Administering Security Data

The security data used by the VSAM ESM Module is kept in a set of COBOL VSAM (.dat) files, referred to as the VSAM ESM file directory. These files can be created and updated using the mfsecconv utility, which can convert between data specified in a YAML file and the VSAM ESM file directory. YAML is a data serialization language typically used for configuration files which can be created and maintained using a text editor.

The COBOL VSAM files in the VSAM ESM file directory can also be edited using the Data File Editor. See Data File Editor for more information.

An example YAML file is provided with the product, es_default_security.yaml, which is located at $COBDIR/etc/vsam_esm.

Note: Importing the es_default_security.yaml file into an existing security configuration with the --update option will overwrite all changes that have been made to objects in the security configuration which have a definition in the YAML file. This includes the password generated for the SYSAD user during product installation. Micro Focus recommends creating a YAML file with only the changes you require. You can use es_default_security.yaml as a template, but remove all entries you do not require.

The YAML syntax used with mfsecconv is as follows:

Users:
  - User:
    UserId: ""  #Attribute type: String
    AltId: "" #Attribute type: String
    AllowLogon: True #Attribute type: Boolean
    Description: "" #Attribute type: String
    CustomText: "" #Attribute type: String
    DefaultGroup: "" #Attribute type: String
    CreateToken: "" #Attribute type: String
    UseToken: "" #Attribute type: String
    LastLoginTime: "" #Attribute type: String, format ISO8601
    ExpirationDate: "" #Attribute type: String, format ISO8601
    LoginAttempts: 0 #Attribute type: Integer
    Audit: True #Attribute type: Boolean
    MTOs:
      Priority: 0 #Attribute type: Integer
      Timeout: 0 #Attribute type: Integer
      OperatorClass: 0 #Attribute type: Integer
      OperatorID: "" #Attribute type: String
      GroupPrefix: "" #Attribute type: String
    Password:
      - Verifier: "" #Attribute type: String in the format "<verifier type>:<verifier>" e.g. "literal:a_strong_password"
      - MustChange: True #Attribute type: Boolean
      - ExpirationDate: "" #Attribute type: String, format ISO8601
      - History: # A sequence of Attribute type: String
        # conforming to the following format "<ISO8601 date/time>:<verifier type>:<verifier> e.g.:"
        - "20220811T164639Z:literal:an_old_password"

UserGroups:
  - UserGroup:
    GroupId: "" #Attribute type: String
    Description: "" #Attribute type: String
    CustomText: "" #Attribute type: String
    Member: # A sequence of Attribute type: String, where each entity is a member of this user group
      - "SYSAD" #Meaning the SYSAD user is a member of this user group
      - "#DSAdmin Group" #The " group" suffix indicates "#DSAdmin" is a user group, whose members are also members of this group.
    Audit: True #Attribute type: Boolean

ResourceClass:
  - ResourceClass:
    ResourceClassId: "" #Attribute type: String
    Description: "" #Attribute type: String
    CustomText: "" #Attribute type: String

ResourceRules:
  - ResourceRule:
    RuleID : "" #Attribute type: String
    ResourceClassId: "" #Attribute type: String
    ACEs: #A sequence of Attribute type: String representing this rule's Access Control Entries
    # in the format: "<access type>:<actor>:<permission level>" e.g.
      - "allow:ALLUSER group:read" # the " group" suffix indicates ALLUSER is a group and allows all it's members to read.
      - "deny:SYSAD:execute"  #Denies the user SYSAD from executing.
      - "deny:*:write" # denies all actors(both users and groups) from writing.

    Description: "" #Attribute type: String
    CustomText: "" #Attribute type: String
    Audit: True #Attribute type: Boolean

Use the mfsecconv command to import or export security data. See The mfsecconv Command for more information.