

What Does CA ACF2 for z/VM Control?

CA ACF2 for z/VM controls access to your computer system, data, and resources. Unique CA ACF2 for z/VM records and rules define users to the system and control how data and resources are accessed. CA ACF2 for z/VM design is based on the philosophy that only authorized system users are granted access at the data and resource level.

System Access

CA ACF2 for z/VM controls access to your VM system. It lets an account manager assign a unique logonid for each user. CA ACF2 for z/VM stores the logonid and other information that defines the user’s privileges in logonid records on the Logonid database. In addition to the logonid, account managers can also specify a user’s specific privileges, such as whether he can create, update, and delete logonid records, and whether his access privileges are confined to a specific shift or time period.

CA ACF2 for z/VM protects logonid records in two ways. Although CA ACF2 for z/VM allows each user to display his own logonid record, he cannot grant himself sensitive privileges or view the logonid records of other users unless he is authorized. Only privileged users can display, create, update, and delete logonid records of other users.

CA ACF2 for z/VM also protects logonids by requiring users to enter their logonids and passwords to gain access to the system. After you enter your logonid and password, CA ACF2 for z/VM brings your logonid record into storage to verify your privileges. If you are authorized and your logonid and password match, you can access the system. If you are not authorized to access the system or your password does not match, CA ACF2 for z/VM aborts your request and you cannot log on. CA ACF2 for z/VM creates audit records that log the unsuccessful access attempt. To further protect your system from unauthorized access or prevent the misuse of logonids, CA ACF2 for z/VM provides an option that lets you deny access or suspend the logonid of a user who cannot match his password a specified number of times in a given day. Only a security administrator can reactivate a suspended logonid.
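The logon check and the daily failure limit just described can be modelled in a few lines. The following Python is an added example for this page, not CA ACF2 code: the threshold `MAX_DAILY_FAILURES`, the record layout, the PBKDF2 password hashing and the `AUDIT` list standing in for audit records are all constructed assumptions, and the real site option and record formats are not shown on the page.

```python
"""Toy model of logon validation with per-day failure suspension.

Added example, not CA ACF2 code. The threshold, hashing scheme, record layout
and audit-record shape are constructed assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import os

MAX_DAILY_FAILURES = 3   # assumed site option; the real value is site-defined

AUDIT: list[dict] = []   # stands in for the audit records written on failures


@dataclass
class LogonidRecord:
    """Constructed stand-in for a logonid record on the Logonid database."""
    logonid: str
    salt: bytes
    pw_hash: bytes
    suspended: bool = False
    fail_count: int = 0
    fail_date: date | None = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(logonid: str, password: str) -> LogonidRecord:
    salt = os.urandom(16)
    return LogonidRecord(logonid, salt, _hash(password, salt))


def logon(db: dict[str, LogonidRecord], logonid: str, password: str, today: date) -> str:
    """Return "ALLOWED", "DENIED" or "SUSPENDED" and record failed attempts."""
    rec = db.get(logonid)
    if rec is None:
        AUDIT.append({"logonid": logonid, "event": "UNKNOWN-LOGONID", "date": today})
        return "DENIED"
    if rec.suspended:
        AUDIT.append({"logonid": logonid, "event": "SUSPENDED-LOGONID", "date": today})
        return "SUSPENDED"
    # The failure count is kept per day, so a new day starts from zero.
    if rec.fail_date != today:
        rec.fail_count = 0
        rec.fail_date = today
    if hmac.compare_digest(rec.pw_hash, _hash(password, rec.salt)):
        rec.fail_count = 0
        return "ALLOWED"
    rec.fail_count += 1
    AUDIT.append({"logonid": logonid, "event": "PASSWORD-MISMATCH", "date": today})
    if rec.fail_count >= MAX_DAILY_FAILURES:
        rec.suspended = True
        AUDIT.append({"logonid": logonid, "event": "LOGONID-SUSPENDED", "date": today})
        return "SUSPENDED"
    return "DENIED"


def reactivate(db: dict[str, LogonidRecord], logonid: str, actor_is_security_admin: bool) -> bool:
    """Only a security administrator may clear a suspension."""
    rec = db.get(logonid)
    if rec is None or not actor_is_security_admin:
        return False
    rec.suspended = False
    rec.fail_count = 0
    return True
```

The suspension persists across a successful password match until a security administrator calls `reactivate`, which is the behaviour the page describes; the daily reset means two failures on one day and one on the next do not add up to a suspension.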

Data Access

CA ACF2 for z/VM gives a data owner unlimited access to his data. In the VM environment, each VM user ID is assigned a minidisk or SFS file space. The person who is assigned to a virtual machine is considered the owner of the virtual machine minidisks and SFS file space. You can redirect data ownership through the PREFIX field of the logonid record.

To allow others to access data, you must write access rules. Access rules specify who can access specific data and under what conditions access can occur. If your site runs under the centralized security option, security administrators must write the access rules. If you are running under the decentralized option, data owners can write access rules. If no access rules exist, only the data owner or security administrator can access the data. For more information on centralized and decentralized security, see Centralized and Decentralized Security Administration in “How Does CA ACF2 for z/VM Work?”

Access rules are stored on the Rule database in records called rule sets. The first request to access data brings the appropriate rule set into memory and places it in a cache for future reference. CA ACF2 for z/VM validates the request against the rule set to determine whether the level of access to the data is prevented (the default), allowed but logged, or allowed. If the rule set instructs CA ACF2 for z/VM to prevent the access, or if no rule set exists, the access is automatically prevented and CA ACF2 for z/VM writes an SMF record. If the rule set instructs CA ACF2 for z/VM to log the access, the access is allowed, and CA ACF2 for z/VM writes an SMF record. If the request is allowed by a rule entry, access is allowed and CA ACF2 for z/VM does not create an SMF record.

Resource Access

Unlike data sets, which can be owned by a user, the resources of a computer system cannot be owned. Resources include the AUTOLOG command, group user IDs, the DIAL command, and any other resource your site wants to define. To control the use of resources, security administrators can write resource rules. Resource rules specify who can use a resource and under what conditions it can be shared. CA ACF2 for z/VM stores the rule sets for accessing logical resources in the Infostorage database.

CA ACF2 for z/VM validates requests against resource rule sets to determine whether access to a specific resource is prevented (the default), allowed but logged, or allowed. If the rule set instructs CA ACF2 for z/VM to prevent the access or if no rule set exists, CA ACF2 for z/VM denies access to the resource and creates an SMF record. If the rule set instructs CA ACF2 for z/VM to log the access, CA ACF2 for z/VM allows access to the resource and creates an SMF record. If the request is allowed by an entry in the rule set, CA ACF2 for z/VM lets the user access the resource.
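The data-access and resource-access decisions above follow the same three-way outcome (prevented by default, allowed but logged, allowed) and the same SMF-writing pattern, so one model covers both sections. The Python below is an added example for this page, not CA ACF2 code: the rule-entry syntax, the `(kind, key)` lookup, the shift names, the `RuleCache` read counter and the `SMF` list are constructed assumptions; the only behaviour taken from the page is the outcome precedence, the "no rule set means prevented" default, the owner's unlimited access to his own data, and which outcomes produce an SMF record.

```python
"""Toy model of access-rule validation for data and resource requests.

Added example, not CA ACF2 code. Rule syntax, lookup keys, shift names and the
SMF record shape are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
import fnmatch


class Outcome(Enum):
    PREVENT = "PREVENT"   # the default when nothing matches or no rule set exists
    LOG = "LOG"           # access allowed, SMF record written
    ALLOW = "ALLOW"       # access allowed, no SMF record


@dataclass
class RuleEntry:
    user_pattern: str           # constructed: glob over the logonid, e.g. "AUD*"
    outcome: Outcome
    shift: str | None = None    # None = any shift; otherwise must match the request


@dataclass
class RuleSet:
    entries: list[RuleEntry]    # first matching entry wins (assumed ordering)


@dataclass
class Request:
    logonid: str
    kind: str                   # "DATA" or "RESOURCE"
    key: str                    # DATA: owner prefix; RESOURCE: resource name
    shift: str = "DAY"


class RuleCache:
    """First reference loads the rule set from the database; later ones hit the cache."""

    def __init__(self, db: dict[tuple[str, str], RuleSet]):
        self._db = db
        self._cache = {}
        self.db_reads = 0

    def get(self, kind: str, key: str) -> RuleSet | None:
        k = (kind, key)
        if k not in self._cache:
            self.db_reads += 1
            self._cache[k] = self._db.get(k)   # None is cached too: "no rule set"
        return self._cache[k]


SMF: list[dict] = []   # stands in for SMF records


def validate(cache: RuleCache, req: Request) -> tuple[bool, bool]:
    """Return (access_allowed, smf_record_written)."""
    # The page states that a data owner has unlimited access to his own data.
    # Whether that access produces an SMF record is not stated; assumed not.
    if req.kind == "DATA" and req.logonid == req.key:
        return True, False
    rule_set = cache.get(req.kind, req.key)
    outcome = Outcome.PREVENT
    if rule_set is not None:
        for e in rule_set.entries:
            if fnmatch.fnmatchcase(req.logonid, e.user_pattern) and e.shift in (None, req.shift):
                outcome = e.outcome
                break
    if outcome is Outcome.ALLOW:
        return True, False
    # Both PREVENT and LOG write an SMF record; only LOG also grants access.
    SMF.append({"logonid": req.logonid, "kind": req.kind, "key": req.key,
                "outcome": outcome.value})
    return outcome is Outcome.LOG, True
```

Because a missing rule set is cached as `None`, repeated requests for unprotected data or resources are denied without another database read, which matches the page's description of the first request bringing the rule set into memory; note also that the default is to deny, so an entry that merely fails to match (for example, because of the shift) never grants anything.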

Access Protection

CA ACF2 for z/VM stores other types of records in the Infostorage database that further restrict access to the system, data, and resources. For example, you can create infostorage records that: