

DASD ATTACH Commands Access Rules

CA ACF2 for VM access rules control real DASD devices. You can attach real DASD devices to a virtual machine using the CP ATTACH command or the DEDICATE VM directory control statement.

The dsn format for attachable DASD devices is Rccuu, where R indicates real devices and is a required constant. You must specify the device address portion of the rule as a four-digit hexadecimal number.

In the examples that follow, references to the ATTACH command also apply to the DEDICATE VM directory control statement. Both ATTACH and DEDICATE perform the same function, except that ATTACH is a command issued from a user console, and DEDICATE is a VM directory control statement that causes an automatic ATTACH when a virtual machine is logged on. CA ACF2 for VM validates both the same way.

If you use permanently mounted DASD devices, such as 3390s, you might construct rule entries for ATTACH commands as shown below:

$KEY(SYSTEM)
*ALLOW REAL 130 TO BE ATTACHED TO UID ACCTLCDLT
 R0130 UID(ACCTLCDLT) WRITE(A)
*ALLOW UID ACCTLCDLT TO ATTACH THE REAL 230
 R0230 UID(ACCTLCDLT) WRITE(A)

This rule lets user ACCTLCDLT attach DASD device 130 or 230. It applies to every ATTACH 130 or ATTACH 230 command ACCTLCDLT issues, regardless of the volume serial number of the volume mounted on these two devices. This rule is sufficient for DASD devices that always have the same volume mounted. We do not recommend this rule format if you use removable DASD devices (such as 3330s) because it does not effectively control access to a particular volume serial number (a specific disk pack).

When you use removable DASD devices, use the VOL parameter to indicate the specific volume serial number that a user can ATTACH. The following rule allows any DASD device that has volume PAY001 mounted to be attached to UID ACCTLCDLT:

$KEY(SYSTEM)
*ALLOW PAY001 TO BE ATTACHED TO UID ACCTLCDLT
 R- UID(ACCTLCDLT) VOL(PAY001) WRITE(A)

This rule provides more flexibility and control over attachable devices because a device can be attached to user ACCTLCDLT only if volume PAY001 is mounted on it. You can specify the VOL parameter as a mask, such as PAY***. If you specified the rule shown above with VOL(PAY***), user ACCTLCDLT could attach any DASD device that had a volume with a serial number beginning with PAY.

You can use other combinations of the dsn and VOL parameters to provide the proper balance between flexibility and control. For example, the rule shown below lets user ACCTLCDLT attach only 13x DASD devices that have a PAY volume mounted:

$KEY(SYSTEM)
*ALLOW UID ACCTLCDLT TO ATTACH ANY 13x WITH PAYxxx VOLUME
 R013* UID(ACCTLCDLT) VOL(PAY***) WRITE(A)
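To make the difference between the three rule forms above concrete, here is a small rule evaluator added for this page (example code, not part of CA ACF2 for VM) that parses entries in the syntax shown and reports whether a given ATTACH would be permitted. The mask semantics it assumes are an approximation: an asterisk stands for one alphanumeric character (a trailing run may also match fewer, as in the TAPEVOLS 123*** example), a dash matches the rest of the string (the R- form), and UIDs are compared exactly.

```python
import re

# Constructed rule set in the rule-entry syntax used on this page (not a real site's rules).
RULE_TEXT = """\
$KEY(SYSTEM)
*ALLOW REAL 130 TO BE ATTACHED TO UID ACCTLCDLT, WHATEVER VOLUME IS MOUNTED
 R0130 UID(ACCTLCDLT) WRITE(A)
*ALLOW UID ACCTLCDLT TO ATTACH ANY DEVICE HOLDING VOLUME PAY001
 R- UID(ACCTLCDLT) VOL(PAY001) WRITE(A)
*ALLOW UID ACCTLCDLT TO ATTACH ANY 13x DEVICE HOLDING A PAYxxx VOLUME
 R013* UID(ACCTLCDLT) VOL(PAY***) WRITE(A)
"""

def parse_rules(text):
    """Return [(dsn_mask, {keyword: value}), ...]; $KEY and '*' comment lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", "*")):
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        params = dict(re.findall(r"(\w+)\(([^)]*)\)", rest))
        rules.append((parts[0].upper(), params))
    return rules

def mask_to_regex(mask):
    """Assumed mask semantics (an approximation, not the ACF2 specification):
    '*' matches one alphanumeric character, a trailing run of asterisks may match
    fewer ('PAY***' covers 'PAY' through 'PAYXYZ'), and '-' matches the remainder."""
    body = mask.rstrip("*")
    trailing = len(mask) - len(body)
    pattern = "".join(".*" if c == "-" else "[A-Z0-9]" if c == "*" else re.escape(c)
                      for c in body)
    return re.compile("^%s[A-Z0-9]{0,%d}$" % (pattern, trailing))

def attach_allowed(rules, uid, ccuu, volser):
    """True if some WRITE(A) rule lets `uid` ATTACH real device `ccuu` (four hex
    digits) while volume `volser` is mounted on it. UIDs are compared exactly here."""
    dsn = "R" + ccuu.upper()
    for dsn_mask, p in rules:
        if p.get("UID") != uid or p.get("WRITE") != "A":
            continue
        if not mask_to_regex(dsn_mask).match(dsn):
            continue
        if "VOL" in p and not mask_to_regex(p["VOL"]).match(volser.upper()):
            continue
        return True
    return False
```

Evaluating each parsed rule on its own (for example `attach_allowed([rules[0]], "ACCTLCDLT", "0130", "SYS001")`) shows that the device-only form admits any volume on 130, the VOL-only form admits any device holding PAY001, and the combined form restricts both.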

You can enforce tape volume access protection through CA ACF2 for VM validation and system operator procedures.

TAPEVOLS Requirement for Tape Volume Access Rules

For validation, you must specify the volume serial label (volser) for the volume in the TAPEVOLS VMO record. Volume serial labels must consist of one to six alphanumeric characters. They can be masked using asterisks in any or all of the six characters. For example, in TAPEVOLS(767305, 123***) the TAPEVOLS field specifies that CA ACF2 for VM validates tape volumes with volser 767305 and volsers beginning with 123, followed by zero to three alphanumeric characters. The default TAPEVOLS specification is null; with a null specification no volumes are protected and tape volume access validation does not occur. Issue the SHOW STATE subcommand to display the current TAPEVOLS setting. For more information on the TAPEVOLS field, see the “About the Logonid Record” chapter.