CA ACF2 Requirements

CA ACF2 controls data set access to both tape and disk data sets. Data center security administrators grant access privileges in two ways. Administrators can write data set access rules that permit or deny each access type by data set. They can also assign global data set access privileges to individual users. Each data set access falls into one of four access types:

Read Access

Required to open a data set for input. CA Auditor users must have read access for all CA Auditor data sets and all system data sets identified in the previous table. They must also have read access for all other data sets that CA Auditor analyzes or processes.

Installers must have read authority to all data sets on the distribution tape. The data set names of the tape files have the format AUD.EXAMINE.dsname.

Write Access

Required to open a data set for both input and output. You must have write access authority to add or update information in a data set. All CA Auditor users must have write access authority for the user profile database, prefix.EXAMINE.DBASE1 (prefix.CAIDBS1 for SMP/E installations). No other CA Auditor data sets are updated. CA Auditor never updates z/OS system data sets.

Installers must have write access authority for all CA Auditor data sets so that the installation program can load CA Auditor data sets from the corresponding distribution tape data sets.

Allocate Access

Required to initially allocate, rename, or scratch a disk‑resident data set. You must have allocate access authority to create, rename, or delete a data set. CA Auditor users do not need allocate access authority for any system or CA Auditor data sets.

Installers must have allocate access authority for all CA Auditor data sets so that the installation program can dynamically allocate the CA Auditor data sets on the selected disk volume.

Execute Access

Required to open a program library to load and execute a program. The data center security administrator can provide this type of protection for the CA Auditor program library, prefix.EXAMINE.LOAD (PRODHLQ.CAJ0LOAD for SMP/E installations).

The security administrator can also add the READALL privilege to the logonid records of selected CA Auditor users. This privilege permits read access to all data sets, regardless of the content of any associated access rules. This is very helpful if CA Auditor performs a complete review of the z/OS system. The READALL privilege permits selected CA Auditor users to conduct system reviews without requiring CA ACF2 access rule updates.

Other CA ACF2 logonid record attributes, including NON‑CNCL (non‑cancelable) and SECURITY (security officer), also provide suitable access capabilities to users, but are much more powerful than required for CA Auditor use.
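The data set requirements above can also be met with access rules alone. The following rule sets are an added illustration, not taken from the product documentation: `prefix` is the site's high-level qualifier as used on this page, the data set names are those of a non-SMP/E installation, and the UID strings AUDUSER and AUDINST are hypothetical values for CA Auditor users and installers.

```text
* Rule set for the CA Auditor disk data sets (high-level qualifier "prefix").
* AUDUSER and AUDINST are hypothetical UID strings, not product-defined values.
* Any access type not listed on a rule line is prevented by default.
$KEY(prefix)
* Users: update access to the user profile database only
 EXAMINE.DBASE1 UID(AUDUSER) READ(A) WRITE(A)
* Users: read and execute access to the remaining CA Auditor data sets,
* including the program library prefix.EXAMINE.LOAD
 EXAMINE.-      UID(AUDUSER) READ(A) EXEC(A)
* Installers: write and allocate access so the installation program
* can allocate and load the data sets
 EXAMINE.-      UID(AUDINST) READ(A) WRITE(A) ALLOC(A) EXEC(A)

* Separate rule set for the distribution tape files (AUD.EXAMINE.dsname).
$KEY(AUD)
* Installers: read access to the tape files
 EXAMINE.-      UID(AUDINST) READ(A)
```

Read access to the system data sets and to any other data sets that CA Auditor analyzes still has to be granted in the rule sets for those high-level qualifiers, which are not shown here.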

Some CA ACF2 sites also use the CA ACF2 Panvalet interface. This optional interface provides a security control point that extends CA ACF2 security to CA Panvalet data sets. Special considerations for CA ACF2 Panvalet interface users are described in the appendix “Interfacing with Other Products.”

If CA ACF2 denies access to data sets that CA Auditor attempts to open, a security violation occurs. CA Auditor usually receives control in this case and informs the user of the violation. However, if the number of security violations that occur in the session exceeds the MAX‑VIO (maximum violation) level, CA ACF2 terminates the session in accordance with normal CA ACF2 operation.

Auditors must have READ access to the CSVDYNEX.LIST ENTITY of the FACILITY CLASS to use the Dynamic Exit Analysis and SMF Dynamic Exit Analysis facilities. For more information, see the Technical Reference.