Previous PageTable Of ContentsNext Page

Chapter 3. SafeAccess CP Component

SafeAccess CP Interception Operation


SafeAccess modifies the behavior of CP commands and functions. This section discusses the commands and functions modified. The SafeAccess CP component is loaded with the SACLDCP utility. SafeAccess intercepts the CP commands or functions listed below and, in the cases where SafeAccess simulated minidisks are involved, modifies the behavior of the command to simulate a normal minidisk. When SafeAccess simulated minidisks are not involved, SafeAccess calls the appropriate CP command or function so that it can process the command or function as normal. Listed below are the CP commands and functions that are intercepted and a description of the SafeAccess processing that occurs.

LOGON (CP Exit 117F)
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess creates SDEVs from any SACDISKs the user has and from any SACLINKs the user has. Each link is run through the SafeAccess server for access control. Any disks residing in SafeSFS controlled file pools are given SACMODE rules. If the user logging on is the SafeAccess server, a message is sent to the SafeAccess server to cause it to become quiesed.

LOGOFF (CP Exit 11FF)
SafeAccess removes any SDEVs that the user has. Each SDEV is run through the SafeAccess server to allow it to remove any SACMODE rules.

LINK
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess determines if the target of the link is a SACDISK. If not, it runs the real CP LINK command after ensuring that the linkas address is not an SDEV. If so, it runs the link through the SafeAccess server for access control, creating a SACMODE rule and/or an SDEV if appropriate, and generates an appropriate response.

DETACH
SafeAccess parses the command to determine if it is detaching a virtual device. Non virtual device requests are passed to CP. SafeAccess detaches all SDEVs on the command and passes all non-SDEV addresses to CP. SafeAccess also sends up detach messages to the SafeAccess server to allow it to remove any SACMODE rules that apply.

DEFINE/REDEFINE
SafeAccess checks to see if the user is IGNORED. If not, it determines if the device being redefined is an SDEV. If not, it is passed to CP. In all cases, SafeAccess checks the "define as" address to ensure that it does not overlap an SDEV.

GIVE
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess checks to ensure that the address the device is being attached to is not an SDEV. If it is, the ATTACH fails and an appropriate response is generated. If not, the command is given to CP.

ATTACH
SafeAccess checks to see if the user is IGNORED. If not, it parses the ATTACH command to ensure that the target address is not an SDEV. If not, it is passed to CP. If so, an appropriate error is generated.

QUERY MDISK
SafeAccess checks to see if the user is IGNORED. If not, an appropriate response is created for each minidisk or SACDISK in the list of devices on the command.

QUERY LINKS
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess determines if the virtual address is an SDEV. If so, an appropriate response of other links to this SACDISK is generated. If not, it is passed to CP.

QUERY VIRTUAL device and QUERY device (CLASS G only)
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess generates an appropriate response for each device in the device list that is an SDEV. SafeAccess calls CP for each device in the list that is not an SDEV. When a non-priviledged user issues QUERY device, CP treats this as a QUERY VIRTUAL device command. SafeAccess cannot use the CP Exit facility to gain control for this situation so it updates the CMDBK in CP storage to cause it to call SafeAccess for QUERY device commands. SafeAccess updates this field when the CP Component is loaded and resets it to its original value when the SafeAccess CP Component is unloaded.

QUERY VIRTUAL ALL
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess generates an appropriate response for each virtual device that the user has.

QUERY VIRTUAL DASD
SafeAccess checks to see if the user is IGNORED. If not, SafeAccess generates an appropriate response for each SDEV or minidisk that the user has linked. For each SDEV, the DASD value is set to "SDSK" and the SUBCHANNEL="FFFF".

DIAGNOSE 24/210
SafeAccess checks to see if the user is IGNORED. If not, it generates an appropriate response if the target of the Diagnose is an SDEV.

DIAGNOSE 88
Diagnose 88 is handled just like a LINK command.

DIAGNOSE 1DC
This is the SafeAccess database diagnose. All communication between user's and the SafeAccess database services is done via this diagnose. The SafeAccess server uses this diagnose to request/receive messages from CP.

Previous PageTable Of ContentsNext Page