Internal Security File (ES2SECR)
ES2SECR - Length 136 - Revised 10/5/2007
Start | End | Len | Key | Type | COBOL Field Name | Description & Notes
1 | 8 | 8 | Key | Char | SECR-USERID | CICS Logon ID of EXPO system authorized user
1 | 6 | 6 | Key | Char | SECR-CICS-USER-ID | First six characters of CICS logon ID, anticipating a format of a 3-byte high-order field followed by a 3-byte individual identifier; breakout is shown below
1 | 3 | 3 | Key | Char | SECR-CUID-GRP | Group-level identifier for CICS Logon IDs (e.g., for SunGard = 'YBU')
4 | 6 | 3 | Key | Char | SECR-CUID-CODE | Identifier for an individual within the log-on group; used as the editing ID code
7 | 8 | 2 | Key | Char | SECR-USER-EXT | Extension to user ID, used in some states, but not significant within EXPO processing
9 | 10 | 2 | | Char | SECR-STATE-FIPS | FIPS State code of residence for user
11 | 12 | 2 | | Char | SECR-STATE-CODE | State postal abbreviation for user's state
13 | 13 | 1 | | Char | SECR-SECURITY-LEVEL | General system access authorization code, 'A' = System administrator rights granted, 'I' = Inquiry capabilities granted (no update rights), 'U' = File updating capabilities granted (no access to ES2M)
14 | 14 | 1 | | Char | SECR-SERVICE-CENTER | Indicator designating whether the user's state belongs to the Service Center, 'N' = Not a Service Center State, 'Y' = State is connected to the Service Center
15 | 40 | 26 | | Char | SECR-TRANSACTIONS | Individual screen access codes (for current and future developmental use); one is available for each letter of the alphabet, but only three are currently used, as noted below
15 | 22 | 8R | | Char | SECR-ES2A-TO-H | Access codes for ES2A, ES2B, . . . , ES2H screen, not currently utilized
23 | 23 | 1R | | Char | SECR-ES2I | Access code for the ES2I transaction, blank = No access, 'I' = Access to ES2I allowed
24 | 25 | 2R | | Char | SECR-ES2J-TO-K | Access code for the ES2J, ES2K transactions, not currently used
26 | 26 | 1R | | Char | SECR-ES2L | Access code for the ES2L transaction, blank = No access, 'L' = ES2L access allowed
27 | 27 | 1R | | Char | SECR-ES2M | Access code for the ES2M transaction, not currently utilized
28 | 28 | 1R | | Char | SECR-ES2N | Access code for the ES2N transaction, blank = No access, 'N' = ES2N access allowed
29 | 40 | 12R | | Char | SECR-ES2O-TO-Z | Remaining access codes, not currently utilized
41 | 70 | 30 | | Char | SECR-NAME | Name of the person, department or agency assigned to this CICS logon ID
71 | 74 | 4 | | Char | SECR-EDIT-ID(1) | First Micro Edit Distribution record sequence number assigned for this person
75 | 78 | 4 | | Char | SECR-EDIT-ID(2) | Second of the MED ranges assigned to this person
79 | 82 | 4 | | Char | SECR-EDIT-ID(3) | Third MED range assigned to this person
83 | 86 | 4 | | Char | SECR-EDIT-ID(4) | Fourth MED range assigned to this person
87 | 90 | 4 | | Char | SECR-EDIT-ID(5) | Fifth MED range assigned to this person
91 | 94 | 4 | | Char | SECR-EDIT-ID(6) | Sixth MED range assigned to this person
95 | 98 | 4 | | Char | SECR-EDIT-ID(7) | Seventh MED range assigned to this person
99 | 102 | 4 | | Char | SECR-EDIT-ID(8) | Eighth MED range assigned to this person
103 | 113 | 11 | | Char | FILLER | spaces
114 | 120 | 7 | | Num | SECR-MP02-CT | Number of times this person has called the security check routine (equivalent to the count of Enter or Function key presses while in CICS)
121 | 132 | 12 | | Char | SECR-ACCESS-DATE-TIME | Last CICS access date and time, broken out as shown below
121 | 126 | 6R | | Char | SECR-ACC-DATE | Date of last CICS access (yymmdd format)
127 | 132 | 6R | | Char | SECR-ACC-TIME | Last CICS access time of day (hhmmss format)
133 | 136 | 4 | | Char | SECR-ACCESS-TRAN | Most recently accessed CICS transaction
Internal Security File

Data Set Name: WS.ES202.SECURE
Service Center DSN: YBUXPO.A145.SECURE
Type of File: VSAM indexed
File Layout: ES2SECR
CICS ID: ES2SECR (Standard); EssSECR (Service Center; ss=State)

The Internal Security File is used to regulate access within the CICS transactions. The record key contains only a user's CICS logon ID (which can be up to eight characters in length). The data portion of the record includes the State FIPS code and State postal abbreviation, a security level indicator, and individual transaction-specific access characters. Hence the user will have an overall authorization code (inquiry-only access, update access, or administrator-level authority), plus further specifications of which screens within CICS this authorization covers.

Although space is provided to include an indicator for each transaction ID, the only ones currently observed by the system are ES2I, ES2L/EARL and ES2N/EARN. If a user has access to one of these screens, the appropriate indicator will contain the last letter of the transaction ID. Otherwise it will be blank. For all other transaction IDs, the only access authorization is the general security level indicator. The remaining flags are available for later use, should more specific access restrictions become necessary.

A second purpose of this file is to track the Micro Edit Distribution by storing up to eight MED sequence numbers in each record, which map to the Lookup File's "ME" records and the Micro Edit File's "A" record type. These distributions are established in the "M3" and "M4" screens, which are subordinates to the primary ES2M security screen. Since these distributions are a part of the security system, only personnel with manager ("M") or administrator ("A") level authorization can set up the edit breakouts. (All of this processing has not yet been activated; it will be part of the Version 9.2 release in 2008.)

The internal security system is regulated from CICS transaction ES2M. Only persons with administrator-level access (or manager level, which is equivalent) can enter this screen.

Although this file has great flexibility, its control over access can be countermanded by CICS security measures such as RACF. Even though a user may be established, by ES2M, with update access to the ES2C screen, for instance, the CICS system control apparatus may have a lockout for this transaction for the user. It is important that sufficient access to EXPO transaction IDs be granted by the CICS systems personnel when such conflicts arise.

Changes, deletions, etc., by CICS programs to system files can be regulated by the internal security system. For example, if a CES analyst is granted "inquiry" access in all screens except for the ES2M screen, he/she could freely transfer from one screen to another without being "booted out" of a transaction due to access violations. The restrictions would take effect in the screens themselves, since the CES person would not be able to update the processing mode from "I" (inquiry) to "A", "C", or "D" (add, change, or delete).

Persons with administrator-level access have total control over the security authorization of all users, as far as the internal security is concerned. An administrator can change other persons' access levels or even remove their authorization record completely, even if the other person has administrator-level access as well. This level of authorization must therefore be reserved for a minimal number of system users to avoid any risk of accidental or deliberate misuse.
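The access rules described above, written as a small Python helper for reviewing an exported copy of the file. This is an added example, not code from the EXPO system: the function names are hypothetical, records are assumed to be already translated to 136-character text, an unrecognized security level is treated as no access, and every sample value is constructed.

```python
RECORD_LEN = 136
# 1-based inclusive column ranges copied from the ES2SECR layout above.
FIELDS = {
    "userid": (1, 8), "state_fips": (9, 10), "state_code": (11, 12),
    "security_level": (13, 13), "service_center": (14, 14),
    "transactions": (15, 40), "name": (41, 70), "mp02_ct": (114, 120),
    "acc_date": (121, 126), "acc_time": (127, 132), "access_tran": (133, 136),
}
KNOWN_LEVELS = {"A", "M", "I", "U"}   # 'M' per the prose: manager, equivalent to 'A'
ADMIN_LEVELS = {"A", "M"}
# Transactions whose per-screen flag the page says is currently observed.
ENFORCED = {"ES2I": "I", "ES2L": "L", "EARL": "L", "ES2N": "N", "EARN": "N"}

def parse_record(rec):
    """Slice one 136-character record (already translated to text) into fields."""
    if len(rec) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} characters, got {len(rec)}")
    out = {k: rec[s - 1:e] for k, (s, e) in FIELDS.items()}
    for k in ("userid", "name", "access_tran"):
        out[k] = out[k].rstrip()
    out["edit_ids"] = [rec[70 + 4 * i:74 + 4 * i] for i in range(8)]  # cols 71-102
    out["mp02_ct"] = int(out["mp02_ct"]) if out["mp02_ct"].isdigit() else None
    return out

def may_run(user, tran):
    """Apply the internal-security rules described on the page to one transaction."""
    level = user["security_level"]
    if level not in KNOWN_LEVELS:
        return False                      # unknown level: fail closed (assumption)
    if tran == "ES2M":
        return level in ADMIN_LEVELS      # security screen: administrator/manager only
    flag = ENFORCED.get(tran)
    if flag is None:
        return True                       # other screens: general level only
    # Flag for letter X sits at offset ord(X) - ord('A') within SECR-TRANSACTIONS.
    return user["transactions"][ord(flag) - ord("A")] == flag

def administrators(users):
    """List logon IDs holding administrator-level rights, for periodic review."""
    return sorted(u["userid"] for u in users if u["security_level"] in ADMIN_LEVELS)

def sample_record(userid, level, flags, name):
    """Build a constructed test record; every value here is made up."""
    tx = "".join(c if c in flags else " " for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
    return (userid.ljust(8) + "48TX" + level + "N" + tx + name.ljust(30)
            + "0001" + " " * 28 + " " * 11 + "0000042" + "071005" + "093000" + "ES2I")

if __name__ == "__main__":
    users = [parse_record(sample_record("ZZZ001", "I", "IN", "CONSTRUCTED ANALYST")),
             parse_record(sample_record("ZZZ002", "A", "", "CONSTRUCTED ADMIN"))]
    for u in users:
        print(u["userid"], {t: may_run(u, t) for t in ("ES2I", "ES2L", "ES2C", "ES2M")})
    print("administrators:", administrators(users))
```

The result reflects only the internal security file; as the text notes, RACF or other CICS controls can still lock a user out of a transaction this check would allow.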