You can grant special privileges to a user in their logonid record. You can restrict these privileges with scope records. Scope records have a record class of S and a type of SCP. They are stored on the Infostorage database. They can limit a user’s ability to access any or all of the following:
A scope record does not become effective for a given user until you specify the name of the scope record in the SCPLIST field of that user’s logonid record.
The special logonid record privileges are designed to promote separation of function. The most often used privileges are:

SECURITY: Gives a user authority to write access rules for all data, to modify all Infostorage database records, and to modify most fields of the logonid record.

ACCOUNT: Gives a user authority to insert, list, change, and delete logonid records.

AUDIT: Gives a user authority to display all access rules, all Infostorage database records, and all logonid records. An AUDIT user can display records, but cannot change or create records.
A scope record is from 1 to 44 characters long and contains specific information depending on the type of record. A scope record name is from one to eight characters long and is specified in the SCPLIST field of the logonid record. The scope record name specified in the SCPLIST field points to the associated scope record on the Infostorage database. A scope entry that limits a user’s authority over logonid records can contain the actual logonid and UID or a masked logonid and UID.
For example, in a decentralized environment, the Director of the Financial Division for the True Lock Company may have the ACCOUNT privilege to create and maintain logonid records for his division, but only his division. If the UID format at the True Lock Company is defined as company (TLC), division (FIN), and the user’s logonid, a scope record for the Finance director would specify UID(TLCFIN-) and the associated logonid (or masked logonid). Logonid entries limit him to only the financial group of logonid records. You can also limit a SECURITY user to particular groups of filenames for rule writing.
The presence of any SCPLIST value, regardless of the actual entries in the related scope record itself, limits that user. A security administrator whose scope record contains only entries that govern logonid records is limited, even though his scope record contains no entries for access rules. A logonid record must match both the LID and the UID entries of that user’s scope record before the user can modify the record. If a user has an SCPLIST value, you must specify all matching scope entries for that user.
If there is no scope definition present (LID, UID, or DSN), no records match.
Note: We will not support DSNSCOPE, LIDSCOPE, and UIDSCOPE in future releases. We recommend that you use SCPLIST to impose restrictions.
A restricted security administrator or account manager has limited power to perform specific CA ACF2 for z/VM functions. An account manager or security administrator with no scope list is unrestricted. The SCPLIST determines the user’s restriction.
Security administrators can create scope records and specific scope entries by using the ACF command and its subcommands under the SCOPE setting in a way similar to the creation of other CA ACF2 for z/VM records. Use the INSERT, LIST, CHANGE, and DELETE subcommands of the ACF command to create and maintain scope records. You can find complete details on how to use the ACF subcommands to process scope records in the Administrator Guide.
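The scoping decision described above (no SCPLIST means unrestricted; an SCPLIST pointing at a scope record with no LID or UID entries matches nothing; otherwise a target logonid must match both a LID and a UID entry), as an added illustration in Python. This is a model written for this page, not CA ACF2 code; the scope record names, logonids and UIDs are constructed, and the mask semantics used here (`*` matches one character, `-` matches the rest of the value) are an assumption, not a statement of the full ACF2 masking rules.

```python
import re

# Constructed scope records keyed by the name that would appear in SCPLIST.
# FINSCOPE follows the True Lock Company example: UID(TLCFIN-) plus a masked LID.
# UIDONLY deliberately lacks LID entries, so no logonid record can match it.
SCOPE_RECORDS = {
    "FINSCOPE": {"lid": ["FIN-"], "uid": ["TLCFIN-"]},
    "UIDONLY": {"lid": [], "uid": ["TLCFIN-"]},
}


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a scope-entry mask into a regex (assumed simplified semantics).
    '*' stands for exactly one character, '-' for any run of characters to the end."""
    parts = []
    for ch in mask.upper():
        if ch == "*":
            parts.append(".")
        elif ch == "-":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matches(mask: str, value: str) -> bool:
    return mask_to_regex(mask).match(value.upper()) is not None


def can_modify_logonid(admin: dict, target: dict, scope_records=SCOPE_RECORDS) -> bool:
    """admin: {'privileges': set, 'scplist': name or None}; target: {'lid', 'uid'}."""
    if "ACCOUNT" not in admin["privileges"]:
        return False  # no logonid maintenance authority at all
    scplist = admin.get("scplist")
    if scplist is None:
        return True  # an account manager with no scope list is unrestricted
    scope = scope_records.get(scplist, {})
    lids, uids = scope.get("lid", []), scope.get("uid", [])
    if not lids or not uids:
        return False  # the mere presence of SCPLIST restricts; missing entries match nothing
    return (any(matches(m, target["lid"]) for m in lids)
            and any(matches(m, target["uid"]) for m in uids))


if __name__ == "__main__":
    director = {"privileges": {"ACCOUNT"}, "scplist": "FINSCOPE"}
    clerk = {"lid": "FINCLK01", "uid": "TLCFINFINCLK01"}
    print("director can modify FINCLK01:", can_modify_logonid(director, clerk))
```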
Copyright © 2009 CA Technologies.
All rights reserved.