CA SMF Director can provide SMF and RMF records containing performance and accounting information to anyone. Therefore, it may be necessary to restrict certain functions of this product from certain users.
The functions of this product can be secured by using an external security product such as CA TOP SECRET, CA ACF2, or IBM's RACF. The resource class CA$MSMF must be defined to the external security product prior to using CA SMF Director. IBM RACF customers accomplish this using the ICHERCDE macro to modify the Class Descriptor Table (CDT) and the ICHRFRTB macro to modify the RACF Router Table. CA TOP SECRET customers should modify their Resource Definition Table (RDT) using the TSS ADD(RDT) command. CA ACF2 customers should create a CLASMAP and GSO SAFDEF records. For more details, see the administrator guide for the security product.
The resource class CA$MSMF must allow alphanumeric resource names up to 20 characters in length, and access levels of UPDATE, READ or NONE. CA SMF Director issues a RACROUTE REQUEST=AUTH using the resource class CA$MSMF, the application id SMFDIR, and an ENTITY name (resource name) of the form PRM.xxxxxx or CMD.xxxxxx. 'PRM' indicates that the function was requested via the JCL EXEC PARM keyword, whereas 'CMD' indicates that the function was requested via the SYSIN data set.
We recommend that the default for the CA$MSMF resource class be to disallow access. To allow use of a function, the following resources must be defined or permitted in the user's security record:
| The Resource name... | Performs the function... |
|---|---|
| PRM.BACKUP | Backup of the SCDS file. |
| PRM.RESTORE | Restore of the SCDS file. |
| PRM.INIT | SCDS Initialization. |
| PRM.DUMP | Dumping of the SMF files. |
| CMD.xxxxxx | of the indicated command statement, where xxxxxx is one of the following: ADDX, BEGIN, CHECKIT, COMPILE, DELETEX, DUMPOPTIONS, DUMPTAPES, DUMP, EXTRACT, END, LISTC, LISTH, OPTIONS, SOURCE, SPLIT, TAPEINIT, or UPDTX. |
If the CASFDUMP procedure is started by operators or via the auto dump feature, then the default batch or STC security record must contain permissions to PRM.DUMP and/or CMD.DUMP. If the CASFDUMP procedure will perform other functions, such as backup or restore, the corresponding permissions must also be granted.
The following example illustrates how a CA TOP SECRET security administrator might define this product to the security system and allow John Doe to perform PRINT or EXTRACT requests only:
TSS ADD (RDT) RESCLASS (CA$MSMF) RESCODE (XX) MAXLEN (20) ATTR (MASK) ACLST (READ=4000, UPDATE=8000, NONE=0000, ALL=FFFF)
The above CA TOP SECRET command can be used as an example of how to update the Resource Descriptor Table. The resource class is CA$MSMF for CA SMF Director. An available resource code should be selected by the user.
The following CA Top Secret commands define the ownership of resources to an already existing user USER01.
TSS ADD (USER01) CA$MSMF (PRM)
TSS ADD (USER01) CA$MSMF (CMD)
The following CA Top Secret commands remove access to all users, and define access for JOHNDOE to the EXTRACT and PRINT commands.
TSS PERMIT(ALL) CA$MSMF(PRM.*) ACCESS(NONE)
TSS PERMIT(ALL) CA$MSMF(CMD.*) ACCESS(NONE)
TSS PERMIT(JOHNDOE) CA$MSMF(CMD.EXTRACT) ACCESS(UPDATE)
TSS PERMIT(JOHNDOE) CA$MSMF(CMD.PRINT) ACCESS(UPDATE)
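To see how the default-deny class plus the four PERMIT commands above resolve individual requests, here is an added Python model of the RACROUTE REQUEST=AUTH decision described on this page; it is example code, not part of CA SMF Director or CA TOP SECRET. It assumes that when several permits match an entity, the most specific one (longest literal prefix, with a user-specific permit beating an ALL permit) decides, and that an entity with no matching permit falls back to the class default of NONE.

```python
import re
from fnmatch import fnmatchcase

# Access levels accepted by the CA$MSMF class, ordered so that UPDATE implies READ.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}

# Naming rule from the page: PRM. or CMD. prefix, alphanumeric, at most 20 characters.
ENTITY_RE = re.compile(r"^(PRM|CMD)\.[A-Z0-9]{1,16}$")

# The TSS PERMIT commands shown above, as (acid, resource mask, access) tuples.
# ALL stands for every user, as in TSS PERMIT(ALL).
PERMITS = [
    ("ALL", "PRM.*", "NONE"),
    ("ALL", "CMD.*", "NONE"),
    ("JOHNDOE", "CMD.EXTRACT", "UPDATE"),
    ("JOHNDOE", "CMD.PRINT", "UPDATE"),
]


def validate_entity(entity):
    """Reject resource names the CA$MSMF class definition would not accept."""
    if not ENTITY_RE.match(entity):
        raise ValueError(f"invalid CA$MSMF resource name: {entity!r}")
    return entity


def granted_level(acid, entity, permits=PERMITS):
    """Access level the most specific matching permit grants acid on entity.

    Assumption (not from the page): ties are broken by literal prefix length,
    then by preferring a permit for the specific acid over one for ALL.
    """
    validate_entity(entity)
    best = None  # (literal prefix length, acid-specific flag, level)
    for who, mask, access in permits:
        if who not in (acid, "ALL") or not fnmatchcase(entity, mask):
            continue
        rank = (len(mask.rstrip("*")), 1 if who == acid else 0, LEVELS[access])
        if best is None or rank[:2] > best[:2]:
            best = rank
    return best[2] if best else LEVELS["NONE"]  # class default: disallow


def check(acid, entity, requested):
    """Authorization outcome as (allowed, return code): 0 on success, 12 when denied."""
    allowed = granted_level(acid, entity) >= LEVELS[requested]
    return allowed, (0 if allowed else 12)
```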
The next example illustrates how a RACF security administrator would define CA SMF Director to RACF. The class descriptor table is used to describe resource classes to be used by this product.
ICHERCDE CLASS=CA$MSMF, X
ID=128, X
FIRST=ALPHA, X
OTHER=ANY, X
POSIT=25, X
MAXLNTH=20, X
DFTUACC=NONE
For the RACF router table enter the following:
ICHRFRTB CLASS=CA$MSMF, X
ACTION=RACF
Use the RACF RDEFINE command to define all RACF resources belonging to the new classes specified in the class descriptor table.
RDEFINE CA$MSMF (PRM.BACKUP) UACC(NONE)
RDEFINE CA$MSMF (PRM.RESTORE) UACC(NONE)
RDEFINE CA$MSMF (PRM.INIT) UACC(NONE)
RDEFINE CA$MSMF (PRM.DUMP) UACC(NONE)
RDEFINE CA$MSMF (CMD.ADDX) UACC(NONE)
RDEFINE CA$MSMF (CMD.BEGIN) UACC(NONE)
RDEFINE CA$MSMF (CMD.CHECKIT) UACC(NONE)
RDEFINE CA$MSMF (CMD.COMPILE) UACC(NONE)
RDEFINE CA$MSMF (CMD.DELETEX) UACC(NONE)
RDEFINE CA$MSMF (CMD.DUMPOPTIONS) UACC(NONE)
RDEFINE CA$MSMF (CMD.DUMPTAPES) UACC(NONE)
RDEFINE CA$MSMF (CMD.DUMP) UACC(NONE)
RDEFINE CA$MSMF (CMD.EXTRACT) UACC(NONE)
RDEFINE CA$MSMF (CMD.END) UACC(NONE)
RDEFINE CA$MSMF (CMD.LISTC) UACC(NONE)
RDEFINE CA$MSMF (CMD.LISTH) UACC(NONE)
RDEFINE CA$MSMF (CMD.OPTIONS) UACC(NONE)
RDEFINE CA$MSMF (CMD.SOURCE) UACC(NONE)
RDEFINE CA$MSMF (CMD.SPLIT) UACC(NONE)
RDEFINE CA$MSMF (CMD.STREAMOPTIONS) UACC(NONE)
RDEFINE CA$MSMF (CMD.TAPEINIT) UACC(NONE)
RDEFINE CA$MSMF (CMD.UPDTX) UACC(NONE)
When using an external security product to secure the CA SMF Director functions, the security product will either allow or deny access to the resources mentioned above. If the security product denies access to a resource, CA SMF Director will not continue to process the command. A message is issued indicating that authority was denied for the request and a return code of 12 is set.
By default this product requires update access to the SCDS file. Specifying PARM=READ on the EXEC statement calling program SMFD will allow this product to process functions that require read only access. This can be done provided that the external security product will grant access to the SCDS file, any related programs, and the specific function to be processed. Functions that require SCDS Update access will fail with a message that READONLY processing was requested.
In addition to defining the above resources, the security product must allow access to the CA SMF Director programs, the SCDS file and the SMF history files. The DUMP function requires create access to the SMF history files and update access to the SCDS file. The EXTRACT and PRINT functions require read access to the SMF history files.
The following commands require UPDATE access to the SCDS file. Use these commands to perform the specified actions:

- start a series of configuration commands.
- compile the configuration definition.
- end the configuration definition.
- define specifications for SMF history files for a specific stream.
- define specifications for SMF history files for each system.
- define specifications for all systems.
- modify the pool of tapes available for dumped SMF data.
- switch the current dump tape.
- empty the contents of one or more SMF files.
- generate application-ready SMF files while dumping.
- add index entries of SMF data.
- remove one index entry of SMF data at a time.
- modify a range of index entries.
The following commands require READ access to the SCDS file. Use these commands to perform the specified actions:

- copy SMF data to be processed by another product.
- print SMF data.
- list configuration information for one or more SIDs.
- list index information for SMF history files.
- redefine the input source of data to be used in processing by CA SMF Director.
- display SCDS records in dump format, as a diagnostic tool.
Copyright © 2011 CA. All rights reserved.