These examples show how you can allow specific users or groups of users to have access to various combinations of incoming and outgoing file transfers.
FTP.SAFSAMP.172.24.215.17.FTP.DATA.FILE
If FTPUSER requests a transfer to open a connection to 172.24.215.17 and put a file from there into FTP.DATA.FILE, then the request is rejected, because FTPUSER has only read access to the file as governed by your security system through the SAF qualifier.
However, if FTPUSER requests a transfer to get the FTP.DATA.FILE, the request is allowed, because FTPUSER has read access.
FTP.SAFSAMP.172.24.215.17.**
In this case, FTPUSER has read access to the above profile and cannot download any file on the mainframe from the IP address 172.24.215.17; however, FTPUSER can send any file out to this IP address.
FTP.SAFSAMP.*.**
In this case, FTPUSER has read access to the above profile and cannot download any file on the mainframe from any IP address; however, FTPUSER can send any file out to any IP address.
FTP.SAFSAMP.*.FTP.DATA.FILE
In this case, FTPUSER has write access to the above profile and cannot download any file on the mainframe EXCEPT FTP.DATA.FILE from any IP address; however, FTPUSER can send FTP.DATA.FILE out, and only that file, to any IP address.
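The four cases above can be checked with a small decision model. This is an added example, not code from the product: the functions parse_profile, covers and allowed are hypothetical, the IP address 10.1.2.3 and the data set PAYROLL.DATA are constructed, and the model assumes that "*" stands for any IPv4 address, "**" for any data set name, and that a request the profile does not cover is denied.

```python
# Added illustration, not product code. Assumptions: the SAF qualifier is SAFSAMP,
# "*" stands for any IPv4 address, "**" for any data set name, and a request that
# the given profile does not cover is denied.
LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}
# Per the examples: sending a file out needs read access to the profile,
# storing an incoming file on the mainframe needs write access.
NEEDED = {"outgoing": "READ", "incoming": "WRITE"}

def parse_profile(profile, qualifier="SAFSAMP"):
    """Split FTP.<qualifier>.<ip>.<dataset> into (ip_pattern, dataset_pattern)."""
    prefix = f"FTP.{qualifier}."
    if not profile.startswith(prefix):
        raise ValueError(f"unexpected prefix in {profile!r}")
    rest = profile[len(prefix):]
    if rest.startswith("*."):        # generic IP address
        return "*", rest[2:]
    parts = rest.split(".", 4)       # four octets, then the data set pattern
    if len(parts) != 5:
        raise ValueError(f"cannot split IP address and data set in {profile!r}")
    return ".".join(parts[:4]), parts[4]

def covers(profile, ip, dataset):
    """True if the profile applies to this remote IP address and data set."""
    ip_pat, ds_pat = parse_profile(profile)
    return ip_pat in ("*", ip) and ds_pat in ("**", dataset)

def allowed(profile, access, direction, ip, dataset):
    """True if `access` to `profile` permits the requested transfer."""
    if not covers(profile, ip, dataset):
        return False
    return LEVELS[access] >= LEVELS[NEEDED[direction]]

if __name__ == "__main__":
    ip = "172.24.215.17"
    cases = [  # (profile, FTPUSER's access, direction, remote IP, data set)
        ("FTP.SAFSAMP.172.24.215.17.FTP.DATA.FILE", "READ", "incoming", ip, "FTP.DATA.FILE"),
        ("FTP.SAFSAMP.172.24.215.17.FTP.DATA.FILE", "READ", "outgoing", ip, "FTP.DATA.FILE"),
        ("FTP.SAFSAMP.172.24.215.17.**", "READ", "outgoing", ip, "PAYROLL.DATA"),
        ("FTP.SAFSAMP.*.**", "READ", "incoming", "10.1.2.3", "PAYROLL.DATA"),
        ("FTP.SAFSAMP.*.FTP.DATA.FILE", "WRITE", "incoming", "10.1.2.3", "FTP.DATA.FILE"),
        ("FTP.SAFSAMP.*.FTP.DATA.FILE", "WRITE", "outgoing", "10.1.2.3", "PAYROLL.DATA"),
    ]
    for case in cases:
        print("ALLOW" if allowed(*case) else "DENY ", *case)
```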