CA MIM can control access to its commands through command validation performed by the operating system's security system software.
CA MIM command validation support is activated by specifying the statement MIMINIT SAFCMDAUTH=ON. If this feature is activated but the security system does not support SAF operator command validation, then CA MIM terminates during initialization.
Once the security system is activated, CA MIM extracts the user ID of the command issuer and sends a command authorization call to the security system software using the OPERCMDS class. CA MIM builds a two-level entity name composed of a subsystem identifier prefix (the default is MIMGR), followed by the full name of the command verb.
For example, if you issue a DISPLAY command, then the entity name is MIMGR.DISPLAY. You can provide your own one- to eight-character prefix by specifying the MIMINIT SAFPREFIX statement. Optionally, you can request that CA MIM use the job name of its address space (user ID in z/VM) as the subsystem prefix value in the entity name. This can be useful if you run different CA MIM facilities in different address spaces, and you want to limit command access based on the facility.
CA MIM requires a user to have READ access to permit the execution of DISPLAY commands. All other commands require UPDATE access. CA MIM interprets a “no decision” return code from the security system (that is, no profile exists) as a denial for command access.
Note:
CA MIM provides a user exit point in the command authorization processing, prior to the system authorization call for the command. This installation exit, called MIMATHXT, can unconditionally permit the command, unconditionally reject the command, or continue normally, in which case the command is conditionally executed based on the security system authorization decision.
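The decision flow described above can be modelled in a few lines to check an access design before profiles are defined. This is an added example, not CA MIM code: the profile table, the user IDs, the placeholder verb VERBX, the job name MIMJOB1, and the function names and exit labels are all assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    """Standard SAF access levels, lowest to highest."""
    NONE = 0
    READ = 1
    UPDATE = 2
    CONTROL = 3
    ALTER = 4

def entity_name(verb, prefix="MIMGR"):
    """Build the two-level OPERCMDS entity: <prefix>.<full command verb>."""
    if not 1 <= len(prefix) <= 8:
        raise ValueError("prefix must be one to eight characters")
    return f"{prefix.upper()}.{verb.upper()}"

def required_access(verb):
    """DISPLAY needs READ; every other command needs UPDATE."""
    return Access.READ if verb.upper() == "DISPLAY" else Access.UPDATE

def authorize(user, verb, profiles, prefix="MIMGR", exit_decision="CONTINUE"):
    """Return (allowed, reason) for one command.

    profiles: {entity: {user_id: Access}}, a constructed stand-in for the
    security system's OPERCMDS profiles (UACC and generics not modelled).
    exit_decision: hypothetical label for the MIMATHXT outcome.
    """
    if exit_decision == "PERMIT":      # the exit runs before the SAF call
        return True, "permitted by exit"
    if exit_decision == "REJECT":
        return False, "rejected by exit"
    entity = entity_name(verb, prefix)
    acl = profiles.get(entity)
    if acl is None:                    # "no decision" is treated as denial
        return False, f"no profile for {entity}"
    held, need = acl.get(user, Access.NONE), required_access(verb)
    if held >= need:
        return True, f"{held.name} on {entity}"
    return False, f"{held.name} on {entity}, {need.name} required"

# Constructed sample profiles; VERBX stands for any non-DISPLAY command verb.
PROFILES = {
    "MIMGR.DISPLAY": {"OPER1": Access.READ, "SYSPRG1": Access.UPDATE},
    "MIMGR.VERBX": {"SYSPRG1": Access.UPDATE},
}
```

Calling authorize with prefix="MIMJOB1" against these profiles denies every command, which shows that switching to a custom or job-name prefix requires profiles under the new prefix before the change takes effect.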
Copyright © 2011 CA. All rights reserved.