

External Security Section Display

The External Security Section display shows the System Authorization Facility (SAF) definitions that are used to interface with external security products.

The External Security Section display has the following fields:

SAF Entity Class Name

Specifies the SAF resource class name to use when you want external security to validate commands and other resources.

Specify NONE to use internal security definitions to validate all commands and resources and thus bypass the SAF authorization calls.

Default: NONE

Suggested SAF resource class names:

Specifying a class name in the security group overrides any specified value in the GLOBAL group.

Bypass Internal Security Call

Specify a value of YES if you want external security alone to determine access. CA SYSVIEW calls the external security before calling the internal security. Normally, external security cannot override internal security and allow access that internal security failed. This option lets you use the external security exclusively without having to allow all access in the DEFAULT internal security group.

Note: When you set this option, Command Groups that are defined in internal security do not participate in determining command and subcommand access.

Default: NO

SAF Entity Name Prefix

The prefix, or first node name, used to build the entity names for SAF calls. The prefix is only used when a SAF entity class is defined.

Default: SV

Call SAF if failed internally

Specify a value of YES to call SAF to validate access to the resource when internal security already failed the access. External security cannot grant access to a resource that internal security failed. Setting this value to YES lets you log violations in the external security database that would otherwise not be recorded.

Default: NO

Use JESSPOOL for Job Validation

Specify a value of YES if you want to use the JESSPOOL resources for all job name validation calls. All other resource checks (CMND, SUBC, RESN, and so on) continue to use resources that are defined for the SAF Entity Class Name.

SAF only verifies the JESSPOOL resources (no SAF calls for CMND, SUBC, RESN, and so on) when JESSPOOL is the SAF Entity Class Name.

Default: NO

Use System SMFID in Entity Name

Specifies whether the SAF entity name contains the system SMFID as the third node when a SAF entity class is defined.

Default: YES

Use System QUAL in Entity Name

Specifies whether the SAF entity name contains a qualifier following the resource type when a SAF entity class is defined. Some example qualifiers would be JES2 for JES resource types, or the subsystem ID for IMS resources.

Default: YES

SAF Exit Name

Specifies the name of an optional user exit to invoke before SAF. The entity class and entity name are passed to the exit.

Default: NONE

Pass JES JCT addr to the SAF exit

Specify a value of YES to pass the address of the JES JCT to the SAF exit. This value only applies if an exit is coded.

Default: YES

Access Entity Table Size

Specifies the initial size of the SAF Access Entity Table (AET). The AET is used to cache responses to SAF calls so subsequent calls for the same entity name can retrieve the responses. The size of the AET is specified in KB. AET storage is allocated above the 2-GB bar. A value of zero uses no AET.

Default: 256

Maximum: 1024
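
The following added example, which is not CA SYSVIEW code, models how the SAF Entity Class Name, Bypass Internal Security Call, and Call SAF if failed internally fields combine into one access decision, as described above. The class, the function names, and the class name EXAMPLE1 are hypothetical, and the points marked as assumptions in the comments are this model's reading of the field descriptions.

```python
from dataclasses import dataclass

@dataclass
class ExternalSecurity:
    """Hypothetical model of three fields from the display (not product code)."""
    saf_class: str = "NONE"           # SAF Entity Class Name
    bypass_internal: bool = False     # Bypass Internal Security Call
    call_saf_if_failed: bool = False  # Call SAF if failed internally

def decide(cfg, internal_allows, saf_allows):
    """Return (access_granted, saf_called) for one resource check."""
    if cfg.saf_class.upper() == "NONE":
        # Internal definitions validate everything; SAF calls are bypassed.
        # Assumption: the other two options have no effect without a class.
        return internal_allows, False
    if cfg.bypass_internal:
        # External security is used exclusively.
        return saf_allows, True
    if not internal_allows:
        # SAF cannot grant what internal security failed; it is called only
        # so the violation is logged in the external security database.
        return False, cfg.call_saf_if_failed
    # Assumption: once internal security passes, the SAF answer decides.
    return saf_allows, True

def review_notes(cfg):
    """Points to raise when reviewing a security group with these settings."""
    notes = []
    if cfg.saf_class.upper() == "NONE":
        notes.append("SAF is bypassed: only internal definitions are checked")
        return notes
    if cfg.bypass_internal:
        notes.append("internal Command Groups do not participate in command access")
    elif not cfg.call_saf_if_failed:
        notes.append("internally failed access is not logged by external security")
    return notes

if __name__ == "__main__":
    cls = "EXAMPLE1"  # constructed placeholder, not a suggested class name
    for cfg in (ExternalSecurity(), ExternalSecurity(cls),
                ExternalSecurity(cls, call_saf_if_failed=True),
                ExternalSecurity(cls, bypass_internal=True)):
        print(cfg, review_notes(cfg))
        for internal in (True, False):
            for saf in (True, False):
                print("  internal", internal, "saf", saf, "->", decide(cfg, internal, saf))
```
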