

SAFDEF Record-SAF Call Environments

Record ID: SAFDEFqual

Fields:
ID(name)
FUNCRET(4|retcode)
FUNCRSN(0|rsncode)
JOBNAME(mask|********)
MODE(IGNORE|GLOBAL|LOG|QUIET)
PROGRAM(mask|********)
RACROUTE(keyword=value,...,keyword=value)
RB(mask|********)
RETCODE(0|4|8)
USERID(mask|********)

The SAFDEF record defines the SAF environment and instructs CA ACF2 for VM how to process a SAF call. CA ACF2 for VM provides internal SAFDEFs for SAF default protection. Both internal and external SAFDEFs display when you issue a SHOW SAFDEF command.

You can use the SAFDEF record to override how CA ACF2 for VM processes SAF calls. CA ACF2 for VM performs validation based on the environment you define in this record. You can create multiple SAFDEF records.

Fields

ID(name)

Specifies an ID name associated with the record. You can specify up to eight characters. This field is optional. We recommend you specify an ID because this name will appear as the first field displayed in the SHOW SAFDEF output.

Select a name that is unique and that conveys meaning about the type of SAF call you are defining. For example, VERSMS would be an appropriate ID for a SAFDEF record that defines the environment for a REQUEST=VERIFY call from DFSMS.

FUNCRET(4|retcode)

Specifies the SAF function-dependent return code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. For detailed descriptions of these return codes, refer to the IBM document entitled External Security Interface (RACROUTE) Macro Reference Guide. The default is four.

FUNCRSN(0|rsncode)

Specifies the SAF function-dependent reason code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. For detailed descriptions of these reason codes, refer to the IBM document entitled External Security Interface (RACROUTE) Macro Reference Guide. The default is zero.

JOBNAME(mask|********)

Specifies the user ID of the service machines that apply to this SAFDEF record. You can specify an eight-character user ID or a mask. The default is all service machines.

MODE(IGNORE|GLOBAL|LOG|QUIET)

Specifies the mode you want CA ACF2 for VM to use to process this SAF request. This field defaults to GLOBAL; a value is required. You can specify any one of the following values:

IGNORE

Bypass processing this SAF request.

GLOBAL

Process this SAF request with the mode specified in the VMO OPTS record. For generalized resource validations, use the CA ACF2 for VM recommendation to allow or deny the SAF request.

LOG

Upon return of the validation call, allow access even if access is denied. LOG does not force logging if a logonid is allowed access.

QUIET

Process this REQUEST=AUTH call in QUIET mode.

PROGRAM(mask|********)

This field is not active for VM sites. For more information about this field, see the CA ACF2 for VM for z/OS and OS/390 Administrator Guide.

RACROUTE(keyword=value,...,keyword=value)

Identifies the SAF request being made. Use this field to specify any valid RACROUTE parameters and values. This is a multi-value field. The maximum length that you can specify for the parameter keyword, operator, and value is 64 characters. Separate the entries with commas or blanks.

Note: There are SAFDEF restrictions with FASTAUTH processing. FASTAUTH does not allow the use of ENTITY on the RACROUTE field.

You can specify the following relational operators (depending on your type of keyboard) to indicate the presence of a particular value (for example, ENVIR=CREATE) or the presence of a pointer address (ACEE=>).

=   Equal to
¬=  Not equal to
<>  Not equal to
!=  Not equal to
=>  Pointer value
¬=>  No pointer value
!=>  No pointer value

Pointer values are valid only if the keyword operand is specified as a pointer to a data area or data structure (for example, ACEE). When you specify a pointer value, do not also specify a value for the operand. For example, the following request defines a VERIFY request for all user IDs except JOHN, where an ACEE is supplied:

RACROUTE(REQUEST=VERIFY,ACEE=>,USERID¬=JOHN)

You can mask character data types using the standard CA ACF2 for VM masking characters (asterisk and dash). You can mask other types of data only if the mask is complete. A complete mask indicates that the parameter matches all values. For example, you can specify the following to indicate that this parameter matches all values of USERID:

USERID=-

Whereas the following indicates that the USERID option does not apply to this RACROUTE request:

USERID¬=-
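
To make the operator and masking rules above concrete, the following Python example (added here; it is not CA ACF2 code and not part of this manual) parses a RACROUTE() specification and decides whether a SAFDEF record selects a given intercepted call, including the JOBNAME and USERID masks. It assumes the standard ACF2 masking meaning of asterisk (exactly one character) and dash (any trailing characters), that user IDs and job names are 8-byte blank-padded fields so the ******** default matches everything, and that a not-equal operator holds when the keyword is absent from the call, so KEYWORD¬=- is true only when the keyword is not coded.

```python
import re

# SAFDEF RACROUTE() relational operators, longest first so that '¬=>' is not
# read as '¬=' followed by a value of '>'.
_OPERATORS = ("¬=>", "!=>", "=>", "¬=", "<>", "!=", "=")
_ENTRY = re.compile(r"^([A-Z0-9@#$]+)(%s)(.*)$" % "|".join(map(re.escape, _OPERATORS)))

def mask_match(mask, value):
    """Assumed ACF2 masking: '*' stands for exactly one character, '-' for any
    number of trailing characters (zero or more); everything else is literal."""
    pattern = "".join("." if c == "*" else ".*" if c == "-" else re.escape(c) for c in mask)
    return re.fullmatch(pattern, value) is not None

def parse_racroute(spec):
    """Split 'REQUEST=VERIFY,ACEE=>,USERID¬=JOHN' into (keyword, operator, value)
    triples. Entries may be separated by commas or blanks, as the field allows."""
    triples = []
    for entry in filter(None, re.split(r"[,\s]+", spec)):
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError("bad RACROUTE entry: %r" % entry)
        triples.append(m.groups())
    return triples

def racroute_matches(spec, call):
    """True when every entry of the spec holds for `call`, a dict of the keywords
    coded on the intercepted RACROUTE macro (strings for values; an address or
    None for pointer operands such as ACEE)."""
    for keyword, op, value in parse_racroute(spec):
        present = keyword in call
        if op.endswith("=>"):                      # pointer operators take no value
            if value:
                raise ValueError("%s: pointer operator takes no value" % keyword)
            if (present and call[keyword] is not None) != (op == "=>"):
                return False
        else:
            # '=' needs the keyword present and mask-matched; the not-equal forms
            # need the opposite, so 'USERID¬=-' holds only when USERID is absent.
            if (present and mask_match(value, str(call[keyword]))) != (op == "="):
                return False
    return True

def safdef_applies(record, call, jobname, userid):
    """Does a SAFDEF record (dict of its JOBNAME, USERID and RACROUTE fields, each
    optional) select `call`, issued by service machine `jobname` for `userid`?
    Names are blank-padded to 8 bytes so the ******** default matches any name."""
    return (mask_match(record.get("JOBNAME", "********"), jobname.ljust(8))
            and mask_match(record.get("USERID", "********"), userid.ljust(8))
            and racroute_matches(record.get("RACROUTE", ""), call))
```

Run it with the VERIFY specification from this section and with the AUTH record from the example at the end of this page to see which calls each selects.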

RB(mask|********)

This field is not active for VM sites. For more information about this field, see the CA ACF2 for VM for z/OS and OS/390 Administrator Guide.

RETCODE(0|4|8)

Specifies the SAF return code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE.

0

Allow the request.

4

Let the caller decide how to process the request.

8

Deny the request.

The default is four.

USERID(useridmask|********)

Specifies the user ID that applies to this SAFDEF record. The default is all user IDs.

Creating Multiple VMO SAFDEF Records

To create multiple SAFDEF records, append a qualifier to the record name in the format SAFDEFqual so that you can define a unique record ID for that SAFDEF record for a particular SYSID. The RECID can be a maximum of 16 bytes. Therefore, you can specify a qualifier of up to ten characters. It must immediately follow the characters SAFDEF. If you use a period (.) as part of the qualifier string for the record name, CA ACF2 for VM counts it as one of the ten available characters.

For example, if you want to create a SAFDEF record for a VERIFY call from HSM and an AUTH call from HSM, you must use a qualifier to distinguish these two records. You could name the SAFDEF record for the VERIFY call SAFDEF.VERHSM and the SAFDEF record for the AUTH call SAFDEF.AUTHHSM. Naming records using qualifiers enables you to describe multiple unique environments and allows CA ACF2 for VM to add those records to the Infostorage database with unique identifiers.

CA ACF2 for VM processes all SAF calls by default. To override the default SAF processing for a specific security event, you can specify a SAFDEF record.

SHOW Subcommand

The SHOW SAFDEF and SHOW ALL subcommands display the values in the SAFDEF record.

SAFDEF Record Example

This section shows a simple SAFDEF record that you can create when you want CA ACF2 for VM to ignore validating the request.

Ignoring SAF Calls

A basic SAFDEF record that you may have to create is shown below:

set control(VMO)
 CONTROL(VMO)
list like(safdef-)
 PRD1 / SAFDEF.XYZ LAST CHANGED BY USER01 ON 07/03/00-12:13
           ID(AUTHXYZ) MODE(IGNORE) RETCODE(0)
           PROGRAM(********) JOBNAME(XYZ-)
           RACROUTE(REQUEST=AUTH,CLASS=DATASET)

In this example, the SAFDEF record is for the XYZ product. The product makes a SAF call that CA ACF2 for VM intercepts. In this case, suppose the SAF call is a RACROUTE REQUEST=AUTH,CLASS=DATASET. The site decided to instruct CA ACF2 for VM to bypass processing of this request because it did not want CA ACF2 for VM to validate these calls.

By specifying MODE(IGNORE) and RETCODE(0), CA ACF2 for VM allows the product XYZ to access the data set without creating a logging record. The site does not have to create a rule.