Why Do You Need this Information?

This report can tell you who has access to certain resources. In addition, it can give you important information about users’ abilities to access resources. It tells you why users can access the resource and whether they can give access to other users. If you know why users can access a resource, you can tell how much authority they have over the resource. If they are granted access because of a rule entry, access is limited according to the rule entry. If they are security administrators, they can access the resource in any way because they can change the rule set. They can also grant others access to the resource. If they are owners of the resource, they can access the resource as owners but cannot grant privileges to others.

For example, ACFRPTRX tells you when a user’s UID matches:

A rule entry

For users who match the rule entry, CA ACF2 prints the rule entry. Access is determined by the rule entry’s access permission.

The %CHANGE control statement

Users who match this control statement can change the rule entry to give themselves and other users access to the resource. They can also delegate this rule‑writing authority by giving other users the ability to change the rule set.

The %RCHANGE control statement

Users who match this control statement can change the rule entry to permit themselves and others access to the resource. However, these users cannot delegate this rule‑writing authority.

The $LIDOWNER or $UIDOWNER control statement

Users identified by these control statements have DB2 ownership privileges (except for security administrative privileges, such as the ability to change the rule set). These users do not have to match a rule entry to be granted access to the resource.

The ACFRPTRX report also tells you when a logonid specifies SECURITY and NON‑CNCL. These special privileges enable logonids to access resources and CA ACF2 Option for DB2 security information without written rules. Logonids that specify SECURITY can also create and change rule sets, thus giving users access to resources.