CA ACF2 for VM validates all VM dataspace accesses. This validation occurs at PERMIT time, not at actual access time.
CA ACF2 for VM activates dataspace protection by default at installation time. You can turn it off by changing the OPTS VMO record to NODSPVLD. To turn it back on, change the OPTS VMO record to DSPVLD.
The resource rule type for dataspace validation is specified by the DSPACE(xxx) keyword of the RESCLASS VMO record. The default DSPACE resource rule type for dataspaces is DSP.
As with IUCV validation, the owner of a dataspace must be defined in the COMSEC list before dataspace validation can occur. Unlike IUCV validation rules, dataspace rules must distinguish between READ and WRITE access to the dataspace. Therefore, dataspace rules use the SERVICE keyword of resource rules to distinguish between READ access (which is read‑only) and UPDATE access (both READ and WRITE).
The following sample dataspace access rule permits TLCAMS read access to any dataspace that TLCJAM created, and lets TLCMEG have write access:
$KEY(TLCJAM) TYPE(DSP)
UID(TLCAMS) SERVICE(READ) ALLOW
UID(TLCMEG) SERVICE(UPDATE) ALLOW
CA ACF2 for VM issues the following message to the issuer of the ADRSPACE MACRO PERMIT function for dataspace violations:
Dataspace WRITE access denied for userid TLCAMS
CA ACF2 for VM issues the following message to the system operator and the target user ID, TLCAMS, at the same time:
Dataspace WRITE access to userid TLCJAM denied for userid TLCAMS
Since a long‑running server usually grants dataspace permission on behalf of a user, CA ACF2 for VM does not increment the violation count of the server issuing the dataspace permit. This is so CA ACF2 for VM does not log off the server.
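The PERMIT-time check described above can be modeled for rule review, as an added example that is not CA ACF2 for VM code. The function and parameter names are hypothetical, and the sketch assumes exact user ID matching, a default of deny when no rule entry applies, and that the message text for other access types follows the WRITE messages shown above.

```python
import re

# The sample rule from this page, one rule entry per line.
SAMPLE_RULE = """$KEY(TLCJAM) TYPE(DSP)
UID(TLCAMS) SERVICE(READ) ALLOW
UID(TLCMEG) SERVICE(UPDATE) ALLOW"""

# From the page: READ is read-only, UPDATE is both READ and WRITE.
GRANTS = {"READ": {"READ"}, "UPDATE": {"READ", "WRITE"}}

def parse_rule(text):
    """Parse a dataspace rule into (owner, rule_type, {uid: accesses})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = re.fullmatch(r"\$KEY\((\w+)\)\s+TYPE\((\w+)\)", lines[0])
    if head is None:
        raise ValueError(f"unrecognized rule header: {lines[0]!r}")
    allowed = {}
    for ln in lines[1:]:
        m = re.fullmatch(r"UID\((\w+)\)\s+SERVICE\((\w+)\)\s+ALLOW", ln)
        if m is None or m.group(2) not in GRANTS:
            raise ValueError(f"unsupported rule entry: {ln!r}")
        allowed.setdefault(m.group(1), set()).update(GRANTS[m.group(2)])
    return head.group(1), head.group(2), allowed

def validate_permit(rule_text, owner, target, access, comsec,
                    dspvld=True, dsp_type="DSP"):
    """Model one PERMIT-time check; returns (decision, messages)."""
    # With NODSPVLD, or an owner missing from the COMSEC list,
    # dataspace validation does not occur at all.
    if not dspvld or owner not in comsec:
        return "NOT-VALIDATED", []
    key, rule_type, allowed = parse_rule(rule_text)
    # Assumption: exact user ID match, default deny if no entry applies.
    if (key == owner and rule_type == dsp_type
            and access in allowed.get(target, ())):
        return "ALLOW", []
    return "DENY", [
        # Sent to the issuer of the PERMIT function.
        f"Dataspace {access} access denied for userid {target}",
        # Sent to the system operator and the target user ID.
        f"Dataspace {access} access to userid {owner} denied for userid {target}",
    ]
```

The NOT-VALIDATED result is worth checking for during a review: a dataspace owner that is missing from the COMSEC list is not covered by these rules, however they are written.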
Copyright © 2009 CA Technologies.
All rights reserved.