Controlling Access Using an External Security Package

Implementing Resource-Level Security › Controlling Access Using an External Security Package

Controlling Access Using an External Security Package

Your external security package can provide resource-level security if it supports SAF. It can provide security on its own or in conjunction with NPF.

SAF calls to your external security package are used to access permissions for user’s requests to menus, resources, and commands. This is enabled when $RMSXS-prefixed member is specified in the NPF Resource List Member field of a UAMS definition.

The following diagram shows the relationship between UAMS and SAF within an external security package. The $RMSXS-prefixed member can either be empty (as shown in the diagram) or contain NPF statements. Sample members are listed in the table in Sample NPF Members.

The diagram shows a UAMS record using the $RMSXSAF member.

The following NPF members (with names prefixed by $RMSXS) indicate that an external security package is to be used:

$RMSXSAF: Contains a special indicator—NPF will be bypassed in favor of an external security package.
$RMSXSAD: Contains permissions for administrators—combined NPF and external security package.
$RMSXSOP: Contains permissions for operators—combined NPF and external security package.
$RMSXSNO: Contains permissions for network operators—combined NPF and external security package.
$RMSXSMO: Contains permissions for monitors—combined NPF and external security package.

Sample Security Profiles

Sample security profiles are provided for each of the supported external security packages in the following libraries:

The SMP target zone library, dsnpref.pvpref.CC2DSAMP
The SMP distribution zone library, dsnpref.pvpref.AC2DSAMP

dsnpref: Specifies your site-specific data set name prefix.
pvpref: Specifies your product version prefix.

Note: On z/VM systems, these profiles are on the vmid 293 G-disk.

Each library includes the following security profiles:

$RMSXACF: Specifies permissions for all groups of users for CA ACF2 versions earlier than Version 6.
$RMSXAC6: Specifies permissions for all groups of users for CA ACF2 Version 6 and later.
$RMSXTSS: Specifies permissions for all groups of users for CA Top Secret.
$RMSXRCF: Specifies permissions for all groups of users for RACF.

Defining Security Profiles

To define the appropriate security profiles to an external security package, complete these steps:

Copy the required security member to the security PDS (which is the first library in the COMMANDS concatenation of libraries).
If necessary, modify the members to suit your requirements.
Add a valid job card to run the batch job.
When the job has completed successfully, enter a $RMSXS-prefixed member in the NPF Resource List Member field of your user’s group or user ID definition, to indicate that an external security package is required to control security.

The security requirements for the sample groups—$RMADMIN, $RMOPER, $RMNOPER, and $RMMON—are now defined to your external security package and will apply to users attached to these groups.

More information:

Securing Data Set Members

Modifying Security Members

The supplied security members define each group’s access to functions and resources. These security members can be modified to suit your own security requirements. Use the syntax specified in the following sections to specify your own requirements for access to menu options, the knowledge base, system images, Automation Services commands, system commands, and product commands.

Controlling Access to Menu Options

To control access to menu options, specify:

$RMMENU.menu-id.option-code

menu-id: Identifies the menu. The ID of the main Primary Menu is $NM001. To display the ID of another menu, enter MENUID at the Select Option prompt.
option-code: Identifies the option (for example, A for the Administration and Definition option on the main Primary Menu).

Use an asterisk (*) to represent all menu options; for example, $RMMENU.menu-id.* means all options from menu-id.
Use $RMMENU.** to allocate access to all menus and their options.

Note: The asterisk (*) represents null, or one or more characters. Two asterisks (**) represent any suffix. This may not apply to your security system, in which case, you must use the equivalent wildcard character that does apply.

Controlling Access to the Knowledge Base

The knowledge base contains definitions of Automation Services components. To control access to knowledge base definitions, specify:

$RMDB.system-image-name.system-image-version.class-number.
definition-name.action-type

system-image-name

Names the system image.

system-image-version

Identifies the version of the system image.

class-number

Identifies the class of component. The following table lists the valid classes. A product uses a subset of these classes.

class-number	Component Definition
01	System image
02	Started task
03	SNA group
04	CICS transaction
05	CICS file
06	CICS database
07	CICS link
08	CONNECT:Direct manager
09	CONNECT:Direct monitor
10	Initiator
11	Printer
13	Spool
14	JES line
16	DASD
17	USRCLS—user-defined resource class
18	Tape or cartridge unit
19	Batch job
20	Job entry subsystem (JES)
21	Internal resource
22	FTS manager
23	FTS monitor
24	File transfer schedule
25	FTP manager
26	FTP monitor
27	CONNECT:Mailbox manager
28	CONNECT:Mailbox monitor
29	Sysplex component
30	Console message profile
31	VM guest
32	Linux image
33	Linux application
35	User profile
36	Status monitor filter Resource group filter SNA resource filter File transfer rule set File transfer rule
38	FTP policy rule set or rule
39	IP Node Monitor group
40	Command
41	Logical state table
42	IP node
43	IP address space monitor
44	Channel Interface Processor
46	Open Systems Adapter
47	Enterprise Extender
48	Communications storage manager
49	VIPA
50	Availability map
51	TCP/IP stack
52	CICS monitor
53	APPN/HPR
54	Network control program (NCP) monitor
55	SNA resource model template
56	SNMP host details
57	VTAM state
60	Resource group
61	Service
62	CA-XCOM manager
63	CA-XCOM monitor
64	Monitoring attribute
70	Macro
71	Process
74	Calendar criteria
75	Calendar
76	Calendar keyword
78	Activity schedule
80	Icon
81	Icon panel
90	Prompt list
93	Rule set
94	Message rule
95	Message group rule
96	Learnt message
98	Timer rule
9A	Included rule set
9B	Initial action

Note: Resource classes 30, 35, 36, 39, 40, 41, 56, 60, 61, 64, 70, 74 to 76, 78, 80, 81, 90, 93 to 96, 98, 9A, and 9B are independent of system images.

definition-name

Identifies the component definition.

action-type

Identifies the action to be performed on the definition. Valid values are:

CREATE: Creates a new definition.
DELETE: Deletes an existing definition.
SET: Updates a definition.

Use an asterisk (*) to represent all knowledge base components. The following example shows the ability to create started task resource definitions for all versions of system-image-name:
```
$RMDB.system-image-name.*.02.*.CREATE
```
Use $RMDB.** to allow all knowledge base functions on all knowledge base components.

Controlling Access to System Images

You can control which functions a user can perform on a system image. To control access to system image resources, specify:

$RMSYS.system-image-name.system-image-version

system-image-name: Names the system image.
system-image-version: Identifies the version of the system image.

Use an asterisk (*) to represent all of a resource type; for example, $RMSYS.*.0001 indicates all version 1 system images.
Use $RMSYS.** to allocate permission to perform all functions on all system images.

Controlling Access to Automation Services Commands

You can control whether a user can issue an Automation Services command on an Automation Services component. To control the use of these commands, specify:

$RMCMD.system-image-name.system-image-version.
class-number.component-name.as-command-name

system-image-name

Names the system image.

system-image-version

Identifies the version of the system image.

class-number

Identifies the class of component. The table in Controlling Access to the Knowledge Base lists the valid class numbers.

If you want to restrict the use of a command on SNA resources in CA NetMaster Network Automation, specify 55 for the class number.

component-name

Identifies the component.

as-command-name

Names the command.

Note: For information about how to view the list of registered commands, see the Reference Guide.

The following list shows non-registered commands:

DBSYNC: Synchronizes databases.
REPLUNLD: Enables a user to unload command replacement NCL procedures.
TRANSMIT: Transmits a system image or other database components.
SETUP: The express setup facility calls $NMSEC with the command name SETUP to check if the user ID has authority to run the facility.

Use an asterisk (*) to represent all of a resource type. The following example shows the ability to issue commands relating to file transfer schedules in all versions of system-image-name:
```
$RMCMD.system-image-name.*.24.*.*
```
Use $RMCMD.** to allocate permission to perform all commands on all components in all system images.

Controlling Access to System Commands

To control the use of system commands, specify:

$RMSYCMD.system-command-name.operand-1.operand-2…operand-n

system-command-name: Names the system command.
operand-n: Specifies the operands of the command.

Use an asterisk (*) to represent all of a resource type. For example, to secure the MODIFY system command for the following commands in all regions:
- For the FSTOP command, use $RMSYCMD.F.*.FSTOP.
- For the SHUTDOWN command, use $RMSYCMD.F.*.SHUTDOWN*. The trailing asterisk ensures that every variation of the command is covered.
Use $RMSYCMD.** to allocate permission to perform all system commands.

Controlling Access to Product Commands

To control the use of product commands, specify:

$RMNMCMD.product-command-name

product-command-name: Names the command. See the 3270 Online Help for the list of product commands.

Use $RMNMCMD.** to allocate permission to perform all product commands.

When you issue a command from the OCS window or command entry panel, you issue the command under the control of your command authority level and the external security profile of the region. You do not normally issue the command under the control of your own security profile.

If you want to issue a command under the control of your own security profile, replace the command with an NCL procedure.

Note: This does not affect system commands that are already controlled by SAF.

More information:

Product Commands from the OCS Panel or Command Entry Panel

Controlling Access to Customizer Parameter Groups

To control the type of access to Customizer parameter groups, specify:

$RMICS.action.parameter-group-name

action

Specifies the type of access to the Customizer parameter groups. The access can be one or more of the following types:

GET: Gets parameter group.
SET: Files parameter group.
SETPARM: Actions parameter group.
UPDPARM: Updates parameter group.
BROPARM: Browses parameter group.

parameter-group-name

Names the Customizer parameter group.

Use the asterisk (*) as a wild card. The following example shows the ability to retrieve all parameter groups:
```
$RMICS.GET.*
```
Use $RMICS.** to allow all types of access to Customizer parameter groups.