Protecting Special Resources › IUCV, APPC/VM, and VMCF Validation and Logging › System Access through Resource Rules

System Access through Resource Rules

When you issue a request to establish or terminate a one‑way IPC path connection, CA ACF2 for VM optionally validates the action through a resource rule.

You can define target machines in the COMSEC operand of the SRVMOPTS macro to secure them from unauthorized accesses. The default value is COMSEC=(INCLUDE,-), securing all virtual machines, CP services, and resource IDs for IPC resource rule validation.

When you define the target machines, you can explicitly name the machines, CP system services, and resource IDs in the INCLUDE= option or name the target machines that are not secured in the EXCLUDE= option. You can specify COMSEC=(EXCLUDE,-) in the VMXAOPTS macro to totally disable it.

CA ACF2 for VM then checks the resource rule (if implemented through COMSEC). Each rule entry defines a one way IPC path connection from an initiator virtual machine to a target machine.

CA ACF2 for VM:

• Validates the logonid, appropriate service machine name, CP system service, or resource ID as the $KEY value for resource rules. It validates the target machine (the recipient of a request to perform a data or message transfer) as a rule set $KEY value. You can specify the resource rule's type code in the TYPES field of the RESTYPE VMO record to mask this value.
• Validates the user ID of the initiator machine (the invoker of a request to perform a data or message transfer) as a UID value of an entry in the rule set. Standard UID masking applies for this value.
• The rule set type codes are IUC (to validate IUCV and APPC/VM) and VMC (to validate VMCF) by default. These type codes are defined in the IUCV and VMCF fields of the RESCLASS VMO record.