The following examples are based on a CA Spool system using the SAFTYPE statements shown earlier. These statements correspond to the default setting if no SAFDEF/SAFTYPE statements are present.
If a user is found to have global access to CA Spool resources (for example, full access to SAFTYPEs 12, 13, and 14), no further checking is done. In the following examples, it is assumed that CA Spool has determined that the users do not have global access to the system.
Example 1: Create a File for a Printer
User ADAM attempts to create a file for printer HPBARCDE with a filename of BARCODES. HPBARCDE is defined in group number 8.
CA Spool checks the SAFTYPE 1 statement to see if access is allowed for UPDATE to resource ESFSECU.FIGR00.G0000008.ADAM.BARCODES. If it is not allowed, the access for UPDATE to ESFSECU.FINO00.HPBARCDE.ADAM.BARCODES is checked based on the SAFTYPE 2 statement.
Example 2: Change a File Destination
User BERTA attempts to change the destination (route) of the file that was created in example 1 to HPOTHER. HPOTHER is defined in group number 22.
CA Spool checks, based on the SAFTYPE 3 statement, to see if access for UPDATE to resource ESFSECU.FIGR23.G0000008.ADAM.BARCODES is allowed. If it is not allowed, the access for UPDATE to ESFSECU.FINO23.HPBARCDE.ADAM.BARCODES is checked based on the SAFTYPE 4 statement.
If user BERTA is allowed to modify the existing file, a second check determines whether this user is allowed to route a file to destination HPOTHER. Based on the SAFTYPE 5 statement, CA Spool checks whether access for UPDATE to resource ESFSECU.FIGR18.G0000022.ADAM.BARCODES is allowed. If it is not allowed, access for UPDATE to ESFSECU.FINO18.HPOTHER.ADAM.BARCODES is checked based on the SAFTYPE 6 statement.
Depending on the capabilities of the external security system being used, and on individual requirements, system administrators can set up generic profile definitions in their security system. In this way, multiple users are allowed access to multiple groups using just a single profile definition in the security system. Some examples of how to define profiles in RACF or internal SAF are provided later in this section.
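The check order in Examples 1 and 2 can be modeled as follows. This is an added illustration, not CA Spool code: the function names, the permit table, and the `*` wildcard matching are assumptions made for the sketch, and the owner field is taken from the resource names in the examples (ADAM in both). Users are assumed not to have global access.

```python
from fnmatch import fnmatchcase

def resource(level, func, target, owner, filename):
    """Build a resource name as in the examples: level GR (group) or NO (node)."""
    if level == "GR":
        target = f"G{target:07d}"          # group 8 -> G0000008
    return f"ESFSECU.FI{level}{func}.{target}.{owner}.{filename}"

def allowed(user, name, permits):
    """permits: (pattern, user) pairs granting UPDATE. The '*' wildcard is a
    simplification, not the security product's real generic-profile rules."""
    return any(u == user and fnmatchcase(name, pat) for pat, u in permits)

def check_pair(user, func, group, node, owner, filename, permits, trace):
    """Group-level check first; node-level check only if the group check fails."""
    for level, target in (("GR", group), ("NO", node)):
        name = resource(level, func, target, owner, filename)
        ok = allowed(user, name, permits)
        trace.append((name, ok))
        if ok:
            return True
    return False

def create_file(user, group, node, filename, permits):
    """Example 1: SAFTYPE 1, then SAFTYPE 2. The creator is the owner."""
    trace = []
    return check_pair(user, "00", group, node, user, filename, permits, trace), trace

def reroute_file(user, owner, filename, src, dst, permits):
    """Example 2: modify the existing file (SAFTYPE 3/4), then route to the
    new destination (SAFTYPE 5/6). src and dst are (group, node) tuples."""
    trace = []
    ok = (check_pair(user, "23", *src, owner, filename, permits, trace)
          and check_pair(user, "18", *dst, owner, filename, permits, trace))
    return ok, trace

# Constructed sample permits (not from the CA Spool documentation).
PERMITS = [
    ("ESFSECU.FIGR00.G0000008.*", "ADAM"),
    ("ESFSECU.FINO23.HPBARCDE.*", "BERTA"),
    ("ESFSECU.FIGR18.G0000022.*", "BERTA"),
]

if __name__ == "__main__":
    ok, trace = reroute_file("BERTA", "ADAM", "BARCODES",
                             (8, "HPBARCDE"), (22, "HPOTHER"), PERMITS)
    for name, hit in trace:
        print("PERMIT" if hit else "DENY  ", name)
```

Because a failed group-level check falls through to the node-level check, a broad node-level generic profile grants access even where no group-level profile permits it. Review both levels together when auditing who can create or reroute files.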
Copyright © 2015 CA Technologies. All rights reserved.