During installation, the conversion utility GSVXCNVS converts the security data set from a previous CA SYSVIEW release to the current release.
By default, the security file conversion marks command authorization for new commands as allowed.
Note: In previous releases, the default action was to fail new commands.
You can modify the default behavior by coding the SYSIN data set for the GSVXCNVS utility. The following example fails new commands for all groups except ADMIN:
//SYSIN DD * FAILNEWCMDS=YES,GROUP=*ALL* FAILNEWCMDS=NO,GROUP=ADMIN /*
The input processes in the order that it is read and uses the last setting that applies to the user group.
The SPOOL resource has also been expanded to accommodate JES3:
Note: In prior releases of CA SYSVIEW, the SPOOL resource was a 2-byte suffix of the JES2 spool volume. Therefore, modify the resource name of your existing internal security rules for JES2 SPOOL to be the full spool volume name.
New commands have been added to CA SYSVIEW in this release. Additional external security rules could be required.
Modify any existing rules and profiles for the JES2 SPOOL resource if they were not generic enough to allow access to all spool volumes.
The entity:
SV.RESN.<system>.SPOOL.<JES2_ssid>.<2-byte_spool_volume_suffix>
Changed to:
SV.RESN.<system>.SPOOL.<JES2_ssid>.<6-byte_spool_volume>
The sample SAF exits SAFSECX and JSPLSECX are no longer supported. SAF entity checking is now internal to CA SYSVIEW. Enable SAF entity checking by defining a SAF entity class. You can define this class in the External Security Section of the internal security group for the user, or in the GLOBAL group.
You can call the pre-SAF notification exit before calling SAF. CA SYSVIEW passes the class name and entity name to the exit.
Note: For more information, see the Security Guide.
SAF resource calls can now be suspended for a specific resource type. Previously, the ability to suspend all resource calls could be done by granting a user read access to entity SV.SUSP.<system>.RESN. Now, a specific resource type can be suspended by granting a user read access to entity SV.SUSP.<system>.RESN.<resource>.
Example: Suspend Resource Checking
Code the following suspend rule to suspend all resource checking for the output class a job on the spool is in:
SV.SUSP.<system>.RESN.OUTCLASS
The following enhancements have been made to existing commands.
Security administration
The Miscellaneous Section of a CA SYSVIEW security user group controls user access to commands that have been defined in multiple command groups.
This option now has a default value of No. New commands added to the current release are allowed by default.
You can only modify this setting using the GSVXCNVS utility when the security file is being converted from a prior release.
Note: For more information, see the security conversion job that gets generated as part of installation.
The External Security Section of a CA SYSVIEW security user group contains the following new option to control external security requests:
Specify to generate a message at session initialization indicating that external security is active for the user using the SAF class specified.
Default: No
|
Copyright © 2012 CA.
All rights reserved.
|
|