the same characteristics as the dummy entry.

Responses:
IF 1ST MRO    This is an informational message. This parameter will take effect only when the security tables are rebuilt. If 0 is specified for the CONTROL SUFFIX, the tables are rebuilt when CICS is cycled. If a value between 1 and 9 is specified, the tables are built in the SVA and must be released before the changes will take effect. See page 12-14 for more information about releasing shared BIM-ALERT/CICS tables.
TERM NFND     The terminal selected as a dummy terminal must be a terminal defined on the BIM-ALERT security file. The terminal ID you specified could not be found on the file.

DATE FORMAT

Specify the format in which BIM-ALERT/CICS displays and validates dates. Use one of the following codes to select a format:

U    MM/DD/YY (default)
E    DD/MM/YY
C    YY/MM/DD

Response:
U, C, E REQD    Your response must be U, C, or E. All other responses are invalid.

PROCESSING INFORMATION

Use these fields to specify how BIM-ALERT/CICS is to process information.

SECURE ALL TERMINALS

BIM-ALERT/CICS allows an installation to phase in the implementation of security. One of the techniques used is to define security on only a few terminals to test your security setup. In this mode you must specify N in this field so that BIM-ALERT/CICS will pass control to the program specified in the UNSEC TERM PGM field when CSSN is entered on a terminal not defined to BIM-ALERT/CICS.

After you have created profiles for all your terminals, it is possible to prevent the system programmer from defining new terminals that are unknown to BIM-ALERT/CICS. In this mode you specify Y in this field. If CSSN is entered on a terminal unknown to BIM-ALERT/CICS when all terminals must be secured, the terminal will receive a message that it is unsecured and no transactions will be allowed to run on that terminal until it is added to BIM-ALERT/CICS as a secured terminal.


Response:
NOT Y OR N    Your response must be Y (Yes) or N (No).

SECURE ALL TRANS

Specify whether or not to secure transactions that are not specifically secured.

Response:
NOT Y OR N    Your response must be Y (Yes) or N (No).

SECURE ALL PROGRAMS

Specify whether or not to secure programs that are not specifically secured. Specifying YES for PROG type resources is not recommended, because you would have to secure all maps and programs to have BIM-ALERT/CICS active. This is not necessary and will use large amounts of storage.

Response:
NOT Y OR N    Your response must be Y (Yes) or N (No).

SECURE ALL FILES

Specify whether or not to secure files that are not specifically secured.

Response:
NOT Y OR N    Your response must be Y (Yes) or N (No).

FORCE DELAY

Enter the number of hours and minutes to be used as a second inactive time limit. At the end of this period of inactivity, the terminal or operator will be signed off BIM-ALERT/CICS. This provides the ability to have a two-stage timeout. If you specify zero hours and zero minutes, BIM-ALERT/CICS signs off the user or terminal when the inactive time limit specified on the ATSI or AAUP panel is exceeded. If a nonzero value is entered, BIM-ALERT/CICS saves the user's panel as it was at the end of the initial time out value specified on the Terminal or Operator Security Information panel. If the operator enters his password before the FORCE DELAY interval expires, he will be returned to his original application and can continue normal processing.

Response:
NOT NUMER.    Your response is not numeric. Enter a number between 00 and 23 for hours and 00 and 59 for minutes.
MAX IS 023    The hours must be a number between 00 and 23.
MAX IS 059    The minutes must be a number between 00 and 59.

IF FORCED DISPLAY

If a terminal or operator is forced off the system due to an inactive time interval, BIM-ALERT/CICS can display a number of different panels. To display the Terminal Sign-on panel, specify TSSN; to display the Operator Sign-on panel, specify CSSN; to disconnect to VTAM, specify VTAM; to return to the VM logo, specify VM. For the VM disconnect to occur on VTAM terminals, the last three characters of the terminal ID must be the same as the cuu of the device (for example, if the device address as defined to VTAM is 080, the terminal ID may be L080, M080, N080, or any other four-character string ending with '080'). If you want to have the panel cleared, enter BLNK. If you do not want any inactive time-limit processing to occur, specify NONE.

Response:
BAD REPLY    The value you entered is not one of the valid responses listed above.

OPER STAT / MAX VIOL

This field controls the status of the operator record when BIM-ALERT/CICS detects maximum violations. Specify one of the following:

A    The operator record is not modified and the operator can go to another terminal and sign on. The terminal is placed in secured status and is unavailable for use until it is activated by an administrator using the ACTT transaction.

V    The operator record is updated and the operator is not allowed on the system until he is activated by an administrator using the ACTO transaction. This prevents an operator from entering maximum violations on one terminal after another.

Response:
BAD REPLY    The value you entered is not A or V.

GRP STAT / MAX VIOL

This field is the same as OPER STAT / MAX VIOL above, except that it applies only to GROUP SIGNON records (that is, sign-on records that are shared by multiple operators). This field allows you to keep group sign-ons active even if the maximum number of violations are detected. This is desirable because you do not know which operator in the group actually caused the violations. Group sign-ons are not recommended since you do not have positive identification of the operator.

Response:
BAD REPLY    The value you entered is not A or V.

SIGNON MESSAGE DELAY

BIM-ALERT/CICS displays messages to the operator at sign-on time to validate password updates. If you have selected the sign-on time extension facility using the POST-SIGN-ON field, it is possible that your user program will write a panel on top of the BIM-ALERT/CICS messages before the operator is able to read them.

This field specifies the number of seconds (from zero to nine) that BIM-ALERT/CICS delays before calling your user program. This gives your operators time to read the BIM-ALERT/CICS messages. This delay will occur only if a message about passwords is displayed; otherwise, no delay occurs.

Responses:
NOT NUMER.    Your response is not numeric. Enter a number from zero to nine.
MAX IS 009    The maximum value for this field has been exceeded. Enter a number from zero to nine.
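The interaction of MAX VIOLATIONS, MAX CONSECUTIVE and OPER STAT / MAX VIOL described above can be modelled in a few lines of Python. This is an added example, not BIM-ALERT/CICS code: the class and function names are hypothetical, and it assumes that reaching either limit triggers the OPER STAT / MAX VIOL handling.

```python
class ViolationPolicy:
    """Terminal and operator lockout as described for the violation fields."""

    def __init__(self, max_violations, max_consecutive, oper_stat="V"):
        if not 1 <= max_violations <= 999:
            raise ValueError("MAX VIOLATIONS must be 1 to 999")
        if not 1 <= max_consecutive <= 9:
            raise ValueError("MAX CONSECUTIVE must be one to nine")
        if oper_stat not in ("A", "V"):
            raise ValueError("OPER STAT / MAX VIOL must be A or V")
        self.max_violations = max_violations
        self.max_consecutive = max_consecutive
        self.oper_stat = oper_stat
        self.total = {}        # terminal -> violations in this CICS execution
        self.consecutive = {}  # terminal -> violations since the last success
        self.locked = set()    # terminals in locked status
        self.disabled = set()  # operators disabled with status V

    def violation(self, terminal, operator=None):
        """Record one violation. Returns False if the terminal is already
        locked or the operator already disabled, so nothing was recorded."""
        if terminal in self.locked or operator in self.disabled:
            return False
        self.total[terminal] = self.total.get(terminal, 0) + 1
        self.consecutive[terminal] = self.consecutive.get(terminal, 0) + 1
        # Assumption: both limits lead to the same lock handling.
        if (self.total[terminal] >= self.max_violations
                or self.consecutive[terminal] >= self.max_consecutive):
            self.locked.add(terminal)
            # Only an identified operator can be disabled, and only under V.
            if operator is not None and self.oper_stat == "V":
                self.disabled.add(operator)
        return True

    def success(self, terminal):
        """A successful event resets the consecutive count, not the total."""
        if terminal not in self.locked:
            self.consecutive[terminal] = 0

    def actt(self, terminal):
        """Administrator activates a locked terminal; counters are reset."""
        self.locked.discard(terminal)
        self.total[terminal] = 0
        self.consecutive[terminal] = 0

    def acto(self, operator):
        """Administrator activates a disabled operator."""
        self.disabled.discard(operator)


def attempts_before_stopped(policy, terminals, operator):
    """Count the violations one identified operator can record while moving
    from terminal to terminal (constructed scenario)."""
    count = 0
    for terminal in terminals:
        while policy.violation(terminal, operator):
            count += 1
    return count


if __name__ == "__main__":
    terminals = ["T001", "T002", "T003"]  # constructed terminal IDs
    for stat in ("A", "V"):
        policy = ViolationPolicy(150, 3, oper_stat=stat)
        n = attempts_before_stopped(policy, terminals, "OPR1")
        print(stat, n, sorted(policy.locked), sorted(policy.disabled))
```

With status A the operator leaves a locked terminal behind at every stop; with status V the first locked terminal also ends the operator's access until ACTO is run.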

UNSEC TERM PGM

The normal action for BIM-ALERT/CICS when someone tries to sign on to an unsecured terminal is to give control to the IBM sign-on program DFHSNP. If you have another security product installed on your system while you are trying BIM-ALERT/CICS, this default action may be undesirable.

Use this field to enter the name of the program to receive control if a terminal is not under BIM-ALERT/CICS control. This allows BIM-ALERT/CICS to give control to any program you choose. You may want to specify DFHSNP in this field as documentation. It is not required since this is the default if nothing is specified. The program entered must be in the IBM PPT and will receive control via an XCTL.

Responses:
NOT ACTV      All underscore characters (_) were entered. This means this facility is not active. This is the method used to tell BIM-ALERT/CICS not to give control to a user-written module that is causing ABENDs or otherwise unacceptable results. After the user code has been corrected and a new copy made available to CICS using the CEMT facility, BIM-ALERT/CICS can be told to use your program by entering the program name again. You must specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.
NOT IN PPT    The program named cannot be found in the IBM CICS PPT. The program must be a CICS program and must reside in the PPT.

DEFAULT ADMIN

This field identifies the administrator ID to be logged in all audit records and to own all terminal and operator profiles added when BIM-ALERT/CICS is not active. By default, this field contains an A, which identifies the default administrator profile added when the BIM-ALERT/CICS security file is defined.

Specify any valid BIM-ALERT/CICS main administrator ID already defined on the security file.

Responses:
OPER NFND     The user ID entered could not be located on the BIM-ALERT/CICS security file.
NOT AN ADM    The user ID entered was located on the BIM-ALERT/CICS security file, but it is not defined as a main administrator.

IMPLEMENT CHANGES IMMEDIATELY?

Any time you change fields using the UPAR panel, the changes are recorded in the security file. The next time you initialize BIM-ALERT/CICS, the values will be used to define your security needs. This allows you to change values without having them take effect during the current CICS session. If you want a change to be effective immediately, enter Y in this field.


This is useful when changing logos or sign-on time modules. All changes except CONTROL SUFFIX, USER EXITS REQ, DYN. TERMINALS, DUMMY TERM NAME, and EXTRA ENTRIES can be implemented immediately as often as needed during a single CICS session.

Responses:
REQ ISSUED    All fields on the UPAR panel passed the validity checks and were saved in the security file. Your request has been sent to BIM-ALERT/CICS for immediate action. These values will be used the next time BIM-ALERT/CICS is initialized.
FILE CHGED    Your changes have been saved in the security file, but BIM-ALERT/CICS has not been requested to change the existing parameters. These values will be used the next time BIM-ALERT/CICS is initialized.

ENTER "X" FOR TERMINAL / OPERATOR FUNCTIONS

Enter an X in this field if you want to see the panel that displays the global system parameters relating to terminals and operators.


Global System Parameters for Terminals and Operators

Using the Panel

Purpose

Use the Global System Parameters for Terminals and Operators panel to specify the system parameters relating to terminals and operators. These parameters are global and apply to the entire CICS system using this S1SCTY file.

Changing System Parameters Immediately

Specify these parameters after BIM-ALERT/CICS has been installed. The parameters may be changed at any time during CICS processing. By entering Y in the IMPLEMENT CHANGES IMMEDIATELY? field, all parameters can be changed while CICS is up.

Response Field

To the right of each field is a response field. This field provides information so that you can quickly correct errors. All fields are validated each time the Terminal and Operator System Parameter panel is changed. If message GK110 is displayed at the bottom of the panel, you must press ENTER to update again. No input is accepted while GK110 is displayed. Response messages are described with each field below. The normal response is <-- VALID.

Access

To display the Terminal and Operator System Parameter panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter one of the following transaction codes on any security panel:

  Enter This Transaction    To Display This Panel
  DTOP                      Display Terminal/Operator Parameters
  UTOP                      Update Terminal/Operator Parameters


Sample Panel

UTOP 5.0A BIM-ALERT/CICS SYSTEM PARAMETERS UPDATE

TERMINAL CONTROLS

LOGO ........ ( BIMLOGO )       MESSAGE FILE .... ( S1SMS## )
POST SIGNON . ( ________ )      POST SIGNOFF ... ( ________ )
PASSWORD PERIOD . ( 090 )       PASSWORD MASK . ( ******** )
PASSWORD HISTORY ( 002 )        LOG ON/OFF RECORDS . . ( YES )
PRINT PROFILES ...( NO )        DEFAULT AUTHORITY .. ( ALL )

OPERATOR CONTROLS

POST SIGNON . ( ________ )      POST SIGNOFF ... ( ________ )
PASSWORD PERIOD . ( 050 )       PASSWORD MASK . ( ******** )
PASSWORD HISTORY ( 010 )        LOG ON/OFF RECORDS .. ( YES )
PRINT PROFILES ... ( YES )      DEFAULT AUTHORITY .. ( NONE )
BATCH PSWD PERIOD. ( 999 )

IMPLEMENT CHANGES IMMEDIATELY? ==> Y
ENTER "X" FOR SYSTEM FUNCTIONS ==> _

GK110 PARAMETER SPECIFICATIONS UPDATE COMPLETE


Field Descriptions

TERMINAL CONTROLS

This section allows you to define the BIM-ALERT/CICS parameters used to control terminal security.

LOGO

Both the terminal and operator sign-on panels of BIM-ALERT/CICS provide a logo area for your use. This logo area is 20 lines deep and 79 characters wide. This area can be used to display your company logo or any other message you want. BIM-ALERT/CICS provides the ALRTLOGO macro to generate logos. Each logo generated must be placed in a library available to BIM-ALERT/CICS and must have a unique name. At each sign-on BIM-ALERT/CICS tries to merge the logo you specify into the sign-on panel before it is displayed to the terminal. We distribute a sample logo, named BIMLOGO, with BIM-ALERT/CICS so that you may try this feature. If you do not want logos, enter all underscore characters and this feature becomes inactive.

Customizing Logos

BIM-ALERT/CICS also provides the ability to send a different logo based on which terminal is signing on to the system. This is very helpful if you are running a CICS system for more than one division or company. In order to do this, you must specify a logo name here and also enter a two-character suffix on the Terminal Security Information panel using ATSI. Using this approach, BIM-ALERT/CICS would first find the base logo name (the one you specify here) and then take the suffix from the ATSI panel and build the logo name to be used. This logo would then be sent to the terminal.

For example, suppose we have a single CICS system serving the corporate office as well as three divisions of our company. We would like to have a different logo appear at each division to make them feel special, but we want our own logo at the corporate office. Here is what we need to do. We must create four separate logos using the ALRTLOGO macro. Let's call them LOGOHQ for headquarters, LOGOD1 for division 1, LOGOD2 for division 2, and LOGOD3 for division 3. We enter LOGOHQ on the UPAR panel to tell BIM-ALERT/CICS that we want to use logos and LOGOHQ is the default logo. Next we enter D1 as the logo suffix on all the division 1 terminals, D2 as the logo suffix on all the division 2 terminals, and D3 as the logo suffix on all the division 3 terminals.

No suffix is required on the headquarters terminals since they will use the LOGOHQ logo by default. Any sign-on would produce the results we wanted. Notice that the last two nonblank characters are always replaced with the suffix from the terminal panel. This means that the logo names must all be the same length. In this example they are all six-character names.

HELPLOGO and Help Panels:

You can create different help panels to match each logo by using the logo name HELPLOGO. The last two characters of HELPLOGO must match the logo suffix of the logo name. For example, if the logo name is LOGOD1, define the help panel as HELPLOD1. See the description of how to generate BIM-ALERT/CICS logos on page 9-29 for more information on HELPLOGO. It is possible to change the sign-on panel field names with each logo that is used. Refer to the description of how to generate BIM-ALERT/CICS logos on page 9-29 for more information.


Responses:
NOT A LOGO    BIM-ALERT/CICS has located the module indicated but it does not contain a logo. Be sure the module was created using the ALRTLOGO macro.
PHASE NFND    BIM-ALERT/CICS cannot locate the module indicated in any of the libraries available in the search chains. Check that the name of the module is correct and that it exists in a library available to BIM-ALERT/CICS.

MESSAGE FILE

Messages produced by BIM-ALERT/CICS (messages and violations for both administrators and operators) are extracted from one or more VSAM files. Use the message file field to specify the name of the default message file, as defined in the FCT. You can have separate message files for different languages, and you can have alternate message sets to be broadcast to different terminals and/or operators.

You define alternate message files much like you define alternate logos, as described in the previous section. The two-character suffix in the message suffix field on the Terminal Security Information panel must match the last two characters of the message file field. For example, suppose a corporate office is located in the USA, with division 1 in France, division 2 in Germany, and division 3 in Italy. The corporate office would use the default message file S1SMS## for messages in English as defined on UTOP. Then enter D1 as the message suffix on all division 1 terminals, D2 as the message suffix on all division 2 terminals, and D3 as the message suffix on all division 3 terminals. S1SMS##, S1SMSD1, S1SMSD2, and S1SMSD3 must all be defined in the FCT. The name of the file to access will be constructed by the message processor by using the first five characters from UTOP (S1SMS) and appending the suffix (##, D1, D2, or D3).

You can associate a message suffix with an operator as well as a terminal. The suffix on the message file field must match the value in the message suffix field on the Operator Security Information panel.

Response:
NOT IN FCT    The filename you have specified is not in the FCT.

POST SIGNON

Enter the name of a user program that is to receive control any time a terminal sign-on is completed. This program must reside in the PPT and will receive control via a CICS XCTL command. This can be the first of many programs that run to perform user-specific tasks. If terminal sign-on does not need to be extended, enter underscores (_) to bypass this feature.

Responses:
NOT ACTV      All underscore characters (_) were entered. This means this facility is not active. This is the method used to tell BIM-ALERT/CICS not to give control to a user-written module that is causing ABENDs or otherwise unacceptable results. After the user code has been corrected and a new copy made available to CICS using the CEMT facility, BIM-ALERT/CICS can be told to use your program by entering the program name again. You must specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.

NOT IN PPT    The program named cannot be found in the IBM CICS PPT. The program must be a CICS program and must reside in the PPT. Refer to the description of post-sign-on processing on page 11-8 for more information.

POST SIGNOFF

Enter the name of a user program that is to receive control any time a terminal sign-off is completed. This program must reside in the PPT and will receive control via a CICS XCTL command. This can be the first of many programs that run to perform user-specific tasks. If operator sign-off does not need to be extended, enter underscores (_) to bypass this feature.

Responses:
NOT ACTV      All underscore characters (_) were entered. This means this facility is not active. This is the method used to tell BIM-ALERT/CICS not to give control to a user-written module that is causing ABENDs or otherwise unacceptable results. After the user code has been corrected and a new copy made available to CICS using the CEMT facility, BIM-ALERT/CICS can be told to use your program by entering the program name again. You must specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.
NOT IN PPT    The program named cannot be found in the IBM CICS PPT. The program must be a CICS program and reside in the PPT.

PASSWORD PERIOD

Enter the number of days terminal passwords are to be in effect. After this number of days, BIM-ALERT/CICS will change the terminal password and notify the terminal that the password has been changed.

If the number of days entered is 999, BIM-ALERT/CICS will never change any terminal password. This means you must control all terminal passwords manually using the UTSI transaction. BIM-ALERT/CICS will never generate a new password.

If a new password is entered with UTSI, it must be used for terminal sign-ons once its effective date has been reached. Until the new password effective date is reached, the password field must be used for sign-ons even if it is expired (that is, was assigned more than 999 days earlier).

BIM-ALERT/CICS will not distribute new passwords when the period is equal to 999. You must distribute the new password prior to the new password effective date or the terminal cannot be signed on.

Responses:
NOT NUMER.    Your response is not numeric. Enter a number between 1 and 999.
NEVER CHNG    Your response was 999. BIM-ALERT/CICS will never generate or distribute terminal passwords as long as this response is displayed. This response serves as a warning. This method of operation is not recommended.

PASSWORD MASK

Enter the eight-character mask pattern that describes the terminal passwords. This mask allows you to specify the length of passwords and which positions contain letters, numbers, blanks, and so forth. Valid mask characters are:

A    This position must contain a letter from A through Z.

C    This position must contain a consonant.

N    This position must contain a number from zero through nine.

X    This position can contain any nonblank character.

*    This position can contain any character. This is a wildcard matching character.

. (period)    This position must contain a blank.

Specify a mask of NNNN.... if you want BIM-ALERT/CICS to generate four-character numeric codes. Users must supply four-character passwords if they want to change the password at sign-on.

The period (.) mask character on the end of the mask is used to change the length of the passwords. Period mask characters in the middle of a mask simply force blanks at that position. This means a mask of ....NNNN is really an eight-position code with the first four characters always equal to blanks.

If you want passwords that do not contain vowels in the first four positions and do contain numbers in the last four positions, specify a mask of CCCCNNNN and BIM-ALERT/CICS enforces this standard on all new passwords.

If you change the mask, all current passwords remain valid. Only new passwords have to match the new format. This makes it easy for you to implement password standards without contacting each user. The format is displayed in an error message if a valid user attempts to change a password without matching the format. The password update is ignored until the correct format is entered.

The password mask can be changed at any time. If you want the changes to be effective immediately, specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.

BIM-ALERT honors uppercase and lowercase letters in password masks. That means that if, for example, you specify AaAaAaAa as a password mask, BIM-ALERT generates a password like RoTtEnQx. This is a problem for operators or terminals that cannot enter lowercase input. If you have any question about what type of terminals are available, always enter the password masks in uppercase. BIM-ALERT will check the password entered and will try it in uppercase if it does not match. Therefore, your operators will not have to enter passwords in uppercase, but terminals that can enter only uppercase characters will still be able to sign on.

Responses:

INVLD MASK    Your response contains invalid mask characters. You may specify only the characters A, C, ., X, *, and N as mask characters. Check your mask and specify the correct pattern characters.

BLANK CODE    Your response contains eight periods (.). This would result in a completely blank password. This is not permitted by BIM-ALERT/CICS. At least one nonblank mask character must be specified.

PASSWORD HISTORY

This field, under both the terminal and operator controls, is used to define how many previous passwords BIM-ALERT/CICS maintains in order to prevent repetitious use of passwords. This value must be between 2 and 50.

Responses:

NOT NUMER.    Your response is not numeric. Enter a number between 2 and 50.

MIN IS 002    Your response is less than 2. The minimum number of remembered codes is 2.

MAX IS 50    Your response is greater than 50. The maximum number of remembered codes is 50.

LOG ON/OFF RECORDS

This field controls logging of terminal sign-on and sign-off records. If you specify Y, each time a terminal sign-on is complete, BIM-ALERT/CICS logs this event in the security log file. This information can be reported using the batch program S1B190 with the SIGN control card.

If you specify N, the sign-on record is not logged. This can result in substantial savings in log file disk space because sign-on and sign-off occur more frequently than violations in most systems.

Response:

NOT Y OR N    Your response must be Y (Yes) or N (No).

PRINT PROFILES

This field controls the authorization for the S1B560 batch report to print terminal profiles, for the S1U560 batch utility to add terminals to the security file, and for the S1U500, S1U510, S1U520, and S1U530 utilities to add resources to or delete resources from terminals. This allows operations to have the JCL necessary to run the jobs, but it allows the JCL to work only if a main administrator has authorized it. This reduces the procedural problems normally associated with batch security reports.

Any authorization given will be in effect only until midnight of the day the report is authorized. This means, for example, that if you authorize printing of the terminal report at 10:15 p.m. on Thursday, this authorization would be valid only for 1 hour and 45 minutes. This protects you against accidental authorizations. The three possible responses are as follows:

YES    Authorizes the S1B560 report or the S1URESRC, S1UGROUP, S1U550, or S1U560 utilities to be run as many times as needed until midnight of the day the authorization was given. CICS may be up or down and BIM-ALERT/CICS may be active or inactive. The security file and the audit file must be closed to run the utilities starting with S1U.

ONE    Authorizes the S1B560 report or the S1URESRC, S1UGROUP, S1U550, or S1U560 utilities to be run one time before midnight of the day the authorization was given. CICS must be down or the S1SCTY file (and for S1Uxxx jobs the S1SAUDT file also) must be closed since the jobs will attempt to open the file as I/O. If your CICS system stays up past midnight, you will have to use the YES option since you will not be able to close the S1SCTY file (no one can sign on if the S1SCTY file is closed). If you have the ability to close the file or bring down CICS, the ONE option provides the maximum amount of security since the report can be run only once.

NO    Revokes all authority to print the report. This is used along with the YES option to allow printing with CICS up and then to prevent printing as soon as the batch job has ended.

Response:

BAD REPLY    Your response is not YES, NO, or ONE. Correct and press ENTER.

DEFAULT AUTHORITY

This field allows you to control how much authority a terminal will have when it is initially added to the system. The default is ALL, which means the terminal would be allowed to run all transactions, programs, files, maps, and field-level resources. If you specify NONE, the terminal will have no authority until it is specifically granted by the security administrator.

If You Delete All Resources From a Terminal

If you delete the last resource from a terminal, the setting of DEFAULT AUTHORITY takes effect. For example, if the default is ALL, deleting the last resource from a terminal does not limit that terminal's control, but instead gives that terminal authority to run all transactions, programs, files, maps, and field-level resources.

Response:

ALL / NONE    Your response must be ALL or NONE.

OPERATOR CONTROLS

This section allows you to define the BIM-ALERT/CICS parameters used to control operator security.

POST SIGNON

Enter the name of a user program that is to receive control any time an operator sign-on is completed. This program must reside in the PPT and will receive control via a CICS XCTL command. This can be the first of many programs that run to perform user specific tasks. If operator sign-on does not need to be extended, enter underscores (_) to bypass this feature.

Responses:

NOT ACTV    All underscore characters (_) were entered. This means this facility is not active. This is the method used to tell BIM-ALERT/CICS not to give control to a user-written module that is causing ABENDs or otherwise unacceptable results. After the user code has been corrected and a new copy made available to CICS using the CEMT facility, BIM-ALERT/CICS can be told to use your program by entering the program name again. You must specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.

NOT IN PPT    The program named cannot be found in the IBM CICS PPT. The program must be a CICS program and must reside in the PPT. Refer to the description of post-sign-on processing on page 11-8 for more information.

POST SIGNOFF

Enter the name of a user program that is to receive control any time an operator sign-off is completed. This program must reside in the PPT and will receive control via a CICS XCTL command. This can be the first of many programs that run to perform user specific tasks. If operator sign-off does not need to be extended, enter underscores (_) to bypass this feature.

Responses:

NOT ACTV    All underscore characters (_) were entered. This means this facility is not active. This is the method used to tell BIM-ALERT/CICS not to give control to a user-written module that is causing ABENDs or otherwise unacceptable results. After the user code has been corrected and a new copy made available to CICS using the CEMT facility, BIM-ALERT/CICS can be told to use your program by entering the program name again. You must specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.

NOT IN PPT    The program named cannot be found in the IBM CICS PPT. The program must be a CICS program and must reside in the PPT.

PASSWORD PERIOD

Enter the number of days operator passwords are to be in effect. After this number of days BIM-ALERT/CICS will change the operator password and notify the operator that the password has been changed.

If a new password is entered with UAUP, it must be used for operator sign-ons once its effective date has been reached. Until the new password effective date is reached, the password field must be used for sign-ons even if it is expired (that is, was assigned more than 999 days earlier).

BIM-ALERT/CICS will not distribute new passwords when the period is equal to 999. You must distribute the new password prior to the new password effective date or the operator will be unable to sign on.

Responses:

NOT NUMER.    Your response is not numeric. Enter a number between 1 and 999.

NEVER CHNG    Your response was 999. BIM-ALERT/CICS will never generate or distribute operator passwords as long as this response is displayed. This response serves as a warning. This method of operation is not recommended.

PASSWORD MASK

Enter the eight-character mask pattern that describes the operator passwords. This mask allows you to specify the length of passwords and which positions contain letters, numbers, blanks, and so forth. Valid mask characters are:

A    This position must contain a letter from A through Z.

C    This position must contain a consonant.

N    This position must contain a number from zero through nine.

X    This position can contain any nonblank character.

*    This position can contain any character. This is a wildcard matching character.

. (period)    This position must contain a blank.

Specify a mask of NNNN.... if you want BIM-ALERT/CICS to generate four-character numeric codes. Users must supply four-character numeric passwords if they want to change the password at sign-on.

The period (.) mask character on the end of the mask is used to change the length of the passwords. Period mask characters in the middle of a mask simply force blanks at that position. This means a mask of ....NNNN is really an eight-position code with the first four characters always equal to blanks.

If you want passwords that do not contain vowels in the first four positions and do contain numbers in the last four positions, specify a mask of CCCCNNNN and BIM-ALERT/CICS enforces this standard on all new passwords.

If you change the mask, all current passwords remain valid. Only new passwords need to match the new format. This makes it easy for you to implement password standards without contacting each user. The format is displayed in an error message if a valid user attempts to change a password without matching the format. The password update is ignored until the correct format is entered.

The password mask can be changed at any time. If you want the changes to be effective immediately, specify Y in the IMPLEMENT CHANGES IMMEDIATELY? field.

Responses:

INVLD MASK    Your response contains invalid mask characters. You may specify only the characters A, C, ., X, *, and N as mask characters. Check your mask and specify the correct pattern characters.

BLANK CODE    Your response contains eight periods (.). This would result in a completely blank password. This is not permitted by BIM-ALERT/CICS. At least one nonblank mask character must be specified.
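The mask rules given for terminal and operator passwords can be modelled as below, which makes it easy to compare candidate masks before setting one. This is an added example, not BIM-ALERT code: the function names, the treatment of Y as a consonant, the lowercase "c" rule, and the `typeable` character count are assumptions.

```python
# Added example: a model of the password mask rules described above.
# Not BIM-ALERT code; names and the marked assumptions are illustrative.
import string

MASK_LEN = 8
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
VOWELS = set("AEIOU")            # assumption: Y is treated as a consonant
CONSONANTS = UPPER - VOWELS

# One predicate per mask character. "A", "C", "N", "X", "*" and "." come from
# the manual; lowercase "a" follows its AaAaAaAa example, and lowercase "c"
# is an assumption made by analogy.
RULES = {
    "A": lambda ch: ch in UPPER,
    "a": lambda ch: ch in LOWER,
    "C": lambda ch: ch in CONSONANTS,
    "c": lambda ch: ch in LOWER and ch.upper() in CONSONANTS,
    "N": lambda ch: ch in string.digits,
    "X": lambda ch: ch != " ",
    "*": lambda ch: True,
    ".": lambda ch: ch == " ",
}


def check_mask(mask):
    """Return 'OK' or the panel response the manual lists for a bad mask."""
    if len(mask) != MASK_LEN:
        raise ValueError("a mask is exactly eight characters")
    if any(m not in RULES for m in mask):
        return "INVLD MASK"
    if mask == "." * MASK_LEN:
        return "BLANK CODE"
    return "OK"


def password_length(mask):
    """Trailing periods shorten the password; embedded ones do not."""
    return len(mask.rstrip("."))


def matches_mask(mask, password):
    """True if a new password satisfies every position of the mask."""
    if check_mask(mask) != "OK":
        raise ValueError("unusable mask: " + mask)
    if len(password) > MASK_LEN:
        return False
    padded = password.ljust(MASK_LEN)  # unused trailing positions are blank
    return all(RULES[m](ch) for m, ch in zip(mask, padded))


def keyspace(mask, typeable=36):
    """Number of distinct passwords a mask allows.

    typeable is the count of nonblank characters the terminals can enter;
    36 (A-Z plus 0-9) is an assumed default, not a BIM-ALERT value.
    """
    sizes = {"A": 26, "a": 26, "C": 21, "c": 21, "N": 10,
             "X": typeable, "*": typeable + 1, ".": 1}
    total = 1
    for m in mask:
        total *= sizes[m]
    return total


def signon_matches(stored, entered):
    """Sign-on comparison as described: exact match first, then uppercase."""
    return entered == stored or entered.upper() == stored


if __name__ == "__main__":
    for mask in ("NNNN....", "....NNNN", "CCCCNNNN", "AaAaAaAa"):
        print(mask, check_mask(mask), password_length(mask), keyspace(mask))
    print(signon_matches("ROTTENQX", "rottenqx"))  # uppercase-only password
    print(signon_matches("RoTtEnQx", "ROTTENQX"))  # mixed-case password
```

Under these rules NNNN.... allows 10,000 passwords while CCCCNNNN allows 1,944,810,000. The last two calls show why an uppercase-only mask keeps sign-on working from terminals that cannot enter lowercase.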

PASSWORD HISTORY

This field, under both the terminal and operator controls, is used to define how many previous passwords BIM-ALERT/CICS maintains in order to prevent repetitious use of passwords. This value must be between 2 and 50.

Responses:

NOT NUMER.    Your response is not numeric. Enter a number between 2 and 50.

MIN IS 002    Your response is less than 2. The minimum number of remembered codes is 2.

MAX IS 50    Your response is greater than 50. The maximum number of remembered codes is 50.

LOG ON/OFF RECORDS

This field controls logging of operator sign-on and sign-off records. If you specify Y, each time an operator sign-on is complete, BIM-ALERT/CICS logs this event in the security log file. This information can be reported using the batch program S1B192 with the SIGN control card.

If you specify N, the sign-on record is not logged. This can result in a substantial savings in log file disk space because logons and logoffs occur more frequently than violations in most systems.

Response:

NOT Y OR N    Your response must be Y (Yes) or N (No).

PRINT PROFILES

This field controls the authorization to the S1B550 batch report to print operator profiles, the S1U550 batch utility to add operators to the file, and the S1U500, S1U510, S1U520, or S1U530 utilities to add resources to or delete resources from operators. This allows operations to have the JCL necessary to run the jobs, but allows the JCL to work only if a main administrator has authorized it. This reduces the procedural problems normally associated with batch security reports.

Any authorization given will be in effect only until midnight of the day the report is authorized. That means, for example, that if you authorize printing the operator report at 10:15 p.m. on Thursday, this authorization would be valid for only 1 hour and 45 minutes. This protects you against accidental authorizations. The three possible responses are as follows:

YES    Authorizes the S1B550 report or the S1URESRC, S1UGROUP, or S1U550 utilities to be run as many times as needed until midnight of the day the authorization was given. CICS may be up or down and BIM-ALERT/CICS may be active or inactive. The security file and the audit file must be closed to run the utilities starting with S1U.

ONE    Authorizes the S1B550 report or the S1URESRC, S1UGROUP, or S1U550 utilities to be run one time before midnight of the day the authorization was given. CICS must be down or the S1SCTY file (and for S1Uxxx jobs the S1SAUDT file also) must be closed since the jobs will attempt to open the file as I/O. If your CICS system stays up past midnight, you will have to use the YES option since you will not be able to close the S1SCTY file (no one can sign on if the S1SCTY file is closed). If you have the ability to close the file or bring down CICS, the ONE option provides the maximum amount of security because the report can be run only once.

NO    Revokes all authority to print the report. This is used along with the YES option to allow printing with CICS up and then to prevent printing as soon as the batch job has ended.

Response:

BAD REPLY    Your response is not YES, NO, or ONE. Correct and press ENTER.

DEFAULT AUTHORITY

This field allows you to control how much authority an operator will have when he is initially added to the system. The default is ALL, which means the operator would be allowed to run all transactions, programs, files, maps, and field-level resources. If you specify NONE, the operator will have no authority until it is specifically granted by the security administrator.

If You Delete All Resources From An Operator

If you delete the last resource from an operator, the setting of DEFAULT AUTHORITY takes effect. For example, if the default is ALL, removing the last resource from an operator does not further limit that operator's control, but instead gives that operator authority to run all transactions, programs, files, maps, and field-level resources.

Response:

ALL / NONE    Your response must be ALL or NONE.

BATCH PSWD PERIOD

Enter the number of days a batch user's password is to be in effect. After this number of days, the password will expire. If you enter a password period of 999, the password will never expire.

Responses:

NOT NUMER.    Your response is not numeric. Enter a number between 1 and 999.

NEVER CHNG    Your response was 999. This response serves as a warning. This method of operation is not recommended.


IMPLEMENT CHANGES IMMEDIATELY?

Any time you change fields using the UTOP panel, the changes will be recorded in the security file. The next time you initialize BIM-ALERT/CICS, the values will be used to define your security needs. This allows you to change values without having them take effect during the current CICS session. If you want a change to be effective immediately, enter Y in this field. This is useful when changing logos or sign-on time modules.

Responses:

REQ ISSUED    All fields on the UTOP panel passed the validity checks and were saved in the security file. Your request has been sent to BIM-ALERT/CICS for immediate action. These values will also be used the next time BIM-ALERT/CICS is initialized.

FILE CHGED    Your changes have been saved in the security file, but BIM-ALERT/CICS has not been requested to change the existing parameters. These values will be used the next time BIM-ALERT/CICS is initialized.

ENTER "X" FOR SYSTEM FUNCTIONS

Enter an X in this field to display the System Parameters panel, which contains global system parameters.


System Security Specifications Panel

Using the Panel

Purpose

Specify security specifications for BIM-ALERT/CICS after the system is installed and all secured resources have been defined. Changes can be made to the current options or the permanent options while CICS is active. However, changes to the current options affect only the current CICS session and are not in effect during the next CICS session unless the changes are also made to the permanent options. Updates to the permanent options change only the specifications that are on file for BIM-ALERT/CICS. If an update is made to the permanent options but not to the current options, the current CICS session is not affected. However, the next time CICS is initialized, the new specifications take effect.

If all security specifications are set to OFF, no security processing is performed by BIM-ALERT/CICS.

Terminals Used For Security

Only the terminal used to turn security completely off can be used to run UCOP to turn security back on. (This is the only place the main administrator is signed on.) Once any part of BIM-ALERT/CICS security is active, any secured terminal on which a main administrator can sign on can be used to administer security.

Methods for Activating BIM-ALERT

There are two methods of activating BIM-ALERT/CICS: manually, using the UCOP panel to change the current options, or automatically, using the UPOP transaction to set the permanent options on the S1SCTY file and then using the PLTPI table entry to read the permanent options during CICS initialization. The UPOP values can be used only at CICS initialization; any other changes must be made using UCOP.

Access

To display the System Security Specifications panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter one of the following transaction codes on any security panel:

Enter This Transaction    To Display This Panel
UCOP                      Update Current Options
DCOP                      Display Current Options
UPOP                      Update Permanent Options
DPOP                      Display Permanent Options


Sample Panel

              ** SYSTEM SECURITY SPECIFICATIONS **

-SYSTEM-                               ON                 OFF
TRANSACTION SECURITY   ............... ( ) ............... ( )
PROGRAM SECURITY       ............... ( ) ............... ( )
FILE ACCESS SECURITY   ............... ( ) ............... ( )

-TERMINAL-
TRANSACTION SECURITY   ............... ( ) ............... ( )
PROGRAM SECURITY       ............... ( ) ............... ( )
FILE ACCESS SECURITY   ............... ( ) ............... ( )
MAP DISPLAY SECURITY   ............... ( ) ............... ( )
FIELD LEVEL SECURITY   ............... ( ) ............... ( )

-OPERATOR-
TRANSACTION SECURITY   ............... ( ) ............... ( )
PROGRAM SECURITY       ............... ( ) ............... ( )
FILE ACCESS SECURITY   ............... ( ) ............... ( )
MAP DISPLAY SECURITY   ............... ( ) ............... ( )
FIELD LEVEL SECURITY   ............... ( ) ............... ( )

-MESSAGES-
VIOLATION AUDITING     ............... ( ) ............... ( )
TERMINAL SCHEDULING    ............... ( ) ............... ( )


Changing System Security Specifications

To turn a security option on or off, enter an X in the ON or OFF column as shown in the following panel:

              ** SYSTEM SECURITY SPECIFICATIONS **

-SYSTEM-                                ON                   OFF
TRANSACTION SECURITY   ............... ( X ) ............... (   )
PROGRAM SECURITY       ............... (   ) ............... ( X )
FILE ACCESS SECURITY   ............... ( X ) ............... (   )

-TERMINAL-
TRANSACTION SECURITY   ............... ( X ) ............... (   )
PROGRAM SECURITY       ............... ( X ) ............... (   )
FILE ACCESS SECURITY   ............... ( X ) ............... (   )
MAP DISPLAY SECURITY   ............... ( X ) ............... (   )
FIELD LEVEL SECURITY   ............... ( X ) ............... (   )

-OPERATOR-
TRANSACTION SECURITY   ............... ( X ) ............... (   )
PROGRAM SECURITY       ............... (   ) ............... ( X )
FILE ACCESS SECURITY   ............... ( X ) ............... (   )
MAP DISPLAY SECURITY   ............... ( X ) ............... (   )
FIELD LEVEL SECURITY   ............... ( X ) ............... (   )

-MESSAGES-
VIOLATION AUDITING     ............... ( X ) ............... (   )
TERMINAL SCHEDULING    ............... (   ) ............... ( X )

When you enter the UCOP transaction, a panel like the following is displayed to confirm the action taken by BIM-ALERT/CICS:

              ** SYSTEM SECURITY STATUS **

-SYSTEM-
TRANSACTION SECURITY   ......... ACTIVATED
PROGRAM SECURITY       ......... INACTIVE
FILE ACCESS SECURITY   ......... ACTIVATED

-TERMINAL-
TRANSACTION SECURITY   ......... ACTIVATED
PROGRAM SECURITY       ......... ACTIVATED
FILE ACCESS SECURITY   ......... ACTIVATED
MAP DISPLAY SECURITY   ......... ACTIVATED
FIELD SECURITY         ......... ACTIVATED

-OPERATOR-
TRANSACTION SECURITY   ......... ACTIVATED
PROGRAM SECURITY       ......... INACTIVE
FILE ACCESS SECURITY   ......... ACTIVATED
MAP DISPLAY SECURITY   ......... ACTIVATED
FIELD SECURITY         ......... ACTIVATED

-MESSAGES-
VIOLATION AUDITING     ......... ACTIVATED
TERMINAL SCHEDULING    ......... INACTIVE

At this point, press CLEAR and enter another transaction code to continue processing.


Field Descriptions

SYSTEM

Specifies whether the access times for transactions, programs, and files are to be in effect and also if the access type for files is to be checked at this level.

TERMINAL

Specifies whether BIM-ALERT/CICS is to verify a terminal's authorization to access transactions, programs, files, and field-level resources, and also whether map restrictions are to be in effect for terminals. This level of security can be in effect regardless of whether terminal sign-on is required.

OPERATOR

Specifies whether BIM-ALERT/CICS is to verify an operator's authorization to access transactions, programs, files, and field-level resources, and also whether map restrictions are to be in effect for operators. This level of security is applied only to terminals that require an operator sign-on.

MESSAGES

Violation auditing specifies whether attempted violations are to be reported real-time to the violation reporting terminal or associated terminal printer that may be assigned to a terminal.

Terminal scheduling specifies whether terminals that are placed in and taken out of service according to their scheduled access times are made to display one of the following messages:

**************************************
*                                    *
*   THIS TERMINAL HAS BEEN PLACED:   *
*                                    *
*         -- IN SERVICE --           *
*                                    *
*   SCHEDULED ACCESS TIME IS FROM:   *
*                                    *
*          07:00 TO 17:03            *
*                                    *
**************************************

**************************************
*                                    *
*   THIS TERMINAL HAS BEEN PLACED:   *
*                                    *
*       -- OUT OF SERVICE --         *
*                                    *
*   SCHEDULED ACCESS TIME IS FROM:   *
*                                    *
*          07:00 TO 17:03            *
*                                    *
**************************************

This does not affect the time restrictions that have been placed on a terminal. It does, however, allow an installation to prevent the scheduling message from being sent to an unattended terminal and having the message "burn" into the phosphor because the message was displayed all weekend. To prevent the messages from being sent, specify terminal scheduling OFF.

In a VM environment, the TERMINAL SCHEDULING field is also useful to turn off terminal scheduling messages to prevent terminals that have not been dialed to the CICS session from being placed out of service by IBM terminal error program DFHTEP. Network administrator intervention would be required to correct this. By not using these messages, you can avoid this situation.


9 Administrative Facilities

This chapter describes the BIM-ALERT/CICS administrative facilities.

• Introduction, 9-3
− About This Chapter, 9-3

• Administrator Maintenance, 9-4
− Overview, 9-4
− Change Operator Administration Panel, 9-5
− Reclaim Operator Ownership Panel, 9-8
− Change Terminal Administration Panel, 9-10
− Reclaim Terminal Ownership Panel, 9-13

• Inactive Time Limit Processing, 9-15
− Introduction, 9-15
− S140 Task, 9-17
− Conversational Tasks, 9-18

• User-Callable Interfaces, 9-19
− Introduction, 9-19
− Command-Level Interface, 9-19
− Macro-Level Interface, 9-23

• Securing BIM-ALERT Functions and UFO Resources, 9-24
− Securing BIM-ALERT Functions, 9-24
− Securing UFO Resources, 9-25

• Setting Up an Interface with CA-ALERT for VM, 9-26
− Introduction, 9-26
− Updating CA-ALERT for VM Security Files, 9-27

• Generating BIM-ALERT/CICS Logos, 9-29
− Introduction, 9-29
− How Logo Names are Generated, 9-29
− Customizing Logos, 9-30

• Maintaining BIM-ALERT/CICS Messages, 9-34
− Introduction, 9-34
− Tailor BIM-ALERT Administrator Messages Panel, 9-35
− Maintaining Message Text, 9-36
− Maintaining Variables, 9-37
− Using Multiple Message Files, 9-39

• Parameter-Driven Sign-On and Sign-Off Processing, 9-41
− Introduction, 9-41
− Operator and Terminal Sign-On from a Terminal, 9-42
− Sign-On and Sign-Off Without Operator Intervention, 9-43

• Displaying Version Information, 9-44
− Display System Version Information Panel, 9-44

• Displaying Unsecured Transactions, 9-51
− Display Unsecured Transactions Panel, 9-51

• Displaying Unsecured Programs, 9-53
− Display Unsecured Program Panel, 9-53

• Displaying Unsecured Files, 9-55
− Display Unsecured File Panel, 9-55

• Displaying Current Users, 9-57
− Display Current Users Panel, 9-57

• Controlling Terminal Sign-On, 9-60
− Terminal Sign-On Panel, 9-60
− Terminal Password Distribution, 9-61

• Controlling Operator Sign-On, 9-62
− Operator Sign-On Panel, 9-62
− Operator Password Distribution, 9-64
− User Profile Search Panel, 9-65
− Group Search Panel, 9-67

• Displaying Attempted Violations, 9-69
− Display Attempted Violations Panel, 9-69
− Attempted Violations Panel, 9-71

Introduction

About This Chapter

This chapter describes the administrative facilities of BIM-ALERT/CICS, including the following topics:

• Panels used to change administrative ownership of operator and terminal records

• Inactive time limit processing

• User-callable interfaces

• Securing BIM-ALERT/CICS functions and UFO resources

• Setting up an interface with CA-ALERT for VM

• Generating BIM-ALERT/CICS logos

• BIM-ALERT/CICS messages

• Parameter-driven sign-on and sign-off processing

• Panels that display various system information, including

− Unsecured resources
− Current users
− Operator names
− Group names
− Attempted violations

Administrator Maintenance

Overview

You can use the following panels to change the administrative ownership of operator and terminal records:

• Change Operator Administration panel
• Reclaim Operator Ownership panel
• Change Terminal Administration panel
• Reclaim Terminal Ownership panel

Change Operator Administration Panel

Purpose

Use the Change Operator Administration panel to change the administrative ownership of operator records. The changes can be made either permanently or temporarily. Permanent changes are helpful if a subadministrator will no longer be working with the system. Temporary changes can be used to provide coverage if a subadministrator is on vacation or is not able to be reached for some reason. Temporary changes can be reversed by using the reclaim transaction ADRO.

Access

To display the Change Operator Administration panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter ADCO on any security panel.

Using the Panel

When the panel is displayed, enter the current administrator user ID that you want to change, the new administrator user ID that is to replace the current administrator user ID, and an indicator of whether the change is to be temporary or permanent.

All operator records on the BIM-ALERT/CICS file will be checked, and all records that belong to the administrator entered in the CURRENT ADMIN field will be displayed. You may browse through all the records using the PF keys provided. After you are satisfied that the correct records were selected, enter a Y to the question about changing the file. If you do not want to change the file, simply enter an N and no changes will be made.

Sample Panel

ADCO ** SECURED OPERATOR ADMINISTRATION ** CHANGE

ENTER THE CURRENT ADMINISTRATOR USER ID, NEW ADMINISTRATOR USER ID, AND WHETHER THE CHANGE IS TEMPORARY (T) OR PERMANENT (P).

CURRENT ADMIN: A NEW ADMIN: B CHANGE: T

RECORDS SELECTED - TOTAL 00128 PERMANENT: 00000 TEMPORARY: 00128

DO YOU WANT THE CHANGES MADE TO THE FILE? _

USER ID NAME ORIG. AD. ORIG. ADMIN. NAME
A ADMIN A ADMIN E AUDIT E A ADMIN 1 ADMIN1 ____________________ ED ED ____________________

RECORDS 00001 TO 00008 OF 00128 PF7 = UP PF8 = DOWN ENTER = CHANGE

Field Descriptions

CURRENT ADMIN
The administrator user ID that you want to change. This user ID is used as the selection criterion for matching operator records. It must match the administrator user ID in the records exactly. If you have a question about how the administrator user ID was entered, you may use DAUP to display the operator record. This user ID will be replaced by the NEW ADMIN field if the file is changed.

NEW ADMIN
The administrator user ID that will receive control of the selected records. This user ID will replace the current administrator in each of the selected records. The administrator user ID must be a valid administrator on the S1SCTY file or an error will be displayed. This ensures that records are assigned to an administrator who can update the records.

CHANGE
The type of change. Valid types are T for temporary changes and P for permanent changes. If a change is made as permanent, no attempt is made to save the original administrator user ID. However, a record that is owned temporarily will retain its original owner information regardless of the change type. If a change is made as temporary, then the original ownership information will be saved and can later be reclaimed using the ADRO function. Refer to the explanation of the RECORDS SELECTED field for more information.

RECORDS SELECTED

− TOTAL: The total number of records under control of the administrator entered in the CURRENT ADMIN field. All records belonging to this administrator will be available for display using the scrolling features of this panel.

− PERMANENT: The number of records for which the administrator entered in the CURRENT ADMIN field is the original owner. If an administrator adds a new resource under his control, this is the count that would be increased. It is normal for this field to match the total count.

− TEMPORARY: The number of records for which the administrator entered in the CURRENT ADMIN field is the temporary owner. This means he is controlling records for which he is not the original owner. This would happen if ADCO were used to make a temporary change of ownership of resources. This is useful, for example, when an administrator goes on vacation. The administrator has full power over all records displayed, but temporary records originally belonged to another administrator.

DO YOU WANT THE CHANGES MADE TO THE FILE?
This field controls when changes are made to the file. If you want to apply the changes to the file, enter Y. If you do not want the file updated, enter N. This allows you to view records owned by any administrator in your system without changing them.

USER ID
The user ID of a selected record. This user ID can be used on the DAUP panel to view additional information about this operator.

NAME
The 20-character name field found in the operator record. It is provided to further identify the selected records.

ORIG. AD.
The original administrator user ID for any record that is temporarily owned. This is the administrator user ID that would be used in a reclaim operation. If this field is blank, the record is permanently owned by the administrator user ID entered in the CURRENT ADMIN field.

ORIG. ADMIN. NAME
The 20-character name field found in the administrator's record. It is provided to further identify the administrator.

Reclaim Operator Ownership Panel

Purpose

Use the Reclaim Operator Administration panel to reclaim all operator resource records that have been temporarily assigned from one administrator to another.

Access

To display the Reclaim Operator Administration panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter ADRO on any security panel.

Using the Panel

When the panel is displayed, enter the administrator user ID that controls the operator resources that you want to reclaim.

All operator records on the BIM-ALERT/CICS file will be checked and all records that have the original administrator user ID matching the RECLAIM ADMIN field will be displayed. You may browse through all the records using the PF keys provided. After you are satisfied that the correct records were selected, enter a Y to the question about changing the file. If you do not want to change the file, enter an N and no changes will be made.

Once records have been reclaimed, they will appear as permanent records for the administrator.

Only temporarily assigned records can be reclaimed.

Sample Panel

ADRO ** SECURED OPERATOR ADMINISTRATION ** RECLAIM

ENTER THE ADMINISTRATOR USER ID THAT IS TO RECLAIM OPERATOR RESOURCES.

RECLAIM ADMIN: A

RECORDS SELECTED - TOTAL 00128

DO YOU WANT THE CHANGES MADE TO THE FILE? _

USER ID NAME USER ID NAME
A ADMIN B ADMINB E AUDIT E Z ADMINZ 1 ADMIN1 A2 TESTADMIN ED ED G2 RALF J1 JAN RG RG

RECORDS 00001 TO 00016 OF 00128 PF7 = UP PF8 = DOWN ENTER = CHANGE

Field Descriptions

RECLAIM ADMIN
The administrator user ID that controls the operator resources that you want to reclaim. If this administrator has only permanent records, no matches will be found.

RECORDS SELECTED - TOTAL
The total number of records that originally belonged to this administrator and are now being administered by a temporary administrator.

DO YOU WANT THE CHANGES MADE TO THE FILE?
This field controls when changes are made to the file. If you want to apply the changes to the file, enter Y. If you do not want the file updated, enter N. This allows you to view records owned by any administrator in your system without changing them.

USER ID
The user ID of a selected record. This user ID can be used on the DAUP panel to view additional information about this operator.

NAME
The 20-character name field found in the operator record. It is provided to further identify the selected records.

Change Terminal Administration Panel

Purpose

Use the Change Terminal Administration panel to change the administrative ownership of terminal records. The changes can be made either permanently or temporarily. Permanent changes are helpful if a subadministrator will no longer be working with the system. Temporary changes can be used to provide coverage if a subadministrator is on vacation or is not able to be reached for some reason. Temporary changes can be reversed by using the reclaim transaction ADRT.

Access

To display the Change Terminal Administration panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter ADCT on any security panel.

Using the Panel

When the panel is displayed, enter the current administrator user ID that you want to change, the new administrator user ID that is to replace the current administrator user ID, and an indicator specifying whether this change is to be temporary or permanent.

All terminal records on the BIM-ALERT/CICS file will be checked and all records that belong to the administrator entered in the CURRENT ADMIN field will be displayed. You may browse through all the records using the PF keys provided. After you are satisfied that the correct records were selected, you must enter a Y to the question about changing the file. If you do not want to change the file, simply enter an N and no changes will be made.

Sample Panel

ADCT ** SECURED TERMINAL ADMINISTRATION ** CHANGE

ENTER THE CURRENT ADMINISTRATOR USER ID, NEW ADMINISTRATOR USER ID, AND WHETHER THE CHANGE IS TEMPORARY (T) OR PERMANENT (P).

CURRENT ADMIN: A NEW ADMIN: B CHANGE: T

RECORDS SELECTED - TOTAL 00021 PERMANENT: 00000 TEMPORARY: 00021

DO YOU WANT THE CHANGES MADE TO THE FILE? _

TERM OADM       TERM OADM       TERM OADM       TERM OADM
L100 AA         L102 AA         L200 A          L202 A
PAY1 ZZ         PAY3 XX         PAY5 CC         PAY6 CC
____ _________  ____ _________  ____ _________  ____ _________
____ _________  ____ _________  ____ _________  ____ _________
____ _________  ____ _________  ____ _________  ____ _________
____ _________  ____ _________  ____ _________  ____ _________

RECORDS 00001 TO 00013 OF 00013 PF7 = UP PF8 = DOWN ENTER = CHANGE

Field Descriptions

CURRENT ADMIN
The administrator user ID that you want to change. It is used as the selection criterion for matching terminal records. It must match the administrator user ID in the records exactly, including uppercase and lowercase. For example, XX does not match xx. If you have a question about how the administrator user ID was entered, you may use DTSI to display the terminal record. This user ID will be replaced by the NEW ADMIN field if the file is changed.

NEW ADMIN
The administrator user ID that will receive control of the selected records. This user ID will replace the current administrator user ID in each of the selected records. The administrator user ID must be a valid administrator on the S1SCTY file or an error will be displayed. This ensures that records are assigned to an administrator that can update the records.

CHANGE
The type of change. Valid types are T for temporary changes and P for permanent changes. If a change is made as permanent, no attempt is made to save the original administrator user ID. However, a record that is owned temporarily will retain its original owner information regardless of the change type. If a change is made as temporary, then the original ownership information will be saved and can later be reclaimed using the ADRT function. Refer to the description of RECORDS SELECTED below for more information.

RECORDS SELECTED

− TOTAL: The total number of records under control of the administrator entered in the CURRENT ADMIN field. All records belonging to this administrator will be available for display using the scrolling features of this panel.

− PERMANENT: The number of records for which the administrator entered in the CURRENT ADMIN field is the original owner. If an administrator adds a new resource under his control, this is the count that would be increased. It is normal for this field to match the total count.

− TEMPORARY: The number of records for which the administrator entered in the CURRENT ADMIN field is the temporary owner. This means he is controlling records for which he was not the original owner. This would happen if ADCT were used to make a temporary change of ownership of resources. This is useful when an administrator goes on vacation. The administrator has full power over all records displayed, but temporary records originally belonged to another administrator.

DO YOU WANT THE CHANGES MADE TO THE FILE?
This field controls when changes are made to the file. If you want to apply the changes to the file, enter Y. If you do not want the file updated, enter N. This allows you to view records owned by any administrator in your system without changing them.

TERM
The terminal ID of a selected record. This terminal ID can be used on the DTSI panel to view additional information about this terminal.

OADM
The original administrator user ID for any record that is temporarily owned. This is the administrator user ID that would be used in a reclaim operation. If this field is blank, the record is permanently owned by the administrator user ID entered in the CURRENT ADMIN field.

Reclaim Terminal Ownership Panel

Purpose

Use the Reclaim Terminal Ownership panel to reclaim all terminal resource records that have been temporarily assigned from one administrator to another.

Functions

To display the Reclaim Terminal Administration panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter ADRT on any security panel.

Using the Panel

When the panel is displayed, enter the administrator user ID of the terminal resources that you want to reclaim.

All terminal records on the BIM-ALERT/CICS file will be checked and all records that have the original administrator user ID matching the RECLAIM ADMIN field will be displayed. You may browse through all the records using the PF keys provided. After you are satisfied that the correct records were selected, enter a Y to the question about changing the file. If you do not want to change the file, enter an N and no changes will be made.

Once records have been reclaimed, they will appear as permanent records for the administrator.

Only temporarily assigned records can be reclaimed.

Sample Panel

ADRT ** SECURED TERMINAL ADMINISTRATION ** RECLAIM

ENTER THE ADMINISTRATOR USER ID THAT IS TO RECLAIM TERMINAL RESOURCES.

RECLAIM ADMIN: A

RECORDS SELECTED - TOTAL 00021

DO YOU WANT THE CHANGES MADE TO THE FILE? _

- SELECTED TERMINALS -
L100 L101 L102 L103 L200 L201 L202 L203 PAY1 PAY2 PAY3 PAY4 PAY5 PAY6 PAY7 PAY8
TST1 TST2 TST3 TST4 TST5 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____

RECORDS 00001 TO 00021 OF 00021 PF7 = UP PF8 = DOWN ENTER = CHANGE

Field Descriptions

RECLAIM ADMIN
The administrator user ID of the terminal resources that you want to reclaim. If this administrator has only permanent records, no matches will be found.

RECORDS SELECTED - TOTAL
The total number of records that originally belonged to this administrator but now are being administered by a temporary administrator.

DO YOU WANT THE CHANGES MADE TO THE FILE?
This field controls when changes are made to the file. If you want to apply the changes to the file, enter Y. If you do not want the file updated, enter N. This allows you to view records owned by any administrator in your system without changing them.

SELECTED TERMINALS
A list of all terminal records that have the designated administrator in the original administrator field. All records displayed will be returned to this administrator as permanent records if you change the file.
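The ownership rules described above for the ADCO/ADRO and ADCT/ADRT panels, modelled in Python as an added example (it is not BIM-ALERT/CICS code). The SecurityFile and Record classes and the operator and administrator IDs are constructed for illustration; handing a record back to its saved owner with a change instead of a reclaim is not covered by the page and is not modelled.

```python
"""Model of the change (ADCO/ADCT) and reclaim (ADRO/ADRT) ownership rules."""
from dataclasses import dataclass


@dataclass
class Record:
    record_id: str        # operator user ID or terminal ID
    admin: str            # administrator currently in control
    orig_admin: str = ""  # blank = permanently owned by `admin`


class SecurityFile:
    """Hypothetical in-memory stand-in for the operator/terminal records."""

    def __init__(self, valid_admins, records):
        self.valid_admins = set(valid_admins)
        self.records = list(records)

    def owned_by(self, current_admin):
        # Exact, case-sensitive match, as the CURRENT ADMIN field requires.
        return [r for r in self.records if r.admin == current_admin]

    def counts(self, current_admin):
        selected = self.owned_by(current_admin)
        temporary = sum(1 for r in selected if r.orig_admin)
        return {"TOTAL": len(selected),
                "PERMANENT": len(selected) - temporary,
                "TEMPORARY": temporary}

    def change(self, current_admin, new_admin, change_type, confirm="N"):
        if new_admin not in self.valid_admins:
            raise ValueError("NEW ADMIN is not a valid administrator")
        if change_type not in ("T", "P"):
            raise ValueError("CHANGE must be T or P")
        selected = self.owned_by(current_admin)
        if confirm != "Y":  # N: browse only, the file is left untouched
            return 0
        for r in selected:
            # A temporary change of a permanently owned record saves the owner.
            # A record already held temporarily keeps its saved owner for both
            # T and P; a permanent change never saves one.
            if change_type == "T" and not r.orig_admin:
                r.orig_admin = r.admin
            r.admin = new_admin
        return len(selected)

    def reclaim(self, reclaim_admin, confirm="N"):
        selected = [r for r in self.records if r.orig_admin == reclaim_admin]
        if confirm != "Y":
            return 0
        for r in selected:
            r.admin, r.orig_admin = reclaim_admin, ""  # permanent again
        return len(selected)

    def outstanding_delegations(self):
        """Review aid: records still held by a temporary administrator."""
        return sorted((r.orig_admin, r.admin, r.record_id)
                      for r in self.records if r.orig_admin)


def walkthrough():
    # Constructed sample data: three operators under A, one under B.
    f = SecurityFile({"A", "B", "C"},
                     [Record("OP1", "A"), Record("OP2", "A"),
                      Record("OP3", "A"), Record("OP4", "B")])
    out = {}
    out["browse_only"] = f.change("A", "B", "T", confirm="N")
    out["a_to_b_temp"] = f.change("A", "B", "T", confirm="Y")
    out["b_counts"] = f.counts("B")
    out["b_to_c_perm"] = f.change("B", "C", "P", confirm="Y")
    out["c_counts"] = f.counts("C")
    out["delegations"] = f.outstanding_delegations()
    out["reclaim_b"] = f.reclaim("B", confirm="Y")  # OP4 moved permanently
    out["reclaim_a"] = f.reclaim("A", confirm="Y")
    out["a_counts"] = f.counts("A")
    out["case_mismatch"] = len(f.owned_by("a"))
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

The walkthrough shows that a permanent hand-off from B to C does not erase A's claim on records B held only temporarily, while B's own record (OP4) can no longer be reclaimed.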

Inactive Time Limit Processing

Introduction

About Inactive Time Limit Processing

BIM-ALERT/CICS signs off a terminal or operator and blanks the panel if the inactive time limit defined on the terminal or operator basic profiles (ATSI/AAUP) is exceeded. This support can be optionally extended to a two-level sign-off process in conjunction with the FORCE DELAY parameter on the UPAR panel, as follows:

• If the FORCE DELAY parameter is set to all zeros (the default), the normal action is taken when the defined inactive time limit is reached; the terminal or operator is signed off and must sign on again to resume processing.

• If a FORCE DELAY value is set on the UPAR panel and the inactive time limit expires, the two-level sign-off process occurs. The information displayed on the panel is saved and encrypted. The following panel is then sent to the terminal and is displayed for the length of time specified in FORCE DELAY:

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
*                                                 *
*          INACTIVE TIME LIMIT EXCEEDED           *
*                                                 *
*      ENTER PASSWORD TO CONTINUE PROCESSING      *
*                                                 *
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

• An operator who returns before the secondary time limit expires can enter her password and continue processing where she left off.

• If the operator or anyone else does not correctly enter the password within the number of tries defined for maximum consecutive violations or if the secondary time limit expires without a password being entered, BIM-ALERT/CICS takes the following actions:

1. Signs off the terminal or operator
2. Blanks the panel
3. Discards the saved data

WARNING!

Using the two-level sign-off process with some terminal session managers may cause missing interrupts. If the logical device that is dialed to CICS is toggled away when the initial inactive time limit expires, the I/O performed to save the displayed data does not complete and causes a missing interrupt. If you are using terminal session manager products, you should thoroughly test this feature before using it on your production system.

If You Use Dynamic Terminal Security

If you are using the dynamic terminal security feature, BIM-ALERT/CICS may be unable to blank the panel or do any other special processing when an inactive time limit is exceeded. The terminal or operator is still signed off and must sign on again to resume processing.

When the inactive time limit expires, however, the terminal may not be logically connected to a TCTTE entry and there may be no way for BIM-ALERT/CICS to send any data to that terminal. If the terminal is connected to a TCTTE entry, inactive time limit processing continues as usual.

About Conversational Tasks

Conversational tasks will not participate in the two-level sign-off process. Because the terminal is in a device-busy state when the inactive time limit occurs, there is no way to break in and save the data on the panel. The user will be able to enter his password and continue, but will have to restart the conversational task. For more information, see the description of conversational tasks on page 9-18.

S140 Task

Introduction

The S140 task is the inactive time limit processing driver. S140 always shows as a suspended task when you issue the CEMT INQ TASK command. S140 activates itself every 30 seconds and scans the BIM-ALERT/CICS terminal and operator tables for inactive time limit violations. If it finds no violations, S140 suspends itself for another 30 seconds.

Tasks Started by S140

If a terminal or operator has exceeded its inactive time limit, S140 starts another task (S144 for two-level timeout or S145 for single-level timeout) to sign off the terminal or operator and blank the panel. When S140 starts another task, it also starts a new S140 task and ends the current S140 task.

S140 Response Time Statistics

Because S140 ends only when a terminal or operator exceeds its inactive time limit, some CICS monitors report unusual S140 response time statistics. You can ignore these statistics because S140 does not run on a terminal and therefore has no response time.

If S140 Abends or Is Purged

If S140 abends or is purged by an operator, BIM-ALERT/CICS is unable to perform inactive time limit processing. An operator who is authorized to execute the CECI transaction can enter the following command to restart it:

CECI START TRANSID(S140)

When you start S140, do not associate it with a terminal.

Conversational Tasks

Conversational tasks can cause problems for BIM-ALERT/CICS users if the execution of theconversational tasks lasts longer than the operator's or terminal's inactive time limit. Forexample, if an operator has an inactive time limit of five minutes and that operator runs aconversational task that takes six minutes to complete, BIM-ALERT/CICS will sign theoperator off even though the terminal has been in constant use. This happens because BIM-ALERT/CICS does not see any activity from conversational tasks.

To correct this problem, you can activate two CICS global user exits provided with BIM-ALERT/CICS. These exits are called any time a terminal I/O is detected.

To activate these exits, add the following entry to the PLTPI start-up table:

DFHPLT TYPE=ENTRY,PROGRAM=S1S141

You must also specify EXITS=YES in the DFHSIT table or as a SIT override at CICS start-up.

WARNING! Failure to specify EXITS=YES in the CICS start-up parameters may result in a DFH0405 abend at start-up. This has nothing to do with the USER EXITS REQ field on the SCTY UPAR panel. You may have USER EXITS REQ specified as NO and still use this feature to prevent time-out of conversational tasks.

Exit points in the violation logger S1S190 and in the inactive time-limit processor S1S145 allow user cleanup after violations (including inactive time-limit violations).

User cleanup prevents a user from inadvertently entering a transaction in the middle, ensures that user data is cleared from the TCTUA, and so on.

Assume that a pseudo-conversational transaction writes a temporary storage record before returning. The temporary storage record contains information about the function that should be performed next. If the task times out with the temporary storage record still out there and a different operator signs on to that terminal and enters the same transaction ID, processing could resume at the point where the previous user left off.

The source for the supplied S1S900 module is cataloged during installation. It contains sample code to show you how to perform certain kinds of cleanup. If you do not need the kind of cleanup provided by S1S900, optional feature #3 is provided to disable the link to it in both S1S145 and S1S190. See page 9-47.


User-Callable Interfaces

Introduction

The user-callable interface is supported in both command-level and macro-level programs. Each of these types of interfaces is explained in the following sections.

Command-Level Interface

The callable security interface used with BIM-ALERT/CICS allows you to validate user passwords or to secure resources that may not be known to CICS as normal resources. These resources can be placed in any of the BIM-ALERT/CICS security tables if the resource name is no longer than the maximum allowed for the specific table. For example, transaction resources can be from one to four characters, while programs and files can be from one to eight characters.

To invoke the user-callable interface, your program must build a parameter list containing a return code field, the type of resource (for example, FL for files), the name of the resource, the type of request (that is, I for inquiry, browse, or read; or U for add, update, or delete), and an action code. This parameter list should be built in the program COMMAREA. If your COMMAREA contains data other than the callable interface parameter list, the callable interface parameter list must be at the beginning of the COMMAREA.

Once the parameter list is built, you can invoke the user-callable interface by linking to S1S199 and passing the COMMAREA. S1S199 will examine the parameter list and call the appropriate monitor to do the actual checking.

The results of the check are moved into the return code field of the COMMAREA and control is returned to your program by S1S199.

If the resources that you are checking are not defined to CICS (in the PCT, PPT, or FCT), you must add them to BIM-ALERT/CICS as preloaded (status P) resources.

The user-callable interface does not restrict the type of resource you can validate. For example, you could check a transaction and two program resources by using three separate calls to the callable interface program (S1S199) at the same logical point in your user code. This allows you to stack security requests and provides a great deal of flexibility.


Positive return codes from the interface indicate the actual reason a resource is being rejected.

Negative numbers are used when BIM-ALERT/CICS is unable to perform the requested security check. There are only a few of these (-1 to -6) since BIM-ALERT/CICS does not do I/O to perform security and therefore VSAM return codes are not needed. A return code of zero means access is permitted.

The current list of the values and the meanings are shown in the following table. You can use this information to make decisions about what messages you would like to display to the user. It is also the information that determines what action you will take concerning whether or not the program can continue.

| Return Code | Meaning |
|---|---|
| +128 (X'0080') | Terminal not secured. |
| +120 (X'0078') | Possible map alteration (size error). |
| +104 (X'0068') | Unauthorized administrator for resource. |
| +072 (X'0048') | Operator not authorized to update this file. |
| +070 (X'0046') | Operator not authorized this file. |
| +068 (X'0044') | Operator not authorized to update any file. |
| +066 (X'0042') | Terminal not authorized to update this file. |
| +064 (X'0040') | Terminal not authorized this file. |
| +056 (X'0038') | Terminal not authorized to update any file. |
| +054 (X'0036') | File is INQUIRY only. |
| +052 (X'0034') | File scheduled access times expired. |
| +050 (X'0032') | Operator not authorized for this program. |
| +048 (X'0030') | Terminal not authorized for this program. |
| +040 (X'0028') | Program scheduled access times expired. |
| +038 (X'0026') | Operator not authorized for this transaction. |
| +036 (X'0024') | Terminal not authorized for this transaction. |
| +032 (X'0020') | Transaction scheduled access times expired. |
| +024 (X'0018') | Operator inactive time limit exceeded. |
| +022 (X'0016') | Operator not within scheduled access times. |
| +020 (X'0014') | Operator prohibited from system access. |
| +018 (X'0012') | Operator not signed on. |
| +016 (X'0010') | Terminal inactive time limit exceeded. |
| +008 (X'0008') | Terminal not signed on. |
| +006 (X'0006') | Terminal not within scheduled access times. |
| +005 (X'0005') | Maximum consecutive violations detected. |
| +004 (X'0004') | Maximum violations detected. |
| +000 (X'0000') | Access is authorized. |
| -1 (X'FFFF') | Named resource not found. |
| -2 (X'FFFE') | Security facility for this request is not active. |
| -3 (X'FFFD') | Terminal not secured to BIM-ALERT/CICS. |
| -4 (X'FFFC') | BIM-ALERT/CICS not in this system. |
| -5 (X'FFFB') | Parameter list invalid: invalid length or resource type not TR, PR, FL, or SC. |
| -6 (X'FFFA') | Resource was found but has disabled status. |

Page 218: CICS EXTERNAL SECURITY SYSTEM SECURITY … · ALERT/CICS. Subject Manual Installation The BIM-ALERT Installation and Operations Guide explains how to install and maintain BIM-ALERT/VSE

Command-Level Interface User-Callable Interfaces

9-22 Security Administrator's Guide

The following table shows the possible values that can be used in a call to BIM-ALERT/CICS security. The ACCESS TYPE field is valid only if the resource type is FL; it is ignored by all other monitors.

| Offset | Type | Length | Description |
|---|---|---|---|
| +0 | H | 2 | Return code. Positive: Deny (Hex reason). For a list of possible hex reasons, see page 9-20. Zero: Access allowed. Negative: Error access unknown. |
| +2 | C | 2 | Resource type. TR: Transaction. PR: Program. FL: File. SC: Password (Password). |
| +4 | C | 8 | Resource name or password (left justified, blank filled). |
| +C | C | 1 | Access type (files only). I: Inquiry, read, browse. U: Update, add, delete. |
| +D | C | 1 | Action type. V: Validate only and return. |
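
One way a command-level COBOL program could call S1S199 with the parameter list above and stack a transaction check and a file check, shown as an added example that is not part of the BIM-ALERT documentation. It assumes a COBOL 85-level compiler; the program name SECCHK01, the resources PAY1 and PAYMAST, the WS- names and the -99 sentinel are hypothetical. Because a negative return code means the check could not be performed, the caller proceeds only on zero and treats every other value, and any LINK failure, as a refusal.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SECCHK01.
      * Added example. SECCHK01, PAY1, PAYMAST, the WS- names and the
      * -99 sentinel are hypothetical. S1S199, the 14-byte layout and
      * the return-code ranges are taken from this guide.
       ENVIRONMENT DIVISION.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-RESP                 PIC S9(8) COMP.
       01  WS-PARM-LEN             PIC S9(4) COMP VALUE +14.
       01  WS-OUTCOME              PIC X     VALUE 'E'.
           88  ACCESS-PERMITTED              VALUE 'P'.
           88  ACCESS-DENIED                 VALUE 'D'.
           88  ACCESS-UNVERIFIED             VALUE 'E'.
       01  WS-MSG.
           05  FILLER              PIC X(24)
                                   VALUE 'ACCESS REFUSED, REASON: '.
           05  WS-MSG-RC           PIC -(4)9.
       01  WS-MSG-LEN              PIC S9(4) COMP VALUE +29.
      * Parameter list. It must sit at offset 0 of the COMMAREA.
       01  SEC-PARMS.
           05  SEC-RETURN-CODE     PIC S9(4) COMP.
           05  SEC-RESOURCE-TYPE   PIC X(2).
           05  SEC-RESOURCE-NAME   PIC X(8).
           05  SEC-ACCESS-TYPE     PIC X.
           05  SEC-ACTION-TYPE     PIC X.
       PROCEDURE DIVISION.
       0000-MAIN.
      * Stack two checks at the same logical point: the function
      * (a transaction resource) and the file it is about to update.
           MOVE 'TR'      TO SEC-RESOURCE-TYPE
           MOVE 'PAY1'    TO SEC-RESOURCE-NAME
           MOVE SPACE     TO SEC-ACCESS-TYPE
           PERFORM 1000-CHECK-ACCESS
           IF ACCESS-PERMITTED
               MOVE 'FL'      TO SEC-RESOURCE-TYPE
               MOVE 'PAYMAST' TO SEC-RESOURCE-NAME
               MOVE 'U'       TO SEC-ACCESS-TYPE
               PERFORM 1000-CHECK-ACCESS
           END-IF
           IF ACCESS-PERMITTED
      *        Both checks passed; the caller's update logic runs here.
               CONTINUE
           ELSE
               PERFORM 2000-REFUSE
           END-IF
           EXEC CICS RETURN END-EXEC.
           GOBACK.
       1000-CHECK-ACCESS.
      * Fail closed: stay "unverified" until S1S199 reports a result.
           SET ACCESS-UNVERIFIED TO TRUE
           MOVE -99 TO SEC-RETURN-CODE
           MOVE 'V' TO SEC-ACTION-TYPE
           EXEC CICS LINK PROGRAM('S1S199')
                COMMAREA(SEC-PARMS)
                LENGTH(WS-PARM-LEN)
                RESP(WS-RESP)
           END-EXEC
           IF WS-RESP = DFHRESP(NORMAL)
               EVALUATE TRUE
                   WHEN SEC-RETURN-CODE = ZERO
                       SET ACCESS-PERMITTED TO TRUE
                   WHEN SEC-RETURN-CODE > ZERO
                       SET ACCESS-DENIED TO TRUE
                   WHEN OTHER
      *                Negative: the check could not be performed.
                       CONTINUE
               END-EVALUATE
           END-IF.
       2000-REFUSE.
      * Show the reason code; no protected work has been done.
           MOVE SEC-RETURN-CODE TO WS-MSG-RC
           EXEC CICS SEND TEXT FROM(WS-MSG) LENGTH(WS-MSG-LEN)
                ERASE FREEKB
           END-EXEC.
```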


Macro-Level Interface

A macro-level program cannot pass validation data to the user-callable interface via a COMMAREA, so the calling program must perform the functions of the interface program that the command-level call (S1S199) links to.

The functions that the calling program must perform are as follows:

• It must pass the parameter list via temporary storage services. The format of the list is the same as the format described in the table on page 9-22. The name of the temporary storage queue is built by using the terminal ID as the first four characters of the name and the literal SCTY as the last four characters (for example, L2D0SCTY). The queue entry passed to perform the validation must be the only entry in the queue.

• It must determine which of the callable interface modules to call. If the resource is defined in the BIM-ALERT/CICS transaction table, you must issue a LINK to S1S200 to perform the validation. If the resource is defined in the program security table, you must call S1S210 to do the validation. If the resource in question is defined to BIM-ALERT/CICS as a file, then you must call S1S220 to validate the user's authority. You must call S1S282 to perform a password validation.

• It must read the temporary storage queue when the callable interface module returns control to determine whether the authority should be granted. The return code is passed back in the queue with the same values as those discussed previously. Also, the calling program should purge the queue after it examines the return code.


Securing BIM-ALERT Functions and UFO Resources

Securing BIM-ALERT Functions

The SCTY transaction has its own internal security built into it to prevent any non-administrator from executing any of the SCTY functions (ASTR, ACTO, etc.) and to prevent sub-administrators from performing main administrator functions (ASTR, ASPR, etc.).

There are occasions, however, when you may want to provide even stricter security for the BIM-ALERT/CICS functions. For example, you might have a night operator who needs to be able to activate operators and terminals but who should not have other administrative capabilities. Defining security for such a night operator can be accomplished very easily.

The menu driver program has a call to the BIM-ALERT callable interface built in prior to dispatching any function. This allows you to define each BIM-ALERT function as a secured transaction with status P. These functions can be added to administrators' profiles as authorized transactions. If the menu driver receives a "not allowed" return code from the callable interface, it will be handled like any other transaction violation, thus denying access to BIM-ALERT functions even though they are not defined to CICS as transactions.


Securing UFO Resources

BIM-ALERT/CICS provides a security exit program, S1SUFOXT, that can be used to authorize UFO procedures, applications, and datasets to BIM-ALERT/CICS operators and terminals as secured programs or files. This security exit is supported at release 3 of UFO. Refer to the section about security exits in the UFO Customization and Operation Guide for more information about defining the exit to the UFO system.

UFO applications and procedures that you want to secure must be defined to BIM-ALERT/CICS as secured programs with status P. Once they are defined to the system, they can be authorized to users just like any other secured program. BIM-ALERT/CICS program security must be activated for UFO applications or procedures to be secured.

UFO datasets that you want to secure must be defined to BIM-ALERT/CICS as secured files with status P. Once they are defined to the system, they can be authorized to users just like any other secured file. BIM-ALERT/CICS file security must be activated for UFO datasets to be secured.

The security exit, by default, runs in cancel mode. In other words, whenever access is denied to some UFO resource, it is handled just like any other program or file authorization failure: the violation is logged to the BIM-ALERT/CICS log file, and the task is abended.

Optionally, you can set up the exit to just return control to UFO on an access failure and thereby let UFO handle the failure. In this mode, UFO issues an error message to the user, but the user remains in UFO and therefore can continue working from that point instead of having to start a new UFO session. In this mode, access authorization failures are not written to the BIM-ALERT/CICS log file.


Setting Up an Interface with CA-ALERT for VM

Introduction

You can set up an interface with CA-ALERT for VM. Establishing this interface allows you to automatically update the CA-ALERT for VM database when you make changes in BIM-ALERT/CICS.

Support of this interface requires version 05.01.xx of CA-ALERT for VM. However, you can still synchronize passwords between the two products if you are not yet on version 05.01.xx.

The following table lists the requirements for setting up the interface to CA-ALERT for VM for each user ID:

| On This Panel | In This Field | Specify This Information |
|---|---|---|
| System Version Information | OPTIONAL FEATURES | An asterisk (*) in option 26. This enables the BIM-ALERT/CICS / CA-ALERT for VM communications. For more information about optional features, see page 9-47. |
| BIM-ALERT User Profile | EXT/SEC | YES. This enables BIM-ALERT/CICS to call CA-ALERT for VM for this specific user. For more information about the EXT/SEC field, see page 6-13. |
| BIM-ALERT User Profile | MODEL | A valid CA-ALERT for VM user ID. For more information about the MODEL field, see page 6-9. |
| BIM-ALERT User Profile | USERID | The user's VM CMS user ID. For more information about the USERID field, see page 6-9. |


Updating CA-ALERT for VM Security Files

If you made all of the changes listed in the previous section, the following security file updates will take place automatically in CA-ALERT for VM when the corresponding action occurs in BIM-ALERT/CICS:

| If This Person | Performs This Action in BIM-ALERT/CICS | This Occurs in CA-ALERT for VM |
|---|---|---|
| User or security administrator | Changes a password. | The CA-ALERT for VM password changes to match it. This update occurs only if the change to the BIM-ALERT/CICS password conforms to CA-ALERT for VM requirements. For more information on these requirements, see the CA-ALERT for VM Security Administrator's Guide. |
| Security administrator | Deletes a user profile (STATUS=E). | The user ID is deleted from the database. |
| Security administrator | Adds a user profile. | The user ID is added to the database, initially using the profile settings of the user ID specified in the MODEL field. |
| User | Signs on using a CA-ALERT for VM password. | Nothing. Instead, the BIM-ALERT/CICS password is updated to match the one the user entered. |


The following security file updates will take place automatically in BIM-ALERT/CICS when the corresponding action occurs in CA-ALERT for VM:

| If This Person | Performs This Action in CA-ALERT for VM | This Occurs in BIM-ALERT/CICS |
|---|---|---|
| User or security administrator | Changes a password. | The BIM-ALERT/CICS password changes to match it. This update occurs only if the change to the CA-ALERT for VM password conforms to BIM-ALERT/CICS requirements. For more information on these requirements, see page 6-13. |
| Security administrator | Deletes a user ID. | The user ID is deleted from the database. |
| Security administrator | Adds a user ID. | The user ID is added to the database, initially using the profile settings of the user ID specified in the SET MODELID parameter. |

Because of the internal communications methods employed in this interface, changes initiated in CA-ALERT for VM can take up to five minutes to appear in BIM-ALERT/CICS. Changes initiated in BIM-ALERT/CICS appear in CA-ALERT for VM immediately.


Generating BIM-ALERT/CICS Logos

Introduction

BIM-ALERT/CICS can dynamically load logos into the Terminal and Operator Sign-On panels. BIM-ALERT/CICS also allows logos to be customized on a terminal-by-terminal basis using the LOGO SUFFIX field of the ATSI panel. This allows you to create different logos for terminals that are in special locations such as branch offices, separate departments, or even foreign countries. Since each separate logo can have its own HELPLOGO, you can customize the procedure to be used if operators need help during sign-on at remote locations.

How Logo Names are Generated

BIM-ALERT/CICS uses the following process to generate the name of the individual logo that it displays on each terminal:

1. It finds the name specified in the LOGO field on the UTOP panel.

2. It finds the two-character suffix specified in the LOGO SUFFIX field on the ATSI panel.

3. It substitutes the two-character LOGO SUFFIX for the last two nonblank characters of the LOGO.

Consider the following example:

1. The name specified in the LOGO field on the UTOP panel is BIMLOGO.

2. The name specified in the LOGO SUFFIX field on the ATSI panel for terminal L2D0 is G1. The name specified in the LOGO SUFFIX field on the ATSI panel for terminal L2D1 is ## (## is the default).

3. When an operator signs on to terminal L2D0, BIM-ALERT/CICS displays the logo module BIMLOG1. When an operator signs on to terminal L2D1, BIM-ALERT/CICS displays the logo module BIMLOGO because ## signifies that there is no special logo for this terminal.


Customizing Logos

If you use different logos for different terminals, you must catalog the logo modules with the correct names when you assemble and link them. You must assemble and link one logo module for each suffix that you specify. If BIM-ALERT/CICS cannot locate the correct logo at sign-on time, it returns the sign-on panel without a logo and displays a message stating that it could not find the logo module. Sign-on continues in the normal manner.

You can also use the ALRTLOGO macro to customize the fields on the Terminal and Operator Sign-On panels. Any field name can be changed to correspond to the needs of the terminal receiving the specific logo. For example, if you have an office in France, you could have French field names on the sign-on panel, a customized French logo, and a French help panel.

While it is possible to change the value of any sign-on field literal, it is not possible to increase the length of the field on the panel. This means that if the current literal is five characters long (for example, NAME:), you cannot replace it with ten characters (for example, USER NAME:) because the extra characters will not fit on the panel. You can shorten any field if you need to. ALRTLOGO will detect any attempt to increase a field and produce a message telling you which field is in error. Any field containing a length error will be ignored and replaced with the default data until the length error is corrected.

You also have control over the attributes of some of the fields, so you can determine whether you want your users to access a particular feature during sign-on. For example, you can make the attribute for the new code and new code-check fields SKIP and both the literals and the entry fields would be removed from operator view. Notice that some fields are controlled as a group, so that entering a single attribute parameter may make multiple fields disappear from the sign-on panel. This prevents inconsistent combinations of fields. If just a logo is generated, no change in the sign-on panel would be noticed.


The following tables list ALRTLOGO entries that you can use to change the sign-on panel fields and attributes. Note that you can change both the Operator and Terminal Sign-on panel field names.

ALRTLOGO Entries to Change Operator Fields:

| Entering | Changes This Operator Field | Maximum Length |
|---|---|---|
| OSECLIT= | PASSWORD: | 14 |
| ONUMLIT= | USER ID | 13 |
| ONAMATT= | NAME ATTRIBUTE | N/A |
| ONAMLIT= | NAME: | 5 |
| RECNATT= | RECONNECT ATTRIBUTE | N/A |
| RECNLIT= | RECONNECT: | 10 |
| ONCDATT= | NEW PSWD/CHECK ATTRIBUTE | N/A |
| ONCDLIT= | NEW PASSWORD: | 18 |
| ONCCLIT= | NEW PSWD CHECK: | 15 |
| TERMLIT= | TERMINAL ID: | 12 |
| TSECLIT= | PASSWORD: | 14 |
| TNCDATT= | NEW PSWD/CHECK ATTRIBUTE | N/A |
| TNCDLIT= | NEW PASSWORD: | 18 |
| TNCCLIT= | NEW PSWD CHECK: | 15 |

Normally you would change only those fields that end with the characters LIT, since these are the fields that are visible on the sign-on panels. The fields that end with the characters ATT are used to control whether the operator is allowed to use a set of fields on the panel. The only valid entry for fields that end with ATT is the word SKIP. If a field is set to SKIP, both the literal data (what you see on the panel) and the entry field (where you enter data) will disappear, leaving a blank space on the panel. In addition, the operator will not be able to enter data into these fields, which could affect the sign-on process. If you want to prevent operators from changing their own passwords at sign-on, you can code ONCDATT=SKIP to prevent the fields used to change the passwords from appearing on the panel. This is a case where a single entry to ALRTLOGO causes four fields to be removed from the panel.


To aid you in the correct preparation of these logos, a macro has been provided in the source library. Your logos can be from 1 to 20 lines in length and each line can be from 1 to 79 characters long.

You have control over the attributes of each line. You specify N for normal (this is the default), B for bright, and D for dark or nondisplay. You also have control over the color and highlighting of each line. Acceptable values for color are G (Green) (the default value), R (Red), Y (Yellow), B (Blue), W (White), P (Pink), and T (Turquoise). Acceptable values for highlighting are B (Blink), R (Reverse), and U (Underline). If a highlighting value is not specified for a given line, no highlighting occurs on that line.

The following is a sample of the jobstream, including the ALRTLOGO macro, required to customize a logo:

// JOB ALRTLOGO
// LIBDEF SOURCE,SEARCH=PRODLIB.ALERT
// LIBDEF PHASE,CATALOG=PRODLIB.ALERT
// OPTION CATAL
 PHASE BIMLOG2,*
// EXEC ASSEMBLY

[Start the following two lines in column 10]

         TITLE 'THIS IS A TEST OF THE LOGO MACRO'
         ALRTLOGO A1=B,A2=D,A3=B,A10=B,C1=R,C2=B,C3=R,C10=T,H1=B,H10=R,C

[Start the following eight lines in column 16]

               L1='1234567890123456789012345678901234567890123456789012C
               345678901234567890123456789',                           C
               L2=' THIS IS LINE 2',                                   C
               L10=NO.QUOTES,                                          C
               L3='ENTERED OUT OF ORDER',                              C
               OSECLIT='PASSWORD:',  change PASSWORD: to PASSWORD:     C
               ONCDATT=SKIP          prevent operators from changing passwords
         END
/*
// EXEC LNKEDT,SIZE=128K
/&


To specify the attribute for a particular line, use the Ann=x parameter. For example, A16=B makes line 16 appear bright.

To specify a color for a particular line, use the Cnn=x parameter. For example, C16=P makes line 16 appear pink. To specify highlighting attributes, use the Hnn=x parameter. For example, H16=B makes line 16 blink. The Cnn and Hnn parameters are honored only on terminals that support extended attributes; they are ignored on all other terminals.

To enter the actual line data that is to appear on the sign-on panel, use the Lnn=string parameter. Lines, attributes, and literals can be entered in any order.

Catalog the module generated to the BIM-ALERT/CICS residence sublibrary for use in the sign-on routine. You may catalog as many modules as you want, but only one logo family can be in use at any time. (Refer to the explanation of the LOGO field on the UTOP panel for more information.)

Then enter the name of the desired module or logo family on the UTOP panel. The module will be edited both at UTOP entry and again when loaded for the actual logo build process. Any errors are reported for correction.

The sign-on program S1S610 allows the operator to request help information at sign-on time by entering HELP in the password field. This help information must be contained in a special logo called HELPLOGO. It is created like any other logo, but must have this special name. If you do not have a HELPLOGO module, a blank logo will be sent if the operator enters HELP.

You can create different help panels for each logo in a family. Use the same two-character suffix for the help as you do for the logo. For example, LOGOGOD4 would have a help logo name of HELPLOD4.


Maintaining BIM-ALERT/CICS Messages

Introduction

All messages (both GKxxx and violation messages) accessed by BIM-ALERT/CICS are maintained and stored in one or more VSAM files. You must define the files containing the messages to CICS in the FCT. The security administrator determines whether multiple message files are used. This section describes how to maintain message files and how to set up your system to use multiple message files.

The message support provided by MMSG replaces the macro support provided by ALRTEMSG and ALRTUMSG. Because all messages can now be changed dynamically using MMSG, ALRTEMSG and ALRTUMSG are no longer supported.


Tailor BIM-ALERT Administrator Messages Panel

Use the Tailor BIM-ALERT Administrator Messages panel to display, browse, or update messages in the file. If you are not sure of a particular message, you can enter a message number on the panel and use PF8 to browse forward or PF7 to browse backward. After making changes, press ENTER to update the file.

To access the Tailor BIM-ALERT Administrator Messages panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter MMSG on any BIM-ALERT/CICS panel.

MMSG          TAILOR BIM-ALERT ADMINISTRATOR MESSAGES          UPDATE

ENTER TABLE SUFFIX: ##          ENTER MESSAGE NUMBER: GK000

MESSAGE TEXT:
1 . . . | . . . .10 . . . . | . . . .20 . . . . | . . . .30 . . . . | . . . .40
| | | | |
G K 0 0 0   P E R M A N E N T   S E C U R I T Y   O P T I O N S   U P D A T E   C O M P L E T E
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

SUBSTITUTION VARIABLES:
TERMINAL= TERMINAL          TRANSACTION= TRANSACTION     COMPANY= COMPANY
OPERATOR= OPERATOR          PROGRAM= PROGRAM             DIVISION= DIVISION
FILE= FILE                                               DEPT= DEPARTMENT
MAP= MAP                                                 SECTION= SECTION
FIELD RESRC= FIELD RSRC.                                 GROUP= GROUP

PF3=MENU4 PF7=PREVIOUS PF8=NEXT

GK711 ENTER MESSAGE UPDATES -OR- PF KEYS TO BROWSE

The Tailor BIM-ALERT Administrator Messages panel consists of two parts. Use the top part of the panel to display and update the text of messages. Use the bottom part of the panel to update the values for the variables in the message.


Maintaining Message Text

Use the top part of the Tailor BIM-ALERT Administrator Messages panel to display and update the text of the various messages issued by BIM-ALERT/CICS. You can display a particular message by entering the message number, or you can use PF8 to browse forward or PF7 to browse backward through the file.

When a message is displayed on the panel, BIM-ALERT/CICS determines the maximum length needed for that message and unprotects the correct amount of fields on the panel. The scale is displayed for reference only, and is not part of the message.

After the message text is displayed and you have made your changes, press ENTER to update the file with the changes. The new message is displayed the next time it is issued.

Although not required, it is strongly recommended that you leave the message number defined as part of the message text. It is easier to identify and correct problems if the message numbers are displayed with the message. Deleting the message number from the text makes it difficult to locate the message in the file, and therefore more difficult to work with technical support representatives to identify and correct problems.

| Field | Meaning |
|---|---|
| ENTER TABLE SUFFIX | Use this field to override the default message table if you want to use multiple message files. This field defaults to the message suffix defined for the terminal or operator from which access was requested. Enter the two-character suffix of the message file name for the message you want to access. |
| ENTER MESSAGE NUMBER | Use this field to access a message directly by entering the key of the message on the message file. If you are not sure of the message number, use PF7 and PF8 to browse through the file and search for the message. All administrator, signon, and batch processing message numbers begin with the characters GK. All violation message keys begin with the characters VIOL and end with a two-digit violation code. See the BIM-ALERT Messages Guide for a list of all message numbers. The key of each message is shown in parentheses after the message text. |


Maintaining Variables

When To Change User-Defined Variables:
Use the bottom part of the panel (TERMINAL=, OPERATOR=, and so on) to update values for variables defined as part of the message. You would alter a user-defined variable if the message table is in a language other than English and you want your variables in the same language. For example, you can update the transaction variable to the German spelling, "transaktion," so the entire panel is in German.

The message processors (S1SMSGO and S1BMSGO) automatically insert the correct user-defined variables into the message. The security administrator can alter the value for user-defined variables so that the value set for a variable type is inserted into the message whenever the requesting program indicates that variable type to S1SMSGO.

To Put a New Variable Into Effect Immediately:
When you update a variable, S1SMSGO must be newcopied to place the new variable into effect immediately. S1SMSGO maintains a copy of the variable information in the program to cut down on I/O to the message file during processing, and therefore requires a newcopy for any variable change to take effect immediately.

Message Processing:
After the correct message is selected, the message processor scans for an 11-character string of Vs. The program requesting the message indicates to the message processor the variable to insert in place of the Vs. The variable can have up to fifteen characters.

Important: Regardless of the length of the variable information, the placement of the variable in the message must always be indicated by a string of 11 Vs.

Multiple Variables in a Message:
You can have multiple variables in a message, but the message processor replaces only the number of variables existing in the default message. For example, if you add a second string of Vs to GK226 in the above Tailor BIM-ALERT Administrator panel, the second string is not replaced with a variable because the program requesting the message expects only one variable. Therefore, only the first string is replaced.

Fixed Variables:
Other variable information (return codes, program names) can be passed to the message processor. The location of this variable information is indicated in the message by a string of eight Xs. The length of the variable information can be more or less than eight characters.

If you add more variable strings than the original, no information is inserted in them. If you delete a variable string, that variable information will not be displayed.

If you change a message containing more than one string of eight Xs, make sure you keep the variables in the same order. The program requesting the message passes the variable data to the message processor in the same order as it is displayed. See the following example.


MMSG            TAILOR BIM-ALERT ADMINISTRATOR MESSAGES            UPDATE

ENTER TABLE SUFFIX: ##        ENTER MESSAGE NUMBER: GK025

MESSAGE TEXT:
1...|....10....|....20....|....30....|....40
GK025 INITIALIZING BIM-ALERT/CICS VER XXXXXXXX PTF LEVEL XXXXXXXX

SUBSTITUTION VARIABLES:
TERMINAL= TERMINAL    TRANSACTION= TRANSACTION    COMPANY= COMPANY
OPERATOR= OPERATOR    PROGRAM= PROGRAM    DIVISION= DIVISION
FILE= FILE    DEPT= DEPARTMENT
MAP= MAP    SECTION= SECTION
FIELD RESRC= FIELD RSRC.    GROUP= GROUP

PF3=MENU4  PF7=PREVIOUS  PF8=NEXT

GK711 ENTER MESSAGE UPDATES -OR- PF KEYS TO BROWSE

Suppose message GK025 in the preceding panel were updated to the following:

GK025 INITIALIZING PTF LEVEL XXXXXXXX OF BIM-ALERT/CICS VERSION XXXXXXXX

In this example, the variable information would be reversed. The variable information for the PTF Level would be inserted in the first set of Xs, corresponding to the Version, and the variable information for the Version would be inserted in the second set of Xs, corresponding to the PTF Level.
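The substitution rules in this section can be modelled in a few lines of Python. This is an added illustration, not BIM-ALERT code: the function names, the left-to-right replacement logic, the message GK999, and the sample values are assumptions built only from the rules stated above.

```python
import re

# Placeholder conventions from this section: a user-defined variable is marked
# by a string of exactly 11 Vs, other variable data by a string of exactly 8 Xs.
V_MARK = re.compile(r"(?<!V)V{11}(?!V)")
X_MARK = re.compile(r"(?<!X)X{8}(?!X)")
V11, X8 = "V" * 11, "X" * 8

# GK025 as shown in the sample panel, and the reordered edit discussed above.
DEFAULT_GK025 = f"GK025 INITIALIZING BIM-ALERT/CICS VER {X8} PTF LEVEL {X8}"
EDITED_GK025 = f"GK025 INITIALIZING PTF LEVEL {X8} OF BIM-ALERT/CICS VERSION {X8}"

# Constructed message (GK999 is hypothetical) with one V string by default,
# and an edit that adds a second V string.
DEFAULT_GK999 = f"GK999 {V11} IS NOT DEFINED"
EDITED_GK999 = f"GK999 {V11} IS NOT DEFINED TO {V11}"


def _fill(text, marker, values, limit):
    """Replace placeholders left to right, at most `limit` of them."""
    n = min(limit, len(values))
    if n == 0:  # re.sub treats count=0 as "replace all", so stop here
        return text
    supplied = iter(values)
    return marker.sub(lambda m: next(supplied), text, count=n)


def render(edited, default, user_vars=(), fixed_vars=()):
    """Assumed model of the message processor: the caller supplies values in
    the order of the default message, and only as many placeholders as the
    default message contains are replaced."""
    out = _fill(edited, V_MARK, list(user_vars), len(V_MARK.findall(default)))
    return _fill(out, X_MARK, list(fixed_vars), len(X_MARK.findall(default)))


def check_edit(default, edited):
    """Checks an administrator can run on an edited message before saving it.
    Placeholder order cannot be checked: every X string looks the same."""
    problems = []
    number = default.split()[0]
    if number not in edited:
        problems.append(f"message number {number} removed from text")
    for name, marker, width in (("V", V_MARK, 11), ("X", X_MARK, 8)):
        want, got = len(marker.findall(default)), len(marker.findall(edited))
        if want != got:
            problems.append(f"{name} placeholders: default has {want}, edited has {got}")
        for run in re.findall(name + "{5,}", edited):
            if len(run) != width:
                problems.append(f"run of {len(run)} {name}s is not a valid placeholder")
    return problems


if __name__ == "__main__":
    # Caller passes (version, PTF level) in the default order; values constructed.
    print(render(DEFAULT_GK025, DEFAULT_GK025, fixed_vars=["5.0", "A"]))
    print(render(EDITED_GK025, DEFAULT_GK025, fixed_vars=["5.0", "A"]))
    print(check_edit(DEFAULT_GK025, EDITED_GK025))
    print(render(EDITED_GK999, DEFAULT_GK999, user_vars=["TRANSAKTION"]))
    print(check_edit(DEFAULT_GK999, EDITED_GK999))
```

The reordered GK025 passes every count check yet renders the version under PTF LEVEL, so an edit that moves X strings needs a manual review against the default message.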


Using Multiple Message Files

You can define multiple message files to BIM-ALERT/CICS in order to route different messages to different operators or terminals. With this feature you can provide messages in various languages. Initialization programs supplied on the installation tape let you initialize a file in the standard English set of messages (S1U006E), in German (S1U006G), in French (S1U006F), or in Italian (S1U006I). If you need messages in another language, you can initialize a file with the standard set of messages and update them with the online transaction MMSG.

To use just one set of messages in any language, specify the name of the message file in the message file field on the UTOP panel. The message processor then accesses this file for all message requests.

We suggest you use the default message file name S1SMS## and use the default message suffix of ## for operators and terminals. In this way you can implement the file just by defining and initializing it.

If your system was set up to display an alternate set of messages using the ALRTEMSG macro, you can easily adapt it to the new system. For example, if you have an alternate set of German messages assembled using ALRTEMSG and with a suffix of G1, define the message file using S1U006G for German messages and name the file S1SMSG1 in the FCT. Then enter S1SMSG1 on the UTOP panel in the message file field.

The data for accessing the message file is extracted from three sources: the options record (UTOP), the operator profile of the signed-on operator (AAUP), and the profile of the terminal on which the operator is running (ATSI). When an operator is to receive a message, the requesting program builds a parameter list of data required by the message processor to extract and construct the correct message.

When the message processor gets control from the requesting program, it first determines which file to read for the correct message. The options are examined to find the name of the default message file. The operator profile is examined next. If the message suffix specified in the operator's profile is not ## (the default), then these two characters are placed over the last two characters of the default message file to build the file name. If the message suffix specified in the operator's profile is ##, then the terminal profile is examined. If the message suffix in the terminal profile is not ##, then these two characters replace the last two characters of the file name.


Suppose the headquarters of a multinational company is located in the USA, with offices in England, France, Germany, and Italy. You can define and initialize a separate message file for each office, using S1SMS## (English), S1SMSG1 (German), S1SMSF1 (French), and S1SMSI1 (Italian). When defining the operators in the system, let all American and English operator message suffixes default to ##. Specify G1 as the message suffix for all German operators, F1 for all French operators, and I1 for all Italian operators. Also define these files to CICS in the FCT. On the UTOP panel, specify S1SMS## as the message file. Now, for example, if a German operator is to receive a message, the ## at the end of the message file name is overlaid with G1, and the S1SMSG1 file is read to extract the correct message in German.
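The file-selection order described in this section (options record, then operator profile, then terminal profile) can be checked offline before suffixes are assigned. The following Python sketch is an added illustration, not BIM-ALERT code: the function names, operator and terminal IDs, and the FCT contents are constructed, and the only file names used are those from the example above.

```python
DEFAULT_SUFFIX = "##"


def resolve_message_file(default_file, operator_suffix=DEFAULT_SUFFIX,
                         terminal_suffix=DEFAULT_SUFFIX):
    """Build the message file name in the order this section describes:
    a non-default operator suffix wins, otherwise a non-default terminal
    suffix is used, otherwise the default file from the options record."""
    for suffix in (operator_suffix, terminal_suffix):
        if len(suffix) != 2:
            raise ValueError(f"message suffix must be two characters: {suffix!r}")
    for suffix in (operator_suffix, terminal_suffix):
        if suffix != DEFAULT_SUFFIX:
            # Overlay the last two characters of the default file name.
            return default_file[:-2] + suffix
    return default_file


def audit_sessions(default_file, sessions, fct_files):
    """Return (operator, terminal, file) for every operator/terminal pairing
    whose resolved message file is not among the files defined in the FCT."""
    missing = []
    for operator, op_suffix, terminal, term_suffix in sessions:
        name = resolve_message_file(default_file, op_suffix, term_suffix)
        if name not in fct_files:
            missing.append((operator, terminal, name))
    return missing


# Constructed sample data. S1SMSI1 is deliberately left out of the FCT list
# to show what the audit reports.
UTOP_MESSAGE_FILE = "S1SMS##"
FCT_FILES = {"S1SMS##", "S1SMSG1", "S1SMSF1"}
SESSIONS = [
    # (operator, operator suffix, terminal, terminal suffix)
    ("USA01", "##", "T001", "##"),   # both default: S1SMS##
    ("GER01", "G1", "T002", "##"),   # operator suffix: S1SMSG1
    ("FRA01", "##", "T003", "F1"),   # falls through to terminal: S1SMSF1
    ("ITA01", "I1", "T004", "F1"),   # operator suffix wins: S1SMSI1
]

if __name__ == "__main__":
    for operator, terminal, name in audit_sessions(UTOP_MESSAGE_FILE, SESSIONS, FCT_FILES):
        print(f"{operator} on {terminal}: message file {name} is not defined in the FCT")
```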


Parameter-Driven Sign-On and Sign-Off Processing

Introduction

BIM-ALERT/CICS can obtain the required sign-on data from a parameter list rather than from a panel. The standard BIM-ALERT/CICS sign-on and sign-off processes are terminal-driven; the operator enters the transaction ID on the panel and supplies the required information to complete the sign-on process. BIM-ALERT/CICS is shipped with full support for standard sign-on and sign-off processing.

With the flexibility provided by parameter sign-on processing, however, you can change, rearrange, or otherwise tailor the sign-on panel to your installation's needs with minimal user-written code. This kind of sign-on still requires operator intervention.

With a little more coding on your part, the sign-on process can be driven from another application without operator intervention, thus providing automatic sign-on processing.


Operator and Terminal Sign-On from a Terminal

Signing on an operator or a terminal from a terminal (with operator intervention) is fully functional in the supplied BIM-ALERT/CICS system. The standard BIM-ALERT/CICS sign-on panels are presented to the user when the appropriate transactions are entered (CSSN and TSSN). With minimal coding, however, you can change, rearrange, or otherwise tailor these sign-on panels to match your installation's needs.

The BIM-ALERT/CICS sign-on driver program S1S610 links to program S1S611 any time it needs to communicate with the terminal from which the operator is signing on. For example, when the initial sign-on map is to be sent to the terminal, S1S610 will pass this data to S1S611 via the COMMAREA. S1S611 knows what function to perform by the data passed in the COMMAREA. If S1S611 needs to send data to the panel, the data to be sent is also passed in the COMMAREA. If S1S611 is called to read the panel, the data read from the panel is passed back to S1S610 to continue the sign-on process via the COMMAREA. (All the same functions are provided for terminal sign-on; in this case, the programs involved are S1S600 and S1S601.)

To tailor the sign-on panels to your installation's requirements, you first assemble the sign-on map to your specifications. Next, code the S1S611 program to communicate with the terminal using your new sign-on panel. The function your program is to perform (read to receive map or write to send map) is passed by S1S611 via the COMMAREA. Any data to be sent to the panel or any data to be read from the panel must also be communicated across the link via the COMMAREA.

BIM-ALERT/CICS provides these programs in order to do our own sign-on processing using the standard BIM-ALERT/CICS sign-on maps. In addition to supplying executable modules for these programs, the source is cataloged as part of the installation as source members SXM610.A (operator/Assembler), SXM610.C (operator/COBOL), SXM600.A (terminal/Assembler), and SXM600.C (terminal/COBOL). This source is supplied as an example to help you code your own modules.


Sign-On and Sign-Off Without Operator Intervention

The sign-on and sign-off processes can be driven from another application with no operator intervention if a CICS task can be initiated to pass data to the sign-on or sign-off processor. This module communicates directly with the sign-on interface via a COMMAREA.

The sign-on driver module is responsible for the following functions:

• Acquiring the storage for a COMMAREA. This COMMAREA is used to pass information to the signon interface. Copybook S1OSNCOM must be used to map the COMMAREA. If the COMMAREA contains data other than that mapped by S1OSNCOM, S1OSNCOM must be at the beginning of the COMMAREA.

• Determining whether the function being processed is a signon or signoff. This information is passed to the signon interface by placing a P in the SIGNFCT field for a signon, or an O for a signoff.

• Moving the appropriate signon data to the COMMAREA. The user ID to sign on must be moved to the COMMOP# field. The operator's name (optional) is moved to the COMMOPNM field. The operator's password is moved to the COMMOPCD field. If the password is to be changed, the new password must be passed in the COMMNCOD field. If a signoff is to be processed, this information is not necessary.

• Processing a CICS LINK to the signon interface. To process an operator signon or signoff, you must link to program S1S881. To process a terminal signon or signoff, you must link to program S1S871.

• Processing the return code from the signon or signoff process. The return code is passed back to the calling program in the COMMAREA in the SIGNRET field. Messages are passed back to the calling program either in the MESSAGE field (for any signon/signoff failures), or in the form of a map named S1M882. Whether this information is used by the calling program is optional. The different return codes possible in SIGNRET are documented in the copybook.


Displaying Version Information

Display System Version Information Panel

The System Version Information panel is used to display BIM-ALERT/CICS version information that can be used in problem determination. This information can be used to verify that corrective fixes, as well as optional fixes, have been correctly applied to the BIM-ALERT/CICS system. It can also be used to dynamically install or remove optional features of the BIM-ALERT/CICS system.

To display the System Version Information panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter VERS on any security panel.

VERS               * * BIM-ALERT/CICS * *               CICS/VS x.x

CORRECTIVE ZAPS
         1.2.3.4.5.6.7.8.9.0 1.2.3.4.5.6.7.8.9.0 1.2.3.4.5.6.7.8.9.0
001-030  ** NONE APPLIED **
031-060
061-090
091-120

OPTIONAL FEATURES
         1.2.3.4.5.6.7.8.9.0 1.2.3.4.5.6.7.8.9.0 1.2.3.4.5.6.7.8.9.0
001-030  ** NONE APPLIED **
031-060
061-090
091-120

ENTER THE MODULE NAME TO BE VERIFIED      SECURITY FILE INFORMATION

MODULE = S1S890    PATCH AREA = EMPTY     FILE VERSION = 5.0A
VERSION = 5.0      PTF LEVEL = A          FILE FORMATTED BY S1C050
DATE = 02/08/1998  TIME = 17.17           DATE = 03/19/1998  TIME = 09.52


Field Meaning

CORRECTIVE ZAPS
This section occupies the top third of the panel. It consists of a heading line, a ruler line, and up to three lines of corrective zap indicators. Corrective zaps are fixes to BIM-ALERT/CICS that are required to ensure that BIM-ALERT/CICS performs according to program specifications. Fix numbers are assigned starting at one each time a major release of the product is distributed.

If no corrective zaps have been applied to your system, the message ** NONE APPLIED ** appears in the line just below the ruler line.

If corrective zaps have been applied to your system, BIM-ALERT/CICS determines which ones and displays an asterisk (*) under the appropriate position on the ruler line. In addition, three fields to the left of the fix lines display range information for each line. For example, fix line one represents fixes 001-030, fix line two represents fixes 031-060, and so on.

Note that even though the range indicator 001-030 may appear, the only actual fixes on your system are those indicated with an asterisk (*) under the ruler lines.

OPTIONAL FEATURES
This section occupies the middle third of the panel. It consists of a heading line, a ruler line, and up to three lines of optional feature indicators. Optional features are changes to BIM-ALERT/CICS that allow an installation to meet a specific need. While every attempt is made to provide optional features on new releases, it is possible that design changes will prevent optional features from working on future releases. Accordingly, you should carefully consider the use of optional features and use them only as a last resort. Whenever possible, optional features are incorporated into the base system.

Use the center section of the VERS panel to install or remove optional features. These features are described on page 9-47. To install a feature, move the cursor to the correct spot under the scale, enter an asterisk, and press ENTER; the optional feature is then put in effect. To remove a feature, move the cursor to the correct spot and remove the asterisk; the feature is then removed.

Once an optional feature is installed, it will remain installed until you remove it, even if you change releases.

Module Verification
This section occupies the left half of the bottom third of the panel. It is used to check information about a specific program in the BIM-ALERT/CICS system. This information can be checked against the report produced by the S1U005 version check program. S1U005 is run against the actual distribution tape to check the version of all programs in the BIM-ALERT/CICS system.

MODULE
Enter the name of any online module to be checked. Online modules are those defined in the PPT. For example, to check the base level of your system, you could enter S1SVERS as the module name. This module is used as the base level indicator for the entire BIM-ALERT/CICS system.


PATCH AREA
Each module in BIM-ALERT/CICS has a patch area. This area is used to make both corrective and optional changes to the program. This field displays whether the patch area is EMPTY or IN USE. This is useful only if there is a question about a feature that is not working correctly. Most of the time the patch area should display EMPTY.

VERSION
The version field is used to describe the BIM-ALERT/CICS system. The numbers in the format v.r represent the following information:

v  BIM-ALERT/CICS version number
r  BIM-ALERT/CICS release number

PTF LEVEL
The PTF LEVEL field indicates the modification level of the module. It is used as the reference point for problem determination and is most important when displaying the S1SVERS module.

DATE and TIME
These two fields give the exact date and time the module was last assembled. This guarantees that you and BIM Technical Support are looking at the same version of a program.

SECURITY FILE INFORMATION
This section occupies the right half of the bottom third of the panel. It is used to display information about the version of the security file being used by BIM-ALERT/CICS. It ensures that the file is converted at the same time the programs are updated. It shows the name of the program that formatted the file. This can be either the initialization program S1U000 or a conversion program. Conversion programs are indicated by the letter C in the third position.

FILE VERSION
This field shows the version of the security file itself. It should match the version displayed by any module you are asked to check.

FILE FORMATTED BY
This field shows the name of the program that was used to change the file's version level. It will be S1U000 if you have installed BIM-ALERT/CICS for the first time. It will be a conversion program name if you have upgraded from a previous release of BIM-ALERT/CICS. Conversion programs have a C in the third position.

DATE and TIME
These fields show the assembly date and time of the initialization or conversion program. This allows BIM Technical Support to match program listings to your specific file information.


The following table describes the optional features for BIM-ALERT/CICS:

Number Feature

01 Disable setting read timeout value to force AKCT abends on conversational transactions.

02 Reset upper case index before signing off the user due to inactive time limit being exceeded.

03 Deactivate user cleanup program S1S900 after inactive time limit or after a violation.

04 Prevent keyboard remaining locked after file or program access denied (necessary only with certain PTF levels of VTAM).

05 Deactivate disabling terminal when maximum consecutive or maximum violations is reached.

06 Force ACCESS PROHIBITED to be displayed on all user exit violations.

07 Prevent the operator passwords from ever appearing on the AAUP, DAUP, or UAUP panels.

08 Force administrators to assign user IDs of three or fewer characters in length.

09 Force administrators to enter a model when adding a new operator.

10 Make operator name optional for user sign-on processing.

11 Deactivate moving in Good Morning/Afternoon message at bottom of operator signon panel.

12 Force cursor to user ID field instead of password at sign-on time.

13 Issue CSSF LOGOFF whenever CSSF transaction is entered.

14 Disable displaying number of days until password expiration at sign-on time.

15 Prohibit group operators from changing their password at sign-on time.

16 Disable showing operator his or her last sign-on time at the conclusion of sign-on processing.

17 Force terminal table scanner to extract terminal ID from TCTUA rather than TCTTE.

18 Disable printing status D operators on the Operator Security batch report.

19 Force S1B571 to skip to a new page for each new resource.

20 Reduce full page counts for batch reports to accommodate smaller paper.

21 Do not clear TCTTEOI field at operator sign-off.


22 Force only a certain terminal group (DIAL in this case) to be disconnected to VM when the inactive time limit is exceeded. Any terminal not in this group will be signed off, but will remain dialed to CICS.

23 Force the VSE/SP interactive interface signon panel to be presented to any unsecured terminal, either at system startup time or when CSSN is entered.

24 Do not display sign-on complete message to those users who will be automatically signed on to the interactive interface. Optional feature 25 must also be implemented for this to work properly.

25 Allows IUI users to get into IUI and those who are not defined to IUI to get into CICS. Users who should proceed directly to the interactive interface must have the characters IUI specified in the first three positions of the first DATA field on the AAUP panel.

26 Enable the BIM-ALERT/CICS / CA-ALERT for VM sign-on interface. The sign-on interface will only apply to those users who have YES specified in EXT/SEC on the AAUP panel.

27 Set the terminal to ALT panel size before passing control to the interactive interface.

28 Allow CSSF LOGO as an abbreviation for CSSF LOGOFF.

29 For MRO users, skip setting S1S610 as the program for CSSN and CSSF during initialization.

30 For unsecured terminals, allow the user name and password to be passed to DFHSNP with the CSSN tran ID.

31 Print passwords on the operator security report.

32 Secure Windows pseudo terminals based on the real terminal ID which is placed in the TCTUA by an optional feature from WINDOWS. Also requires 17 to be applied.

33 Allow VTAM terminals to be disconnected to VM by ALRTDISC or IF FORCED DISPLAY = VM on UPAR. The last three characters of the terminal ID must be the same as the real device address as defined to VTAM for this to work.

34 Skip converting PF key transaction codes that are defined using RDO to hexadecimal. They are assigned transaction codes of PFxx by RDO.

35 Save the OPID in the last three bytes of the operator user data field so the TCTTE fields can be restored by U1S610 on re-entry to the system.

36 User wants to XCTL to S10000 from his post-signon program for his system administrator. The post-signon program must acquire a TIOA and move SCTY into it, and this optional feature must be applied to change the EIBTRNID from CSSN to SCTY prior to sending the menu panel and returning.


37 Inactive time limit processing does not always work correctly on SNA terminals. These terminals become locked if a user has entered any data on the panel prior to leaving the terminal. If you are experiencing this problem, install this feature.

38 In shops that use BMS paging functions, if a transaction has pages to be displayed when it is timed out, these pages may be displayed to the next user signing on to that terminal. This feature will cause the pages to be purged at sign-on time.

39 Causes only transactions defined as status A to be displayed on the ALRTMENU authorized transaction display.

40 Disables the date authorization performed by S1URESRC, S1UGROUP, S1U550, and S1U560 in order to print the operator and terminal profile data.

41 Disables the "SIGNON COMPLETE" message from the post-signon messages displayed to the user. All other informational messages will be displayed as usual.

42 Forces the BIM-ALERT internal transaction IDs S010, S140, and S150 to be changed to S910, S940, and S950, respectively, due to conflicts with transaction IDs already in the system.

43 Disables the administrator authorization check from the DVIO/PVIO function, in effect allowing a subadministrator to display or print all violations.

44 Forces the password expiration message to be displayed starting with 99 days.

45 Removes CSSN from the system codes to force users to sign on to BIM-ALERT using OSSN.

46 Forces the input exits S1SXZCIN and S1SXTCIN to update the last active time for all operators in the same group whenever they are driven.

47 Forces PF3 and PF15 to be used to disconnect to VTAM from the BIM-ALERT/CICS operator sign-on panel.

48 Causes the first eight bytes of the user name to be moved to the SNNTUSID field rather than the user ID.

49 Causes the first eight bytes of the user name to be passed to CA-ALERT for VM as the user ID for password verification rather than the user ID. Optional feature 26 must also be implemented to enable the CA-ALERT for VM interface.

50 Causes the cursor to be positioned on the user name field on the signon panel rather than on the password field.

51 Causes both the new password and the original password to be moved into the table when a user changes his password. This will allow a post-signon program to access the original password in field S#OTSEC and the new password in field S#OTNWCD in order to coordinate passwords with other software packages.


52 Prevents sub-administrators from changing an operator's model on UAUP.Sub-Administrators will still be able to assign models on AAUP. This featuredoes not affect main administrator's functionality at all.

53 Allows PF5 from the IUI to be handled as a signoff.

54 Causes the detail lines from batch report S1B571 to be single-spaced in order toreduce paper usage.

55 Causes BIM-ALERT to skip updating the last active timer whenever CSPG isrun in order to accommodate a user application.

56 Causes BIM-ALERT to recognize PF12 as a signon request and perform first-time in signon processing when it is detected (which includes signing the useroff).

57 Causes BIM-ALERT to assign unexpired passwords when operators are addedvia the batch program S1U550.

58 Causes the BIM-ALERT signon panel to be displayed any time the in-servicemessage is issued by terminal scheduling.

59 Allows a group of operators to participate in the IUI automatic signon. If agroup operator is detected, bytes 2-5 of the operator name will be used for theIUI userid. Since IUI will allow the same operator to be signed on only once,provision will have to be made in IUI to allow users to escape to CICS from theIUI signon panel.

60 Forces OPWD to follow the mask defined for passwords.

61 Causes PF3 and PF4 from the signon panel to be disabled from any specialfunctions (disconnect to VTAM or VM) and simply be handled as the ENTERkey.

62 Disables logging timeouts due to inactive time limit as violations.

63 Allows program security and IDMS to coexist. Without optional feature 63,abends may occur if IDMS is in the system and program security is activated.

64 Prevents sub-administrators and regular operators from updating mainadministrator passwords using OPWD.

65 Disables multiple password attempts during two-level timeout processing. Withthis feature turned on, the user is allowed one attempt to enter a passwordcorrectly at the first timeout level.

66 Reverses the processing mode for field-level security. Default processingchecks each resource definition until it finds a violation condition. When youturn on this feature, the processing checks each resource definition until it findsa condition that is not a violation. That is, it searches until it finds a resourcethat the user is authorized for.
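The two scan modes described for optional feature 66, as an added example that is not BIM-ALERT code. The manual does not show how a field-level resource definition is stored, so the model here (a definition is a name plus a set of authorized user IDs) and all names and user IDs are assumptions constructed for illustration.

```python
from typing import FrozenSet, List, NamedTuple, Optional, Sequence


class ResourceDef(NamedTuple):
    """Hypothetical stand-in for one field-level resource definition."""
    name: str
    authorized: FrozenSet[str]   # assumed: user IDs this definition permits


class Decision(NamedTuple):
    allowed: bool
    decided_by: Optional[str]    # definition that ended the scan, None if exhausted
    examined: int                # how many definitions were checked


def check_access(user: str, definitions: Sequence[ResourceDef],
                 feature_66: bool = False) -> Decision:
    """Scan the definitions in order, stopping as the text for feature 66 describes.

    Default mode: stop at the first violation (one violation denies).
    Feature 66:   stop at the first non-violation (one authorization allows).
    """
    for examined, definition in enumerate(definitions, start=1):
        violation = user not in definition.authorized
        if not feature_66 and violation:
            return Decision(False, definition.name, examined)
        if feature_66 and not violation:
            return Decision(True, definition.name, examined)
    # Scan exhausted. Under this model: default mode found no violation,
    # reversed mode found no definition that authorizes the user.
    return Decision(not feature_66, None, len(definitions))


def changed_by_feature_66(users: Sequence[str],
                          definitions: Sequence[ResourceDef]) -> List[str]:
    """Users whose outcome differs between the two modes (review before switching)."""
    return [u for u in users
            if check_access(u, definitions).allowed
            != check_access(u, definitions, feature_66=True).allowed]


# Constructed sample data: three overlapping definitions covering one field.
DEFS = [
    ResourceDef("SALARY-HR", frozenset({"HR01", "HR02", "SEC00"})),
    ResourceDef("SALARY-MGR", frozenset({"MGR07", "SEC00"})),
    ResourceDef("SALARY-AUDIT", frozenset({"AUD03", "HR01", "SEC00"})),
]
USERS = ["HR01", "HR02", "MGR07", "AUD03", "SEC00", "TMP99"]

if __name__ == "__main__":
    for user in USERS:
        print(user, check_access(user, DEFS), check_access(user, DEFS, feature_66=True))
    print("outcome changes for:", changed_by_feature_66(USERS, DEFS))
```

With overlapping definitions the default mode behaves like "authorized by every definition" and feature 66 like "authorized by at least one", so the list returned by `changed_by_feature_66` is the set of users who gain access when the feature is turned on.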

Displaying Unsecured Transactions

Display Unsecured Transactions Panel

Purpose

Use the Display Unsecured Transactions panel to display the transaction codes of all transactions that are in the PCT but not in the BIM-ALERT/CICS transaction security table with a status of A or P. Any transaction that appears in the list is not protected by BIM-ALERT/CICS. The transaction codes are sorted in ascending order.

This panel can be displayed at any time without affecting BIM-ALERT/CICS. After you have activated a transaction using ATRN, it will no longer appear on this panel and is secured as specified.

Access

To display the Display Unsecured Transactions panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter TRAN on any security panel.

Sample Panel

TRAN          ** UNSECURED TRANSACTION LISTING **          VERIFY

THE TRANSACTIONS BELOW ARE NOT SECURED BY BIM-ALERT/CICS.
USE (ASTR/DSTR/USTR) TO ADD/DISPLAY/UPDATE THE SECURITY FILE.
THEN USE (ATRN) TO ACTIVATE THE TRANSACTION.
NOTE: BOTH STEPS ARE REQUIRED TO SECURE THE TRANSACTION.

- UNSECURED TRANSACTIONS -
[rows of empty four-character transaction code fields]

START = 0001   NEXT = 0001   TOTAL = 0000
GK903 END OF UNSECURED TRANSACTION CODES

Field Descriptions

Field Meaning

START    The number of the first transaction on the display relative to the beginning of the list. It normally contains the value 0001, indicating that this is the first page of the display.

NEXT     The number specifying a new starting point for the display. If this number is greater than the TOTAL field, the display will start at 0001 (wrap-around mode) when ENTER is pressed. If a number between START and TOTAL is entered, the display starts at that number. Press ENTER until the NEXT field is greater than TOTAL, which means you have reached the end of the list. You can change this field to adjust the next page to be displayed.

TOTAL    The total number of unsecured transactions. The lower the number, the better the security.

Displaying Unsecured Programs

Display Unsecured Program Panel

Purpose

Use the Display Unsecured Programs panel to display all the programs in your CICS system that are defined in the PPT but that are not in the BIM-ALERT/CICS program security table with a status of A or P. Any program that appears in this list is not secured by BIM-ALERT/CICS program security. The program names are sorted in ascending order.

This panel can be displayed at any time without affecting BIM-ALERT/CICS. After you have activated a program using APRG, it will no longer appear on this panel and is secured as specified.

Securing BMS Mapsets

Many of the programs that appear on this display might be BMS mapsets, since these are defined in the PPT as programs. These can be secured using BIM-ALERT/CICS map security. In most cases, you would not want to secure a BMS mapset using program security unless you wanted to put a time limitation on when a map could be used.

Access

To display the Display Unsecured Programs panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter PROG on any security panel.

Sample Panel

PROG          ** UNSECURED PROGRAM LISTING **          VERIFY

THE PROGRAMS BELOW ARE NOT SECURED BY BIM-ALERT/CICS.
USE (ASPR/DSPR/USPR) TO ADD/DISPLAY/UPDATE THE SECURITY FILE.
THEN USE (APRG) TO ACTIVATE THE PROGRAM.
NOTE: BOTH STEPS ARE REQUIRED TO SECURE THE PROGRAM.

- UNSECURED PROGRAMS -
[rows of empty eight-character program name fields]

START = 0001   NEXT = 0001   TOTAL = 0000
GK903 END OF UNSECURED PROGRAMS

Field Descriptions

Field Meaning

START    The number of the first program on the display relative to the beginning of the list. It normally contains the value 0001, indicating that this is the first page of the display.

NEXT     The number specifying a new starting point for the display. If this number is greater than the TOTAL field, the display will start at 0001 (wrap-around mode) when ENTER is pressed. If a number between START and TOTAL is entered, the display starts at that number. Press ENTER until the NEXT field is greater than the TOTAL field, which means you have reached the end of the list. You can change this field to adjust the next page to be displayed.

TOTAL    The total number of unsecured programs. The lower the number, the better the security.

Displaying Unsecured Files

Display Unsecured File Panel

Purpose

Use the Display Unsecured Files panel to display all the files in your CICS system that are defined in the FCT but are not in the BIM-ALERT/CICS file security table with a status of A or P. Any file that appears in this list is not secured by BIM-ALERT/CICS file security. The file names are sorted in ascending order.

This panel can be displayed at any time without affecting BIM-ALERT/CICS. After you have activated a file using AFIL, it should no longer appear on this panel and is secured as specified.

Access

To display the Display Unsecured Files panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter FILE on any security panel.

Sample Panel

FILE          ** UNSECURED FILE LISTING **          VERIFY

THE FILES BELOW ARE NOT SECURED BY BIM-ALERT/CICS.
USE (ASFL/DSFL/USFL) TO ADD/DISPLAY/UPDATE THE SECURITY FILE.
THEN USE (AFIL) TO ACTIVATE THE FILE.
NOTE: BOTH STEPS ARE REQUIRED TO SECURE THE FILE.

- UNSECURED FILES -
[rows of empty eight-character file name fields]

START = 0001   NEXT = 0001   TOTAL = 0000
GK903 END OF UNSECURED FILES

Field Descriptions

Field Meaning

START    The number of the first file on the display relative to the beginning of the list. It normally contains the value 0001, indicating that this is the first page of the display.

NEXT     The number specifying a new starting point for the display. If this number is greater than the TOTAL field, the display will start at 0001 (wrap-around mode) when ENTER is pressed. If a number between START and TOTAL is entered, the display starts at that number. Press ENTER until the NEXT field is greater than the TOTAL field, which means you have reached the end of the list. You can change this field to adjust the next page to be displayed.

TOTAL    The total number of unsecured files. The lower the number, the better the security.
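The selection rule and the START / NEXT / TOTAL paging shared by the TRAN, PROG and FILE panels, as an added example for running the same coverage check offline; it is not BIM-ALERT code. It assumes the PCT/PPT/FCT names and the security-table statuses have already been exported into Python structures; the resource names, the page size and the status "X" (a placeholder for any status other than A or P) are constructed.

```python
from typing import Dict, Iterable, List, NamedTuple

# Per the panel descriptions, only entries with status A or P count as secured.
SECURED_STATUSES = frozenset({"A", "P"})


class Page(NamedTuple):
    start: int        # START: 1-based number of the first entry shown
    next_start: int   # NEXT: where the following page would begin
    total: int        # TOTAL: number of unsecured entries
    rows: List[str]


def unsecured(defined: Iterable[str], security_table: Dict[str, str]) -> List[str]:
    """Names defined to CICS but not in the security table with status A or P."""
    secured = {name for name, status in security_table.items()
               if status in SECURED_STATUSES}
    return sorted(set(defined) - secured)          # panels list names ascending


def show_page(listing: List[str], next_field: int, page_size: int) -> Page:
    """Build one page the way the NEXT field is described.

    A NEXT value greater than TOTAL wraps to 0001. Treating values below 1
    the same way is an assumption; the manual does not cover that case.
    """
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    total = len(listing)
    start = next_field if 1 <= next_field <= total else 1
    rows = listing[start - 1:start - 1 + page_size]
    return Page(start, start + len(rows), total, rows)


def walk(listing: List[str], page_size: int) -> List[Page]:
    """Press ENTER until NEXT is greater than TOTAL (end of list)."""
    pages, next_field = [], 1
    while True:
        page = show_page(listing, next_field, page_size)
        pages.append(page)
        if page.next_start > page.total:
            return pages
        next_field = page.next_start


def audit(cics_tables: Dict[str, List[str]],
          security_tables: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Unsecured names per resource type; the list lengths are the TOTAL values."""
    return {kind: unsecured(names, security_tables.get(kind, {}))
            for kind, names in cics_tables.items()}


# Constructed sample exports (not taken from any real system).
CICS_TABLES = {
    "transactions": ["PAY1", "INQ2", "CEMT", "ORD3", "RPT4", "CEDA"],   # PCT
    "programs": ["PAYPGM01", "INQPGM02", "PAYMAP1"],                    # PPT
    "files": ["PAYMAST", "CUSTFILE"],                                   # FCT
}
SECURITY_TABLES = {
    "transactions": {"PAY1": "A", "INQ2": "P", "ORD3": "X", "OLD9": "A"},
    "programs": {"PAYPGM01": "A", "INQPGM02": "X"},
    "files": {"PAYMAST": "A", "CUSTFILE": "P"},
}

if __name__ == "__main__":
    for kind, names in audit(CICS_TABLES, SECURITY_TABLES).items():
        print(f"{kind}: TOTAL = {len(names):04d}")
        for page in walk(names, page_size=3):
            print(f"  START = {page.start:04d} NEXT = {page.next_start:04d} {page.rows}")
```

An entry that is in the security file but not yet activated still shows up as unsecured here, which mirrors the panels' note that both steps are required.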

Displaying Current Users

Display Current Users Panel

Purpose

Use the Display Current Users panel to determine the status of users and terminals in your system at any time when BIM-ALERT/CICS is active. All the terminals currently in the BIM-ALERT terminal table are displayed. The Current User Report can be helpful in

• Locating the user ID of an operator having trouble under BIM-ALERT/CICS

• Keeping track of the status of terminals in the system to ensure that administrative action is not required

• Determining values to be used for terminal and operator inactive time limits

Access

To display the Display Current Users panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter USER on any security panel.

Sample Panel

USER          *** CURRENT USER REPORT ***          DISPLAY

<- - - TERMINAL INFORMATION - - ->    <- - - - OPERATOR INFORMATION - - - ->
ID    STATUS  LAST ACTIVE  IDLE        USER ID    NAME     OP-ID

L2DA
L2DB
L2DC
L2DD
L2DE
L2DF
L2D0  ..      09:24        00:00:00    A          admin    A
L2D1  ..
L2D2  ..
L2D3  ..
L2D4  ..
L2D5  ..
L2D6
L2D7
L2D8

FUNCTION: AL   START: L2DA   NEXT: L2D9   LAST: L3D0

GK704 ENTER FUNCTION ==> AL=ALL MA=MAX MC=MAX CON DA=DISABLED "M="=ALL MAX

Field Descriptions

TERMINAL INFORMATION:

Field Meaning

ID             The terminal ID as defined to BIM-ALERT/CICS. To view the BIM-ALERT/CICS basic information for this terminal, use DTSI and specify this value as the terminal ID field. If you are using dynamic terminal security, this terminal may not be specifically defined on the security file.

STATUS         A value that indicates whether any action needs to be taken by the security administrator to put the terminal back into service or to secure it. If two periods (..) are displayed, the terminal status is OK and no action needs to be taken. If this field contains MC (maximum consecutive violations have been reached) or MA (maximum violations have been reached), run the ACTT transaction to re-activate the terminal. If this field contains DA, the terminal has been deactivated (dropped from BIM-ALERT/CICS security). To re-activate security for the terminal, use the ACTT transaction. While a terminal has a status of DA, BIM-ALERT/CICS will not perform any of the terminal-related security checks. While MA or MC is displayed, the terminal is unavailable. You should use DVIO to determine what violations have occurred to cause BIM-ALERT/CICS to put the terminal in secured status. When you are ready to allow further processing on the terminal, use ACTT to activate the terminal and allow sign-ons again.

LAST ACTIVE    The time of day, in the format hh:mm:ss, when the operator last pressed the ENTER key or a PF key.

IDLE           The difference, in the format hh:mm:ss, between the current time of day and the last active time. This can be helpful in determining the value to use for the inactive time limit for terminals and operators.

OPERATOR INFORMATION:

Field Meaning

USER ID        The user ID (as defined to BIM-ALERT) of the operator currently signed on to the terminal.

NAME           The operator name (as defined to BIM-ALERT) of the operator currently signed on to the terminal.

OP-ID          The current value in the field TCTTEOI in the TCTTE. If someone is signed on to this terminal, this field will be equal to the first three characters of the USER ID unless you have altered the normal sign-on procedure and loaded the TCTTEOI from some other field. Any nondisplayable character that may be in TCTTEOI is displayed as a period.

FUNCTION       One of the following values to specify a subset of terminals to display:

               Value Meaning

               AL    All terminals

               MC    Only terminals with maximum consecutive violations

               MA    Only terminals with maximum violations

               M=    All terminals with either maximum violations or maximum consecutive violations

               DA    Only deactivated terminals

START          The terminal ID of the first terminal on the panel. This field can be used either to designate a starting point in the terminal table to build the panel, or to alter the normal starting point in some way.

NEXT           A value indicating what the first terminal on the next page will be if the ENTER key is pressed. If this value is a value on the last page of the display, the first terminal on the next page will be the first terminal in the BIM-ALERT/CICS terminal table; otherwise it will be the terminal that follows the last terminal on the panel. If the value of FUNCTION is not AL, the terminal specified by NEXT may not be displayed, depending upon whether it fits the function selection, but the value of NEXT still signifies the starting point of the scan for the next panel.

LAST           The terminal ID of the last terminal in the BIM-ALERT terminal table.

Controlling Terminal Sign-On

Terminal Sign-On Panel

Purpose

Use the Terminal Sign-On panel to display the fields that should be entered for a terminal to be signed on to the system.

Access

Enter TSSN to display the Terminal Sign-On panel.

Using the Panel

Enter the necessary information and press the ENTER key. The message SIGN-ON IS COMPLETE appears if the information is correct. If incorrect data is entered, an error message appears and the incorrect field is highlighted. If this occurs, reset the cursor to the appropriate field and enter the correct information.

Sample Panel

TSSN          ** TERMINAL SIGN-ON **

TERMINAL ID:              PASSWORD:

Terminal and Operator Sign-on

The terminal sign-on and the operator sign-on are two distinct processes and are not dependent on each other.

Terminal security profiles are enforced whether or not a terminal sign-on is required. Terminal sign-ons are optional.

Even if an installation requires only operator sign-on, all terminal security turned on is invoked immediately at sign-on.

Field Descriptions

Field Meaning

TERMINAL ID    Assigned by the organization and uniquely identifies each terminal in the system. The length of the field is four alphanumeric characters. This must be the terminal ID as found in the TCT.

PASSWORD       The code verifies the identity of the terminal to the security system. When entered by the operator, this field is not displayed on the panel. The length of the field is eight alphanumeric characters.

Terminal Password Distribution

Assigning a Password for a Terminal

When a new terminal is added to the security system and the terminal requires a sign-on, a main administrator or a subadministrator assigns the password for the terminal. The password is automatically updated by BIM-ALERT/CICS according to the parameters specified in the System Parameters panel.

After the Password Is Updated

After a terminal's password has been updated, any attempt to sign on the terminal using the outdated password causes a message to be displayed stating that a new password has been issued. The operator presses the ENTER key to obtain the new password. To sign on, the operator must use the new password. The number of times the new password is displayed depends on the value specified in the NUMBER OF NOTIFICATIONS field on the System Parameters panel.

TERMINAL SIGN-ON / PASSWORD DISTRIBUTION

TSSN          ** TERMINAL SIGN-ON **

TERMINAL ID:              PASSWORD:

    *************************************************
    *                                               *
    * A NEW PASSWORD HAS BEEN ASSIGNED FOR          *
    * THIS TERMINAL. IF YOU NEED TO ACQUIRE THE     *
    * NEW PASSWORD, PRESS THE 'ENTER' KEY.          *
    * PLEASE USE THE NEW PASSWORD FOR THIS SIGN-ON. *
    *                                               *
    *************************************************

        ***********************************
        *                                 *
        * NEW TERMINAL PASSWORD IS:       *
        * 12345678                        *
        *                                 *
        ***********************************

Controlling Operator Sign-On

Operator Sign-On Panel

Purpose

Use the Operator Sign-on panel to allow an operator to sign on to BIM-ALERT/CICS. Operator sign-ons are required if each operator is to have a specific security profile.

Access

Enter CSSN to display the Operator Sign-on panel. Enter your password, user ID, and operator name to sign on to BIM-ALERT/CICS. If no errors are detected, you will receive a message stating that your sign-on is complete. If errors are detected, you will receive a message indicating the action to be taken.

Sample Panel

O P E R A T O R   S I G N - O N                          TERMID: L100
USER PASSWORD:            USER ID:              NAME:
RECONNECT:     NEW PASSWORD:           NEW PASSWORD CHECK:
< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
|                                                                      |
|                                                                      |
|                       USER DEFINED LOGO AREA                         |
|                                                                      |
|                                                                      |
< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
GK780 WELCOME .. PLEASE SIGN ON OR TYPE HELP .. TIME IS 10:05:04 ON 05/01/1998

The information on the second line of the preceding panel is required. The information on the third line is optional.

Field Descriptions

Field Meaning

TERMINAL ID               This field is filled in by BIM-ALERT/CICS and is for information only. If multiple systems are available to the user, the terminal ID can be used to determine which CICS is being used.

PASSWORD                  This field is used by BIM-ALERT/CICS to verify the operator's identity. This field is not displayed on the panel when it is entered to protect it from unauthorized users. The password can be one to eight alphanumeric characters. The format of the password is determined by a main administrator on the UTOP panel. This field is required.

USER ID                   The user ID is assigned by the security administrator. This number uniquely identifies each operator that is authorized to use the CICS system. The user ID can be from one to nine alphanumeric characters long. The first three digits of this number are used to construct the OP ID field of the CICS TCTTE table entry (TCTTEOI). This field is required.

NAME                      This is the 1- to 20-character name of the operator signing on to the CICS system. This field is assigned by the administrator when the operator is added using the AAUP panel. This field is required unless optional feature 10 is installed to make the name optional (see page 9-45 for an explanation of specifying optional features on the System Version Information panel).

RECONNECT                 This field allows a user who is already signed on to BIM-ALERT/CICS at a different terminal to reconnect to the CICS system without first signing off the original terminal. This field is used in situations when the user's connection to CICS (logical session) has been dropped, but CICS itself is unaware of the problem. This happens most often in VM environments or any time CICS is not doing the terminal handling. If you want to reconnect, enter a Y. This is equivalent to doing a CSSF from the original terminal and then CSSN from the new terminal. Your CICS transaction will not be brought forward, but your original terminal will be secured. This field is optional.

NEW PASSWORD              This field is used to assign a new password to the operator signing on. It can be one to eight characters and must conform to the format specified by the main administrator on the UTOP panel in the OPERATOR MASK field. If this field is entered, the NEW PASSWORD field MUST also be entered. This field is optional.

NEW PASSWORD CHECK        This field provides a verification to ensure that the NEW PASSWORD field was entered correctly. Since both of these fields are nondisplay, the double entry ensures that the new password was entered as desired. This field is required if a new password is entered; otherwise it is ignored.

USER DEFINED LOGO AREA    The 20 lines in the middle of the sign-on panel are for use by your organization. It can be used to display various types of information, logos, pictures, or warnings. This area can be defined on a terminal-by-terminal basis or all terminals can receive the same information. Refer to the description of how to generate BIM-ALERT/CICS logos on page 9-29 for more information.

Operator Password Distribution

When a new operator is added to the security system and the operator requires a sign-on, a main administrator or a subadministrator assigns the password for the operator. The password is automatically updated by BIM-ALERT/CICS according to the parameters specified in the System Parameters panel.

After an operator's password has been updated, any attempt by the operator to sign on using the outdated password causes a message to be displayed stating that a new password has been issued. The operator should press the ENTER key to obtain the new password. To sign on, the operator must use the new password. The number of times the new password will be displayed depends on the value specified in the NUMBER OF NOTIFICATIONS field on the System Parameters panel.

OPERATOR SIGN-ON / PASSWORD DISTRIBUTION

              ** OPERATOR SIGN-ON **

PASSWORD:                 USER ID:
NAME:          NEW PASSWORD:           NEW PASSWORD CHECK:

    *************************************************
    *                                               *
    * A NEW PASSWORD HAS BEEN ASSIGNED FOR          *
    * SYSTEM ACCESS. IF YOU NEED TO ACQUIRE THE     *
    * NEW PASSWORD, PRESS THE 'ENTER' KEY.          *
    * PLEASE USE THE NEW PASSWORD FOR THIS SIGN-ON. *
    *                                               *
    *************************************************

        **********************************
        *                                *
        * YOUR NEW PASSWORD IS:          *
        * 12345678                       *
        *                                *
        **********************************

User Profile Search Panel

Purpose

The BIM-ALERT User Profile Search panel allows you to search for a user profile by specifying a user name, user ID, or SECID.

Access

To access this panel, enter SRCH at any panel or select the option from the BIM-ALERT/CICS Other Security Functions panel.

Sample Panel

SRCH          BIM-ALERT USER PROFILE SEARCH

SEARCH STRING: ______________________   START SEARCH WITH WORD: 1
SEARCH FIELD: NAME _ USERID _ SECID _
SEARCH STATUS: =   FLAG LAST SIGN-ON GT: 030

ACTION   USER ID   NAME   STATUS   LAST SIGN-ON

ACTION CODES ==> A=ACTIVATE D=DISPLAY U=UPDATE

GK752 ENTER SCAN ARGUMENT AND STARTING WORD NUMBER

How to Use the User Profile Search Panel

Take the following steps to search for a user profile from the User Profile Search panel:

Step Action

1 In the SEARCH STRING field, enter any of the following:

  • Name
  • Partial name
  • User ID
  • SECID

  You can enter a character string that could match either the first or the last name. An equal sign (=) as the first character of the search string causes all the operators on file to be displayed.

2 Specify where to start in the scan in the START SEARCH WITH WORD field.

  This field will accept values one through five; the default is one.

3 Select the field you want to search on (NAME, USERID, or SECID) by placing an X in the field.

4 You can specify an operator status in the SEARCH STATUS field to limit the search to operators with the specified status. For example, enter a V to display operators who have been disabled because of too many consecutive violations.

5 Press ENTER.

  If the search is successful, BIM-ALERT displays the information you requested and notifies you that it has reached the end of the profiles on file.

  If the search is not successful, BIM-ALERT tells you that it does not have a profile matching the search term you entered.

6 After you receive a display of users, you may want to use the ACTION field as follows:

  A Activate the selected operator.

  D Display the selected operator’s basic user profile. The DAUP panel will be displayed containing the basic user profile.

  U Update the selected operator’s basic user profile. The UAUP panel will be displayed, from which you can update the selected operator’s basic user profile information.

Group Search Panel

Purpose

Use the Group Search panel to display pertinent information about a subset of groups defined in the S1SCTY file.

Access

To display the Group Search panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter GRPS on any security panel.

Search Procedure

To start a search, enter the string of characters to be used as a search argument. The group records are scanned and any record that contains the specified search argument in the group number field is displayed.

Sample Panel

GRPS          * * GROUP NUMBER SEARCH * *

SEARCH STRING: =________

ACTION   GROUP      GROUP DESCRIPTION

         GROUP01    GROUP NUMBER 01
         GROUP02    GROUP NUMBER 02

ACTION (POS 1) ==> A=ADD U=UPDATE D=DISPLAY
ACTION (POS 2) ==> T=TRANS P=PROGS F=FILES M=MAPS R=FLDS

GK227 END OF GROUPS ON FILE - S1S579

Field Descriptions

Field Meaning

SEARCH STRING        Enter the character string to search for in the group number. When the search is made, the comparison is not limited to the beginning of the number; if the specified character string appears anywhere in the group number, it is considered a match.

                     There is no case translation performed as part of the search. If the group numbers on the security file are a mixture of uppercase and lowercase letters, the search string must be entered in exactly the same case to produce a match.

                     An equal sign (=) as the first character of the search string causes all the groups on file to be displayed.

ACTION               Enter two letters to perform an action for a selected group. The first letter indicates the type of processing, as follows:

                     A Add function
                     D Display function
                     U Update function

                     The second letter indicates the resource type to be processed, as follows:

                     F Files
                     M Maps
                     P Programs
                     R Field-level resources
                     T Transactions

GROUP                The number assigned to this group. This number can be from 1 to 9 alphanumeric characters. Add this number to an operator or terminal profile to assign the group to that operator or terminal.

GROUP DESCRIPTION    A description of the group. This field is provided for documentation purposes only. It has no function in the security process.


Displaying Attempted Violations

Display Attempted Violations Panel

Purpose

Use the Violation Selection panel to display violation information that has been collected by BIM-ALERT/CICS. The violation records you select are displayed on the Attempted Violations panel. This information can be used to determine why a terminal or operator is having trouble getting on the CICS system.

Access

To display the Violation Selection panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS System Functions menu and press ENTER.

• Enter DVIO on any security panel.

Sample Panel

    DVIO            ** DISPLAY ATTEMPTED VIOLATIONS **            DISPLAY

    ENTER SELECTION CRITERIA BELOW

              .....FROM.....      ......TO......
    DATE:     04 / 14 / 1998      04 / 15 / 1998
    TIME:     00 : 00             24 : 00

    USERID: _________
    ADMINISTRATOR: _________
    TERMINAL: ____
    VIOLATION CODE: __


Field Descriptions

Field             Meaning

DATE              Enter the FROM date and TO date to be used in selecting violation records. You may change as much or as little as you want. If nothing is entered, the FROM date will default to yesterday's date and the TO date will default to the current date.

TIME              Enter the FROM time and TO time to be used in selecting violation records. You may change as much or as little as you want. If nothing is entered, records with any time are displayed on the Attempted Violations panel.

USER ID           Enter the user ID to be used to select violation records. If nothing is entered, all operator records are displayed on the Attempted Violations panel.

ADMINISTRATOR     Enter the administrator number to be used to select violation records. If nothing is entered, all administrator records are displayed on the Attempted Violations panel.

TERMINAL          Enter the terminal ID to be used to select violation records. If nothing is entered, all terminal records are displayed on the Attempted Violations panel.

VIOLATION CODE    Enter the two-digit violation code to be used to select only certain violations. The code matches the last two digits of the violation key on the BIM-ALERT message file. For example, the key for the following message is VIOL26:

                  OPERATOR UNAUTHORIZED TRANSACTION - xxxx

                  If you want to see only unauthorized transaction attempts, enter 26 in the violation code field. See the BIM-ALERT Messages Guide for a complete list of the violation messages and their codes. Not all messages can be displayed with DVIO.


Attempted Violations Panel

Purpose

The Attempted Violations panel shows the actual violation records that qualified for display based on the selection criteria entered on the Violation Selection panel. Violation records can be printed real-time by using the PVIO panel and specifying a printer ID.

Sample Panel

    DVIO ** ATTEMPTED VIOLATIONS * DISPLAY

    ===============================================================================
    DATE: 04/14/1998 TERMINAL: BC32 TELE NO: (000) 000-0000 COM: 0000 DEPT 0000
    TIME: 09:14:26 USERID : **** DIV: 0000 SECT 0000
    SYSID: TEST ADMINISTRATOR: FLL
    VIOLATION ==> - OPERATOR NOT SIGNED ON -
    ===============================================================================
    DATE: 04/14/1998 TERMINAL: BC32 TELE NO: (000) 000-0000 COM: 0000 DEPT 0000
    TIME: 09:47:30 USERID : FLL LINTON, FRED DIV: 0000 SECT 0000
    SYSID: TEST ADMINISTRATOR: A
    VIOLATION ==> - OPERATOR INACTIVE TIME LIMIT EXCEEDED -
    ===============================================================================
    DATE: 04/14/1998 TERMINAL: BC32 TELE NO: (000) 000-0000 COM: 0000 DEPT 0000
    TIME: 10:49:01 USERID : FLL LINTON, FRED DIV: 0000 SECT 0000
    SYSID: TEST ADMINISTRATOR: A
    VIOLATION ==> - OPERATOR INACTIVE TIME LIMIT EXCEEDED -
    ===============================================================================
    DATE: 04/14/1998 TERMINAL: BC32 TELE NO: (000) 000-0000 COM: 0000 DEPT 0000
    TIME: 11:28:01 USERID : FLL LINTON, FRED DIV: 0000 SECT 0000
    SYSID: TEST ADMINISTRATOR: A
    VIOLATION ==> - OPERATOR INACTIVE TIME LIMIT EXCEEDED -
    ===============================================================================
    GK772 MORE ATTEMPTED VIOLATIONS ON FILE ... PRESS -PF8- TO CONTINUE

PF Keys

The following PF keys can be used during DVIO processing to perform special functions:

Key     Function

PF7     Scroll backwards through the violations.

PF8     Scroll forward through the violations.

PF10    Switch between DVIO and PVIO. For example, if you were running DVIO to display some violations and decided you wanted to print them, you could press PF10 and be presented with the PVIO selection panel with all the same selection criteria filled in (except the printer ID).

PF12    Return to selection panel.


Chapter 10. Online Auditing

This chapter explains BIM-ALERT’s online auditing facility.

Introduction
    About This Chapter

Using the DAUD Function
    Introduction
    DAUD Selection Criteria Panel
    DAUD Display Panel


Introduction

About This Chapter

Chapter Contents

The batch and online auditing capabilities are the same for BIM-ALERT/CICS and BIM-ALERT/VSE. This chapter explains BIM-ALERT's online auditing facility.

For Further Information

For an explanation of the S1U100 audit trail backup/archive utility, refer to page 12-16.

For an explanation of the S1B100 audit trail batch report, refer to the BIM-ALERT Auditing and Report Writing Guide.


Using the DAUD Function

Introduction

BIM-ALERT's DAUD function lets you display and review online the changes that have been made to security. You can use DAUD to show all changes made in chronological order, or you can enter selection criteria to limit the display based on date, time, administrator, or function.

You use the following panels to perform online auditing:

• The DAUD Selection Criteria panel, from which you select the types of records you want to display

• The DAUD Display panel, which displays the records you selected


DAUD Selection Criteria Panel

Purpose

Use the DAUD Selection Criteria panel to select the types of records you want to display on the DAUD Display panel.

Access

When you select the DAUD function, BIM-ALERT displays the DAUD Selection Criteria panel.

Sample Panel

    DAUD     ** DISPLAY AUDIT INFORMATION SELECTION CRITERIA **     DISPLAY

    ENTER SELECTION CRITERIA BELOW

              .....FROM.....      ......TO......
    DATE:     04 / 14 / 1998      04 / 15 / 1998
    TIME:     00 : 00             24 : 00

    ADMINISTRATOR: _________
    BIM-ALERT FUNCTION: ____


Using the Panel

You can display all audit records or selected audit records, as follows:

• To display all the audit records in chronological order, press ENTER.

• To receive more specific information, use one or more of the following selection criteria fields to limit the records displayed on the DAUD Display panel:

Field                 Meaning

DATE                  Specifies the dates of the earliest and most recent records to be displayed. If nothing is entered, the FROM date defaults to yesterday's date and the TO date defaults to the current date. Records from the dates specified are included in the display.

TIME                  Limits the display to records logged between the times specified. Times are specified in military format. For example, if the date range specified were from 01/01/1998 to 01/02/1998, and the time range specified were 10:00 to 12:00, only those records logged between 10 a.m. and noon on the two dates would be displayed.

ADMINISTRATOR         Limits the display to only those changes made by the specified administrator. Main administrators can review any record. Sub-Administrators can review only their own changes.

BIM-ALERT FUNCTION    Limits the display to records containing a particular BIM-ALERT function. For example, if you want to see the updates to operators defined on the BIM-ALERT security file, enter UAUP in the BIM-ALERT FUNCTION field.
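The DATE and TIME criteria are applied independently, so a change logged at 23:00 on the first day is not selected by a 10:00 to 12:00 window even though it falls between the first and last timestamps. The following model of the selection rules is an added example, not BIM-ALERT code; the record layout, the administrator ID SUB1, the inclusive time bounds, and the exact-match comparison on the function code are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AuditRecord:
    stamp: datetime        # DATE and TIME of the change
    administrator: str     # administrator who made the change
    function: str          # BIM-ALERT function code, e.g. UAUP


@dataclass(frozen=True)
class Criteria:
    from_date: Optional[date] = None   # blank FROM date -> yesterday
    to_date: Optional[date] = None     # blank TO date   -> current date
    from_time: str = "00:00"           # panel defaults, military format
    to_time: str = "24:00"
    administrator: str = ""            # blank -> any administrator
    function: str = ""                 # blank -> any function


def minutes(hhmm: str) -> int:
    """Convert HH:MM (00:00 through 24:00) to minutes after midnight."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    total = hours * 60 + mins
    if not (0 <= mins <= 59 and 0 <= total <= 24 * 60):
        raise ValueError(f"invalid time {hhmm!r}")
    return total


def select(records: Iterable[AuditRecord], crit: Criteria, viewer: str,
           viewer_is_main: bool, today: date) -> List[AuditRecord]:
    """Return the records a reviewer would see, in chronological order."""
    first = crit.from_date or today - timedelta(days=1)
    last = crit.to_date or today
    low, high = minutes(crit.from_time), minutes(crit.to_time)
    if first > last or low > high:
        raise ValueError("FROM value is later than TO value")

    chosen = []
    for rec in records:
        time_of_day = rec.stamp.hour * 60 + rec.stamp.minute
        if not first <= rec.stamp.date() <= last:
            continue                   # outside the date range (inclusive)
        if not low <= time_of_day <= high:
            continue                   # time window is tested on every day
        if crit.administrator and rec.administrator != crit.administrator:
            continue
        if crit.function and rec.function != crit.function:
            continue
        if not viewer_is_main and rec.administrator != viewer:
            continue                   # sub-administrators see only their own changes
        chosen.append(rec)
    return sorted(chosen, key=lambda rec: rec.stamp)


# Constructed sample records; SUB1 is a made-up sub-administrator ID.
RECORDS = [
    AuditRecord(datetime(1998, 1, 1, 10, 30), "FLL", "UAUP"),
    AuditRecord(datetime(1998, 1, 1, 23, 0), "FLL", "UAUP"),
    AuditRecord(datetime(1998, 1, 2, 11, 59), "SUB1", "UPAR"),
    AuditRecord(datetime(1998, 1, 2, 12, 30), "FLL", "UAUP"),
    AuditRecord(datetime(1998, 1, 3, 10, 30), "SUB1", "UAUP"),
]

# The manual's example: 01/01/1998 to 01/02/1998, 10:00 to 12:00.
WINDOW = Criteria(date(1998, 1, 1), date(1998, 1, 2), "10:00", "12:00")

if __name__ == "__main__":
    for rec in select(RECORDS, WINDOW, "FLL", True, date(1998, 1, 3)):
        print(rec.stamp, rec.administrator, rec.function)
```

When reviewing a suspected out-of-hours change, leave the TIME fields at 00:00 and 24:00 or run a second selection for the overnight window, since a narrow time range hides everything outside it on every day in the date range.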


DAUD Display Panel

Purpose

The records you selected on the DAUD Selection Criteria panel are displayed on the DAUD Display panel.

Sample Panel

    DAUD ** DISPLAY BIM-ALERT AUDIT INFORMATION ** DISPLAY

    DATE: 04/28/1998 FUNCTION: UAUP ADMINISTRATOR NO: A
    TIME: 07:49:33 SYSID: TEST ADMINISTRATOR NAME: N/A-ALERT NOT ACTIVE
    ACTION: UPDATE USER PROFILE INFORMATION
    = = = = = = = = = = = = CICS USER PROFILE INFORMATION = = = = = = = = = = = =
    OPERATOR NUMBER ===> OPER99 <<NEW PASSWORD ADDED OR UPDATED>>

    OPERATOR NAME COMPANY DIVISION DEPARTMENT SECTION
    BEFORE ==> OPER99 0000 0000 0000 0000
    AFTER ==> OPERATOR 99 BIM MPLS DEVL VSE

    ADMIN MODEL PRIM. TERM ALTERNATE-1 ALTERNATE-2 GROUP
    BEFORE ==> FLL ALL
    AFTER ==> FLL OPER2 ALL

    STATUS MSG. LANG. PROCESS TYPE INACTIVE TIME USER DEFINED DATA
    BEFORE ==> A ## U 00 HRS 30 MINS 1234567890
    AFTER ==> A ## U 02 HRS 00 MINS ABCDEFGHIJ

    OP. CLASS EXT. SEC. EXT. MODEL CICS PPW OPID IUI USERID
    BEFORE ==> R Y OPER1 Y N O99 OPER-99
    AFTER ==> R Y OPER2 Y Y O99 OPER-99
    GK775 PRESS -ENTER- FOR OPERATOR TIMES PRESS -PF8- FOR SELECTION PANEL

Panel Description

The DAUD Display panel consists of two parts. The top portion of the panel is fixed information that is contained in every audit record. The bottom section of the panel displays the variable information from each audit record.

If the function audited is an update, the data before and after the update is displayed. The changes resulting from the update are displayed in high intensity in the display. If the function audited is an addition, there is no BEFORE data.


Field Descriptions

The information at the top of the panel in each record display indicates the following:

Field                 Meaning

DATE                  The date the change was made.

FUNCTION              The subfunction that was executed to produce the audit record. If the audit record was an update made by one of the batch utilities, the code shows the first three characters of the online function that most closely relates to the operation performed and contains a B (batch) as the last character. For example, if some operators are added using the batch utility S1U550, the function displayed on the audit records produced by the updates will be AOSB (Add Operator Security Batch).

USER ID               The user ID of the administrator who changed the data. If BIM-ALERT was not active when the update was made or if the audit record was added by one of the batch processors, the default administrator is displayed.

TIME                  The time of day when the change was made.

SYSID                 The system from which the change was made. If the audit record was added by a batch process, the SYSID will display BATC.

ADMINISTRATOR NAME    The name of the administrator who made the change. If BIM-ALERT was not active when the change was made, the name displays N/A - BIM-ALERT NOT ACTIVE. If the audit record was added by one of the batch processors, the name displays N/A - BATCH PROCESS.

ACTION                An expanded explanation of the function code. This data is not carried in the record but is based upon the function carried into the audit record.

For complete descriptions of the variable information displayed in each record, refer to the explanation of the corresponding BIM-ALERT function.

Several of the functions (for example, xAUP, xTSI, xOSB, xTSB, xSMP, and UPAR) contain audit records that span two pages. Press ENTER to display the second page. To display the next record and skip the second page of the display, press PF8.

Returning to the DAUD Selection Criteria Panel

Once you view all the records selected, the DAUD Selection Criteria panel is again displayed.

To return to the DAUD Selection Criteria panel before you have viewed all of the records you selected, press PF12. You can then change the selection criteria and view another display.


Chapter 11. Advanced Security Facilities

This chapter describes the advanced security facilities of BIM-ALERT/CICS.

User Exits
    Introduction
    Using Custom Exits
    Passing Data to BIM-ALERT/CICS from an Exit
    Refreshing User Exits, Monitors, and Logos

Post-Sign-On Processing

Authorized Transaction Display Program

VSE Interactive User Interface Support
    Introduction
    Logic Flow Through Sign-On
    Logic Flow Through Sign-Off
    PCT Updates
    PLT Updates
    UPAR and UTOP Updates
    ASTR Updates

S1SUSER: Return Security Data to Calling Program

Additional Exits


User Exits

Introduction

Controlling User Exits

BIM-ALERT/CICS was designed to provide complete security for your online resources without any user coding required. Since one of the most valuable resources in any online system is storage, the use of user exits is completely controlled by the user. This is accomplished by answering a single question on the UPAR panel regarding user exits. If you answer NO to the question, no storage is required and no exits are loaded or executed, thereby providing the minimum path length for security processing.

When to Use User Exits

Use user exits only after you have determined that there is no other way to provide the security you need. User exits, in any product, increase complexity and introduce additional sources of errors. In an online product, this extra exposure can be very costly if it keeps the system from running. Never try exits unless they have been thoroughly tested.

Securing Fields for Operators or Terminals

The easiest way to never display certain fields for some operators or terminals is to use the map security feature of BIM-ALERT/CICS and not an exit.


User Exits Provided

BIM-ALERT/CICS is also designed with enough flexibility to handle the advanced security needs of those computer shops with a variety of both user-written and OEM vendor products. Often these products do not provide easily available security hooks, and the time and effort required to change the system to meet advanced security needs cannot be justified. To handle these special cases, BIM-ALERT/CICS provides exits at the following points:

Exit Type                          Name        When Called

Terminal before security exit      S1TRMBEX    Before BIM-ALERT/CICS applies the standard security defined for an individual terminal. Possible uses for this exit include validation of terminal specific data and the gathering of statistics.

Terminal security exit             S1TRMEXT    After BIM-ALERT/CICS applies the standard security defined for an individual terminal. This exit is useful if you have modified the terminal information and need to repair it for use by CICS.

Operator before security exit      S1OPRBEX    Before BIM-ALERT/CICS applies the standard security defined for an individual operator. This exit is useful for changing operator-specific data to be passed to other products. For example, you may need to load data into the TCTUAL field for a program later in the transaction flow.

Operator security exit             S1OPREXT    After BIM-ALERT/CICS applies the standard security defined for an individual operator. This exit could be used to keep statistics on successful operator operations.

Transaction before security exit   S1TRNBEX    Before BIM-ALERT/CICS applies the standard security defined for an individual transaction. This exit may be used to keep statistics on transactions.

Transaction security exit          S1TRNEXT    After BIM-ALERT/CICS applies the standard security defined for an individual transaction. This exit may be needed if S1TRNBEX has modified data. It could be used to gather statistics, etc.

Program before security exit       S1PRGBEX    Before BIM-ALERT/CICS applies the standard security defined for an individual program. Refer to the section describing additional exits on page 11-18 for more information.

Program security exit              S1PRGEXT    After BIM-ALERT/CICS applies the standard security defined for an individual program. Refer to the section describing additional exits on page 11-18 for more information.

File before read exit              S1FILEX1    Before BIM-ALERT/CICS allows a particular record to be read from the file. This exit is needed if you want to prevent a range of records on a file from being displayed based on operator- or terminal-specific data, etc. You must be able to tell if the record qualifies before you have read it, usually by the key.

Field before security exit         S1FLDBEX    Before BIM-ALERT/CICS applies the standard security defined for a field-level resource. Refer to the section describing additional exits on page 11-18 for more information.

Field security exit                S1FLDEXT    After BIM-ALERT/CICS applies the standard security defined for a field-level resource. Refer to the section describing additional exits on page 11-18 for more information.


Using Custom Exits

BIM-ALERT/CICS is distributed with a STUB module for each possible user exit point. Refer to page 11-3 for the names of the modules. To activate your own user exit, perform the following steps:

Step    Action

1       Locate where you need to take an exit. For example, if you want to take a transaction before security exit, you need to modify S1TRNBEX.

2       Locate in the BIM-ALERT/CICS residence sublibrary the source for the exit programs identified in the step above.

3       Add your required code to the exit after the comment in the STUB module provided.

        All user exits must be coded in assembler. Be sure to be as brief as possible since you will be adding to your path length for security. Any errors you introduce may have a major effect on the system.

4       Rename the STUB module you are going to modify. This gives you a way to go back if your module has a problem and will not run.

5       Catalog the modified stub with the exact module name it had before.

6       Go to the UPAR panel and change the answer to the question about user exits to YES (if not already specified).

7       If you want to immediately install your new exit for testing, execute the BIM-ALERT/CICS REFR function.

        If you do not execute the REFR function, then your new exit (and all other stub exits) will be loaded with the next activation of BIM-ALERT/CICS.


Passing Data to BIM-ALERT/CICS from an Exit

Any time a user exit is called, BIM-ALERT/CICS must be able to determine whether a violation has occurred. This information is passed to BIM-ALERT/CICS in the user exit common interface area. A description of this area is given below.

    S#EXAREA EQU   *
    S#RETCOD DS    XL1     User exit return code:
                             00  No violation detected
                             FF  Violation detected
    S#DISP   DS    CL1     Disposition of violation:
                             1   Display message to operator only
                             2   Report for auditing only
                             3   Display and report the violation
    S#SEVRTY DS    CL1     Severity level action to be taken:
                             1   Continue normal processing
                             2   Add to violation count - continue
                             3   Add to violation count - prohibit
                             4   Prohibit further processing
    S#EXTMSG DS    CL50    User violation description message

As you can see, there is no limit to the number of user messages that can be displayed, and no table of messages is needed. You must ensure that the 50-character message provides enough information to tell the operator or the security administrator what happened. This 50-character message is displayed to the operator and also is written with the violation to the S1SECLOG file for later processing.
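When testing an exit, it helps to check a captured image of the interface area against the layout above before the exit goes near a production CICS. The following decoder and checker is an added example, not part of BIM-ALERT; it assumes the CL1 and CL50 fields hold EBCDIC characters in code page 037, that S#DISP, S#SEVRTY and S#EXTMSG only matter when the return code is not 00, and it uses a constructed message.

```python
EBCDIC = "cp037"                 # assumption: the manual does not name a code page
AREA_LENGTH = 1 + 1 + 1 + 50     # S#RETCOD + S#DISP + S#SEVRTY + S#EXTMSG

DISPOSITIONS = {
    "1": "Display message to operator only",
    "2": "Report for auditing only",
    "3": "Display and report the violation",
}
SEVERITIES = {
    "1": "Continue normal processing",
    "2": "Add to violation count - continue",
    "3": "Add to violation count - prohibit",
    "4": "Prohibit further processing",
}


def build_exarea(violation: bool, disposition: str, severity: str,
                 message: str) -> bytes:
    """Build a 53-byte area image the way a test harness would expect it."""
    if len(disposition) != 1 or len(severity) != 1:
        raise ValueError("S#DISP and S#SEVRTY are one character each")
    if len(message) > 50:
        raise ValueError("S#EXTMSG holds at most 50 characters")
    text = disposition + severity + message.ljust(50)   # blank-padded CL50
    return bytes([0xFF if violation else 0x00]) + text.encode(EBCDIC)


def parse_exarea(raw: bytes):
    """Decode one area image and return (fields, problems)."""
    if len(raw) != AREA_LENGTH:
        raise ValueError(f"expected {AREA_LENGTH} bytes, got {len(raw)}")
    retcod = raw[0]
    disp = raw[1:2].decode(EBCDIC)
    sev = raw[2:3].decode(EBCDIC)
    # Strip blank padding and any binary zeros left in an unset field.
    msg = raw[3:].decode(EBCDIC).rstrip(" \x00")

    problems = []
    if retcod not in (0x00, 0xFF):
        problems.append(f"S#RETCOD X'{retcod:02X}' is neither 00 nor FF")
    if retcod != 0x00:
        if disp not in DISPOSITIONS:
            problems.append(f"S#DISP {disp!r} is not 1, 2 or 3")
        if sev not in SEVERITIES:
            problems.append(f"S#SEVRTY {sev!r} is not 1 through 4")
        if not msg:
            problems.append("S#EXTMSG is blank; the operator and the "
                            "S1SECLOG record would carry no explanation")
    fields = {
        "violation": retcod == 0xFF,
        "disposition": DISPOSITIONS.get(disp),
        "severity": SEVERITIES.get(sev),
        "message": msg,
    }
    return fields, problems


# Constructed sample message for a hypothetical exit.
SAMPLE_MESSAGE = "PAYROLL INQUIRY OUTSIDE BUSINESS HOURS"

if __name__ == "__main__":
    area = build_exarea(True, "3", "3", SAMPLE_MESSAGE)
    print(area.hex().upper())
    print(parse_exarea(area))
```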


Refreshing User Exits, Monitors, and Logos

Purpose of the Refresh Function

The refresh function lets you use new versions of non-CICS programs such as the BIM-ALERT monitors, user exits, logos, and help logos.

If it is necessary to put a corrective or optional zap onto one of the BIM-ALERT/CICS monitors, the REFR function lets you put the corrected version into effect immediately. Likewise, if you are testing exits or logos, you can immediately use the new copy without having to recycle CICS.

Access

To display the Refresh Monitors/Exits/Logos panel, do one of the following:

• Move the cursor to the appropriate field on the BIM-ALERT/CICS Other Security Functions menu and press ENTER.

• Enter REFR on any security panel.

Sample Panel

    REFR           REFRESH MONITORS/EXITS/LOGOS           REFRESH

    MONITORS     EXITS          LOGO MODULES
    --------     -----          ------------
    _ S1S110     _ S1TRMBEX     ________
    _ S1S120     _ S1TRMEXT     ________
    _ S1S125     _ S1OPRBEX     ________
    _ S1S130     _ S1OPREXT     ________
    _ S1S131     _ S1TRNBEX     ________
    _ S1S132     _ S1TRNEXT     ________
    _ S1S180     _ S1PRGBEX     ________
    _ S1S181     _ S1PRGEXT     ________
                 _ S1FLDBEX     ________
                 _ S1FLDEXT     ________

    GK705 ENTER 'X' TO REFRESH A MONITOR/EXIT - LOGONAME TO REFRESH A LOGO


Using the Panel

You can refresh any of the monitors and user exits listed on the REFR panel by entering X beside those for which you want a new copy. Since the names of the logos and help logos are user-defined, you must enter the complete name of the logo you want to refresh. You can specify multiple monitors, exits, or logos on the panel. The processing program checks each panel position to see if any action is necessary.

Use the REFR function only when you have changed one of the monitors or exits listed or you have reassembled your logos. Use the REFR function for only those modules that have been updated. For example, if you have received a corrective patch to S1S110, you should select only S1S110 to be refreshed.


Post-Sign-On Processing

Purpose

BIM-ALERT/CICS allows you to transfer control directly to a user program after either terminal or operator sign-on is complete. You might want to perform a variety of special tasks at operator sign-on time to streamline the operation of your system. For example, you might want to automatically sign the user on to another CICS application, override the default value that BIM-ALERT/CICS places in the OPID field, or move an operator identifier into the TCTUA for use by your applications.

Supplied Sample Program

The supplied U1S610 source program illustrates how to access the BIM-ALERT/CICS operator table to extract operator data. The USER DEFINED DATA field on the Terminal and Operator Security Information panels can be used to pass information to the post-sign-on program (the field is placed in the table in an unencrypted format). The supplied sample program illustrates how to move the data in the USER DEFINED DATA field to the TCTUA.

There are no restrictions on what you can do in this program because standard CICS facilities are used to pass control to it. In other words, you can use any CICS command or any operating system macro without affecting BIM-ALERT/CICS. The name of the program can be any name allowed by the operating system as long as it is accessible to CICS. The supplied sample is just a sample; you can assemble and link it if you need to, or you can modify it or completely rewrite it to perform the post-sign-on processing that you need. The return at the end of the post-sign-on program passes control to CICS. If you need to pass control to another program, you must code the post-sign-on program accordingly (for example, use XCTL to pass control to another program).

Coding Language

The coding language required for post-sign-on programs depends on whether the program accesses the BIM-ALERT/CICS operator or terminal security table, as follows:

• If you access the BIM-ALERT/CICS operator or terminal security table in your post-sign-on program to extract data from the USER DEFINED DATA field, you must code the program in assembler language so that you can use register addressing to access the tables.

• If you do not access these tables, you can use any language supported by CICS.


Authorized Transaction Display Program

Introduction

The ALRT transaction supplied with BIM-ALERT/CICS is a pseudo-conversational transaction designed to display all transactions authorized to an operator and terminal at any particular time. ALRTMENU is the program that is initiated by the ALRT transaction. ALRTMENU scans the secured transaction list in memory to determine the transactions that the user is authorized to execute. In order for ALRTMENU to function, either operator transaction security or terminal transaction security must be activated on the Current Options panel (UCOP) or the Permanent Options panel (UPOP).

Temporary Storage Queue Used

The ALRTMENU program uses a temporary storage queue to store the pages containing the list of transactions. Each page is stored as a temporary storage record. A record is read from the queue and displayed when requested by pressing the appropriate PF key for page forward or backward, or by entering the page number in the current page field. The temporary storage queue name is constructed of the four-character terminal ID concatenated with the literal MENU. The queue is created at initial entry to the transaction and purged at final exit or XCTL to another transaction.

Using ALRT

At initial entry to ALRT, the first page of transactions and their descriptions are displayed. At this point, the user can enter a transaction to be given control with transaction data, page forward or backward, enter the specific page to be displayed, or cancel or terminate the ALRT transaction. When a transaction ID is entered with or without data, a PCT locate is first done to validate that the transaction exists. If the transaction is valid, a call is made to BIM-ALERT/CICS using the user-callable interface to check if the operator and terminal are authorized to execute the transaction.

WARNING!

The program S1S200 must be defined in your PPT for the user-callable interface to successfully validate authorization. If the validation is successful, a second panel is displayed with the transaction ID and any associated data in the upper left corner of the panel. The user is instructed to press ENTER to begin processing the selected transaction. This method allows the ALRT transaction to work in all configurations (MRO, ISC, etc.) and removes any problems with CICS monitors logging the incorrect transaction ID.


VSE Interactive User Interface Support

Introduction

Purpose

BIM-ALERT/CICS provides a method of interfacing with the Interactive User Interface (IUI) of VSE at sign-on time that preserves all the features of both systems, fully secures the IUI functions with standard BIM-ALERT/CICS security facilities, and requires only a single user sign-on.

In the VSE environment without BIM-ALERT/CICS, when you access a terminal, the Interactive Interface Sign-On panel is displayed. After sign-on, the next function defined in the interactive interface profile is presented.

With the changes made to allow BIM-ALERT/CICS to enter the picture, all of this will work exactly the same except that the sign-on panel will be the BIM-ALERT/CICS Sign-On panel. When users successfully sign on to BIM-ALERT/CICS, they see a message (from BIM-ALERT/CICS) that sign-on is complete. The next thing they see is the first interactive panel they would have received after completing a normal IUI sign-on. At this point, the user is indeed signed on to the IUI and can then proceed normally. When users sign off, either by using CSSF or the PF3 key, they are signed off both BIM-ALERT/CICS and the IUI.


Logic Flow Through Sign-On

Overview

Four programs are involved in the sign-on procedure. Three of these are BIM-ALERT/CICS programs (S1S615, S1S610, and S1S613), and the fourth is the IUI sign-on program IESIES01.

When ICCF/CICS is initialized, the CICS initialization program IESCICIN initializes all the TCTTE entries to run CSGM or IEGM in order to display the IUI Sign-On panel.

S1S615

S1S615 is the sign-on front end that BIM-ALERT/CICS provides; it allows users to have their own transaction IDs drive the BIM-ALERT/CICS sign-on process. By changing the PCT entry for CSGM (and/or IEGM) to point to program S1S615, the BIM-ALERT/CICS Sign-on panel is displayed instead of the IUI Sign-On panel.

S1S610

When the user enters her password, user ID, and operator name on the sign-on panel, program S1S610 validates the data against her user profile to determine if she is indeed authorized to sign on. If everything is correct, S1S610 signs her onto the BIM-ALERT/CICS system and calls program S1S613 to initiate the IUI sign-on procedure automatically.

S1S613

When S1S613 gains control, it dynamically builds and passes the user name and password to complete the IUI sign-on process. If the IUI user ID and password are already specified in the user profile, they are used for sign-on. Otherwise, the first four characters of the BIM-ALERT/CICS operator name are used as the interactive interface user name and password.

IUI User Name

The reason why the first four characters of the operator name are used as the interactive interface user name instead of the user ID is that the interactive interface requires a four-character user name. Therefore, when operators are defined to BIM-ALERT/CICS, you must ensure that the first four characters of their operator name match the user name defined to the IUI. The data in the remainder of the field will not affect the sign-on to the interactive interface.

IUI User Password

The reason why the first four characters of the operator name are used as the IUI password instead of the BIM-ALERT/CICS password is twofold. Most important, the IUI keeps the passwords it uses in core in the clear. We feel it is a security exposure to have the BIM-ALERT/CICS passwords displayed in clear text if ICCF were to dump, or if you have some facility to display storage while ICCF is active. Second, since the operator name is not likely to change, the maintenance of passwords can be handled completely by BIM-ALERT/CICS. An operator's password can be changed any number of times to BIM-ALERT/CICS, but the operator never has to worry about keeping the IUI password synchronized, because it doesn't change.


IESIES01

Once S1S613 has built the required input, control is passed to the IUI sign-on program IESIES01.

IESIES01 processes the IUI sign-on at this point just as if the user had entered the data on the panel and as if BIM-ALERT/CICS were not involved at all. When sign-on is complete, the user proceeds directly to the panel he would have seen prior to BIM-ALERT/CICS being used and proceeds as normal. If he escapes to CICS to work or tries to process some IUI function driven by a CICS transaction ID that he is not authorized for in his BIM-ALERT/CICS user profile, access will be denied by BIM-ALERT/CICS.
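The rule S1S613 applies when it builds the IUI user name and password can be checked offline against a list of operator definitions before they are entered. The script below is an added example, not part of the BIM-ALERT/CICS manual or product; the record layout, the upper-case comparison, and all operator and IUI names are assumptions constructed for illustration.

```python
"""Offline audit of how BIM-ALERT/CICS operators resolve to IUI users.

Added example. Models the rule in the text: the IUI user ID from the user
profile is used when specified; otherwise the first four characters of the
operator name serve as both IUI user name and IUI password.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

IUI_NAME_LEN = 4  # the interactive interface requires a four-character user name


@dataclass(frozen=True)
class Operator:
    """Assumed export layout of one operator definition (hypothetical)."""
    user_id: str
    operator_name: str
    iui_user_id: Optional[str] = None  # set when the profile specifies one


def effective_iui_user(op: Operator) -> Tuple[str, bool]:
    """Return (IUI user name, True if derived from the operator name)."""
    if op.iui_user_id:
        return op.iui_user_id.upper(), False
    # Assumption: names are compared in upper case.
    return op.operator_name[:IUI_NAME_LEN].upper(), True


def audit(operators: Iterable[Operator], iui_users: Iterable[str]) -> Dict[str, object]:
    """Report operators whose IUI sign-on would fail or be ambiguous."""
    defined = {u.upper() for u in iui_users}
    by_iui: Dict[str, List[str]] = defaultdict(list)
    report: Dict[str, object] = {"derived": [], "malformed": [], "no_iui_user": []}
    for op in operators:
        name, derived = effective_iui_user(op)
        by_iui[name].append(op.user_id)
        if derived:
            # These operators reach the IUI with user name == password.
            report["derived"].append(op.user_id)
            if len(name) < IUI_NAME_LEN or " " in name:
                # Fewer than four usable characters at the start of the name.
                report["malformed"].append(op.user_id)
        if name not in defined:
            # The resolved name must match a user name defined to the IUI.
            report["no_iui_user"].append(op.user_id)
    # Several operators resolving to one IUI user share that IUI identity.
    report["shared"] = {n: ids for n, ids in by_iui.items() if len(ids) > 1}
    return report


# Constructed sample data, not taken from any real installation.
OPERATORS = [
    Operator("A100", "JDOE JANE DOE"),
    Operator("A101", "JDOE JOHN DOERR"),
    Operator("A102", "AL SMITH"),
    Operator("A103", "MARY JONES", iui_user_id="MJON"),
    Operator("A104", "PBAKER"),
]
IUI_USERS = ["JDOE", "MJON", "SYSA"]

if __name__ == "__main__":
    for finding, value in audit(OPERATORS, IUI_USERS).items():
        print(f"{finding:12} {value}")
```
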


Logic Flow Through Sign-Off

Overview

Four programs are involved in the sign-off procedure: the BIM-ALERT/CICS programs S1S610, S1S615, and S1SIGNOF, and the IUI program IESIES5.

The two modes of signing off from the IUI when BIM-ALERT/CICS is involved are using the CICS transaction CSSF and using the PF3 key.

CSSF Sign-Off

The CSSF transaction's PCT entry points to the sign-on/sign-off program S1S610. This program signs off the user from the BIM-ALERT/CICS system. Upon completion of its task, S1S610 passes control to the supplied S1SIGNOF exit program.

S1SIGNOF calls the IUI sign-off program IESIES5 to sign off the user from the interactive interface. When S1SIGNOF regains control, it restarts transaction CSGM or IEGM, which restarts sign-on processing, and the BIM-ALERT/CICS Sign-On panel again appears on the terminal.

PF3 Sign-Off

The interactive interface defines the PF3 key to take you back to the previous panel you were working on. If you press the PF3 key back to the IUI Sign-On panel, it signs you off and leaves the IUI Sign-Off panel displayed (if BIM-ALERT/CICS is not involved).

With BIM-ALERT/CICS in control, PF3 works exactly the same as the IUI in native mode, except that when you get back to the first level (where you would normally get the IUI Sign-On panel), BIM-ALERT/CICS becomes involved because the CSGM or IEGM transaction drives this processing for the IUI. As explained earlier, CSGM or IEGM points to the BIM-ALERT/CICS program S1S615. When it is reached in this mode, S1S615 first causes sign-off to occur just as if CSSF were entered. When the sign-off is complete, the BIM-ALERT/CICS Sign-On panel reappears, ready for the next user to sign on.

You can use PF4 and PF16 to disconnect the terminal from VTAM, regardless of whether you used PF3 or CSSF to sign off from the BIM-ALERT/CICS Sign-On panel. PF3 and PF15 disconnect the terminals to VM (on VTAM terminals only if the last three characters of the terminal ID are the same as the CUU of the device). For example, if the device address as defined to VTAM is 080, the terminal ID may be L080, M080, N080, or any other four-character string ending with 080.


PCT Updates

The PCT entries for transactions CSGM and IEGM must be changed to point to program S1S615. As discussed above, this change will cause the BIM-ALERT/CICS Sign-On panel to be displayed rather than the IUI Sign-On panel.

PLT Updates

As discussed in the BIM-ALERT Installation and Operations Guide, an entry may be included in the PLT to automatically start up BIM-ALERT/CICS when CICS initializes. When the PLT is updated to serve this function, you must ensure that you include the following IUI entry to initialize the terminals correctly:

DFHPLT TYPE=ENTRY,PROGRAM=IESCICIN

This entry is included in the copy book IESZPLTI and should not be included twice in the PLT. If this entry is not included, the BIM-ALERT/CICS Sign-On panel will not appear initially on the terminals and sign-on to the IUI will not be possible.

UPAR and UTOP Updates

Several changes to the BIM-ALERT/CICS system parameters must be made to implement the BIM-ALERT/CICS / IUI interface:

• S1S613 must be added to UTOP as the program to receive control after operator sign-on.

• S1SIGNOF must be added to UTOP as the program to receive control after operator sign-off.

• IESIES01 must be added to UPAR as the program to receive control on unsecured terminals. This is the IUI sign-on program.


ASTR Updates

The following transaction IDs must be added to BIM-ALERT/CICS as secured transactions with status S (safe):

• IES6 (the IUI sign-on transaction)
• PF03 (the IUI previous panel transaction)
• IESI (the IUI function processor)

There are circumstances in which these transactions are driven prior to sign-on or after sign-off from BIM-ALERT/CICS, and they must be allowed to continue so that the next sign-on is successful.


S1SUSER: Return Security Data to Calling Program

Use the utility program S1SUSER, which can be linked to from any command-level CICS program, to extract data from the BIM-ALERT security table pertaining either to the terminal the task is running on or to the operator executing the task.

Description

S1SUSER is a utility program that can be linked to by a standard EXEC CICS LINK command from any command-level CICS program to pass back data to that calling program. The data is extracted by S1SUSER from the BIM-ALERT security table and pertains either to the terminal that the transaction is running on or to the operator executing the transaction, as determined by a request type passed to S1SUSER by the program issuing the LINK.

Prerequisites

S1SUSER must be defined to CICS as a program, either by reassembling the PPT or by defining S1SUSER using RDO. The programming language of S1SUSER must be assembler.

Requirements for the Program Calling S1SUSER

The program that issues the link to S1SUSER has the following responsibilities:

• Acquiring a commarea. The program issuing the link must acquire a commarea at least large enough to contain the data to be passed back by S1SUSER. Also, the fields used by S1SUSER and the linking program to pass data back and forth must be at the very beginning of the commarea acquired. You can add fields after the area used by S1SUSER for other purposes, but you must not add anything before the area used by S1SUSER.

• Setting the request type. S1SUSER can pass back data about either the terminal the requesting task is running on, or the operator who is signed on to that terminal. The program issuing the link must pass a T or an O to S1SUSER in the commarea (field USERREQ in the assembler layout or field LS-REQUEST-TYPE in the COBOL layout) to signal S1SUSER which type of data is required.

• Checking the return code. S1SUSER will pass back an abnormal return code if for any reason the request cannot be honored (see the copy books for the values of these return codes and their meanings). It is the responsibility of the linking program, upon regaining control, to check the return code before trying to process the data.

Layout Copybooks

Layouts of the commarea used by S1SUSER were cataloged as part of the standard BIM-ALERT/CICS install. For COBOL programs, the layout copybook is S1USERDS.C. For assembler programs, the copybook is S1USERDS.A.


Usage Note

Whether the linking program is written in COBOL or assembler, all data pertaining to either the terminal or the operator will be passed back in the commarea. The linking program can then examine and use whatever data it needs to satisfy its requirements.


Additional Exits

Additional Facilities for Creating Exits

In addition to the normal exits described above, BIM-ALERT/CICS also provides the following other facilities that let you create customized exits:

• The UTOP panel provides pseudo-exits that allow you to invoke a special user code any time a terminal or operator sign-on is completed. There is no actual exit overhead involved in these pseudo-exits, and you do not have to specify EXITS=YES to use this facility.

• The USER DATA field on both the terminal and operator panel is maintained in core and is available at all exit points with no I/O. This can be used for additional levels of security checking.

• You can use the preload status of transactions, programs, and files with user exits. This approach makes many complex security needs easy to address.

Example

For example, suppose you have many programs with multiple levels of power, such as inquiry, add, and update, that are controlled by PF keys. You can allow a given operator (or terminal) to do adds and inquiries but not updates.

To do so, you would first define pseudo-programs with a status of P. Assign these to the operator (or terminal), and then invoke the program before security exit to look at the program name and PF key to build a pseudo-program name to be checked by BIM-ALERT/CICS for security violations. If the operator is authorized to use the pseudo-program, BIM-ALERT/CICS allows access.

In this way you can create any number of additional security schemes for products such as DMS that do not provide the flexible security you need.
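The pseudo-program scheme in the example above, modeled as an added illustration that is not part of the manual or of any supplied exit: the naming convention (first seven characters of the program name plus a function letter), the key-to-function mapping and the sample names are hypothetical, and the set lookup stands in for the check that BIM-ALERT/CICS itself performs on the pseudo-program name. It also shows two things to settle when designing such a convention: keys with no mapping should be denied, and truncation can make two real programs share one pseudo-program.

```python
"""Model of the decision a 'program before security' exit makes.

Added example. The naming convention, key mapping and sample names are
hypothetical; in a real exit the final check is made by BIM-ALERT/CICS
against the pseudo-programs (status P) assigned to the operator or terminal.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

MAX_NAME = 8  # CICS program names are at most eight characters

# Hypothetical site convention: attention key -> (function, name suffix).
KEY_FUNCTION = {"ENTER": ("inquiry", "I"), "PF5": ("add", "A"), "PF6": ("update", "U")}


def pseudo_program(program: str, key: str) -> Optional[str]:
    """Build the pseudo-program name for (program, key); None if key is unmapped."""
    entry = KEY_FUNCTION.get(key.upper())
    if entry is None:
        return None
    # Keep the result within MAX_NAME by truncating the real name to 7 characters.
    return program.upper()[: MAX_NAME - 1] + entry[1]


def exit_decision(program: str, key: str, assigned: Set[str]) -> str:
    """Return 'ALLOW' or 'DENY'; unmapped keys and unassigned names fail closed."""
    name = pseudo_program(program, key)
    return "ALLOW" if name is not None and name in assigned else "DENY"


def permitted_functions(program: str, assigned: Set[str]) -> List[str]:
    """List the functions of one program that the assigned pseudo-programs allow."""
    return sorted(func for key, (func, _) in KEY_FUNCTION.items()
                  if exit_decision(program, key, assigned) == "ALLOW")


def truncation_collisions(programs: Iterable[str]) -> Dict[str, List[str]]:
    """Find real programs that would share pseudo-program names after truncation."""
    stems: Dict[str, Set[str]] = defaultdict(set)
    for p in programs:
        stems[p.upper()[: MAX_NAME - 1]].add(p.upper())
    return {s: sorted(ps) for s, ps in stems.items() if len(ps) > 1}


# Constructed sample: this operator may inquire and add, but not update.
ASSIGNED = {"ORDMAINI", "ORDMAINA"}
PROGRAMS = ["ORDMAINT", "ORDMAINX", "CUSTINQ"]

if __name__ == "__main__":
    for key in ("ENTER", "PF5", "PF6", "PF9"):
        print(key, pseudo_program("ORDMAINT", key), exit_decision("ORDMAINT", key, ASSIGNED))
    print("collisions:", truncation_collisions(PROGRAMS))
```
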


Chapter 12. Utilities

This chapter describes how to use BIM-ALERT/CICS utilities to maintain a security environment.

Introduction
    Function of Utilities
S1U000: Security File Initialization
S1U001: Security File Restore/Reorganization - Step 1
S1U002: Security File Restore/Reorganization - Step 2
    Introduction
    Reorganize BIM-ALERT/CICS Security File
S1U003: Security Log File Initialization
S1U004: Audit File Initialization
S1U005: Current Module Version Report
S1U006x: Message File Initialization
S1U009: Terminal/Operator Access Time Update Utility
S1U010: Release Shared BIM-ALERT/CICS Tables
S1U100: The Audit Trail Backup/Archive Utility
    Introduction
    Examples
S1URESRC: Resource Add/Delete Utility
    Introduction
    Examples
S1UGROUP: Group Assign/Remove Facility
    Introduction
    Examples
S1U550: Batch Operator Add Facility
S1U560: Update Profile Program
    Introduction
    Example
S1U887: Freeing Terminal Table Entries Utility
    Introduction
    Example


Introduction

Function of Utilities

BIM-ALERT/CICS utilities perform functions necessary to maintain a security environment. Some of these utilities are used only during installation, and others are used during maintenance of the ever-changing security environment.

Utilities Provided

This chapter explains how to use the utilities provided. They are presented in alphanumeric order. The following utilities are described:

• S1U000: Security file initialization
• S1U001: Security file restore/reorganization - step 1
• S1U002: Security file restore/reorganization - step 2
• S1U003: Security log file initialization
• S1U004: Audit file initialization
• S1U005: Current module version report
• S1U006x: Message file initialization
• S1U009: Terminal/operator access time update utility
• S1U010: Release shared BIM-ALERT/CICS tables
• S1U100: Audit trail backup/archive utility
• S1URESRC: Resource add/delete utility
• S1UGROUP: Group assign/remove facility
• S1U550: Batch operator add facility
• S1U560: Update profile program
• S1U887: Freeing terminal table entries utility


S1U000: Security File Initialization

Description

The S1U000 program initializes the BIM-ALERT/CICS security file. It can only be run when you are installing BIM-ALERT/CICS for the first time.

WARNING!

Never run this program on an existing security file.


S1U001: Security File Restore/Reorganization - Step 1

Description

The S1U001 program is the first of two programs required to reorganize the BIM-ALERT/CICS security file. It uses a standard IBM REPRO dataset as input and therefore is fail-safe as long as you keep the backup tape. This job only removes status D resources from the S1SCTY file and has no effect on the speed of execution or memory used by BIM-ALERT/CICS actual online security processing. The TLBL name for tape backups is S1SCTYT.

S1U001 can also read the backup dataset from a disk file. If you use REPRO to back up to disk rather than tape, simply insert in the deck after the // EXEC S1U001,SIZE=AUTO statement an input card image containing the word DISK beginning in column one, as well as a DLBL for the backup file. Use S1SCTYD as the DLBL name.

When to Run S1U001

Run S1U001 (and S1U002) only if you have deactivated a large number of resources and you want to remove them from the file to save disk space. All deactivated resources are automatically skipped by BIM-ALERT/CICS at start-up and therefore do not use any memory resource. Since all deactivated resources are dropped from the file during this process, if you have resources on the file waiting to be activated, be sure that they are status P and not D to avoid having them dropped.

This program is not a replacement for normal VSAM file backups used in disaster recovery. Back up the BIM-ALERT/CICS files in a manner consistent with your normal procedures. A product similar to IBM's IDCAMS REPRO is excellent for this purpose.

Shut Down and Restart CICS After the Reorganization

After the S1U001/S1U002 reorganization process completes, you must shut down and restart CICS. In addition, you must ensure that the BIM-ALERT/CICS security tables are rebuilt. If you use control suffix zero, this happens when you shut down and restart CICS. If you use a nonzero control suffix, you must run the S1U010 utility program or IPL before restarting CICS.

WARNING!

If you use a nonzero control suffix and do not run S1U010 or IPL before restarting CICS, operators may be able to execute transactions they are not authorized for or there may be random abends.


S1U002: Security File Restore/Reorganization - Step 2

Introduction

Description

The S1U002 program is the second of two programs used to reorganize the BIM-ALERT/CICS security file. Run it immediately after running S1U001 to successfully complete the reorganization process.

WARNING!

Failure to run S1U002 after you run S1U001 results in failure of BIM-ALERT/CICS at the next CICS start-up.

After the Reorganization Process

After the S1U001/S1U002 reorganization process completes, you must shut down and restart CICS. In addition, you must ensure that the BIM-ALERT/CICS security tables are rebuilt. If you use control suffix zero, this happens when you shut down and restart CICS. If you use a nonzero control suffix, you must run the S1U010 utility program or IPL before restarting CICS.

WARNING!

If you use a nonzero control suffix and do not run S1U010 or IPL before restarting CICS, operators may be able to execute transactions they are not authorized for or there may be random abends.


Reorganize BIM-ALERT/CICS Security File

Process the following jobs as one jobstream to back up, restore, and resequence BIM-ALERT/CICS authorized resources.

All resources that have a D (disabled) status are deleted from the S1SCTY file and eliminated as authorized resources from any terminal or operator that they may have been assigned to.

The self-documented job control for these jobs is contained in the BIM-ALERT/CICS source library member ALRTJCLD (disk) or ALRTJCLT (tape) supplied with the installation tape.

Jobstream to Back Up and Restore Files

The steps you should process as one jobstream to back up, restore, and resequence BIM-ALERT/CICS authorized resources are as follows:

Jobstep   Description
IDCAMS    Backup/delete/define security file
          * CONTENTS *
          IDCAMS Verify
          Repro Disk to backup
          Delete Security file
          Define Security file
          Listcat Entries (security file)
S1U001    Restore backup to disk
S1U002    Resequence secured resources.

This procedure is rarely required. When you feel it is needed, you must use the IBM REPRO of IDCAMS (or an OEM replacement of IDCAMS) to produce a backup file to be used as input to S1U001.

Using FAVER Backups

Although you will not need to restore and resequence your BIM-ALERT/CICS files often, it is very important that you back them up often to protect yourself against head crashes, etc. For this purpose, products like CA-FAVER provide many advantages such as ease of use, speed, and integrity checks not provided by IDCAMS. These are excellent for daily backups. CA-FAVER has the ability to produce a sequential backup file that can be used as input to S1U001. Program S1U001 cannot read a normal CA-FAVER cluster backup tape because of the CA-FAVER control information it contains, which is necessary for emergency restore.


S1U003: Security Log File Initialization

Description

The S1U003 program is used during installation to initialize the violation log file used by BIM-ALERT/CICS. Since it will be necessary from time to time to clear the Violation Log file, this job may be run after BIM-ALERT/CICS is installed. This program simply writes a header record to the log file after you have run a DELETE/DEFINE using IDCAMS to clear the file. This allows the file to be opened as I/O in the CICS jobstream.


S1U004: Audit File Initialization

Description

The S1U004 program is used during initialization to initialize the BIM-ALERT/CICS audit file. This job adds a dummy header record to the audit file so that it can be opened as I/O in the CICS jobstream.


S1U005: Current Module Version Report

Description

Run the Current Module Version Report soon after installation. The S1U005 program reads the BIM-ALERT/CICS installation tape and produces the Current Module Version Report showing the name, version number, assembly time, and assembly date of every module supplied on the tape (excluding maps). Keep the report with your BIM-ALERT/CICS documentation. This report can then be used in conjunction with the BIM-ALERT/CICS online VERS transaction to guarantee that the version of BIM-ALERT/CICS running is the latest version installed.

Sample JCL

To run the S1U005 job, the TLBL name must be ALRTAPI, and the drive on which the tape is mounted must be assigned to SYS010. The following JCL produces the report shown on the next page:

// JOB S1U005
// LIBDEF PHASE,SEARCH=???????.????????
// TLBL ALRTAPI
// ASSGN SYS010,TAPE
// MTC REW,SYS010
// MTC FSF,SYS010,2
// EXEC S1U005
/*
// MTC FSF,SYS010,2
// EXEC S1U005
/*
// MTC FSF,SYS010,2
// EXEC S1U005
/*
// MTC FSF,SYS010,2
// EXEC S1U005
/*
// MTC FSF,SYS010,2
// EXEC S1U005
/*
/&


Sample Report

DATE: 02/28/1998                          S1U005  BIM-ALERT                                    PAGE
TIME: 09:28:15                                                                                    1
                               * * CURRENT MODULE VERSION REPORT * *
MODULE NAME  VERSION   ASSEMBLY DATE  ASSEMBLY TIME     MODULE NAME  VERSION   ASSEMBLY DATE  ASSEMBLY TIME
S1S000       03.50.00  01/08/87       23.38             S1S001       03.50.00  02/22/87       21.08
S1S002       03.50.00  01/13/87       01.16             S1S003       03.50.00  01/13/87       01.58
S1S004       03.50.00  02/06/87       15.36             S1S005       03.50.00  01/13/87       17.17
S1S006       03.50.00  01/13/87       18.04             S1S007       03.50.00  01/13/87       18.26
S1S100       03.50.00  01/31/87       22.55             S1S130       03.50.00  02/07/87       22.49
S1S500       03.50.00  02/11/87       15.56             S1S502       03.50.00  02/12/87       11.55
S1S510       03.50.00  02/11/87       17.14             S1S512       03.50.00  02/12/87       13.57
S1S520       03.50.00  02/12/87       11.02             S1S522       03.50.00  02/12/87       14.07
S1S530       03.50.00  02/12/87       14.17             S1S532       03.50.00  02/12/87       14.41
S1S540       03.50.00  02/12/87       15.12             S1S542       03.50.00  02/12/87       16.53
S1S543       03.50.00  02/12/87       17.11             S1S552       03.50.00  02/15/87       10.38
S1S554       03.50.00  02/15/87       12.57             S1S555       03.50.00  02/18/87       13.50
S1S556       03.50.00  02/18/87       14.09             S1S558       03.50.00  02/19/87       08.45
S1S560       03.50.00  02/19/87       10.06             S1S562       03.50.00  02/19/87       13.04
S1S566       03.50.00  02/19/87       14.38             S1S600       03.50.00  02/26/87       09.06
S1S610       03.50.00  01/28/87       14.48             S1S752       03.50.00  02/20/87       10.35
S1S888       03.50.00  02/20/87       10.35             S1S890       03.50.00  02/24/87       13.40
S1S996       03.50.00  02/24/87       13.33             S1S997       03.50.00  02/20/87       12.29
S1S998       03.50.00  02/24/87       11.56             S1S999       03.50.00  02/24/87       18.45
S1B190       03.50.00  01/08/87       10.33             S1B192       03.50.00  01/08/87       12.31
***********************************************************************************************************
TOTAL MODULES ON RELEASE TAPE - 40
***********************************************************************************************************


S1U006x: Message File Initialization

Description

The S1U006x program is used to initialize the BIM-ALERT/CICS message file. You can initialize the file in different languages by altering the suffix. The following initialization modules are included on the installation tape:

Module     Language
S1U006E    English (default)
S1U006F    French
S1U006G    German
S1U006I    Italian


S1U009: Terminal/Operator Access Time Update Utility

Description

S1U009 is designed to allow you to update all terminal or operator access times in batch mode. The input to the program is in card format and consists of the type of records to update (TIME=TERM or TIME=OPER), the day of the week, and the access times for that day. If you want to update the terminal access times, you must include the card TIME=TERM as the first input card. If no TIME= card is present, the default is TIME=OPER. The day of the week and access time data must follow on succeeding cards. The rules concerning the times are the same as if the update were being done online:

• The valid time range is 0001-2400.
• The four-digit time field must be numeric.
• The times are entered in the format hhmm/hhmm with no intervening blanks.

The S1SCTY file must be closed to CICS prior to running the job. Any combination of days of the week may be updated. Any day of the week not found in the input jobstream will not be updated by the program. The day and the times may start in any column as long as the input does not extend past column 72. The day must be the first input on the line, followed by the access times for that day. Only one day per line is accepted. The days need not be in any particular order.

S1U009 Sample Jobstream

The following is a sample S1U009 jobstream:

// JOB S1U009
// DLBL S1SCTY,'BIM.ALERT.S1SCTY.VSAM',,VSAM
// DLBL S1SMS##,'BIM.ALERT.S1SMS##.VSAM',,VSAM
// EXEC S1U009,SIZE=AUTO
THURSDAY 0230/1030
SATURDAY 0800/1230
MONDAY 0700/1900
/*
/&

If the preceding jobstream were executed, the access times for Thursday, Saturday, and Monday would be updated for all operators, with the times for Sunday, Tuesday, Wednesday, and Friday left as they were. If you had wanted to update the terminal times instead, the first input card would have been TIME=TERM.
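The input rules above can be checked before the job is submitted. The following Python sketch is an added example, not part of the BIM-ALERT product or manual; the function names are hypothetical, and the rejection of a repeated day is an assumption because the manual does not say how a repeated day is handled.

```python
import re

DAYS = ("SUNDAY", "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY")
TIME_RANGE = re.compile(r"^(\d{4})/(\d{4})$")  # hhmm/hhmm, numeric, no blanks


def check_s1u009_deck(cards):
    """Check S1U009 data cards against the rules in the manual.

    Returns (target, updates, errors): target is "OPER" or "TERM", updates maps
    each day to its (from, to) times, errors is a list of (card number, text).
    Only the stated 0001-2400 range is applied; no minutes check is made.
    """
    target, updates, errors = "OPER", {}, []   # no TIME= card means TIME=OPER
    first_card = True
    for number, card in enumerate(cards, start=1):
        text = card.rstrip()
        if not text:
            continue
        is_first, first_card = first_card, False
        if len(text) > 72:
            errors.append((number, "input extends past column 72"))
            continue
        fields = text.split()
        if fields[0].startswith("TIME="):
            if not is_first:
                errors.append((number, "TIME= must be the first input card"))
            elif fields[0] not in ("TIME=TERM", "TIME=OPER"):
                errors.append((number, "TIME= must be TERM or OPER"))
            else:
                target = fields[0][5:]
            continue
        if fields[0] not in DAYS:
            errors.append((number, "day of the week must be the first input on the line"))
            continue
        if len(fields) != 2:
            errors.append((number, "expected one day followed by one hhmm/hhmm entry"))
            continue
        match = TIME_RANGE.match(fields[1])
        if not match:
            errors.append((number, "times must be numeric hhmm/hhmm with no blanks"))
            continue
        if not all(1 <= int(t) <= 2400 for t in match.groups()):
            errors.append((number, "valid time range is 0001-2400"))
            continue
        if fields[0] in updates:
            # Assumption: the manual does not say what a repeated day does.
            errors.append((number, "day appears more than once"))
            continue
        updates[fields[0]] = match.groups()
    return target, updates, errors


def days_left_unchanged(updates):
    """Days missing from the deck are not updated by the program."""
    return [day for day in DAYS if day not in updates]


# Data cards from the manual's sample jobstream (between // EXEC and /*).
MANUAL_DECK = ["THURSDAY 0230/1030", "SATURDAY 0800/1230", "MONDAY 0700/1900"]

# Constructed deck with one problem on each card after the first.
BAD_DECK = [
    "MONDAY 0700/1900",
    "TIME=TERM",
    "FRIDAY 0000/2500",
    "TUESDAY 0800 / 1700",
    "SUNDAY 0800/1200 MONDAY 0900/1000",
]

if __name__ == "__main__":
    for deck in (MANUAL_DECK, BAD_DECK):
        target, updates, errors = check_s1u009_deck(deck)
        print(target, updates, days_left_unchanged(updates), errors)
```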


S1U010: Release Shared BIM-ALERT/CICS Tables

Description

When BIM-ALERT/CICS is running in a single CICS partition with control suffix 0, the security tables are maintained in the same partition as CICS. This means that when CICS is terminated, the tables are automatically deleted. This is the easiest method of operation. When it is necessary to run multiple CICS systems (Multi-Region Operation), the BIM-ALERT/CICS tables are moved into shared storage and a single copy is used by all CICS partitions sharing the same BIM-ALERT/CICS file. This means that the tables are not freed when a particular CICS partition ends because the tables may be in use by other partitions.

BIM-ALERT/CICS attempts to manage the number of partitions sharing a particular set of tables by adding one to a counter each time a CICS partition starts up and subtracting one each time a CICS partition ends normally. In order for the subtraction to take place, you must add a special BIM-ALERT/CICS program to the SHUTDOWN PLT facility of CICS. This program, S1S998, will display a message on the console at each shutdown to let you know how many partitions BIM-ALERT/CICS thinks are still using the tables. This message, GK585, displays 000 when the last CICS system is terminated.

If a CICS partition is ended abnormally and S1S998 is not permitted to run, then the counter never reaches 000. In this case, the BIM-ALERT/CICS tables are not refreshed unless you IPL the operating system.

Since forced IPLs are unpleasant, a special program, S1U010, is provided to allow you to force the tables to be freed even if the count is not zero.

WARNING!

Ensure that no CICS systems are using the tables before running the S1U010 program. Clearing the tables while a CICS system is still using them will cause unpredictable results and may result in CICS abending.

Forcing Tables to be Freed

To help you, S1U010 will check the counter for the zero value and display a message to the operator if it appears as though a CICS partition is still using the tables. If you have checked and are sure all CICS partitions using this set of tables are down and the count is still not zero, you may have the operator respond with the word NOCICSUP. This response will cause the tables to be freed immediately regardless of the value in the use counter.


Alternative to Running S1U010

As an alternative to stopping all the CICS partitions and running S1U010, it may be possible to change the control suffix on the SCTY UPAR panel to a number that has not been used and restart the CICS systems one at a time to have them start using the new tables. This approach will work only if you have enough space in the SVA to hold two copies of the security tables. While you would have to restart each CICS partition using the new control number, you would not have to have ALL the partitions down at the same time.

Input to S1U010

If you do have to run S1U010, the only input it requires is the control suffix number of the tables to be cleared. This can be found by using the SCTY DPAR function of BIM-ALERT/CICS. The control suffix is displayed as a number from one to nine. This number is entered on the SUFFIX card as input to S1U010. A report is provided showing the suffix number and the date of all tables freed by the S1U010 program.

To Check If You Are Using Shared Tables

If the control suffix displayed on the SCTY DPAR panel is zero, you are not using shared tables and do not need to run the S1U010 program.

Sample Jobstream

The following is a sample jobstream for running the S1U010 program:

// JOB S1U010 RELEASE BIM-ALERT/CICS SHARED TABLE SPACE
// LIBDEF PHASE,SEARCH=ALERT.LIB
// DLBL S1SMS##,'BIM.ALERT.S1SMS##.VSAM',,VSAM
// DLBL S1SCTY,'BIM.ALERT.S1SCTY.VSAM',,VSAM
// EXEC S1U010,SIZE=AUTO
SUFFIX=1
/*
/&


S1U100: The Audit Trail Backup/Archive Utility

Introduction

Description

The S1U100 utility can either create a new copy of the audit file (backup) or append the current file to an existing backup (archive). The function performed is determined by parameters passed to the program via SYSIPT.

You may choose to maintain a cycle of backup tapes by periodically running the utility as a backup, or you can use S1U100 as an archive utility. In this mode, S1U100 reads the previous archive file along with the current S1SAUDT file and merges them to a new archive output file. In both cases, the output file will be a variable blocked file with a maximum record size of 1800 bytes.

Input Parameters

The S1U100 parameters are as follows:

INPUT-FILE=TAPE/DISK
    For ARCHIVE only, specifies whether the existing backup file resides on tape or on disk.
    Default: TAPE

INPUT-DEVICE=SYSnnn
    For ARCHIVE only, specifies the logical unit assigned to the device on which the existing backup resides.
    Default: SYS010

INPUT-BLOCKSIZE=nnnn
    For ARCHIVE only, specifies the blocksize of the existing backup file.
    Default: 8000

OUTPUT-FILE=TAPE/DISK
    Specifies whether the resulting output file (BACKUP or ARCHIVE) is to reside on tape or on disk.
    Default: TAPE

OUTPUT-DEVICE=SYSnnn
    Specifies the logical unit assigned to the output device.
    Default: SYS011

OUTPUT-BLOCKSIZE=nnnnn
    Specifies the blocksize of the resulting backup/archive output file.
    Default: 8000

Output Filename

The output filename must be U100OUT.


Examples

Creating a New Backup of the Audit File

The following example illustrates use of the FUNCTION=BACKUP parameter to create a new backup of the audit file. Defaults are used for output file destination and blocksize.

// JOB S1U100
// ASSGN SYS011,280
// TLBL U100OUT,'AUDIT.BACKUP',0
// DLBL S1SAUDT,'BIM.ALERT.S1SAUDT.VSAM',,VSAM
// DLBL S1SMS##,'BIM.ALERT.S1SMS##.VSAM',,VSAM
// DLBL S1SCTY,'BIM.ALERT.S1SCTY.VSAM',,VSAM
// LIBDEF PHASE,SEARCH=???????.?????
// EXEC S1U100,SIZE=64K
FUNCTION=BACKUP
/*
/&

Appending the Current Audit File to an Existing Backup File

The next example uses the archive function to append the current S1SAUDT file to an existing backup file. Note that the input file name must be U100INP and the output filename must be U100OUT. The default blocksizes for input and output tape files are overridden to 32767. All other parameters are allowed to default.

// JOB S1U100
// ASSGN SYS010,280
// TLBL U100INP,'AUDIT.BACKUP',0
// ASSGN SYS011,281
// TLBL U100OUT,'AUDIT.BACKUP',0
// DLBL S1SAUDT,'BIM.ALERT.S1SAUDT.VSAM',,VSAM
// DLBL S1SMS##,'BIM.ALERT.S1SMS##.VSAM',,VSAM
// DLBL S1SCTY,'BIM.ALERT.S1SCTY.VSAM',,VSAM
// LIBDEF PHASE,SEARCH=???????.?????
// EXEC S1U100,SIZE=64K
FUNCTION=ARCHIVE,
INPUT-BLOCKSIZE=32767,
OUTPUT-BLOCKSIZE=32767
/*
/&


S1URESRC: Resource Add/Delete Utility

Introduction

Description

S1URESRC runs as a batch program and is used to add secured resources to an operator, terminal, or group profile, or to delete resources from an operator, terminal, or group profile. Any secured resource (transactions, programs, and so on) may be added or deleted using this batch utility.

The program accepts input parameters to direct its actions. Using S1URESRC, a resource can be added to (or deleted from) all operators, terminals, or groups; specific operators, terminals, or groups; or all operators or terminals modeled after specified models. When you update modeled operators or terminals, the model is also updated.

You must set the operator or terminal PRINT PROFILE field on the UTOP panel to authorize use of S1URESRC. For information on using the UTOP panel, see the description of the Global System Parameters for Terminals and Operators panel on page 8-13.

Rules for Input to S1URESRC

The input to the program consists of parameters supplied in card format. Include comments by specifying an asterisk (*) in column one. Comments are echoed to printed output, but are ignored by the program.

The program accepts several keyword parameters to direct execution. These must be supplied on the first non-comment input record. Following is a list of these keywords and their accepted arguments:


AFFECTS=option
    Determines whether operator, terminal, or group profiles are to be updated. Specify one of the following for option:
        GROUP   Updates group profiles.
        TERM    Updates terminal profiles.
        OPER    Updates operator profiles.
    Default: OPER

UPDATE=option
    Determines the type of update processing to take place. Specify one of the following for option:
        ALL     Adds or deletes the resources from all operator profiles defined in the security file.
        MODEL   Updates all operators or terminals modeled after the models specified in the input deck.
        OPER    Updates only the user IDs specified in the input deck.
        TERM    Updates only the terminals specified in the input deck. If AFFECTS=TERM is specified, UPDATE=OPER is invalid and vice versa.
    The UPDATE parameter is not valid if AFFECTS=GROUP is specified.
    Default: ALL

RES=option
    Specifies which type of resource is being added. Only one resource type is permitted per execution. The resources must have already been added to the security file using the appropriate online function (for example, ASTR or ASPR). Replace option with TRAN, PROG, FILE, MAP, or FRES. This parameter is required.
    Default: none

INPUT=nnnn
    Specifies the number of input cards. S1URESRC uses this parameter to calculate how much storage is necessary to build tables used in processing. The value you specify should be equal to the number of input records (if over 50). If fewer than 50 input records are included in the input, the default storage allocation should be sufficient.
    Default: none


TYPOPER=option
    Determines whether the specified resources will be added to or deleted from the profiles. Specify one of the following for option:
        ADD     Adds the specified resources to the profiles.
        DELETE  Deletes the specified resources from the profiles.
    Default: ADD

ALLRES=option
    Overrides the ALL resources authorized indicator in the operator or terminal profile. Specify one of the following for option:
        YES     Overrides the ALL indicator.
        NO      Keeps the ALL indicator in effect.
    Under normal circumstances, if an operator profile is authorized for all transactions, S1URESRC does not assign any new transaction to the operator, even if the operator's ID is specified in the input deck. If ALLRES=YES were specified under these conditions, the ALL indicator would be turned off, and the operator would be assigned the transaction (this is true for all resource types, not just transactions). The exception to this is that if the operator is a main administrator, S1URESRC will never turn off the ALL indicator. To turn off the ALL indicator for a main administrator, you must use the online AOxx function to add the resource to the administrator in question.
    Default: NO

Other rules for input to S1URESRC are as follows:

• Input cards cannot extend beyond column 71.

• The first field on each input card is the resource name to be added (excluding comment records and the input record containing the input parameters described above). If all the operators, terminals, or groups to which you want to assign this resource do not fit on the same input record, you can duplicate the same resource name on multiple input records.

• Separate operators, terminals, models, or groups by blanks or commas.


Examples

Example of How to Add Transactions to Specific Operators

The following is an example of how to add some transactions to specific operators:

// EXEC S1URESRC,SIZE=AUTO
******
*** ADD SEVERAL TRANSACTIONS TO SOME OPERATORS
AFFECTS=OPER,UPDATE=OPER,RES=TRAN,TYPOPER=ADD,ALLRES=YES
*** ADD TRANID ABCD TO OPER01 AND OPER02
ABCD OPER01,OPER02
*** ADD TRANID WXYZ TO OPER27
WXYZ OPER27
/*

Example of How to Delete Programs from All Modeled Terminals

The following example can be used to delete programs from all terminals modeled after specified models:

// EXEC S1URESRC,SIZE=AUTO
******
*** DELETE SEVERAL PROGRAMS FROM MODELS AND TERMINALS
AFFECTS=TERM,UPDATE=MODEL,RES=PROG,TYPOPER=DELETE
*** DELETE PROGRAM PROG0002 FROM L080 AND MODELLED TERMINALS
PROG0002 L080
/*

Example of How to Add Files to Specified Group Profiles

The following example can be used to add some files to specified group profiles. Note that in the input with RES=FILE, when you specify the terminal, operator, or group to add it to, you must also specify the access level you want the operator, terminal, or group to have to the file (I=Inquiry, U=Update). The access level must be separated from the operator, terminal, or group by a space or comma.

// EXEC S1URESRC,SIZE=AUTO
******
*** ADD SEVERAL FILES TO SPECIFIED GROUPS
AFFECTS=GROUP,RES=FILE,TYPOPER=ADD
*** ADD FILE FILE0001 TO GROUPS GROUP01 AND GROUP02 READ
*** AND GROUP03 AS UPDATE
FILE0001 GROUP01,I GROUP02,I GROUP03,U
/*


Example of How to Delete Map Resources from Specified Operators

The following example can be used to delete map resources from specified operators. Notice that when identifying the map, both the map name and the reference number must be specified. The two pieces of information must be separated by a comma and enclosed in parentheses.

// EXEC S1URESRC,SIZE=AUTO
******
*** DELETE SEVERAL MAPS FROM SPECIFIED OPERATORS
AFFECTS=OPER,UPDATE=OPER,RES=MAP,TYPOPER=DELETE
*** DELETE MAP MAP0001 REF# 87 FROM OPER01 AND OPER56
(MAP0001,87) OPER01,OPER56
/*

Example of How to Add Field-Level Resources to Groups

The following example can be used to add field-level resources to the specified groups:

// EXEC S1URESRC,SIZE=AUTO
******
*** ADD SEVERAL FIELD RESOURCES TO THE SPECIFIED GROUPS
AFFECTS=GROUP,RES=FRES,TYPOPER=ADD,INPUT=2
*** ADD FIELD RESOURCE FLD00001 TO GROUP02 AND GROUP07
FLD00001 GROUP02 GROUP07
*** ADD FIELD RESOURCE FLD00002 TO GROUP02
FLD00002 GROUP02
/*
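An S1URESRC deck is a batch change to who may use which resource, so it is worth checking against the keyword rules and reading back as explicit (resource, target, access level) entries before it runs. The following Python sketch is an added example, not part of the BIM-ALERT product or manual; the function names are hypothetical, the input is the records between // EXEC and /*, and comparing INPUT= with the number of data records only is an assumption.

```python
import re

VALID = {
    "AFFECTS": ("GROUP", "TERM", "OPER"),
    "UPDATE": ("ALL", "MODEL", "OPER", "TERM"),
    "RES": ("TRAN", "PROG", "FILE", "MAP", "FRES"),
    "TYPOPER": ("ADD", "DELETE"),
    "ALLRES": ("YES", "NO"),
}
DEFAULTS = {"AFFECTS": "OPER", "UPDATE": "ALL", "TYPOPER": "ADD", "ALLRES": "NO"}
MAP_CARD = re.compile(r"^\((\w+),(\d+)\)(.*)$")   # (mapname,reference-number) targets


def _keyword_card(num, text, errors):
    """Parse the first non-comment record and apply the keyword rules."""
    given = {}
    for item in (part.strip() for part in text.split(",")):
        key, _, value = item.partition("=")
        if key == "INPUT" and value.isdigit():
            given[key] = int(value)
        elif key in VALID and value in VALID[key]:
            given[key] = value
        else:
            errors.append((num, "invalid keyword or value: " + item))
    if "RES" not in given:
        errors.append((num, "RES= is required"))
    affects = given.get("AFFECTS", DEFAULTS["AFFECTS"])
    if affects == "GROUP" and "UPDATE" in given:
        errors.append((num, "UPDATE is not valid with AFFECTS=GROUP"))
    elif {affects, given.get("UPDATE")} == {"TERM", "OPER"}:
        errors.append((num, "AFFECTS and UPDATE name different record types"))
    return given


def _data_card(num, text, res, errors):
    """Return (resource, target, access level) tuples for one data record."""
    if res == "MAP":
        match = MAP_CARD.match(text)
        if not match:
            errors.append((num, "map must be written (mapname,reference-number)"))
            return []
        resource, rest = match.group(1) + "," + match.group(2), match.group(3)
    else:
        fields = re.split(r"[ ,]+", text, maxsplit=1)
        resource, rest = fields[0], fields[1] if len(fields) > 1 else ""
    targets = [t for t in re.split(r"[ ,]+", rest) if t]
    if res != "FILE":
        return [(resource, target, None) for target in targets]
    names, levels = targets[0::2], targets[1::2]   # FILE: target, level, target, ...
    if len(names) != len(levels) or any(lv not in ("I", "U") for lv in levels):
        errors.append((num, "each FILE target needs access level I or U"))
        return []
    return list(zip([resource] * len(names), names, levels))


def lint_s1uresrc(cards):
    """Return (params, entries, errors, notes) for the input records of one run."""
    params, entries, errors, notes = dict(DEFAULTS), [], [], []
    seen_keywords, data_cards = False, 0
    for num, card in enumerate(cards, start=1):
        text = card.rstrip()
        if not text or text.startswith("*"):      # comment: asterisk in column one
            continue
        if len(text) > 71:
            errors.append((num, "record extends beyond column 71"))
        elif not seen_keywords:                    # first non-comment record
            seen_keywords = True
            params.update(_keyword_card(num, text, errors))
        else:
            data_cards += 1
            entries += _data_card(num, text.strip(), params.get("RES"), errors)
    if params["ALLRES"] == "YES":
        notes.append("ALLRES=YES overrides the ALL resources authorized indicator")
    if params["AFFECTS"] != "GROUP" and params["UPDATE"] == "ALL":
        notes.append("UPDATE=ALL updates all profiles defined in the security file")
    # Assumption: INPUT= is compared with the number of data records only.
    if data_cards > 50 and params.get("INPUT", 0) < data_cards:
        notes.append("over 50 input records: set INPUT= to the record count")
    return params, entries, errors, notes


# Input records taken from the manual's examples.
TRAN_DECK = [
    "*** ADD SEVERAL TRANSACTIONS TO SOME OPERATORS",
    "AFFECTS=OPER,UPDATE=OPER,RES=TRAN,TYPOPER=ADD,ALLRES=YES",
    "ABCD OPER01,OPER02",
    "WXYZ OPER27",
]
FILE_DECK = ["AFFECTS=GROUP,RES=FILE,TYPOPER=ADD",
             "FILE0001 GROUP01,I GROUP02,I GROUP03,U"]
MAP_DECK = ["AFFECTS=OPER,UPDATE=OPER,RES=MAP,TYPOPER=DELETE",
            "(MAP0001,87) OPER01,OPER56"]
# Constructed deck: RES= is missing and AFFECTS/UPDATE disagree.
BAD_DECK = ["AFFECTS=TERM,UPDATE=OPER,TYPOPER=ADD", "PROG0002 L080"]

if __name__ == "__main__":
    print([lint_s1uresrc(d) for d in (TRAN_DECK, FILE_DECK, MAP_DECK, BAD_DECK)])
```

The notes are review prompts rather than errors: a deck that carries ALLRES=YES or defaults to UPDATE=ALL is valid input, but it changes more than the listed entries suggest.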


S1UGROUP: Group Assign/Remove Facility

Introduction

Description

S1UGROUP runs as a batch program and is used to assign or remove groups from a terminal or operator's profile. The program accepts input records to direct its execution.

You must set the operator or terminal PRINT PROFILE field on the UTOP panel to authorize use of S1UGROUP. For information on using the UTOP panel, see the description of the Global System Parameters for Terminals and Operators panel on page 8-13.


Rules for Input to S1UGROUP

The input to the program consists of parameters supplied in card format. Include comments by specifying an asterisk (*) in column one. Comments are echoed to the printer in output, but are ignored by the program.

The program accepts several keyword parameters to direct execution. These must be supplied on the first non-comment input record. Following is a list of these keywords and their accepted arguments:

AFFECTS=option
    Specifies the type of records the resources will be added to or deleted from. Replace option with OPER to assign or remove the group from an operator. Replace option with TERM to assign or remove a group from a terminal.
    Default: OPER

UPDATE=option
    Determines the type of update processing to take place. Specify one of the following for option:
        MODEL   Adds the resources to all terminals or operators modeled after the models specified in the input deck.
        OPER    Adds the resources to only those operator IDs specified in the input deck.
        TERM    Adds the resources to only those terminal IDs specified in the input deck. If AFFECTS=TERM is specified, UPDATE=OPER is invalid and vice versa.
    Default: OPER

TYPOPER=option
    Determines whether the specified group is to be assigned to the terminal or operator, or is to be removed from the terminal or operator. Specify one of the following for option:
        ADD     Adds the group to the terminal or operator.
        DELETE  Deletes the group from the terminal or operator.
    Default: ASSIGN

Other rules for input to S1UGROUP are as follows:

• Input cards cannot extend beyond column 71.

• The first field on each input card (excluding comments and parameter cards) is the group to be added. If all the operator or terminal names to which you want to assign this group do not fit on the same input record, the same group name can be duplicated on multiple input cards.

• Separate operator or terminal names by blanks or commas.


Examples

Example of How to Assign Groups to Specific Operators

The following example can be used to assign certain groups to specific operators:

// EXEC S1UGROUP,SIZE=AUTO
******
*** ASSIGN GROUPS TO OPERATORS
AFFECTS=OPER,UPDATE=OPER,TYPOPER=ADD
*** ASSIGN GROUP ACCNTING TO OPER01 AND OPER02
ACCNTING OPER01 OPER02
*** ASSIGN GROUP INVENTORY TO OPER19
INVENTORY OPER19
/*

Example of How to Remove Groups from All Modeled Terminals

The following example can be used to remove groups from all terminals modeled after specified models:

// EXEC S1UGROUP,SIZE=AUTO
******
*** REMOVE GROUPS FROM MODELLED TERMINALS
AFFECTS=TERM,UPDATE=MODEL,TYPOPER=DELETE
*** REMOVE GROUP INVENTORY FROM L080 AND MODELLED TERMINALS
INVENTORY L080
/*


S1U550: Batch Operator Add Facility

Description

The S1U550 utility adds operators to the BIM-ALERT/CICS file in batch mode.

Since BIM-ALERT/CICS allows you to define many operator restrictions not offered by other facilities (such as time-of-day access), you must define models on the BIM-ALERT/CICS security file to be used as base profiles for the new operators you are adding.

If you use S1U550, you must set the operator or terminal PRINT PROFILE field on the UTOP panel. For information on using the UTOP panel, see the description of the Global System Parameters for Terminals and Operators panel on page 8-13.

Rules for Input to S1U550

The input to S1U550 is in fixed card image format and can be input in the jobstream, from a sequential disk file, or from a tape.

• If the input file resides on tape or disk, this must be specified on the first input card using either an INPUT=TAPE or an INPUT=DISK statement. If you specify INPUT=TAPE, the input filename must be U550TAP. If you specify INPUT=DISK, the input filename must be U550DSK.

• If no INPUT= card is located, input is expected to come from SYSIPT.

The input must be in the following format:

Starting
Column    Length  Data
1         20      The operator's name.
21        9       The operator's user ID.
30        9       The user ID of the model after which this operator is to be patterned.
39        8       The operator's password (password). This field is optional.
47        10      User-defined data. This field is optional.
57        4       The operator's terminal group. This field is optional.

The complete operator profile is modeled, including the authorized transactions, programs, files, restricted maps, and field resources.
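Because the complete profile is copied from the model, the model ID in columns 30-38 decides what each new operator is authorized to do, and a record shifted by one column names a different user ID or model. The following Python sketch is an added example, not part of the BIM-ALERT product or manual: it builds and checks records in the fixed layout above. The function names, the sample operators and models, the approved-model list, and the leading-blank lint rule are all assumptions made for illustration.

```python
FIELDS = (   # (field, starting column, length, optional) from the layout table
    ("name", 1, 20, False),
    ("user_id", 21, 9, False),
    ("model_id", 30, 9, False),
    ("password", 39, 8, True),
    ("user_data", 47, 10, True),
    ("terminal_group", 57, 4, True),
)
WIDTH = 60   # last column used by the layout (57 + 4 - 1)


def build_record(**values):
    """Lay the values out in the fixed columns; refuse anything that would spill."""
    card = [" "] * WIDTH
    for field, start, length, optional in FIELDS:
        value = values.get(field, "")
        if not value and not optional:
            raise ValueError(field + " is required")
        if len(value) > length:
            raise ValueError(f"{field} is longer than {length} columns")
        card[start - 1:start - 1 + len(value)] = value
    return "".join(card).rstrip()


def parse_record(card):
    """Slice one input record back into its named fields."""
    padded = card.ljust(WIDTH)
    return {f: padded[s - 1:s - 1 + n].strip() for f, s, n, _ in FIELDS}


def check_record(card, approved_models):
    """Return the problems found in one input record."""
    padded, problems = card.ljust(WIDTH), []
    for field, start, length, optional in FIELDS:
        raw = padded[start - 1:start - 1 + length]
        if not raw.strip():
            if not optional:
                problems.append(field + " is blank")
        elif raw[0] == " ":
            # Lint rule added here: a leading blank usually means shifted columns.
            problems.append(f"{field} does not start in column {start}")
    model = parse_record(card)["model_id"]
    if model and model not in approved_models:
        problems.append("model " + model + " is not an approved base profile")
    return problems


def operators_by_model(cards):
    """Group the new user IDs by the model whose profile they will inherit."""
    grouped = {}
    for card in cards:
        record = parse_record(card)
        grouped.setdefault(record["model_id"], []).append(record["user_id"])
    return grouped


# Constructed sample records; every name, ID and model here is hypothetical.
CARDS = [
    build_record(name="EDDIE POLLOCK", user_id="EDP", model_id="CLERKMDL",
                 password="TEMP0001", terminal_group="ACCT"),
    build_record(name="NANCY", user_id="NANCY", model_id="ADMINMDL"),
]
APPROVED_MODELS = {"CLERKMDL"}   # assumption: a site-maintained review list

if __name__ == "__main__":
    for card in CARDS:
        print(repr(card), check_record(card, APPROVED_MODELS))
    print(operators_by_model(CARDS))
```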


S1U560: Update Profile Program

Introduction

Description

S1U560 is a mass update program for the BIM-ALERT/CICS security file terminal and operator records. If a major shop reconfiguration is done or an event occurs that causes emergency relocation, update all the terminal and user profiles with the new terminal IDs using one of the following:

• The BIM-ALERT/CICS online file update facilities
• The S1U560 program

Information Required by S1U560

To update all the terminal and user profile records to handle the new configuration automatically, S1U560 needs the following information:

• The current terminal IDs
• The new terminal IDs
• The status in which you want to leave each profile record

If you use S1U560, you must set the operator or terminal PRINT PROFILE field on the UTOP panel. For information on using the UTOP panel, see the description of the Global System Parameters for Terminals and Operators panel on page 8-13.

Steps Performed by S1U560

The program performs the following four basic steps:

Step  Action
1     Reads the input records, echoes them back to the printer, and builds tables for use by the other program components.
2     Edits the input records and provides audit trails for number of records processed, number of errors, etc.
3     Updates or deletes existing terminal records and adds new ones.
4     Updates the operator profiles.

Depending on the parameters passed to the program in the input deck, you can update terminals only, operators only, or both in one run. This feature allows you to add new terminal records in preparation for some upcoming event and then update the operator records after the new terminals are actually in place.


S1U560 Functions

S1U560 performs the following functions:

• Adds new terminal records to the security file.

• Automatically updates operator records with the new terminal IDs.

• Automatically deletes old terminal records as new ones are added (if desired).

• Supplies an audit trail of old terminal IDs, new terminal IDs, and the status of each.

• Supplies an audit trail of operator records and what their new authorized terminals are.

• Provides a means for preparing for upcoming changes.

• Provides a means for running BIM-ALERT/CICS at a disaster recovery site that has terminal IDs different from those of your company.

Rules for Input to S1U560

The input to the program consists of parameters supplied in card format. Include comments by specifying an asterisk (*) in column one. The following rules apply to coding the input card images:

• If parameters are to be passed to the program, pass them on the first noncomment input card. Valid parameters are as follows:

TERMINALS=nnnn
    Specifies the number of input cards. S1U560 uses this parameter to determine the size of the dynamic storage it needs for in-core tables.

UPDATE=option
    S1U560 uses this parameter to determine which records should be updated with the new information. Specify one of the following for option:
        MIXED     Both the OPERATOR and TERMINAL records are to be updated.
        OPERATOR  Only OPERATOR records are to be updated.
        TERMINAL  Only TERMINAL records are to be updated.
    The default is UPDATE=MIXED.

New terminals are configured exactly like the old terminals, including the secured resources. Running S1U560 with the proper parameters is equivalent to renaming the terminal.

• Data on input cards cannot extend beyond column 71.

• The first field on each input card (excluding comments and parameter cards) is the original terminal ID. The total length of data on any card cannot exceed 20 bytes.

• Fields on each card must be separated by commas or blanks.


Example

Sample JCL

The following illustrates the input format and JCL necessary to run S1U560:

* ********************************************************************
* ***** S1U560 - TERMINAL CONVERSION UTILITY
* ********************************************************************
* ***** THIS IS THE RECORD LAYOUT FOR THE PARAMETER CARDS
* ********************************************************************
* *****    * LENGTH * DESCRIPTION
* ***** A-* 4 * ORIGINAL TERMINAL-ID
* ***** B-* 4 * NEW TERMINAL-ID
* ***** C-* 1 * STATUS OF ORIGINAL(A=ACTIVE,D=DISABLED,E=ERASE)
* ***** D-* 1 * STATUS OF NEW(A=ACTIVE,D=DISABLED)
* ************EXAMPLES************************************************
TERMINALS=10,UPDATE=TERMINAL (OPTIONAL - IF OMITTED,DEFAULTS USED)
* THESE ARE THE TERMINALS IN ACCOUNTING (COMMENT CARD - * IN COLUMN 1)
L1D0,Z400,A,D MAKE Z400 LIKE L1D0 FOR FUTURE USE
L200 B200 E A REPLACE L200 WITH B200
L450,L451,A,A ADD L451 LIKE L450
/*
***********************************************************************
* $$ JOB JNM=S1U560,CLASS=A,DISP=D
* $$ LST CLASS=A,DISP=D
// JOB S1U560
// DLBL S1SCTY,'BIM.ALERT.S1SCTY.VSAM',,VSAM
// DLBL S1SMS##,'BIM.ALERT.S1SMS##.VSAM',,VSAM
// EXEC S1U560,SIZE=AUTO
TERMINALS=10,UPDATE=MIXED (OPTIONAL - IF OMITTED, DEFAULTS USED)
* MIXED MEANS THAT OPERATOR RECORDS WILL BE CHANGED TO MATCH THE NEW
* TERMINAL STATUS. ANY OPERATOR RECORD THAT HAS L200 WILL BE
* CHANGED TO HAVE B200 AS AN AUTHORIZED TERMINAL.
L200,B200,E,A
/*
/&
* $$ EOJ


The following are samples of the output from S1U560:

DATE: 05/01/1998 S1U560 5.0A B I M - A L E R T / C I C S PAGE TIME: 16:34:32 1 * * TERMINAL CONVERSION UTILITY REPORT * *GK950 - CONTROL CARD INPUT TERMINALS=3L1D3 PH84 D AL1D4 PH85 A DPH86 PH83 E DGK951 - END OF CONTROL CARD INPUTGK952 - TOTAL INPUT TRANSACTIONS - 3 DATE: 05/01/1998 S1U560 5.0A B I M - A L E R T / C I C S PAGE TIME: 16:34:32 2 * * TERMINAL CONVERSION UTILITY REPORT * *GK953 - START OF CONTROL CARD EDITCODE 01 - ORIGINAL TERMINAL ID GREATER THAN 4 CHARACTERSCODE 02 - NEW TERMINAL ID GREATER THAN 4 CHARACTERSCODE 03 - ORIGINAL RECORD STATUS GREATER THAN 1 CHARACTERCODE 04 - ORIGINAL RECORD STATUS MUST BE A, D, OR ECODE 05 - NEW RECORD STATUS GREATER THAN 1 CHARACTERCODE 06 - NEW RECORD STATUS MUST BE A OR D INPUT PARAMETERS ERRORS INPUT PARAMETERS ERRORS INPUT PARAMETERS ERRORS L1D3 PH84 D A L1D4 PH85 A D PH86 PH83 E D TOTAL VALID TRANSACTIONS PROCESSED - 3 TOTAL TRANSACTIONS IN ERROR - 0 TOTAL TRANSACTIONS PROCESSED - 3GK954 - END OF CONTROL CARD EDIT

DATE: 05/01/1998 S1U560 5.0A B I M - A L E R T / C I C S PAGE TIME: 16:34:32 3 * * TERMINAL CONVERSION UTILITY REPORT * * ORIGINAL NEW STATUS OF STATUS ORIGINAL NEW STATUS OF STATUS TERMINAL TERMINAL ORIGINAL OF NEW TERMINAL TERMINAL ORIGINAL OF NEW ID ID RECORD RECORD ID ID RECORD RECORD L1D3 PH84 DISABLED ACTIVE L1D4 PH85 ACTIVE DISABLED PH86 PH83 DELETED DISABLED DATE: 05/01/1998 S1U560 5.0A B I M - A L E R T / C I C S PAGE TIME: 16:34:32 4 * * TERMINAL CONVERSION UTILITY REPORT * * ORIGINAL NEW ORIGINAL NEW ORIGINAL NEW OPERATOR PRIMARY PRIMARY ALTERNATE-1 ALTERNATE-1 ALTERNATE-2 ALTERNATE-2 GROUP NUMBER OPERATOR NAME TERMINAL TERMINAL TERMINAL TERMINAL TERMINAL TERMINAL ID A admin *NONE* *NONE* *NONE* ALL XX sub xx *NONE* *NONE* *NONE* ALL ZZ sub zz *NONE* *NONE* *NONE* ALL bjk bjk L1D0 NO CHANGE L1D1 NO CHANGE *NONE* *NONE* crs crs *NONE* *NONE* *NONE* ALL djr dave L1D0 NO CHANGE L1D1 NO CHANGE *NONE* *NONE* edp eddie pollock *NONE* *NONE* *NONE* all laj les L1D2 NO CHANGE *NONE* *NONE* *NONE* lmm linda L1D0 NO CHANGE *NONE* *NONE* *NONE* sps sps L1D0 NO CHANGE L1D1 NO CHANGE *NONE* *NONE* tom tom *NONE* *NONE* *NONE* ALL trw trw L1D0 NO CHANGE *NONE* *NONE* ALL bion hall *NONE* *NONE* *NONE* ALL file file *NONE* *NONE* *NONE* ALL wm08 wm08 *NONE* *NONE* *NONE* ALL nancy nancy L1D3 PH84 L1D4 NO CHANGE *NONE* ALL test1 test 1 *NONE* *NONE* *NONE* ALL test2 test 2 *NONE* *NONE* *NONE* ALL test3 test 3 L1D0 NO CHANGE L1D4 NO CHANGE *NONE* ALL test4 test alpha password L1D1 NO CHANGE L1D2 NO CHANGE L1D3 PH84 *NONE*

Sample Reports
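The six edit codes listed in the control card edit section of the sample report can be applied to a card deck before the S1U560 job is submitted. The following is an added example, not BIM-ALERT code: the four blank-separated fields per card, the reading of TERMINALS=n as a card count, and all function names are assumptions inferred from the sample report.

```python
"""Pre-submission edit of S1U560 terminal conversion control cards."""

# Edit codes exactly as listed in the sample report's control card edit.
EDIT_CODES = {
    "01": "ORIGINAL TERMINAL ID GREATER THAN 4 CHARACTERS",
    "02": "NEW TERMINAL ID GREATER THAN 4 CHARACTERS",
    "03": "ORIGINAL RECORD STATUS GREATER THAN 1 CHARACTER",
    "04": "ORIGINAL RECORD STATUS MUST BE A, D, OR E",
    "05": "NEW RECORD STATUS GREATER THAN 1 CHARACTER",
    "06": "NEW RECORD STATUS MUST BE A OR D",
}

# Deck as shown under GK950 in the sample report.
REPORT_DECK = """TERMINALS=3
L1D3 PH84 D A
L1D4 PH85 A D
PH86 PH83 E D
"""

# Constructed deck with deliberate mistakes, for illustration only.
BAD_DECK = """TERMINALS=4
L1D3X PH84 D A
L1D4 PH85 X D
PH86 PH83 E E
L1D0 PH800 AA DD
"""


def edit_card(card):
    """Return the edit codes raised by one conversion card.

    Assumed layout: original terminal ID, new terminal ID, original
    record status, new record status, separated by blanks.
    """
    fields = card.split()
    if len(fields) != 4:
        # Not one of the six listed codes; treated here as a format error.
        raise ValueError(f"expected 4 fields, got {len(fields)}: {card!r}")
    orig_id, new_id, orig_status, new_status = fields
    codes = []
    if len(orig_id) > 4:
        codes.append("01")
    if len(new_id) > 4:
        codes.append("02")
    # Assumption: a length error suppresses the value check for that field.
    if len(orig_status) > 1:
        codes.append("03")
    elif orig_status not in ("A", "D", "E"):
        codes.append("04")
    if len(new_status) > 1:
        codes.append("05")
    elif new_status not in ("A", "D"):
        codes.append("06")
    return codes


def edit_deck(deck):
    """Edit a whole deck and return totals like those in the report."""
    cards = [line.strip() for line in deck.splitlines() if line.strip()]
    if not cards or not cards[0].startswith("TERMINALS="):
        raise ValueError("first card must be TERMINALS=n")
    declared = int(cards[0].split("=", 1)[1])
    results = [(card, edit_card(card)) for card in cards[1:]]
    in_error = sum(1 for _, codes in results if codes)
    return {
        "declared": declared,
        "processed": len(results),
        "valid": len(results) - in_error,
        "in_error": in_error,
        "count_matches": declared == len(results),
        "results": results,
    }


if __name__ == "__main__":
    for name, deck in (("REPORT_DECK", REPORT_DECK), ("BAD_DECK", BAD_DECK)):
        summary = edit_deck(deck)
        print(name, "valid:", summary["valid"], "in error:", summary["in_error"])
        for card, codes in summary["results"]:
            for code in codes:
                print(f"  {card}: CODE {code} - {EDIT_CODES[code]}")
```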


S1U887: Freeing Terminal Table Entries Utility

Introduction

Purpose

The S1U887 utility forces the freeing of dynamic terminal entries in the BIM-ALERT/CICS terminal security table.

This utility can be useful in situations where lines have dropped, preventing the normal disconnection of terminal devices, which would free up entries. If you use S1U887 in this case, the utility forcibly frees entries not flagged as in use (not signed onto by an operator).

Restriction

The S1U887 utility can be used to free terminal entries only if the terminal security table is loaded in the SVA.

Rules for Input to S1U887

The program accepts one input card with the following parameters:

Parameter    Description

SUFFIX=      Specifies which terminal security table to free. This parameter must
             be the same as the CONTROL SUFFIX specified on the UPAR panel.
             This is a required parameter.

TERMINAL=    Specifies a single terminal to free. This is an optional parameter.
             If it is omitted, all dynamic terminal entries marked as not signed
             on are freed.


Example

Sample JCL

The following is a sample of the JCL required to execute the S1U887 utility:

    // JOB S1U887 FORCE FREE BIM-ALERT/CICS TERMINAL TABLE SLOTS
    // DLBL IJSYSUC,'BIM.ALERT.VSAM.USER.CATALOG',,VSAM
    // DLBL SISCTY,'BIM.ALERT.S1SCTY.VSAM',,VSAM        (security file)
    // DLBL S1SMS##,'BIM.ALERT.S1SMS##.VSAM',,VSAM      (message file)
    // LIBDEF PHASE,SEARCH=??????.???????                (BIM-ALERT residence library)
    // EXEC S1U887,SIZE=AUTO
    SUFFIX=1,TERMINAL=L08F                               (TERMINAL= is optional)
    /*
    /&

This JCL would free up one terminal entry (L08F). If the TERMINAL= parameter had been omitted, all unattended terminals in the BIM-ALERT/CICS terminal table would have been freed.


A Features of Previous Releases

This appendix briefly describes the features that were introduced with previous releases of BIM-ALERT/CICS.

BIM-ALERT/CICS Release 4.9
BIM-ALERT/CICS Release 4.8
BIM-ALERT/CICS Release 4.7


BIM-ALERT/CICS Release 4.9

• BIM-ALERT/CICS provides an enhanced interface to CA-ALERT for VM.

• The User Profile panel was modified so that you can use it to define both BIM-ALERT/CICS and BIM-ALERT/VSE user profiles.

• BIM-ALERT/CICS provides a batch utility that allows you to free dynamic terminal entries in the BIM-ALERT/CICS terminal security table.


BIM-ALERT/CICS Release 4.8

• If you are running VSE/ESA version 1.3 or above, security tables can be built in extended storage above the 16M line.

• The menu system has been changed so that you can select a function without entering an X next to the selection. All that is now required is to move the cursor to the selection and press ENTER.

• PF-key functions have been standardized. Use PF8 to page forward, PF7 to page backward, PF3 to return to the previous menu or panel, and so on.

• Online panels are now used to define and maintain all field-level security definitions.

• Resource grouping is supported to allow transactions, programs, files, maps, and field-level resources to be assigned to a group or groups, and then the group or groups can be assigned to an operator or terminal. Any changes to the group will automatically apply to the operator the next time he or she signs on. Changes to the terminal will take effect the next time the terminal is activated or the security tables are reinitialized.

• Generic resource naming is provided to reduce the number of resource definitions that must be defined. You can use the generic character = (equal sign) to secure a group of similarly-named resources with a single resource definition.

• DL/I security is provided at the segment level to control read and update access to segments.

• The parameter-driven signon and signoff processing has been made easier to use and more efficient. All temporary storage queues have been eliminated from processing of the parameter list.

• The user-callable interface has been enhanced to provide password validation. This allows other applications requiring a signon to call BIM-ALERT/CICS for password validation.

• The two-level signoff processing has been enhanced to improve performance and eliminate problems with temporary storage queues. In addition, password validation has been changed to allow multiple attempts to enter the correct password (up to the number of maximum consecutive violations).

• Several new optional features have been added for dynamic activation and deactivation from the VERS screen.

• The OPER function has been enhanced to allow direct display, update, activation, or deactivation of an operator from the OPER screen.


BIM-ALERT/CICS Release 4.7

• Color is now available for all BIM-ALERT/CICS panels for terminals supporting extended attributes.

• Restrictions on user IDs for administrators have been lifted. When you add an operator, you use a new operator class indicator to designate whether he or she is a main administrator, a subadministrator, or a regular operator.

• Messages are now recorded in a VSAM file instead of in the individual programs producing the messages. You can update these messages with the new online function MMSG. MMSG provides message file initialization programs that let you display messages in English, French, German, or Italian.

• The new online transaction REFR allows you to refresh logos, user exits, and monitors without recycling CICS.

• The S1U530 utility lets you add maps to or delete maps from users or terminals in batch mode.

• An exit is provided that works with the Online Software International UFO product. This exit allows UFO resources to be secured by BIM-ALERT.

• A full report writer is provided to produce user-definable reports from the security file, log file, or audit file.

• Different date formats are provided for reports and online panels. Supported formats are as follows:

    − MM/DD/YY (USA format)
    − DD/MM/YY (European format)
    − YY/MM/DD

• Dates on online panels are displayed in the format you select, and you must enter dates in the same format to ensure that date validation routines work properly.

• The ALTSCNCK macro (used for input map security) now lets you specify multiple data values on the DATA= parameter and perform range checking.

• The VERS function provides the ability to dynamically install and remove optional patches without actually patching any programs. Also, once an optional patch is installed using VERS, it will remain across releases without any further action.

• Violations can be routed real-time to the operator console.
