Many sites need a single virtual machine that several users can access. For example, several database administrators from different departments might maintain a centralized database, performing the necessary maintenance from one virtual machine. To access the machine, all of the administrators enter the same logonid and password, those of the machine itself. Only one person can have access to the machine at a time.
Although using a virtual machine this way serves a valuable purpose, it creates a possible security exposure. From an auditing standpoint, there is no way to determine who is using the machine, only that someone is logged on. Individual accountability is lost and passwords are shared.
You can solve this problem by defining a virtual machine with the special GRPLOGON privilege in its logonid record. A machine with this privilege is called a group virtual machine.
Many people can use this machine, but only one person can have access at a time. They all can be identified through auditing. The following terms are introduced in this section:
group virtual machine: Specifies a virtual machine defined with the GRPLOGON privilege in the Logonid database. Many people can use it and still be individually identified by the system.
group user: Specifies someone who uses a group virtual machine.
This section describes the user interface and requirements for each method of gaining access to a group virtual machine. It also includes a brief account of the mechanisms involved in each method, with an explanation of how individual accountability is enforced. A group virtual machine can also be autologged, just like any other virtual machine. For complete details on autologging virtual machines, see Protecting the AUTOLOG and XAUTOLOG Commands in this chapter.
After entering LOGON MAINT to use the MAINT group machine, group users supply their own logonids and passwords, not the MAINT password:
logon maint
ACFpgm263R Enter your ACF2 logonid
TLCAMS
ACFpgm244R Enter ACF2 password
PSWD
After a user has gained access, CA ACF2 for z/VM performs all validations as if the group virtual machine were logged on as a regular user. CA ACF2 for z/VM validates normal data and resource accesses against the group machine, not the group user. The SMF records that CA ACF2 for z/VM creates contain information on the group machine and also identify the group user. The user who logged onto the group virtual machine is identified in the CA ACF2 for z/VM reports. This enforces individual accountability.
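The following script is an added illustration of the accountability point above; it is not CA ACF2 for z/VM code and does not use the real SMF record layout. It assumes a constructed, simplified key=value record format in which each record names the machine that was validated (the group machine, MAINT) and, for group logons, the logonid of the person who supplied their own credentials. It attributes each resource access on the group machine to the individual group user, and separately lists any record on a group machine that carries no group user, since such a record cannot be attributed to a person and is the kind of gap an auditor would want to investigate. The user JDOE, the resource names and the timestamps are constructed sample values.

```python
"""Attribute accesses on a group virtual machine to individual group users.

Added illustration, not CA ACF2 for z/VM code. The record format below is a
constructed, simplified stand-in for the SMF records the text describes.
"""
from collections import defaultdict

# Constructed sample records in a hypothetical "key=value" layout.
# TLCAMS is the logonid from the LOGON example; JDOE is a made-up group user.
SAMPLE_RECORDS = """\
time=09:01 event=LOGON machine=MAINT grpuser=TLCAMS
time=09:05 event=ACCESS machine=MAINT grpuser=TLCAMS resource=SYS1.PARMLIB result=ALLOW
time=09:40 event=LOGOFF machine=MAINT grpuser=TLCAMS
time=10:12 event=LOGON machine=MAINT grpuser=JDOE
time=10:15 event=ACCESS machine=MAINT grpuser=JDOE resource=PAYROLL.DB result=DENY
time=11:00 event=ACCESS machine=MAINT resource=PAYROLL.DB result=ALLOW
"""

# Machines assumed to be defined with the GRPLOGON privilege.
GROUP_MACHINES = {"MAINT"}


def parse_record(line):
    """Parse one key=value record into a dict of its fields."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def attribute_accesses(text):
    """Return {group_user: [(resource, result), ...]} for ACCESS records
    on group machines. Access is validated against the group machine, but
    the report is keyed by the individual group user named in the record."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("event") != "ACCESS" or rec.get("machine") not in GROUP_MACHINES:
            continue
        user = rec.get("grpuser", "<unattributed>")
        by_user[user].append((rec["resource"], rec["result"]))
    return dict(by_user)


def unattributed_records(text):
    """Return records on a group machine that name no group user. These
    cannot be tied to a person and break individual accountability."""
    gaps = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("machine") in GROUP_MACHINES and "grpuser" not in rec:
            gaps.append(line)
    return gaps


if __name__ == "__main__":
    for user, accesses in attribute_accesses(SAMPLE_RECORDS).items():
        print(user, accesses)
    for line in unattributed_records(SAMPLE_RECORDS):
        print("UNATTRIBUTED:", line)
```

Run against the sample, the report shows TLCAMS allowed on SYS1.PARMLIB, JDOE denied on PAYROLL.DB, and one 11:00 access on MAINT with no group user, which is exactly the record a shared-password logon would have produced and which the GRPLOGON mechanism is meant to eliminate.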
Copyright © 2009 CA Technologies.
All rights reserved.