Skip to content

Defining Security Entities

Like the base ChangeMan ZMF product, access to ChangeMan ZMF ERO functions is controlled by security entities you define in your security system. Like a change package, a release has a set of approvers, and people are granted approval authority by granting them update authority to approver security entities defined in your security system.

Release Administration Entities

ChangeMan ZMF global and application administrators can execute release administration functions in ChangeMan ZMF ERO. In addition, security entities CMNRLSM and CMNRLSA grant authority to perform release administration functions without also granting global or application administration authority in the base ChangeMan ZMF system.

This table shows the security entities that control access to ChangeMan ZMF ERO administration functions:

Security Entity Release Management Administration Option Release Management Functions
CMNGBADM Global Configuration Define release management high level qualifier
CMNGBADM or CMNRLSM Global Configuration Define global approver list.
CMNGBADM or CMNRLSM Release Configuration Create, update, delete a release
Create, update, delete a release area
Add, update, delete a release area approver
Add, update, delete a release install approver
Add, update, delete a prior release
CMNLCADM or CMNRLSA Application Configuration Join, update, delete a release application
Add, update, delete a release application library type
Update release application SYSLIB library concatenation

Follow these rules when you define CMNRLSM and CMNRLSA in your security system:

  • Define release administration security entities under the resource class that you use for other ChangeMan ZMF security entities such as CMNGBADM.

  • Use the same security entity format that you use for entities that grant administration authority in the base ChangeMan ZMF product. For example, if the ChangeMan ZMF global administrator security entity for subsystem 6 is CMN6GBAD, then define the release administration security entities as CMN6RLSM and CMN6RLSA.

  • Define release administration security entities with no authority, then permit userids UPDATE authority to one or both entities to grant the userids release administration privileges in ChangeMan ZMF ERO.

Note

Some processing rules are relaxed for user IDs with UPDATE authority to the global administrator entity (CMNGBADM) or the release administrator (CMNRLSM) entity.
For example, when checking in a package with a component locked by someone else, the check-in is blocked for an ordinary user, but a global or release administrator can override the disallowed check-in.
Processing rules are not relaxed for user IDs with UPDATE authority to the application administrator entity (CMNLCADM) or the release application administrator (CMNRLSA) entity.

Approver Entities

Several approvals are required at different points in the release life cycle. Release approvers include:

Approver Type Description
Check-in Area A check-in approver signifies that an area is ready for check-in from a package or previous release area.
Examples: An application administrator or release manager responsible for preparing release areas for use.
Check-off Area A check-off approver signifies that release activities in an area, such as check-in and testing, are complete. This approval is required to check-in components from the area into the next area.
Examples: A development manager, testing manager, or business unit manager who reviews and approves test results from an area.
Install Release An install approver gives permission for the installation of a release.
Examples: Development managers, testing managers, IT operations managers, and business unit managers.
Associated Release or Area A check-in, check-off, or install approver that is dynamically added to an area or release when a specified library type or other condition is present in the release or area.
Examples: DBA approver that is added to area check-in approvers when there is at least one BIND command member in a release, or the Payroll manager, who is added to release install approvers when a release contains components from the PAYR application.

Follow these rules when you define approver entities in your security system:

  • Define approver security entities under the resource class that you use for other ChangeMan ZMF security entities such as CMNGBADM.

  • Define approver security entities with no authority, then permit userids UPDATE authority to the approver entities to grant the userids approver privileges.

Area Entities

You can restrict who can perform release area functions by defining additional security entities in your security system.

  • Specify security entities in release area definitions.

  • Set area rules that require a security check when anyone attempts to perform the restricted functions.

The use of area security entities is optional. The same security entity can be used to restrict multiple area functions and to restrict functions across multiple entities. Area security entities include:

Area Entity Description
Blocking Entity Restricts who can block and unblock a release area.
Check-in Entity Restricts who can check-in a package into a release area or check-in an area into the next area.
Retrieve Entity Restricts who can retrieve components, packages, and areas from a release area.

Follow these rules when you define area entities in your security system:

  • Define area security entities under the resource class that you use for other ChangeMan ZMF security entities such as CMNGBADM.

  • Define area security entities with no authority, then permit userids UPDATE authority to the area entities to grant area function privileges.