

Activate CA Disk Storage Administration FACILITY Class Profiles

Storage Administration FACILITY Class Profiles allow an installation to control access to sensitive data. This feature is optional. It removes the need for storage administrators to hold security access to the data sets themselves; instead they are given access to the Storage Management Functions, and it is the Storage Management Functions that have unlimited access to the data sets.

To understand this concept, consider the following scenario. User 1 is a storage administrator whose job is to run backups, archives, and restores. User 1 is allowed to run the ARCHIVE, BACKUP, and RESTORE commands in Storage Administration mode. Any CA Disk job that User 1 submits that performs one of those commands executes in Storage Administration mode, and User 1 can process any data set. Any other job that User 1 submits uses the standard security system profiles to verify access to each referenced data set, which prevents User 1 from viewing or modifying sensitive data. Within Storage Administration mode, CA Disk also lets the installation restrict access to sensitive command operands such as NEWNAME and NEWHLQ.

Note: Storage Administration FACILITY Class Profiles do not restrict access to commands, operands, or data sets. The commands and operands can be used whether or not a user has access to the FACILITY Class Profiles. What the profiles do is allow a user who is designated as a Storage Administrator, and who has access to the FACILITY (command, operand, or function) in use, to apply that FACILITY to data sets regardless of security system access restrictions. For a user without that access, the command simply runs under the standard security system checks.

Some command operands, such as NEWNAME and NEWHLQ, are authorized individually, because renaming a data set could give access to data that would otherwise be inaccessible under its original name. Any command that uses these operands goes through two qualifications. First, the user must be authorized to the command itself. Second, if the command is authorized and one of these protected operands is specified, the user must also be authorized to the operand. Both must be true for the command to execute in Storage Administration mode.

DMSAR is a special case with regard to the Storage Administration FACILITY Class Profiles. The DMSAR function is authorized as a whole rather than the individual commands that DMSAR executes. DMSAR issues RESTORE commands, but the function being authorized is $AUTORES, so $AUTORES is specified in the profile list rather than the RESTORE command. This function name is used only for a procedure that is actually performing an auto-restore, so the user ID under which that procedure executes must be permitted access to the resource defined for $AUTORES in the profile list.

A series of steps activates the use of Storage Administration FACILITY Class Profiles. The first three steps can be executed in any order, but the final step should always be executed last, so that access to Storage Administration mode is not accidentally granted to users who should not have it.

To activate the use of Storage Administration FACILITY Class Profiles

  1. The Security Administrator permits each user who is to be a Storage Administrator READ access to the resource defined in the Sysparm SMSSTGAD. READ access to this resource is what designates a user as a Storage Administrator.

    Note: If this resource is undefined, every user is a Storage Administrator by default, so define it before activating the feature. Once a user is designated as a Storage Administrator, CA Disk then checks that user's access to the Storage Administration FACILITY Class profile for the function being used.

  2. Create a Storage Administration FACILITY Class profile list in a secured source PDS. A sample list with all of the supported functions, commands, and operands is in PARMLIB, in member SAMPZADM. The default resource name is STGADMIN.DMS.STGADMIN.command[.operand]. A command cannot execute in Storage Administration mode if it has no definition in the profile list.
  3. Define the profiles referenced in the profile list created in step 2 to the security system, and permit the storage administrators access to them.
  4. Update the PARMAUTH member to activate the feature by setting the STGADMIN parameter to YES or LIBRARY.

    If STGADMIN is set to YES, you must also specify the SECURITY parameter on the PARMAUTH macro as YES and supply a list of authorized PARMLIBs. This is a security measure so that a profile list is never taken from an unsecured PARMLIB. Set STGADTBL to the name of the PDS member that contains the profile list.

    If STGADMIN is set to LIBRARY, you must supply both STGADLIB and STGADTBL: STGADLIB is the data set name of the PDS and STGADTBL is the member name that contains the profile list.

    A single list of profiles is easier to administer, so the LIBRARY setting is suggested.
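The following is an added model of the decision described above (the User 1 scenario, the two-qualification check for NEWNAME and NEWHLQ, the $AUTORES special case for DMSAR, and the step 1 default when the SMSSTGAD resource is undefined). It is example code written for this page, not CA Disk's own implementation. The profile list is represented as a Python dictionary standing in for SAMPZADM, the permission store stands in for the installation's security system (RACF, ACF2, or Top Secret), the SMSSTGAD resource name STGADMIN.DMS.ADMINISTRATOR and the user IDs USER1, USER2 and DMSARID are invented, and DELETE is used only as a hypothetical command with no profile-list entry.

```python
"""Model of the CA Disk Storage Administration FACILITY decision as described on this page.
Constructed example: profile-list format, resource names, user IDs and the permission
store are stand-ins, not CA Disk's or any security system's own code or data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PREFIX = "STGADMIN.DMS.STGADMIN"            # default resource-name pattern from the page
PROTECTED_OPERANDS = {"NEWNAME", "NEWHLQ"}  # operands the page says are authorized individually
AUTORES_FUNCTION = "$AUTORES"               # function DMSAR auto-restore is authorized under
SMSSTGAD_RESOURCE = "STGADMIN.DMS.ADMINISTRATOR"  # hypothetical Sysparm SMSSTGAD resource name


@dataclass
class SecuritySystem:
    """Stand-in for RACF/ACF2/TSS: FACILITY resource -> user IDs holding READ access."""
    read_access: Dict[str, Set[str]]

    def has_read(self, user: str, resource: str) -> bool:
        return user in self.read_access.get(resource, set())


@dataclass
class DiskConfig:
    """Sysparm SMSSTGAD resource (None models 'undefined') plus the profile list,
    keyed by command, command.operand or function name (constructed stand-in for SAMPZADM)."""
    smsstgad_resource: Optional[str]
    profile_list: Dict[str, str]


def is_storage_administrator(user: str, cfg: DiskConfig, sec: SecuritySystem) -> bool:
    # Page, step 1 note: an undefined SMSSTGAD resource makes every user a Storage Administrator.
    if cfg.smsstgad_resource is None:
        return True
    return sec.has_read(user, cfg.smsstgad_resource)


def runs_in_stgadmin_mode(user: str, command: str, operands: List[str],
                          cfg: DiskConfig, sec: SecuritySystem, auto_restore: bool = False) -> bool:
    """True when the command would execute in Storage Administration mode.
    False means CA Disk falls back to the standard security-system check on each data set."""
    if not is_storage_administrator(user, cfg, sec):
        return False
    # DMSAR auto-restore is authorized as $AUTORES, not as the RESTORE commands it issues.
    function = AUTORES_FUNCTION if auto_restore else command
    resource = cfg.profile_list.get(function)
    if resource is None or not sec.has_read(user, resource):
        return False  # no profile-list entry (step 2), or the user lacks READ on it (step 3)
    # Second qualification: each protected operand must be separately authorized.
    for operand in operands:
        if operand in PROTECTED_OPERANDS:
            op_resource = cfg.profile_list.get(f"{function}.{operand}")
            if op_resource is None or not sec.has_read(user, op_resource):
                return False
    return True


def build_example():
    """Constructed installation: USER1 is the storage administrator from the page's scenario,
    USER2 is an ordinary user, DMSARID is the user ID the DMSAR auto-restore procedure runs under."""
    functions = ["ARCHIVE", "BACKUP", "RESTORE", "RESTORE.NEWNAME", "RESTORE.NEWHLQ", AUTORES_FUNCTION]
    cfg = DiskConfig(smsstgad_resource=SMSSTGAD_RESOURCE,
                     profile_list={f: f"{PREFIX}.{f}" for f in functions})
    sec = SecuritySystem(read_access={
        SMSSTGAD_RESOURCE: {"USER1", "DMSARID"},
        f"{PREFIX}.ARCHIVE": {"USER1", "USER2"},  # USER2 holds the command profile but is not a storage admin
        f"{PREFIX}.BACKUP": {"USER1"},
        f"{PREFIX}.RESTORE": {"USER1"},
        f"{PREFIX}.{AUTORES_FUNCTION}": {"DMSARID"},
        # nobody is permitted RESTORE.NEWNAME or RESTORE.NEWHLQ
    })
    return cfg, sec


def decisions() -> Dict[str, bool]:
    cfg, sec = build_example()
    return {
        "USER1 ARCHIVE": runs_in_stgadmin_mode("USER1", "ARCHIVE", [], cfg, sec),
        "USER1 RESTORE NEWNAME": runs_in_stgadmin_mode("USER1", "RESTORE", ["NEWNAME"], cfg, sec),
        "USER1 DELETE": runs_in_stgadmin_mode("USER1", "DELETE", [], cfg, sec),  # hypothetical, not in list
        "USER2 ARCHIVE": runs_in_stgadmin_mode("USER2", "ARCHIVE", [], cfg, sec),
        "DMSARID auto-restore": runs_in_stgadmin_mode("DMSARID", "RESTORE", [], cfg, sec, auto_restore=True),
        "DMSARID direct RESTORE": runs_in_stgadmin_mode("DMSARID", "RESTORE", [], cfg, sec),
    }


def user2_archive_with_smsstgad_undefined() -> bool:
    """The fail-open default from step 1: with no SMSSTGAD resource, USER2 becomes a storage admin."""
    cfg, sec = build_example()
    cfg.smsstgad_resource = None
    return runs_in_stgadmin_mode("USER2", "ARCHIVE", [], cfg, sec)


if __name__ == "__main__":
    for case, result in decisions().items():
        print(f"{case:28s} -> {'Storage Administration mode' if result else 'standard security checks'}")
    print(f"SMSSTGAD undefined, USER2 ARCHIVE -> {user2_archive_with_smsstgad_undefined()}")
```

The last function is the reason step 1 should be completed before step 4: with the SMSSTGAD resource undefined, any user who happens to hold READ on a command profile runs that command in Storage Administration mode.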