Select CA ACF2 for z/VM options to customize the implementation to your needs and to phase it in. Certain options must be set for the first IPL; for other options you can select temporary values so that CA ACF2 for z/VM protection is introduced into your system in stages. Indicate these choices by setting up the various CA ACF2 for z/VM parameters. The Implementation Team should review all the options and select appropriate values for the first IPL and for later use (with target dates for changing the significant ones). A few special areas are highlighted below.
Carefully plan the structure of the User Identification string (UID). If the current VM directory user IDs already carry a high information content, such as division, department, or job responsibility, it may be adequate to carry those conventions over directly to the UID. If this is not the case, you can add fields that contain this information to the logonid record and instruct CA ACF2 for z/VM to build its UID from a concatenation of these new fields and the logonid. A UID with a high information content lets the security administrator (SA) manage groups of individuals very easily, because data access rules can specify UID patterns (masks) rather than individual logonids. In this way, you can give all users in a department or location access to protected resources (such as minidisks, CMS files, and OS data sets) with a single rule entry, instead of maintaining a list of every logonid in that group.
CA ACF2 for z/VM options are specified in the CA ACF2 for z/VM Field Definition Record (ACFFDR) macros and the VMO records. The ACFFDR macros and VMO records affect the overall bounds of controls on your system. These include options such as:
CA ACF2 for z/VM does not replace the VM directory information for each user. Virtually all information contained in the VM directory remains valid, except for the password associated with your logonid: you must enter your CA ACF2 for z/VM password when you log on instead of the VM user ID password. Directory minidisk passwords can be either ignored or enforced, as an installation option. If you install the optional CA ACF2 for z/VM interface for DirMaint (the IBM Directory Maintenance Program Product), you must enter the CA ACF2 for z/VM password whenever DirMaint requires a password revalidation. Be aware that the interface cannot replace the standard DirMaint password revalidation message and prompt: DirMaint prompts you with its usual message, but it is the CA ACF2 for z/VM password that you must enter. CA ACF2 for z/VM also provides optional command limiting validation and logging for the DIRM command. When activated, CA ACF2 for z/VM can validate both privileged and general user DIRM commands and log all DIRM command activity. You can use this DIRM command support to detect and control minidisk overlaps, minidisk deletions, and minidisk transfers, and it is an effective way to control directory maintenance functions in general. See the Command and Diagnose Limiting Guide for complete details.
In the VM environment, MDISK entries in the VM Directory determine the data ownership of a minidisk. This is particularly important in decentralized security environments, where you are responsible for writing access rules for your own data. To share a minidisk with other users, the owner of the minidisk (or a security administrator) must compile and store an access rule set. This rule set specifies who can access the minidisk and what conditions must be met before the access is allowed. You can store a rule entry that allows access to other users for each CMS file that resides on the minidisk. See the “Writing Access Rules” chapter for more information.
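The two ideas above (a UID built by concatenating logonid-record fields, and a rule set for a minidisk whose entries select users by UID mask) can be illustrated with a small model. The following Python is an added example written for this page; it is not CA code and does not use CA ACF2 for z/VM rule syntax. The field names and widths, the sample logonid records, the rule set, and the masking convention (`*` matches one character, `-` matches the rest of the string, first matching entry decides, no match means deny) are all assumptions made for the illustration.

```python
"""Model of UID construction from logonid-record fields and UID-mask rules.
Added illustration only: field layout, masking rules and sample data are
assumptions, not CA ACF2 for z/VM definitions."""
from dataclasses import dataclass

# Hypothetical UID layout: (field name, width). A real installation defines
# its own fields in the ACFFDR; these names and widths are made up here.
UID_LAYOUT = (("division", 2), ("dept", 3), ("jobcode", 2), ("logonid", 8))
UID_LENGTH = sum(width for _, width in UID_LAYOUT)


def build_uid(record: dict) -> str:
    """Concatenate the layout's fields from a logonid record into a UID,
    upper-cased and blank-padded to each field's width."""
    parts = []
    for name, width in UID_LAYOUT:
        value = record.get(name, "").upper()
        if len(value) > width:
            raise ValueError(f"field {name!r} longer than {width} characters")
        parts.append(value.ljust(width))
    return "".join(parts)


def mask_matches(mask: str, uid: str) -> bool:
    """UID mask test. Assumed convention: '*' matches exactly one character,
    '-' matches the remainder of the UID. A mask that ends without '-' must
    cover the UID up to its trailing blank padding."""
    pos = 0
    for ch in mask.upper():
        if ch == "-":
            return True
        if pos >= len(uid) or (ch != "*" and ch != uid[pos]):
            return False
        pos += 1
    return uid[pos:].strip() == ""


@dataclass(frozen=True)
class RuleEntry:
    uid_mask: str
    read: bool = False
    write: bool = False


def check_access(rules, uid: str, access: str) -> bool:
    """True if the first entry whose mask matches the UID grants the access.
    Model assumptions: entries are listed most-specific first, the first
    match decides, and a UID matching no entry is denied (default deny)."""
    if access not in ("read", "write"):
        raise ValueError("access must be 'read' or 'write'")
    for entry in rules:
        if mask_matches(entry.uid_mask, uid):
            return getattr(entry, access)
    return False


def logonids_with_access(rules, records: dict, access: str) -> list:
    """Logonids the rule set grants the access to; shows one mask entry
    covering a whole department without listing its members."""
    return sorted(
        logonid for logonid, rec in records.items()
        if check_access(rules, build_uid(rec), access)
    )


# Constructed sample logonid records (not real users).
SAMPLE_RECORDS = {
    "PAYCLRK1": {"division": "FN", "dept": "PAY", "jobcode": "CL", "logonid": "PAYCLRK1"},
    "PAYMGR":   {"division": "FN", "dept": "PAY", "jobcode": "MG", "logonid": "PAYMGR"},
    "ENGDEV1":  {"division": "EN", "dept": "DEV", "jobcode": "PG", "logonid": "ENGDEV1"},
}

# Constructed rule set for one payroll minidisk: Finance/Payroll managers may
# read and write, the rest of that department may read, nobody else gets in.
PAYROLL_MDISK_RULES = (
    RuleEntry("FNPAYMG-", read=True, write=True),
    RuleEntry("FNPAY-", read=True),
)

if __name__ == "__main__":
    for logonid, rec in SAMPLE_RECORDS.items():
        uid = build_uid(rec)
        print(f"{logonid:<9} UID={uid!r} "
              f"read={check_access(PAYROLL_MDISK_RULES, uid, 'read')} "
              f"write={check_access(PAYROLL_MDISK_RULES, uid, 'write')}")
```

The point to take from the model is the one the text makes: once the UID carries division, department and job code in fixed positions, a two-entry rule set distinguishes managers from the rest of the department and excludes everyone else, and adding a new payroll clerk requires a new logonid record but no change to the rule set. Order the most specific masks first, because the first matching entry wins in this model.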
CA ACF2 for z/VM validates all ATTACH commands issued for DASD devices. This validation is similar to minidisk and CMS file validation (you must write an access rule set for each DASD device that could be attached through a CP command). See the “Writing Access Rules” chapter for more information.
You can use CA ACF2 for z/VM exits to resolve unique user dependencies or to provide specialized transition paths. An example is using the validation exit during migration to full security: the exit can allow an access that CA ACF2 for z/VM would otherwise treat as a violation. We supply sample source code for some exits on the distribution tape.
You can let several different VM systems that run CA ACF2 for z/VM share the same CA ACF2 for z/VM databases.
You can also synchronize databases between CA ACF2 for z/VM and CA ACF2 for z/OS and OS/390 with the Database Synchronization Component.
Copyright © 2009 CA Technologies.
All rights reserved.