This IRM serves as the help guide for all SACS Security command codes.

Purpose: These sections provides information of the formats, variables and related description of SACS Security command codes.

Audience: IDRS Security Officers.

Policy Owner: IT Cybersecurity.

Program Owner: IT Cybersecurity, IDRS Security/IORS.

Primary Stakeholders: IT Cybersecurity, IDRS Security/IORS and Enterprise Operations (EOPS).

Program Goals: Provide information of the formats, variables and related description of SACS Security command codes.

Program Management and Review: SACS maintains the contents of this help guide with information and concurrence from Cybersecurity.

Program Controls: The help guide is updated whenever there are new updates to the existing command code formats or when new command codes are added.

ADDEM adds a user's ESRF to the SACS system. There are three different ways to add an employee to the system:

Format 1 adds returning IDRS users or Console users to their previous unit.

Format 2 adds new IDRS users or new Console users or returning users to a different unit.

Format 3 adds new IDRS users or Console users or returning users and specifies all 10 digits of the Employee Number.

In all three options, definer N establishes a Production Profile which may only be used when the employee has changed mode to a Foreign Location (CMODE) -- they have NO Profile at their Home Location.

ADMAF can create the MPAF for a new Unit. The MPAF determines what Command Codes can be given optionally to users within the Unit.

ADMAF can delete the MPAF for a Unit.

ADMAF with a definer of 'Z’ creates up to ten (10) new Units, copies the Command Code bitmaps and characteristics of the existing Unit to the new Units, moves all active employees from the existing Unit to the first new Unit, thus allowing the employees to keep their Production Command Code bitmaps, then deletes the existing Unit. If the first unit is in a different campus (within the same Computing Center), the restrictions and bypasses for the employees in the old campus are copied over to the new campus. The Revenue Agent and 809 Receipt Book User restrictions and bypasses are deleted for the employees at the old campus.

ADMAF with a definer of 'U' creates up to ten (10) new Units, and copies the Command Code bitmaps and characteristics of an existing Unit to the new Units.

ADTRM can authorize a single terminal or multiple terminals for addition to the SACS network and to set a specific time frame during which a terminal/terminals can be used to access the network.

ADTRM can remove a terminal's authorization from the network.

Format 1 adds the UCCP for a unit. The Command Codes in the UCCP are inserted into all user profiles in the Unit. This format also lets workload management to be turned ON or OFF for a unit.

Format 2 deletes a UCCP for a unit.

Format 3 sets a unit’s Universal Access Switch.

Authorize USR to input command code at additional OI.

Remove USR ability to input command code at additional OI.

View USR permissions to input command codes at additional OIs.

View permissions to input command codes at additional OIs for all USRs.

ASNPW assigns a password to an employee. This is necessary when a user's password is forgotten or is compromised.

ATSID displays all 2-character TSID prefixes assigned to a Campus.

ATSID displays all available TSIDs at a Campus that start with a given 2-character TSID prefix.

BYPAS can activate a temporary bypass to a restriction on an employee profile at a given campus.

BYPAS can remove a temporary bypass to a restriction on an employee profile at a given campus.

BYPAS can display all employees in a campus Designated User Listing (DUL) with a specific restriction bypass.

CMODE allows authorized users to switch from their Home Location to an authorized Foreign Location. At the same time, it changes their terminal association to the corresponding location and their default IDRS Command Code routing to that location. The routing of CFOL commands is not affected.

CMODE is also used to change back to the Home Location or to a different Foreign Location.

Employees cannot execute security Command Codes from a Foreign Location, except for CMODE, SFDIS, SINOF and STATS. If an employee signs off (SINOF) from a terminal while using their foreign number, their employee status and terminal status will be reset to the Home Location.

DIPID displays a list of terminals in a specified Campus that have not been used for six months or more.

DISCC displays the attribute settings of Command Codes on the Security Command Code Table (CCT) in SACS. It is a Command Code which provides IDRS users with the same functionality as the SACS Operator Command CCDIS.

DISGR can display a list of all the Command Code Group names.

DISGR can display a list of all Command Codes within a specific Command Code Group.

DISNC displays network configuration information on SACS terminals, data lines, and sites. DISNC is an IDRS user Command Code which provides the same functionality as the SACS Operator Command NCDIS.

Users may display information about single network resources using the Terminal Security ID, or the Terminal PID, or the Location ID of a terminal or site.

Users may also display multiple resources by Resource type (line, site or terminal), or by Connection type.

Access is to this command code is restricted to Cybersecurity IDRS Security staff only.

Access is to this command code is restricted to Cybersecurity IDRS Security staff only.

FIEMP displays employee case information, using an Employee Number key.

FIEMP displays the case owner's name, Standard Employee Identifier (SEID), telephone number, and status (active or inactive).

LOKME allows an employee to lock their own profile for a specific number of days or until a specific date. In either format, the employee can lock their profile for up to 45 days. The lock does not take effect until SINOF. An employee may cancel the lock request prior to SINOF.

Employees who return to duty before the locked period ends must be unlocked by security personnel with the UPEMP Command Code.

MDPCC adds or deletes command codes to/from the Prohibited Command Code Table (PCC). This command code is only available to Computing Center Security Officers.

MRINQ can display employee history information, using a Social Security Number key, an Employee Number key, or a Standard Employee Identifier (SEID) key.

MRINQ can display limited information for an employee when using the Social Security Number key (just the SEID, phone number, and investigation date).

MRINQ can display the next available Employee Number.

MRINQ can display a list of all Employee Numbers for a given Office Identifier and Sequence Number.

MRUPD can update a user's Social Security Number, their Investigation status and date, or their Assignment or Origin dates.

MRUPD can display and update and delete workload management. (See also Workload Management Examples below.)

PIDTM displays available PIDS or PIDS in use at a given campus.

PWACT is used by employees to activate their password management function.

IDRS Password Management capability that will enable IDRS users who have forgotten their IDRS password to get a new temporary IDRS password without having to submit an Online 5081 request. To use this capability, you must activate the IDRS Password Management capability (PWACT) while signed onto IDRS. After the capability has been activated, if you have forgotten your IDRS password you can use this feature to create a new temporary IDRS password which will then let you create a new user password.

This field is imbedded in the SINON template.

Possible Errors:

REPTS authorizes user access to the SACS security reports application IORS via SACS. Users must login to IORS using their SACS login information (SEID, Last Name, First Initial, password). SACS provides user authentication, making sure the user is profiled with REPTS and has an active user account in SACS before allowing them access to IORS. SACS also provides the preliminary security checks to ensure the user access request is issued from an authorized IORS server/terminal. An Audit Trail Record will be produced for all IORS login inputs made using REPTS.

Command code RMODE authorizes an employee to use the command codes contained in their Training Profile in a Research Mode. Employees should contact their USR for instructions on modifying their Training Profile.

The Research Mode differs from Production Mode in that production files are accessed but not updated. It differs from Training Mode in that the training files are not accessed.

The Research Mode is to be used only by:

In order to use the research capability, a user shall have command code RMODE in their Production Profile, and input command code SlNON with a Production/Training Indicator of R.

An Audit Trail Record will be produced for all inputs made in the Research Mode.

All Research Mode security violations will be included in IDRS security reports.

ROUTE displays the name, code, number, and Office Identifier (OID) used to identify each Campus' IDRS database. It also displays the current status of the route to that database.

Format: ROUTE

RSTRK (meaning restrict) prevents an IDRS user with a certain role type from having specified command codes in their profile. Restrictions added under an Office Identifier can not be removed by security personnel in another Officer Identifier. Restrictions added on a campus in the same computing center will update to the employee profile on the active campus. Restrictions added on a campus on the opposite computing center from the employee's active IDRS account, will need to be manually updated by security personnel. RSTRK can be added to the employee data base for an employee SSN who has no active IDRS account.

RSTRK can add and delete restrictions against a employee's profile for a given campus.

RSTRK can display the Command Codes that are restricted for a user role.

RSTRK can display all employees in a campus Designated User Listing (DUL) with a specific restriction.

RSTRK can display all employees (any or no restriction) in a campus DUL.

RSTRK can display the restriction and bypass history for a specific employee.

RSTRK can change an employee name in the DUL

SECOP unlocks a terminal that has received a security lock as a result of three consecutive security violations.

SETPW allows Security Officers and Unit Security Representatives to change the number of days users in a Unit have until their passwords automatically expire. The range must be in increments of 30 days.

The default for a Unit is 120 days. Security Officers may set the range lower than the default or reset it higher, but may never exceed 120 days. Unit Security Representatives may set the range lower or reset it higher, but never higher than the Security Officer's setting.

SFDIS allows users to display their own Profiles. The response to this command will include the user's current (signed on) profile, the Info-connect ID, the user's active restriction/bypasses, password management activation status and availability, individual Command Code profile and authorized Foreign Locations for CMODE. User must be signed on in "T" mode to view his/her training profile.

SFINQ can display employee information such as name, Employee Number, SEID, user type, locked or unlocked status, active/inactive restrictions and bypasses, authorized foreign access, NULL status and password management status.

SFINQ can display the employee's Production or Training Command Code Profiles.

SFINQ can display all employees in a Unit in Employee Number order or name order, show their SEID, Operator Type, whether signed on or off, the TSID of the terminal if signed on, and their locked or unlocked status.

SFINQ can display all Command Codes allowed in a Unit plus the Unit's Universal Access (reroute) status.

SFINQ can display for one or more Units a list of all employees' names, Employee Numbers, NULL Status, and authorized Foreign Locations Office Identifiers (OIDs).

SFINQ can display, by terminal TSID, the employee number for any user signed on, or the allowed Time On/Off for that terminal.

SFINQ can display a list of the last usage dates for all Command Codes in a particular Unit, plus indicate which Command Codes have been turned off for non-use.

SFINQ can display authorized Multiple Access (CMODE) locations.

Finally, this SFINQ displays Command Codes turned off for a Unit. This option has six different options:

Display LAST 30 days for BOTH System and Security Officer turn-offs.

Display LAST 30 days for EITHER System or Security Officer turn-offs.

Display ALL dates for BOTH System and Security Officer turn-offs.

Display ALL dates for EITHER System or Security Officer turn-offs.

Display SPECIFIED NUMBER of days for BOTH System and Security Officer turn-offs.

Display SPECIFIED NUMBER of days for EITHER System or Security Officer turn-offs.

Display Password Management Status for a unit - SFINQW.

SINOF is used to deactivate your session with IDRS.

Format: SINOF

SINON is used to access the IDRS system. SINON is used to retrieve the template or to actually sign on using the CASL macro.

SOMSG updates the message that appears when a user signs on to IDRS. It also can be displayed with the STATS Command Code.

STATS displays general information relative to the session such as TSID, PID number, InfoConnect ID, date, time, and whether IDRS is up.

Format: STATS

SWTCH queries the status setting of the Campus Domain Indicator (@APSW1 global) or TURNON/TURNOFF status for the Campus Domain Indicator. Security Officers can query the Campus Domain Indicator Status, or set the status of the Campus Domain Indicator.

UNLEM unlocks an employee who has been locked by the system after a 17-day period of inactivity. This allows Terminal Security Administrator (TSAs) to unlock system-locked employees without needing to have UPEMP in their profiles.

Add or Delete Restriction.

Display Restriction Record.

UPEMP can change an employee (user) name, their Unit Number, their SAT or Programmer type (in Test only), their TRDB status, their Standard Employee Identifier (SEID), or their telephone number.

UPEMP can add / delete Command Code(s) to / from the user's Profile. This option also displays and changes their IMF - BMF status.

UPEMP can lock or unlock a user's Profile (unlocks system lock, security lock, or self lock) or delete a user.

UPEMP can delete an authorized Foreign Location.

UPEMP can perform workload maintenence functions.

UPEMP can delete an employee's profile.

Employees' access to multiple databases is controlled by using UPEMP to add Foreign (secondary) Locations.

Multi-Access employees can have their Command Code Profile set to NULL at their Home Campus.

UPHST displays or changes the list of Command Codes in a host profile. This feature controls the cross-routing of Command Codes from host to host. A host may only forward Command Codes which are on its authorized list. There is an additional feature that allows the updating of all ten IDRS hosts with the inputting of 1 transaction.

UPMAF adds Command Code(s) to or deletes Command Code(s) from the Maximum Profile Authorization File (MPAF) for a Unit.

UPMAF also allows for the locking and unlocking of up to 5 units.

UPTRM changes the permanent or temporary Time On/Off parameters for a terminal.

UPUNT is used to maintain a Unit's Minimum Command Code Profile (UCCP).

Update the Command Codes in a Unit.

Turn workload management on or off for a Unit

Allow or disallow rerouting also known as Universal Access for a Unit

Enable or disable TRDB dual SINON for a Unit