

Secure User Access to SOF

(Optional) You can secure user access to SOF using the sample Automated Operations Facility (AOF) rules SOFCMDR and SOFSECR, described below.

Both sample rules SOFCMDR and SOFSECR use the OPSECURE function to invoke the SAF security interface, and therefore require security resource definitions. The code within the samples establishes a prefix for the COMMAND series and a prefix for the QUERY series, as shown below. The actual resource name is the result of appending the QUERY or COMMAND target to the prefix. COMMAND DISPLAY and the entire QUERY series are checked for READ access; all other COMMAND targets are checked for UPDATE access.

Example: COMMAND and QUERY Sample Rules

COMMAND RESTORE etc.

Produces the full resource name: OPSMVS.SOF.COMMAND.RESTORE

QUERY CHPIDS etc.

Produces the full resource name: OPSMVS.SOF.QUERY.CHPIDS

Both sample rules require the definitions listed below. Actual implementation will vary across the different security products. The syntax is intended to demonstrate functionality, and may not reflect the most efficient usage.

Corresponding CA Top Secret definitions are as follows:

XA OPERCMDS= OPSMVS.SOF.COMMAND.*                          OWNER(SYSPDEPT)
   ACCESS  = UPDATE
   ADMIN BY= BY(SECMST  )    SMFID(CA11)   ON(03/17/2008)  AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.COMMAND.REMOVE                     OWNER(SYSPDEPT)
   ACCESS  = UPDATE
   ADMIN BY= BY(SECMST  )    SMFID(CA11)   ON(03/17/2008)  AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.COMMAND.RESTORE                    OWNER(SYSPDEPT)
   ACCESS  = UPDATE
   ADMIN BY= BY(SECMST  )    SMFID(CA11)   ON(03/17/2008)  AT(11:13:12)
XA OPERCMDS= OPSMVS.SOF.COMMAND.DISPLAY                    OWNER(SYSPDEPT)
   ACCESS  = READ
   ADMIN BY= BY(SECMST  )    SMFID(CA11)   ON(03/17/2008)  AT(11:13:12) 
XA OPERCMDS= OPSMVS.SOF.QUERY.*                            OWNER(SYSPDEPT)
   ACCESS  = READ

Equivalent CA ACF2 definitions are as follows:

RESOURCE
compile * store
.$key(OPSMVS) type(opr)
. SOF.COMMAND.-  uid(uid string) service(update) allow
. SOF.COMMAND.REMOVE  uid(uid string) service(update) allow
. SOF.COMMAND.RESTORE  uid(uid string) service(update) allow
. SOF.COMMAND.DISPLAY  uid(uid string) service(read) allow
. SOF.QUERY.-  uid(uid string) service(read) allow
.end

Sample RACF syntax is as follows:

RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.*  OWNER(SYSPDEPT)  UACC(UPDATE)
RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.REMOVE  OWNER(SYSPDEPT) UACC(UPDATE)
RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.RESTORE  OWNER(SYSPDEPT) UACC(UPDATE)
RDEFINE OPERCMDS OPSMVS.SOF.COMMAND.DISPLAY  OWNER(SYSPDEPT)  UACC(READ)
RDEFINE OPERCMDS OPSMVS.SOF.QUERY.*  OWNER(SYSPDEPT)  UACC(READ)
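The following Python is an added illustration, not code from the CA OPS/MVS product or its sample rules: it models the resource-name construction and READ/UPDATE mapping described above and evaluates a request against the sample RACF profiles from this page. The best-match logic (exact profile beats a trailing `*` generic) is a simplifying assumption; real SAF products apply their own, richer matching rules.

```python
# Added example (not the product's code): maps a SOF COMMAND/QUERY request to
# the OPERCMDS resource name and required access level described on this page,
# then checks it against the page's sample RACF profiles (UACC values).
from typing import Dict, Optional, Tuple

PREFIX = "OPSMVS.SOF"                       # prefix set by the sample rules
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2}

# Constructed from the sample RDEFINE statements above: profile -> UACC
SAMPLE_PROFILES: Dict[str, str] = {
    "OPSMVS.SOF.COMMAND.*": "UPDATE",
    "OPSMVS.SOF.COMMAND.REMOVE": "UPDATE",
    "OPSMVS.SOF.COMMAND.RESTORE": "UPDATE",
    "OPSMVS.SOF.COMMAND.DISPLAY": "READ",
    "OPSMVS.SOF.QUERY.*": "READ",
}


def resource_name(series: str, target: str) -> str:
    """Append the COMMAND or QUERY target to the series prefix."""
    series, target = series.upper(), target.upper()
    if series not in ("COMMAND", "QUERY"):
        raise ValueError(f"unknown SOF series: {series}")
    return f"{PREFIX}.{series}.{target}"


def required_access(series: str, target: str) -> str:
    """COMMAND DISPLAY and the whole QUERY series need READ; all else UPDATE."""
    series, target = series.upper(), target.upper()
    return "READ" if series == "QUERY" or target == "DISPLAY" else "UPDATE"


def best_profile(name: str, profiles: Dict[str, str]) -> Optional[str]:
    """Assumed matching: an exact profile wins, otherwise the longest
    trailing-'*' generic whose prefix covers the resource name."""
    if name in profiles:
        return name
    generics = [p for p in profiles
                if p.endswith(".*") and name.startswith(p[:-1])]
    return max(generics, key=len) if generics else None


def check_request(series: str, target: str,
                  profiles: Dict[str, str] = SAMPLE_PROFILES
                  ) -> Tuple[str, str, Optional[str], bool]:
    """Return (resource, required access, matched profile, allowed by UACC)."""
    name = resource_name(series, target)
    need = required_access(series, target)
    prof = best_profile(name, profiles)
    granted = profiles[prof] if prof else "NONE"   # no profile: deny
    return name, need, prof, ACCESS_RANK[granted] >= ACCESS_RANK[need]
```

Substituting UACC(NONE) on the COMMAND.* generic shows how an unlisted COMMAND target then falls through to a deny while the explicit DISPLAY profile still permits READ.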