CA ACF2 for VM next validates AUTOLOG resource rules, regardless of the CA ACF2 for VM access mode setting and any special privileges you might have (for example, SECURITY). When checking AUTOLOG resource rules,
CA ACF2 for VM:
For example, the following rule set lets OPERATOR, MAINT, or SYSMGR (the initiators) autolog TLCAMS (the target):
$KEY(TLCAMS) TYPE(ALG)
 UID(OPERATOR) ALLOW
 UID(MAINT) ALLOW
 UID(SYSMGR) ALLOW
During validation of the AUTOLOG resource rule, CA ACF2 for VM also checks the logonid of the initiator machine (the machine performing the autolog) for the AUTOALL privilege. This is a super AUTOLOG privilege similar to NON‑CNCL for data access. If AUTOALL is specified, the autolog occurs, even if there is no rule explicitly allowing the request. CA ACF2 for VM records this override, and all other loggings and invalid accesses, in the Resource Event Log (ACFRPTRV).
AUTOLOG resource rules replace the AUTOLOG or XAUTOLOG CP directory statements in native VM. For example, the following two user definitions are in the CP directory:
USER TLCAMS TLCAMS 2M 8M G
AUTOLOG RON BOB TIM
USER AUTOLOG1 AUTOLOG1 2M 8M G
XAUTOLOG JANE ANN MARY
In native VM, the first AUTOLOG statement lets class G users (RON, BOB, and TIM) autolog the target virtual machine (TLCAMS) using XAUTOLOG. The second statement lets class G users (JANE, ANN, and MARY) autolog AUTOLOG1 using XAUTOLOG. These directory statements apply only to the XAUTOLOG command.
CA ACF2 for VM ignores AUTOLOG or XAUTOLOG directory statements and enforces AUTOLOG resource validation instead. To permit the same autologs that the directory entries above define, you need the following resource rules:
$KEY(TLCAMS) TYPE(ALG)
 UID(RON) ALLOW
 UID(BOB) ALLOW
 UID(TIM) ALLOW

$KEY(AUTOLOG1) TYPE(ALG)
 UID(JANE) ALLOW
 UID(ANN) ALLOW
 UID(MARY) ALLOW
We provide a REXX EXEC called ACFCVALG to help you create AUTOLOG resource rules from the CP directory. You can run this exec while installing CA ACF2 for VM on VM after a system IPL.
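The directory-to-rule mapping described above, as an added Python illustration for reviewing what a conversion should produce; it is not the ACFCVALG exec or any CA code. The sample directory is constructed (SERVER1 is a hypothetical user), and the parser assumes one statement per line with `*` comment lines.

```python
"""Added illustration: derive AUTOLOG (TYPE(ALG)) rule sets from CP directory text."""

# Constructed sample: the two entries from the text, a repeated initiator,
# and a hypothetical user (SERVER1) with no AUTOLOG/XAUTOLOG statement.
SAMPLE_DIRECTORY = """\
* constructed sample directory
USER TLCAMS TLCAMS 2M 8M G
AUTOLOG RON BOB TIM
USER AUTOLOG1 AUTOLOG1 2M 8M G
XAUTOLOG JANE ANN MARY
XAUTOLOG MARY
USER SERVER1 SERVER1 2M 8M G
"""


def parse_autolog_statements(directory_text):
    """Return {target: [initiators]} in directory order, without duplicates."""
    targets = {}
    current = None
    for raw in directory_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("*"):
            continue  # blank line or comment
        keyword = words[0].upper()
        if keyword == "USER" and len(words) > 1:
            current = words[1].upper()
            targets[current] = []
        elif keyword in ("AUTOLOG", "XAUTOLOG") and current is not None:
            for initiator in (w.upper() for w in words[1:]):
                if initiator not in targets[current]:
                    targets[current].append(initiator)
    return targets


def build_rule_sets(targets):
    """Render one $KEY(target) TYPE(ALG) rule set per target that has initiators."""
    rule_sets = []
    for target, initiators in targets.items():
        if not initiators:
            continue  # no directory statement, so no rule set to carry over
        # Assumption: UID(...) holds the user ID as in the page's examples;
        # a site's own UID string layout may require a different mask.
        lines = [f"$KEY({target}) TYPE(ALG)"]
        lines += [f" UID({initiator}) ALLOW" for initiator in initiators]
        rule_sets.append("\n".join(lines))
    return rule_sets


if __name__ == "__main__":
    print("\n\n".join(build_rule_sets(parse_autolog_statements(SAMPLE_DIRECTORY))))
```

Targets that come out with an empty initiator list get no rule set, so after conversion only an initiator with the AUTOALL privilege can autolog them; that list is worth reviewing before relying on the converted rules.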
Copyright © 2009 CA Technologies.
All rights reserved.