check user authorization

Syntax:

check user authorization=user-authorization-option

Parameters:

user-authorization-option If this is set to "no" or "0", DCAS does not check user authorization before requesting a passticket.

Properties:

Default: yes
Values: No, 0, Yes, 1

Comments:

This setting can be used to disable the user-authorization check that DCAS normally makes before requesting a passticket for the user.

The main function of the DCAS service is to ask the External Security Facility to create a passticket (temporary password) for a user. The user ID either comes from a successful mapping of a client certificate (DCAS Format 1 request) or is supplied by the client (Format 2 request). DCAS requests also contain a string called an APPLID (Application ID) which on the mainframe usually identifies the region the user is attempting to sign on to.

If this setting is enabled (the default), then before requesting the passticket DCAS makes an ESF authorization request for the request's user ID: the resource name is the APPLID from the request and the resource class is PTKTDATA. This is similar, though not identical, to how the PTKTDATA resource class is used on the mainframe. If the user does not have Update access to this resource, the DCAS request is rejected. If the PTKTDATA resource class does not exist, the request is allowed to proceed. (The passticket request may subsequently be denied by ESF for other reasons, for example because the ESMs configured for the region do not permit passtickets for this user.)

The PTKTDATA resource class is not defined in the sample LDAP security definitions included with Enterprise Server. To make this authorization check useful you must define the PTKTDATA class and create suitable resource access rules in it.
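The decision rules described above, modelled in Python as an added illustration (this is not Enterprise Server or ESF code). The Access levels, the dataclass stand-in for ESF, and the user IDs and APPLIDs in the access table are all constructed for the example; the function only models the authorization step, not the later passticket request.

```python
"""Model of the DCAS user-authorization check described on this page.

Added illustration, not Enterprise Server code: the ESF access table,
user IDs and APPLIDs below are constructed. The decision rules follow the
page: when "check user authorization" is yes/1 and the PTKTDATA class is
defined, the request user needs UPDATE access to the resource named by the
request APPLID; if PTKTDATA is not defined the request proceeds; if the
setting is no/0 the check is skipped entirely.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    UPDATE = 2


@dataclass
class ResourceClass:
    """One ESF resource class: resource name -> (user ID -> access level)."""
    rules: dict[str, dict[str, Access]] = field(default_factory=dict)

    def access_for(self, user: str, resource: str) -> Access:
        # No matching rule means no access; generic/wildcard rules, which a
        # real ESM may support, are not modelled here.
        return self.rules.get(resource, {}).get(user, Access.NONE)


@dataclass
class Esf:
    """Minimal constructed stand-in for the External Security Facility."""
    classes: dict[str, ResourceClass] = field(default_factory=dict)


@dataclass
class DcasRequest:
    fmt: int       # 1: user ID from client-certificate mapping; 2: user ID supplied by client
    user: str      # user ID the passticket is requested for
    applid: str    # application ID carried in the request


def parse_check_user_authorization(value: str) -> bool:
    """Parse the option value; accepted values are No, 0, Yes, 1 (case-insensitive)."""
    v = value.strip().lower()
    if v in ("no", "0"):
        return False
    if v in ("yes", "1"):
        return True
    raise ValueError(f"invalid value for 'check user authorization': {value!r}")


def authorize_passticket_request(
    esf: Esf, req: DcasRequest, check_user_authorization: str = "yes"
) -> tuple[bool, str]:
    """Return (allowed, reason) for the authorization step only.

    True means DCAS goes on to request the passticket; ESF may still deny
    that later request for other reasons.
    """
    if not parse_check_user_authorization(check_user_authorization):
        return True, "check user authorization=no: authorization not checked"
    ptktdata = esf.classes.get("PTKTDATA")
    if ptktdata is None:
        # No PTKTDATA class: the check cannot reject anyone.
        return True, "PTKTDATA class not defined: request allowed to proceed"
    if ptktdata.access_for(req.user, req.applid) >= Access.UPDATE:
        return True, f"{req.user} has UPDATE on PTKTDATA/{req.applid}"
    return False, f"{req.user} lacks UPDATE on PTKTDATA/{req.applid}: request rejected"


def build_example_esf() -> Esf:
    """Constructed access table: alice holds UPDATE on CICSPROD, bob only READ."""
    return Esf(classes={"PTKTDATA": ResourceClass(rules={
        "CICSPROD": {"alice": Access.UPDATE, "bob": Access.READ},
    })})


if __name__ == "__main__":
    esf = build_example_esf()
    for req in (
        DcasRequest(1, "alice", "CICSPROD"),   # allowed: UPDATE on the APPLID
        DcasRequest(1, "bob", "CICSPROD"),     # rejected: READ is not enough
        DcasRequest(2, "alice", "CICSTEST"),   # rejected: no rule for this APPLID
    ):
        print(req.user, req.applid, authorize_passticket_request(esf, req))
    # With no PTKTDATA class defined, every request passes this step.
    print("no PTKTDATA:", authorize_passticket_request(Esf(), DcasRequest(2, "carol", "CICSPROD")))
```

The `ptktdata is None` branch is why defining the class matters: until PTKTDATA exists with rules for each APPLID, enabling the option changes nothing. Because a Format 2 request's APPLID is chosen by the client, a rule set that grants UPDATE broadly across APPLIDs constrains such a client very little; per-APPLID rules are what make the check meaningful.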

Note: For DCAS Format 1 requests from a TN3270 listener for ELF, the APPLID can be controlled by the TN3270 listener configuration. See TN3270 conversation type. For DCAS Format 2 requests, the APPLID is under the control of the DCAS client. DCAS Format 2 access should be restricted to trusted clients only, such as Host Access Automated Sign-On for Mainframe.

For additional DCAS security, leave this option enabled (or enable it explicitly) and configure the PTKTDATA resource class rules for your environment. See DCAS Security for more information.