Defining Security Entities
Like the base ChangeMan ZMF product, access to ChangeMan ZMF ERO functions is controlled by security entities you define in your security system. Like a change package, a release has a set of approvers, and people are granted approval authority by granting them update authority to approver security entities defined in your security system.
Release Administration Entities
ChangeMan ZMF global and application administrators can execute release administration functions in ChangeMan ZMF ERO. In addition, security entities CMNRLSM and CMNRLSA grant authority to perform release administration functions without also granting global or application administration authority in the base ChangeMan ZMF system.
This table shows the security entities that control access to ChangeMan ZMF ERO administration functions:
| Security Entity | Release Management Administration Option | Release Management Functions |
|---|---|---|
| CMNGBADM | Global Configuration | Define release management high level qualifier |
| CMNGBADM or CMNRLSM | Global Configuration | Define global approver list. |
| CMNGBADM or CMNRLSM | Release Configuration | Create, update, delete a release Create, update, delete a release area Add, update, delete a release area approver Add, update, delete a release install approver Add, update, delete a prior release |
| CMNLCADM or CMNRLSA | Application Configuration | Join, update, delete a release application Add, update, delete a release application library type Update release application SYSLIB library concatenation |
Follow these rules when you define CMNRLSM and CMNRLSA in your security system:
-
Define release administration security entities under the resource class that you use for other ChangeMan ZMF security entities such as CMNGBADM.
-
Use the same security entity format that you use for entities that grant administration authority in the base ChangeMan ZMF product. For example, if the ChangeMan ZMF global administrator security entity for subsystem 6 is CMN6GBAD, then define the release administration security entities as CMN6RLSM and CMN6RLSA.
-
Define release administration security entities with no authority, then permit userids UPDATE authority to one or both entities to grant the userids release administration privileges in ChangeMan ZMF ERO.
Note
Some processing rules are relaxed for user IDs with UPDATE authority to the global administrator entity (CMNGBADM) or the release administrator (CMNRLSM) entity.
For example, when checking in a package with a component locked by someone else, the check-in is blocked for an ordinary user, but a global or release administrator can override the disallowed check-in.
Processing rules are not relaxed for user IDs with UPDATE authority to the application administrator entity (CMNLCADM) or the release application administrator (CMNRLSA) entity.
Approver Entities
Several approvals are required at different points in the release life cycle. Release approvers include:
| Approver | Type | Description |
|---|---|---|
| Check-in | Area | A check-in approver signifies that an area is ready for check-in from a package or previous release area. Examples: An application administrator or release manager responsible for preparing release areas for use. |
| Check-off | Area | A check-off approver signifies that release activities in an area, such as check-in and testing, are complete. This approval is required to check-in components from the area into the next area. Examples: A development manager, testing manager, or business unit manager who reviews and approves test results from an area. |
| Install | Release | An install approver gives permission for the installation of a release. Examples: Development managers, testing managers, IT operations managers, and business unit managers. |
| Associated | Release or Area | A check-in, check-off, or install approver that is dynamically added to an area or release when a specified library type or other condition is present in the release or area. Examples: DBA approver that is added to area check-in approvers when there is at least one BIND command member in a release, or the Payroll manager, who is added to release install approvers when a release contains components from the PAYR application. |
Follow these rules when you define approver entities in your security system:
-
Define approver security entities under the resource class that you use for other ChangeMan ZMF security entities such as CMNGBADM.
-
Define approver security entities with no authority, then permit userids UPDATE authority to the approver entities to grant the userids approver privileges.
Area Entities
You can restrict who can perform release area functions by defining additional security entities in your security system.
-
Specify security entities in release area definitions.
-
Set area rules that require a security check when anyone attempts to perform the restricted functions.
The use of area security entities is optional. The same security entity can be used to restrict multiple area functions and to restrict functions across multiple entities. Area security entities include:
| Area Entity | Description |
|---|---|
| Blocking Entity | Restricts who can block and unblock a release area. |
| Check-in Entity | Restricts who can check-in a package into a release area or check-in an area into the next area. |
| Retrieve Entity | Restricts who can retrieve components, packages, and areas from a release area. |
Follow these rules when you define area entities in your security system:
-
Define area security entities under the resource class that you use for other ChangeMan ZMF security entities such as CMNGBADM.
-
Define area security entities with no authority, then permit userids UPDATE authority to the area entities to grant area function privileges.