The security logon operation is a four-stage process that involves:
- TDP
- The z/OS System Authorization Facility (SAF)
- Your external security manager
- The database
- At logon time, if the security logon function is enabled, TDP compares the database system userid supplied by the logon application with the authid associated with the requesting mainframe address space:

  | IF there is . . . | THEN . . . |
  |---|---|
  | a match, either explicit or implicit (no database system userid supplied) | TDP allows the logon to proceed with no further security processing. |
  | not a match | TDP sends logon validation and authorization requests to the SAF interface to determine, first, whether the user/authid is valid (validation) and, if it is valid, whether the user/authid is allowed access to the particular TDP (authorization). |
- The SAF interface routes the logon validation and authorization requests to the external security manager.
- The external security manager checks its own database or repository to identify the user and verify access authorization.
- The external security manager's response to the SAF validation and authorization requests indicates:
  - Whether the validation request succeeded or failed
  - Whether the authorization request was approved or disapproved
  - Any reason codes associated with a failed or disapproved request
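The decision flow above, modelled as an added example: this is not Teradata code and does not call SAF or any real security manager. The `ESM_REPOSITORY` dictionary, the `saf_validate`/`saf_authorize` stand-ins, the TDP names and the reason-code values are all constructed for illustration; the real reason codes come from your external security manager. The example assumes the security logon function is enabled and shows the four distinct outcomes: a match (explicit or implicit) that bypasses SAF entirely, a mismatch that fails validation, a mismatch that passes validation but fails authorization, and a mismatch that passes both.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the external security manager's repository.
# Key: userid; value: the set of TDPs that user is authorized to access.
# A userid absent from the map fails validation; a present userid whose
# set lacks the requested TDP passes validation but fails authorization.
ESM_REPOSITORY = {
    "PAYROLL1": {"TDP0", "TDP1"},
    "AUDIT01": {"TDP2"},
}

# Constructed reason codes (illustrative only; real codes come from the ESM).
REASON_OK = 0
REASON_USER_UNKNOWN = 4
REASON_NOT_AUTHORIZED = 8


@dataclass
class LogonDecision:
    allowed: bool
    path: str                        # "match" (no SAF call) or "saf"
    validated: Optional[bool] = None  # None when SAF was never consulted
    authorized: Optional[bool] = None
    reason_code: int = REASON_OK


def saf_validate(userid: str) -> bool:
    """Stand-in for the SAF validation request routed to the ESM."""
    return userid in ESM_REPOSITORY


def saf_authorize(userid: str, tdp_name: str) -> bool:
    """Stand-in for the SAF authorization request routed to the ESM."""
    return tdp_name in ESM_REPOSITORY.get(userid, set())


def tdp_logon(supplied_userid: Optional[str],
              address_space_authid: str,
              tdp_name: str) -> LogonDecision:
    """Model of TDP's security logon decision (security logon enabled).

    supplied_userid      -- database system userid from the logon application,
                            or None if the application supplied none
    address_space_authid -- authid of the requesting mainframe address space
    tdp_name             -- the particular TDP being logged on to
    """
    # Explicit match: supplied userid equals the address-space authid.
    # Implicit match: no userid supplied at all.
    # Either way TDP proceeds with no further security processing.
    if supplied_userid is None or supplied_userid == address_space_authid:
        return LogonDecision(allowed=True, path="match")

    # Not a match: validation first; authorization only if validation succeeds.
    if not saf_validate(supplied_userid):
        return LogonDecision(False, "saf", validated=False,
                             reason_code=REASON_USER_UNKNOWN)
    if not saf_authorize(supplied_userid, tdp_name):
        return LogonDecision(False, "saf", validated=True, authorized=False,
                             reason_code=REASON_NOT_AUTHORIZED)
    return LogonDecision(True, "saf", validated=True, authorized=True)


if __name__ == "__main__":
    for args in [(None, "PAYROLL1", "TDP0"),
                 ("PAYROLL1", "PAYROLL1", "TDP9"),
                 ("NOBODY", "BATCH01", "TDP0"),
                 ("AUDIT01", "BATCH01", "TDP0"),
                 ("PAYROLL1", "BATCH01", "TDP1")]:
        print(args, "->", tdp_logon(*args))
```

Note the asymmetry the model makes visible: on a match, TDP never asks SAF whether the userid may access this TDP, so the trust in that path rests entirely on the address-space authid already having been authenticated by z/OS. Only the mismatch path reaches the external security manager and produces validation, authorization and reason-code results.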