Addressing Security Requirements › Define Security Authorizations for CA Compliance Manager

Define Security Authorizations for CA Compliance Manager

In the pre-installation planning phase, you determined which CA Compliance Manager components and repositories to implement. This affects how you customize the security definitions required for CA Compliance Manager in the jobs provided.

The security definition jobs for CA ACF2, CA Top Secret, and IBM RACF (CMGRIACF, CMGRITSS, and CMGRIRAC) define the security environment for all of the CA Compliance Manager components by creating the security definitions for the MUF and the CA Compliance Manager repositories and the authorizations for the users who access the repositories.

These jobs do the following:

• Define the CA Compliance Manager started task user (STC) IDs and gives the STC users USS capabilities for the following:
  • Define the z/OS USS Groups to the ESM
  • Assign a z/OS USS Group to the STC users in the ESM
  • Assign a z/OS USS UID to the STC users in the ESM
  • Assign the STC users to a default group in the ESM

  Note: The name of the STC user created is the same as the procedure name of the started task (e.g., CMGRRTR, CMGRMON, CMGRALRT, CMGRWHSE, CMGRLOGR, ).

• Permit access to datasets
• Permit access to datasets for DB2
• Permit access to resources
• Permit access to resources for DB2
• Permit access to DB2 resources
• Define security for CA Datacom/AD MUF and repositories

Follow these steps:

1. Edit the appropriate job in CAI.CEIQJCL0 for your security product:

   CMGRIACF for CA ACF2

   CMGRITSS for CA Top Secret

   CMGRIRAC for IBM RACF

   Modify the job to conform to your installation standards. Follow the instructions in the job to customize the job for your environment.

2. Submit the job.
3. Review the output of the job to verify that the security definitions are successfully defined.
4. Verify that the Warehouse component is authorized to access the Warehouse repository by checking the job output in the following cases:
   • If you are implementing a CA Datacom/AD Warehouse repository, verify that you created appropriate authorizations. See the job output of the CMGRIACF, CMGRITSS, and CMGRIRAC jobs respectively, if you are running CA ACF2, CA Top Secret, or IBM RACF.
   • If you are implementing a DB2 Warehouse repository and use native DB2 security, verify the appropriate authorizations are created during execution of the CMGRIDB2 installation job, which defines the DB2 Warehouse repository. See the job output of the CMGRIDB2 installation job.
   • If you are using CA ACF2 Option for DB2 or CA Top Secret Option for DB2 for your DB2 security, the appropriate authorizations were created during the execution of the CMGRIACF or CMGRITSS jobs, respectively. See the job output of the CMGRIACF or CMGRITSS jobs.

     Note: This action helps ensure that records can be successfully inserted into the Warehouse repository.

5. Verify that the Monitor component is authorized to access the Monitor repository by checking the job output in the following cases:
   • If you are implementing a CA Datacom/AD Monitor repository, verify that you created appropriate authorizations. See the job output of the CMGRIACF, CMGRITSS, and CMGRIRAC jobs respectively, if you are running CA ACF2, CA Top Secret, or IBM RACF.
   • If you use native DB2 security, the appropriate authorizations are created during execution of the CMGRIDB2 installation job, which defines the DB2 Warehouse repository. See the job output of the CMGRIDB2 installation job.
   • If you are using CA ACF2 Option for DB2 or CA Top Secret Option for DB2 for your DB2 security, the appropriate authorizations were created during the execution of the ESM configuration jobs, CMGRIACF or CMGRITSS, respectively.

     Note: This action helps ensure that records can be successfully inserted into the Monitor repository.

6. Verify that Data Mart users have UPDATE access to the DATAMART entity in the CACMGR resource class by checking the job output from CMGRIACF, CMGRITSS or CMGRIRAC job respectively, if you are running CA ACF2, CA Top Secret, or IBM RACF.

   Note: The Data Mart repository contains information about security events the ESM product generates and processes. Allow use of the Data Mart only by those people who already can view this information directly from the mainframe security system.

7. Verify that the CAI.CEIQLOAD library is APF-authorized.

   This step ensures that program ECARTINT, which resides in CAI.CEIQLOAD, is also APF-authorized. The Router does not initialize if it is executed from an unauthorized library.

   Note: If you specified a different CEIQLOAD data set during installation, verify that this data set if APF-authorized.