After you install CA ACF2 for z/VM and have written enough rules to control access to data, you may want to migrate to LOG mode. LOG mode lets you verify that the appropriate users can access certain data and that CA ACF2 for z/VM creates SMF records when unauthorized users try to access that data. In LOG mode, CA ACF2 for z/VM checks users at system entry, as it did in QUIET mode. It also checks the Rule database for any access rules that apply to the request. If it determines that an attempted access permission or type is invalid according to a rule, or if it cannot find a matching rule set, it allows the access but logs the violation.
From the reports, the security administrator writes, compiles, and stores rules to reduce the number of future violations. The security administrator should consult with data owners to determine whether the accesses are valid. You can also use decentralized administration, with multiple security administrators each writing rules for their own department or group.
Copyright © 2009 CA Technologies.
All rights reserved.