(Optional) You can secure user access to SOF using the following Automated Operations Facility (AOF) rules:
- Command rules. Secure user access to SOF through z/OS MODIFY console commands. For examples, see the sample command rules SOFCMDR and SOFCMDU in the &hlq.CCLXRULS data set.
- Security rules. Secure user access to SOF through OPS/REXX ADDRESS SOF. A Security event named SOF has been added for this purpose. For examples, see the sample security rules SOFSECR and SOFSECU in the &hlq.CCLXRULS data set. This method also secures access through OPSVIEW option 3.5, because that dialog is implemented with OPS/REXX ADDRESS SOF. By default, all users with TSO OPER authority are granted access to SOF through OPS/REXX ADDRESS SOF, and therefore to OPSVIEW option 3.5.
Both sample rules SOFCMDR and SOFSECR use the OPSECURE function to invoke the SAF security interface, and therefore require security resource definitions. The code within the samples establishes one prefix for the COMMAND series and another for the QUERY series. The full resource name is formed by appending the COMMAND or QUERY target to the matching prefix. COMMAND DISPLAY and the entire QUERY series are checked for READ access; every other COMMAND target is checked for UPDATE access.

Example: COMMAND and QUERY Sample Rules

A COMMAND RESTORE request, with the prefix OPSMVS.SOF.COMMAND., produces the full resource name: OPSMVS.SOF.COMMAND.RESTORE
A QUERY CHPIDS request, with the prefix OPSMVS.SOF.QUERY., produces the full resource name: OPSMVS.SOF.QUERY.CHPIDS
Both sample rules require the definitions listed below. The actual implementation varies across security products; the syntax is intended to demonstrate functionality and may not reflect the most efficient usage.
Corresponding CA Top Secret definitions, shown here in TSS LIST output form, are as follows:

XA OPERCMDS= OPSMVS.SOF.COMMAND.*        OWNER(SYSPDEPT) ACCESS = UPDATE
    ADMIN BY= BY(SECMST ) SMFID(CA11) ON(03/17/2008) AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.COMMAND.REMOVE   OWNER(SYSPDEPT) ACCESS = UPDATE
    ADMIN BY= BY(SECMST ) SMFID(CA11) ON(03/17/2008) AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.COMMAND.RESTORE  OWNER(SYSPDEPT) ACCESS = UPDATE
    ADMIN BY= BY(SECMST ) SMFID(CA11) ON(03/17/2008) AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.COMMAND.DISPLAY  OWNER(SYSPDEPT) ACCESS = READ
    ADMIN BY= BY(SECMST ) SMFID(CA11) ON(03/17/2008) AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.QUERY.*          OWNER(SYSPDEPT) ACCESS = READ
Equivalent CA ACF2 definitions are as follows:

RESOURCE compile * store
$key(OPSMVS) type(opr)
SOF.COMMAND.-       uid(uid string) service(update) allow
SOF.COMMAND.REMOVE  uid(uid string) service(update) allow
SOF.COMMAND.RESTORE uid(uid string) service(update) allow
SOF.COMMAND.DISPLAY uid(uid string) service(read)   allow
SOF.QUERY.-         uid(uid string) service(read)   allow
end
Sample RACF syntax is as follows:

RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.*       OWNER(SYSPDEPT) UACC(UPDATE)
RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.REMOVE  OWNER(SYSPDEPT) UACC(UPDATE)
RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.RESTORE OWNER(SYSPDEPT) UACC(UPDATE)
RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.DISPLAY OWNER(SYSPDEPT) UACC(READ)
RDEFINE OPERCMDS OPSMVS.SOF.QUERY.*         OWNER(SYSPDEPT) UACC(READ)

Note that UACC sets the universal access: as written, these profiles give every user on the system UPDATE access to the SOF commands and READ access to the queries. For a production configuration, define the profiles with UACC(NONE) and PERMIT only the users or groups that need to issue SOF commands and queries. The generic (asterisk) profiles require generic profile checking to be active for the class (SETROPTS GENERIC(OPERCMDS)), and OPERCMDS must be RACLISTed and refreshed (SETROPTS RACLIST(OPERCMDS) REFRESH) before new or changed profiles take effect.
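To make the mapping concrete, here is an added Python model of the prefix-plus-target resource naming used by the sample rules and of how the OPERCMDS profiles above resolve a request. It is illustration written for this page, not OPS/MVS, OPSECURE or RACF code: the two prefixes are inferred from the resource names shown on the page, while the hardened profile set and the user and group names SOFADM, OPSOPER, OPER1 and ANYBODY are constructed assumptions. It also goes slightly beyond the page by showing a least-privilege variant next to the sample's universal-access profiles.

```python
"""Model of the resource mapping used by the SOFCMDR/SOFSECR sample rules,
with a simplified RACF-style profile lookup over the OPERCMDS definitions.

Added illustration, not OPS/MVS, OPSECURE or RACF code.  The two prefixes
are taken from the resource names on the page; the profile lists and the
user/group names (SOFADM, OPSOPER, OPER1, ANYBODY) are constructed.
"""
from dataclasses import dataclass, field

# SAF access levels in increasing order of authority.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Prefixes established by the sample rules (inferred from the names on the page).
COMMAND_PREFIX = "OPSMVS.SOF.COMMAND."
QUERY_PREFIX = "OPSMVS.SOF.QUERY."


def sof_resource(kind, target):
    """Map a SOF request to (SAF resource name, required access).

    COMMAND DISPLAY and every QUERY are READ; every other COMMAND is UPDATE,
    exactly as the sample rules tag them.
    """
    kind, target = kind.upper(), target.upper()
    if kind == "COMMAND":
        return COMMAND_PREFIX + target, ("READ" if target == "DISPLAY" else "UPDATE")
    if kind == "QUERY":
        return QUERY_PREFIX + target, "READ"
    raise ValueError(f"unknown SOF request kind: {kind}")


@dataclass
class Profile:
    """One OPERCMDS profile: name, UACC, and an access list (PERMIT entries)."""
    name: str
    uacc: str
    permits: dict = field(default_factory=dict)   # user or group -> access


# The RDEFINE statements on the page, as data.  UACC(UPDATE)/UACC(READ) means
# every user on the system gets that access without any PERMIT.
PAGE_RACF_PROFILES = [
    Profile("OPSMVS.SOF.COMMAND.*", "UPDATE"),
    Profile("OPSMVS.SOF.COMMAND.REMOVE", "UPDATE"),
    Profile("OPSMVS.SOF.COMMAND.RESTORE", "UPDATE"),
    Profile("OPSMVS.SOF.COMMAND.DISPLAY", "READ"),
    Profile("OPSMVS.SOF.QUERY.*", "READ"),
]

# A least-privilege variant (constructed): UACC(NONE) everywhere, then PERMIT a
# switch-administrator user (SOFADM) to UPDATE and an operator group (OPSOPER)
# to READ.  SOFADM must also be permitted on the discrete DISPLAY profile: a
# discrete profile wins over the generic, so a PERMIT on OPSMVS.SOF.COMMAND.*
# alone would not cover COMMAND DISPLAY.
HARDENED_PROFILES = [
    Profile("OPSMVS.SOF.COMMAND.*", "NONE", {"SOFADM": "UPDATE"}),
    Profile("OPSMVS.SOF.COMMAND.DISPLAY", "NONE", {"SOFADM": "READ", "OPSOPER": "READ"}),
    Profile("OPSMVS.SOF.QUERY.*", "NONE", {"SOFADM": "READ", "OPSOPER": "READ"}),
]


def matching_profile(profiles, resource):
    """Pick the profile that protects `resource`: an exact (discrete) match
    first, otherwise the longest generic whose stem the resource starts with.
    Simplification: a trailing '*' qualifier here matches any remaining
    qualifiers; the real RACF generic-naming rules are more detailed."""
    best = None
    for p in profiles:
        if p.name == resource:
            return p
        if p.name.endswith(".*"):
            stem = p.name[:-1]                     # keep the trailing dot
            if resource.startswith(stem) and len(resource) > len(stem):
                if best is None or len(p.name) > len(best.name):
                    best = p
    return best


def effective_access(profile, userid, groups):
    """RACF-style resolution (simplified): an explicit user entry wins, then
    the highest access of any of the user's groups, then UACC."""
    if userid in profile.permits:
        return profile.permits[userid]
    group_access = [profile.permits[g] for g in groups if g in profile.permits]
    if group_access:
        return max(group_access, key=ACCESS_RANK.__getitem__)
    return profile.uacc


def sof_authorized(profiles, userid, groups, kind, target):
    """True if `userid` may issue the SOF request under the given profiles.
    A resource with no covering profile is treated as denied here (fail
    closed); how the real sample rule handles an unprotected resource is not
    shown on the page."""
    resource, required = sof_resource(kind, target)
    profile = matching_profile(profiles, resource)
    if profile is None:
        return False
    return ACCESS_RANK[effective_access(profile, userid, groups)] >= ACCESS_RANK[required]


if __name__ == "__main__":
    for profiles, label in ((PAGE_RACF_PROFILES, "page sample"), (HARDENED_PROFILES, "hardened")):
        for user, groups in (("ANYBODY", []), ("OPER1", ["OPSOPER"]), ("SOFADM", [])):
            for kind, target in (("COMMAND", "RESTORE"), ("COMMAND", "DISPLAY"), ("QUERY", "CHPIDS")):
                print(f"{label:11} {user:7} {kind} {target:8} ->",
                      sof_authorized(profiles, user, groups, kind, target))
```

Running the module prints the decision matrix for both profile sets: under the page's sample every user is allowed everything, while under the hardened set only SOFADM can RESTORE and the OPSOPER group is limited to DISPLAY and the QUERY series. The DISPLAY case is the one to watch when converting the sample to UACC(NONE): because the discrete OPSMVS.SOF.COMMAND.DISPLAY profile is selected in preference to the generic, a PERMIT on the generic alone does not grant DISPLAY.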
Copyright © 2014 CA Technologies.
All rights reserved.