Preparing the IBM Communications Server › Authorize Product Region Command Access
Authorize Product Region Command Access
Note: If you are using CA ACF2 for z/OS, you do not need to perform this task unless it is set up to protect operator commands.
Your product uses z/OS operator VARY commands to perform some functions. These functions include:
- Packet tracing
- Device activations and deactivations
- Dropping connections
- Verifying Telnet LU status
The user ID associated with your product region must be authorized by your security system to issue these commands. The following OPERCMDS resources require UPDATE access level:
- MVS.VARY.TCPIP.PKTTRACE
- MVS.VARY.TCPIP.OBEYFILE
- MVS.VARY.TCPIP.DROP
- MVS.VARY.TCPIP.TELNET.ACT
- MVS.VARY.TCPIP.TELNET.INACT
Authorize individual users to the OPERCMDS resources if you:
- Plan to configure your system to use SAF user security
- Are using a partial security exit that returns a SAF UTOKEN (for example, NMSAFPX)
Example: Authorization in a CA ACF2 System that Protects Operator Commands
$KEY(MVS) TYPE(OPR)
VARY.TCPIP.- UID(uid_string) SERVICE(UPDATE) ALLOW
Example: Authorization in a CA Top Secret System
TSS PER(XXXXXX) OPERCMD(MVS.VARY.) ACCESS(UPDATE)
Example: Authorization in a RACF System
PE MVS.VARY.TCPIP.* CLASS(OPERCMDS) ID(uuuuuuu) ACCESS(UPDATE)
Copyright © 2010 CA.
All rights reserved.