

Protecting Special Resources

CA ACF2 for VM supplies eight type codes. These type codes are classified in storage class “R” and are used for special kinds of resource rules. The resources and their default type codes are:

VM account support (ACT default)

Specifies that if a VM account number is assigned, you can change it with the SET ACCOUNT command whenever you issue the LOGON or AUTOLOG commands. Resource rules and VMACCT logonid values provide account number validation.

AUTOLOG resource rules (ALG default)

Validate AUTOLOG commands automatically. This is necessary because CA ACF2 for VM lets you execute the AUTOLOG command without a password in predefined instances. This default also applies to the XAUTOLOG command.

Group machine logon resource rules (GRP default)

Validate group logon resource rules when you log onto a group virtual machine with the GRPLOGON privilege. This ensures that only authorized individuals who are specifically defined through resource rules can log onto group machines.

DIAL resource rules (DIA default)

Validate DIAL resource rules automatically unless the target user ID has the DIALBYP privilege in his logonid record. This ensures that only authorized individuals who are specifically defined through resource rules can dial into machines that have been secured for DIAL validation.

IUCV resource rules (IUC default)

Provide a fine degree of audit and control in establishing and terminating Inter User Communication Vehicle (IUCV) paths for transferring data.

APPC/VM resource rules (IUC default)

Provide a fine degree of audit and control in establishing and terminating Advanced Program‑to‑Program Communication/VM paths for transferring data.

POSIX resource rules (PGR default)

Specifies the groups, both primary and supplemental, that each system user can use.

ESA dataspace resource rules (DSP default)

Validates access to ESA dataspaces at permit time. This ensures that only authorized individuals who are specifically defined through resource rules can access dataspaces.

VMCF resource rules (VMC default)

Provide a fine degree of audit and control in establishing and terminating Virtual Machine Communication Facility (VMCF) paths for transferring data.

This chapter describes the types of resource rules specific to CA ACF2 for VM and how they work with other CA ACF2 for VM controls.

This section contains the following topics:

Account Support through CA ACF2 for VM

VM Native AUTOLOG Support

AUTOLOG or XAUTOLOG Validation

AUTOLOG or XAUTOLOG Implementation

The GRPLOGON Privilege: Logging onto Group Machines

Protecting the DIAL Command

IUCV, APPC/VM, and VMCF Validation and Logging

POSIX Supplemental Group Validation

VM Dataspace Security