System Parameter Override Security — SYSPAUTH

CA Disk sysparm overrides are controlled through use of the //SYSPARMS dd statement. Use of this dd statement is described in the Overriding Sysparms Instream section in the Systems Guide. Users can override sysparms only if SYSPARMO is specified with a value of Y in the SYSPARMS member of your CA Disk parmlib.

If you do not have a security package that is compatible with SAF, you cannot limit access to sysparm overrides for a subset of users, or for a subset of sysparms.

If your security package is SAF-compatible, and if you want to restrict your users to a subset of CA Disk sysparms that they can override, or restrict sysparm overrides to a certain group of users, you can activate the System Parameter Override Security Feature by installing user exit USERMOD5 according to the following procedure.

To activate the System Parameter Override Security Feature by installing user exit USERMOD5

  1. Locate the source for the System Parameter Override Security Feature in member SYSPAUTH, located in the library associated with the CCUWSAMP DDDEF. The following illustration is a sample source for SYSPAUTH:

    Screen shot example of a sample source for SYSPAUTH

  2. To ensure that the changes you make to SYSPAUTH are protected during future CA Disk installs or maintenance, copy this member into the source library associated with the //USERASM dd statement in USERMOD5.
  3. Customize SYSPAUTH as follows:
    1. Activate the System Parameter Override Security Feature by specifying YES for the SECURITY= parameter. The default is NO, which deactivates the feature.
    2. Alter the RESOURCE= parameter as required. The value you specify is the prefix of the resource. The default is DISK.SYSPARMS.
    3. Alter the CLASS= parameter as required. We recommend you specify FACILITY for CA ACF2 and RACF security packages, or IBMFAC for CA Top Secret.
    4. The value specified for the APPL= parameter is recorded by SMF. The default value is DMSOS.
  4. Save your work by issuing SAVE at the TSO command line.
  5. Activate the FACILITY (IBMFAC if you have CA Top Secret) class of your security package. For example, if you have RACF, issue the command:
    SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY) +
    GENCMD(FACILITY)
    

    When SYSPARMO is specified with a Y, CA Disk uses the FACILITY (IBMFAC if you have CA Top Secret) class of your security package to determine if the user has READ access to the resource DISK.SYSPARMS.sysparmname before allowing the override.

    Note: The check for READ access is with the FACILITY (IBMFAC if you have CA Top Secret) class, not the DATA SET class. Therefore the name does not refer to the name of an actual data set; there could be other rules in the DATA SET class that refer to data sets with that same name. RACF users must execute this command before creating the following generic profile.

  6. Protect all sysparm overrides as a blanket. For example, if you have RACF, issue the command:
    RDEFINE FACILITY DISK.SYSPARMS.* +
    UACC(NONE) NOTIFY(security administrator)
    

    Where security administrator is the userid of a person to whom optional violation messages are to be sent.

    If you have CA ACF2, issue the command:

    TSS ADDTO(deptacid) IBMFAC(DISK.SYSPARMS.*)
    
  7. To allow your storage management group of users to override most or all of the system parameters, you can instruct your security package to allow that. For example:
  8. To prevent your storage management group from overriding certain system parameters, you can individually protect them. For example:
  9. If you want to allow all users to override certain system parameters, such as ARC0NAME and ARCCNAME, you can individually allow that. For example:
  10. With this security feature activated, CA Disk allows the override of a sysparm only if CA Disk receives a return code of less than 8 from SAF using the macro:
    RACROUTE REQUEST=AUTH,
    RELATED='DMS/OS AUTH CHECK',
    APPL='DMSOS ',
    ATTR=READ,
    CLASS='FACILITY',
    ENTITY=DISK.SYSPARMS.sysparmname
    

    Where sysparmname is the 8-character name of the system parameter. CA Disk issues a message and ignores overrides of those sysparms to which the user does not have sufficient authority.

    Note: CA Top Secret translates this FACILITY class check to IBMFAC.

  11. Submit USERMOD5 according to the instructions under USERMOD5.
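
The decision described in steps 6 through 10 can be checked against a planned profile set before it is defined. The following Python model is an added example, not CA Disk or RACF code: the group STGADMIN, the sysparm names SYSPARMX and SYSPARMY, the user IDs, and the simplified profile matching (one generic profile plus discrete profiles) are assumptions made for illustration.

```python
# Simplified model (an assumption, not RACF or CA Disk code): one generic
# profile plus discrete profiles; a discrete match beats the generic one.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
PREFIX = "DISK.SYSPARMS."  # default RESOURCE= prefix from SYSPAUTH

# Constructed profile set mirroring steps 6-9. STGADMIN and SYSPARMX are
# hypothetical names; ARC0NAME and ARCCNAME come from step 9.
PROFILES = {
    PREFIX + "*":        {"uacc": "NONE", "acl": {"STGADMIN": "READ"}},  # steps 6-7
    PREFIX + "SYSPARMX": {"uacc": "NONE", "acl": {}},                    # step 8
    PREFIX + "ARC0NAME": {"uacc": "READ", "acl": {}},                    # step 9
    PREFIX + "ARCCNAME": {"uacc": "READ", "acl": {}},
}

def find_profile(entity, profiles):
    """Return the covering profile: discrete name first, then the generic."""
    if entity in profiles:
        return profiles[entity]
    generic = PREFIX + "*"
    if entity.startswith(PREFIX) and generic in profiles:
        return profiles[generic]
    return None

def saf_auth_rc(user, groups, sysparm, profiles, class_active=True):
    """Model the SAF return code of the READ check: 0, 4 or 8."""
    profile = find_profile(PREFIX + sysparm, profiles) if class_active else None
    if profile is None:
        return 4  # no decision: class inactive or resource not protected
    acl = profile["acl"]
    if user in acl:  # a userid entry wins over group entries
        granted = acl[user]
    else:
        matches = [acl[g] for g in groups if g in acl]
        granted = max(matches, key=LEVELS.get) if matches else profile["uacc"]
    return 0 if LEVELS[granted] >= LEVELS["READ"] else 8

def override_allowed(user, groups, sysparm, profiles=PROFILES, class_active=True):
    """Rule from step 10: honor the override when the SAF RC is below 8."""
    return saf_auth_rc(user, groups, sysparm, profiles, class_active) < 8
```

Because the rule is "less than 8", a return code of 4 also permits the override in this model, so the blanket profile from step 6 and an active class are what make the restriction effective.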