

How Do You Define Privileged Users?

You define privileged users by assigning special fields to their logonid records. CA ACF2 groups these fields under the PRIVILEGES group of the logonid record. These privilege fields give users authority over certain administrative functions such as the abilities to display and change CA ACF2 Option for DB2 infostorage records. See the CA ACF2 Administrator Guide for information about updating logonid records.

Of the CA ACF2 logonid privileges available to users, only the NON‑CNCL, SECURITY, and AUDIT privileges apply to CA ACF2 Option for DB2 users. (A CA ACF2 Option for DB2 user is a logonid that is attempting access to DB2 resources or is administering CA ACF2 Option for DB2 security.) Users with these privileges can access information stored in the Infostorage database, where CA ACF2 Option for DB2 keeps all of its information. Other privileges give users the ability to access information in other databases and do not affect CA ACF2 Option for DB2 users.

The NON‑CNCL, SECURITY, and AUDIT privileges are described below:

NON‑CNCL

Indicates that CA ACF2 Option for DB2 cannot cancel this logonid because of security violations. Users with this field in their logonids can access any resource. CA ACF2 logs the access and shows that the user cannot be canceled.

SECURITY

Indicates that this user is a security administrator who has access to z/OS data sets, protected programs, and DB2 resources. In CA ACF2 Option for DB2, the security administrator can create, maintain, and delete CA ACF2 Option for DB2 rules and DB2 records in the Infostorage database. This means that a security administrator can access any DB2 resource. In CA ACF2, the security administrator can also process access rules, resource rules, entry records, scope records, shift and zone records, and Global System Options (GSO) records. The security administrator can also change certain fields in logonid records, display logonid records, and access any data set. CA ACF2 logs any accesses made by this security administrator that are not allowed through ownership or through CA ACF2 Option for DB2 rules.

AUDIT

Indicates that this user can use the ACF subcommands to inspect, but not modify, the parameters of the CA ACF2 system. This user cannot update or delete logonid records, nor access any data that is not authorized through CA ACF2 Option for DB2 rules.

See the CA ACF2 Administrator Guide for information about assigning these fields to logonids.
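Because NON‑CNCL, SECURITY, and AUDIT are the only logonid privileges that matter to CA ACF2 Option for DB2, a periodic review of which logonids carry them is the practical control that follows from the descriptions above. The following is an added example, not code from the product documentation or from CA: it parses a constructed text listing that approximates the grouped layout of a logonid record (logonid at column 1, field groups indented, the PRIVILEGES group named as on this page) and reports each logonid that holds one of the three DB2-relevant privileges together with the effect the page attributes to it. The listing format and the sample logonids are assumptions; the privilege names and their descriptions come from the text above.

```python
from typing import Dict, List, Tuple

# Constructed sample listing (assumed layout, not verbatim product output).
# A record starts with the logonid in column 1; each field group is an
# indented line beginning with the group name, e.g. PRIVILEGES.
SAMPLE_LISTING = """\
DBADM01  DB2 ADMINISTRATOR
  PRIVILEGES   ACCOUNT JOB SECURITY TSO
AUDIT01  INTERNAL AUDITOR
  PRIVILEGES   AUDIT JOB TSO
OPS01    OPERATIONS
  PRIVILEGES   JOB NON-CNCL TSO
DEV01    APPLICATION DEVELOPER
  PRIVILEGES   JOB TSO
"""

# The three privileges this page says apply to CA ACF2 Option for DB2 users,
# with the effect described for each.
DB2_PRIVILEGES = {
    "NON-CNCL": "cannot be cancelled for violations; can access any resource (access is logged)",
    "SECURITY": "security administrator; can access any DB2 resource and maintain rules",
    "AUDIT": "can inspect but not modify CA ACF2 parameters; no extra data access",
}


def parse_privileges(listing: str) -> Dict[str, List[str]]:
    """Return {logonid: [privilege fields]} from a grouped logonid listing."""
    privileges: Dict[str, List[str]] = {}
    current = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: a new logonid record begins; first token is the logonid.
            current = line.split()[0]
            privileges.setdefault(current, [])
        elif current is not None:
            # Indented line: a field group; only the PRIVILEGES group is of interest.
            parts = line.split()
            if parts and parts[0] == "PRIVILEGES":
                privileges[current].extend(parts[1:])
    return privileges


def db2_privileged_logonids(listing: str) -> Dict[str, List[str]]:
    """Return only the logonids that hold NON-CNCL, SECURITY or AUDIT."""
    result: Dict[str, List[str]] = {}
    for logonid, fields in parse_privileges(listing).items():
        hits = [f for f in fields if f in DB2_PRIVILEGES]
        if hits:
            result[logonid] = hits
    return result


def review_report(listing: str) -> List[Tuple[str, str, str]]:
    """One (logonid, privilege, effect) row per DB2-relevant privilege found."""
    rows: List[Tuple[str, str, str]] = []
    for logonid, hits in sorted(db2_privileged_logonids(listing).items()):
        for priv in hits:
            rows.append((logonid, priv, DB2_PRIVILEGES[priv]))
    return rows


if __name__ == "__main__":
    for logonid, priv, effect in review_report(SAMPLE_LISTING):
        print(f"{logonid:<9}{priv:<10}{effect}")
```

Logonids that carry only other privileges (DEV01 in the sample) are left out of the report, matching the page's statement that those privileges do not affect CA ACF2 Option for DB2 users; SECURITY and NON‑CNCL holders are the ones whose accesses are logged rather than blocked, so they are the rows to reconcile against an approved administrator list.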