Command models are an important component of command limiting. These models describe the valid syntax, format, and operands of a CP command to CA ACF2 for z/VM. One command model exists for each CP command. However, there can be multiple command models for the same CP command with different operating system and release identifiers.
For example, the following command limiting rules can coexist:
$KEY(IPL) MDLTYPE(510)
$KEY(IPL) MDLTYPE(520)
$KEY(IPL) MDLTYPE(530)
$KEY(IPL) MDLTYPE(540)
$KEY(IPL) MDLTYPE(610)
$KEY(IPL) MDLTYPE(620)
$KEY(IPL) MDLTYPE(630)
While the $KEY identifying the IPL command is the same, the MDLTYPEs identifying the operating system and release are different.
We supply command models for each standard CP command. Typically, they are compiled and stored on the Infostorage database during the initial installation of CA ACF2 for z/VM. You can modify these models. For information about using MDLTYPE, see the chapter "Syntax Model Command Language."
The ACFRPTCL report formats the logging and violation records that are written when CA ACF2 for z/VM validates the execution of a command. For more information about this report, see the Reports and Utilities Guide.
Most CP commands accept many different types of operands that are translated (or transposed) in some way when CP interprets them. Transposition routines convert CP command operands and run-time values into a common form for rule writing. This lets you write general rules so you do not have to account for every command variation. You should be aware of the role transposition plays during command validation. Knowing which operands are transposed, and how, makes it easier to write rules that require minimal future maintenance while providing a high degree of CP command security.
As an example of how transposition routines work, assume you want to write a rule to allow the user ID MAINT to execute the ATTACH command. You create the following rule entry:
*- TO OWNER AS *- UID(MAINT) ALLOW
This rule entry is transposed to:
*- TO MAINT AS *- UID(MAINT) ALLOW
MAINT then issues the following command:
ATTACH 0381 TO * AS 381
CA ACF2 for z/VM interprets this command as:
ATTACH 0381 TO MAINT AS 0381
Comparing the command to the rule, CA ACF2 for z/VM makes the following determinations:
Since all operands and the user ID match the rule, CA ACF2 for z/VM now checks the authorization that was specified in the rule entry (ALLOW) and the command is allowed.
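The ATTACH walk-through above can be traced end to end in a small model of transposition and rule matching. The following Python is an added illustration, not CA ACF2 for z/VM's own code: it assumes that `*` after TO stands for the issuing user ID, that device addresses are padded to four hex digits, that OWNER in a rule entry is replaced by the entry's UID, and that the `*-` mask matches any single operand. The default of PREVENT when no entry matches is also an assumption made for this example.

```python
import re

# Constructed model of operand transposition and rule matching for the page's
# ATTACH example. Not CA ACF2 for z/VM's own code; the tokenizing, masking and
# default-deny behaviour here are assumptions made for illustration.

# Operand positions that carry a device address: right after the verb and after AS.
ADDRESS_SLOTS = {"ATTACH", "AS"}


def transpose_command(issuer, command):
    """Return the command as the validator sees it: upper-cased, '*' after TO
    replaced by the issuing user ID, device addresses padded to four hex digits."""
    tokens = command.upper().split()
    out = []
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else None
        if tok == "*" and prev == "TO":
            out.append(issuer.upper())
        elif prev in ADDRESS_SLOTS and re.fullmatch(r"[0-9A-F]{1,4}", tok):
            out.append(tok.zfill(4))
        else:
            out.append(tok)
    return " ".join(out)


def parse_rule(rule_entry):
    """Split '<operand masks> UID(<uid>) <action>' into its parts and transpose
    OWNER to the entry's UID, as the page describes for the MAINT rule."""
    m = re.fullmatch(r"(.*?)\s*UID\(([^)]+)\)\s+(\w+)", rule_entry.strip(), re.I)
    if not m:
        raise ValueError(f"unparseable rule entry: {rule_entry!r}")
    operands = m.group(1).upper().split()
    uid = m.group(2).upper()
    action = m.group(3).upper()
    operands = [uid if tok == "OWNER" else tok for tok in operands]
    return {"operands": operands, "uid": uid, "action": action}


def operand_matches(mask, value):
    """'*-' masks a whole operand (assumption); anything else must match exactly."""
    return mask == "*-" or mask == value


def validate(issuer, command, rule_entries):
    """Transpose the command, then return the action of the first rule entry whose
    UID and operand masks both match; PREVENT if none does (assumed default)."""
    transposed = transpose_command(issuer, command)
    _verb, *operands = transposed.split()
    for entry in rule_entries:
        rule = parse_rule(entry)
        if rule["uid"] != issuer.upper():
            continue
        if len(rule["operands"]) != len(operands):
            continue
        if all(operand_matches(m, v) for m, v in zip(rule["operands"], operands)):
            return rule["action"]
    return "PREVENT"


if __name__ == "__main__":
    rules = ["*- TO OWNER AS *- UID(MAINT) ALLOW"]
    print(transpose_command("MAINT", "ATTACH 0381 TO * AS 381"))
    print(validate("MAINT", "ATTACH 0381 TO * AS 381", rules))
    print(validate("OPERATOR", "ATTACH 0381 TO * AS 381", rules))
```

Running the block prints the transposed command `ATTACH 0381 TO MAINT AS 0381`, then `ALLOW` for MAINT and `PREVENT` for a user the rule entry does not name. The point for rule writers is visible in `transpose_command`: because `381` and `0381` collapse to one form and `*` collapses to the issuer, a single entry covers every spelling of the same request.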
Copyright © 2013 CA Technologies.
All rights reserved.