Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 12 Implementing External Security : Defining Data Object Broker Access

Defining Data Object Broker Access
What Accesses are Affected?
The following functions and utilities are affected by the external security setup for your Data Object Broker:
The S6BSPJEX (Journal Data Extraction) utility used to extract records collected in journal data sets and copy them to a data set on z/OS
The S6BTLBRM (Resource Management Online Backup) utility used to create a flat file backup of the resource data stored in the resource repository on z/OS
When a user works in the Administration menu or issues operator commands, the user’s ID is validated against the classification level defined for it in external security.
How are the Accesses Specified for z/OS?
On z/OS, you use the System Authorization Facility (SAF) and a SAF-compliant package such as CA-ACF2, RACF, or CA-Top Secret to verify accesses to the Data Object Broker. Refer to External Security Interface–z/OS for information on how to define a user ID with a specific classification level.
Classification Levels–z/OS
The following table describes, in increasing authority, the user classification levels available for z/OS. Press PF11 in the Administration menu for a full listing of the accesses available based on user classification.
Privileged: Can view a more complete set of statistical information than a general user. There are no update privileges.
Administrator: In addition to the accesses that a Privileged user has, an Administrator user can also define and manage resources and issue update operations commands against the Data Object Broker.
Operator: In addition to the accesses that an Administrator user has, an Operator user can also access all the displays and functions of the Administrator, including the high impact operator commands.
How are the Accesses Specified for Open Systems?
On Open Systems, you define user IDs to a specific classification via the PRIVILEGED, OPERATOR, and SYSADMIN Data Object Broker parameters. Refer to TIBCO Object Service Broker Parameters for details on how to define these parameters.
User Classifications–Open Systems
This table describes the user classifications available for Open Systems.
Privileged: Can view a more complete set of statistical information than a general user. There are no update privileges.
Operator: In addition to the accesses that a Privileged user has, an Operator user can also issue operations commands against the Data Object Broker.
Sysadmin: Only one user can be defined as Sysadmin.
External Database Servers
For implementation details about the external database servers, refer to the appropriate Service Gateway manual in the TIBCO Object Service Broker documentation.
See Also
TIBCO Object Service Broker for z/OS Installing and Operating or TIBCO Object Service Broker for Open Systems Installing and Operating for details on the Administration menu and operator commands.
TIBCO Object Service Broker for z/OS Utilities or TIBCO Object Service Broker for Open Systems Utilities for details about the utilities.
TIBCO Object Service Broker Parameters for details on how to define the SECUREADMIN parameter.
External Security Interface–z/OS
What is the Interface?
The z/OS security interface, System Authorization Facility (SAF), is used to verify accesses to the Data Object Broker. SAF checking is enabled by setting the SECUREADMIN Data Object Broker parameter to Y. By default this parameter is set to N (disabled). If security is enabled, a RACROUTE call is made to a SAF-compliant security package such as RACF, CA-ACF2, or CA-Top Secret.
External Security Requirements
You must define the following three security definitions:
nodename.PUSER
nodename.ADMIN
nodename.OPER
where nodename refers to the Data Object Broker that contains the data to be accessed. Nodename is specified via the NODENAME Data Object Broker parameter.
You define these definitions for each Data Object Broker at your site that has the SECUREADMIN Data Object Broker parameter set to Y. The default access should be NONE; READ access should be given to the user ID being granted access at the specified level.
SAF Parameters Required
The following SAF parameters and values are defined for the RACROUTE macro. You must take these into consideration when defining the security definitions for your site:
USERID=userid: The user ID of the requestor.
ENTITY=nodename.secdef: The name of the security definition that is to be verified. The value is one of nodename.PUSER, nodename.ADMIN, or nodename.OPER.
Requestor name: The internal requestor name as defined by the Data Object Broker parameter SECREQUESTOR.
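As an added example, not one of the CNTL samples shipped with TIBCO Object Service Broker, the following RACF commands run under TSO in batch create the three security definitions described above with a default access of NONE and grant READ to one group per classification level. The resource class FACILITY, the node name DOBNODE (the value of the NODENAME parameter) and the group names DOBPRIV, DOBADMIN and DOBOPER are assumptions for illustration only; the class the RACROUTE call actually uses is fixed by the product setup, so take it from the shipped sample for your security package.

```jcl
//DOBSEC   JOB (ACCT),'DOB SAF DEFS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not a shipped CNTL sample. Assumed values:
//*   resource class FACILITY, node name DOBNODE,
//*   groups DOBPRIV (Privileged), DOBADMIN (Administrator),
//*   DOBOPER (Operator). Replace them with your site's values.
//*
//* Step 1: define each profile with UACC(NONE) so that any user ID
//*         not explicitly permitted fails the SAF check. Failures
//*         are audited; for the high impact OPER level, successes
//*         are audited as well.
//* Step 2: grant READ, the level the check requires, to the group
//*         that holds each classification.
//* Step 3: refresh the in-storage copy of the class so RACROUTE
//*         sees the new profiles immediately.
//* Step 4: list the profiles to verify that only the intended
//*         groups appear in each access list.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY DOBNODE.PUSER UACC(NONE) AUDIT(FAILURES(READ))
  RDEFINE FACILITY DOBNODE.ADMIN UACC(NONE) AUDIT(FAILURES(READ))
  RDEFINE FACILITY DOBNODE.OPER  UACC(NONE) AUDIT(ALL(READ))
  PERMIT DOBNODE.PUSER CLASS(FACILITY) ID(DOBPRIV)  ACCESS(READ)
  PERMIT DOBNODE.ADMIN CLASS(FACILITY) ID(DOBADMIN) ACCESS(READ)
  PERMIT DOBNODE.OPER  CLASS(FACILITY) ID(DOBOPER)  ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY DOBNODE.PUSER AUTHUSER
  RLIST FACILITY DOBNODE.ADMIN AUTHUSER
  RLIST FACILITY DOBNODE.OPER  AUTHUSER
/*
```

The RLIST output in SYSTSPRT shows UACC NONE and the access list for each profile; any user ID or group other than the one intended for that level is a misconfiguration to correct before setting SECUREADMIN to Y. Whether a user ID holding the Operator classification also needs READ on the PUSER and ADMIN profiles depends on how the Data Object Broker orders its checks, which this page does not state, so follow the shipped sample for your package on that point.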
Samples Provided
Samples are provided with TIBCO Object Service Broker to assist you with preparing your security setup for your administration functions. Your preparation depends on the external security package in use at your site. The following table lists the samples that are shipped with the CNTL data set:
See Also
TIBCO Object Service Broker for z/OS Installing and Operating or TIBCO Object Service Broker for Open Systems Installing and Operating for details on the Administration menu and the operator commands.
