The CDT is a general data structure used to define the generalized SAF resource classes and characteristics.
The SAF CLASS is a general grouping of the type of authorization. Requests for:
Within each class, the ENTITY refers to the resource.
If an authorization request is issued for a SAF CLASS not defined via a CDT entry, the request fails.
Controls within the CDT affect how authorization processing is performed, for example, the maximum entity length and whether the class allows mixed-case entity names.
Each ESM has its own way of specifying CDT entries:
The CDT is an auditable element of the ESM. If a default CDT class is deleted, security could be bypassed. If the maximum entity length is improperly adjusted, valid entity names could be truncated or disallowed. If the CASE class attribute is changed from the default value of UPPER to MIXED, unpredictable results may occur. A SAF class may be changed to a lesser-known and less-secured SAF class, allowing users access to resources that they should be denied.
This function compares the in-storage CDT defined for the ESM to the IBM defaults.
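The kind of comparison described above, as an added example that is not CA's or IBM's code. It assumes each CDT entry has been reduced to the attributes this page names (class name, maximum entity length, CASE); the class names and lengths are constructed placeholders, not IBM default values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CdtEntry:
    name: str        # SAF class name
    max_length: int  # maximum entity (resource) name length
    case: str        # "UPPER" (default) or "MIXED"

def compare_cdt(defaults, in_storage):
    """Return sorted (class, code, detail) findings for deviations from defaults."""
    current = {e.name: e for e in in_storage}
    findings = []
    for base in defaults:
        cur = current.pop(base.name, None)
        if cur is None:
            findings.append((base.name, "DELETED", "default class not in storage"))
            continue
        if cur.max_length != base.max_length:
            code = "MAXLEN_REDUCED" if cur.max_length < base.max_length else "MAXLEN_RAISED"
            findings.append((base.name, code, f"{base.max_length} -> {cur.max_length}"))
        if cur.case != base.case:
            findings.append((base.name, "CASE_CHANGED", f"{base.case} -> {cur.case}"))
    # Classes left over exist only in storage: site-defined, listed for review.
    for name in current:
        findings.append((name, "NOT_IN_DEFAULTS", "site-defined class"))
    return sorted(findings)

# Constructed sample data: class names and lengths are placeholders, not IBM values.
DEFAULTS = [
    CdtEntry("CLASSA", 39, "UPPER"),
    CdtEntry("CLASSB", 8, "UPPER"),
    CdtEntry("CLASSC", 44, "UPPER"),
]
IN_STORAGE = [
    CdtEntry("CLASSA", 20, "UPPER"),   # length reduced
    CdtEntry("CLASSC", 44, "MIXED"),   # case changed; CLASSB deleted
    CdtEntry("SITECLS", 16, "UPPER"),  # site-defined addition
]

if __name__ == "__main__":
    for cls, code, detail in compare_cdt(DEFAULTS, IN_STORAGE):
        print(f"{cls:8} {code:16} {detail}")
```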
Copyright © 2009 CA. All rights reserved.