

Use RACF to Secure CA Spool

The following procedure shows how to configure RACF to secure CA Spool. This procedure includes steps for defining users and groups to both products and for defining the CA Spool started task to CA Top Secret. This procedure provides guidelines but is not necessarily comprehensive. See your RACF administrator to determine whether to perform more customizations for your site.

Important! Before you perform these steps, shut down CA Spool. After you complete these steps, start CA Spool.

To secure CA Spool with RACF, follow this process in RACF:

  1. Perform one-time system setup tasks.
  2. Define users according to role.

Perform One-Time System Setup Tasks

  1. Define the ESF APPL for the CA Spool address space, using the following command:
    RDEFINE APPL ESF
    
  2. Define the CA Spool dataset resources to match your EXTernal SAFTYPE record resources. Use the following commands as models:
    ADDSD 'ESFSECU.**'                              GENERIC
    ADDSD 'ESFSECU.AUTH.GLACC'                      GENERIC
    ADDSD 'ESFSECU.AUTH.ALLGR'                      GENERIC
    ADDSD 'ESFSECU.CMND.*'        UACC(READ)        GENERIC
    ADDSD 'ESFSECU.CMND.REINIT'   UACC(NONE)        GENERIC
    ADDSD 'ESFSECU.CMND.SHUTDOWN' UACC(NONE)        GENERIC
    ADDSD 'ESFSECU.NOGR%%.G0000001'                 GENERIC
    ADDSD 'ESFSECU.NOGR%%.G0000002'                 GENERIC
    ADDSD 'ESFSECU.NONO%%.PRT1A'                    GENERIC
    ADDSD 'ESFSECU.FIGR%%.G0000001.**'              GENERIC
    ADDSD 'ESFSECU.FIGR%%.G0000001.JUNIOR.*'        GENERIC
    ADDSD 'ESFSECU.FIGR%%.G0000001.ORDINA.*'        GENERIC
    ADDSD 'ESFSECU.FIGR%%.G0000002.JUNIOR.*'        GENERIC
    ADDSD 'ESFSECU.FINO%%.PRT1A.TINY.*'             GENERIC
    

Define Users According to Role

Define users according to role, to grant them access rights to CA Spool resources. Repeat these steps each time that you grant a user access to CA Spool.

For login, CA Spool requires that a userid have both valid RACF login credentials and an associated DATA field that names its CA Spool default group.

To meet these requirements, first associate userids to groups. Next, assign the access rights to the userids. Use the following steps as models:

  1. Associate userids to groups. For example, to associate GROUP1 with userids USER001 and USER002, enter the following commands:
    ALTUSER USER001 DATA('ESFDGRP(1)')
    ALTUSER USER002 DATA('ESFDGRP(1)')
    

    Parameter ESFDGRP(1) relates to the default group of G0000001.

  2. Define additional users according to role. Assign access rights to the users to meet the requirements of the SAFTYPE statement that you want. Use the following examples as models.

Sample Commands for Defining Users According to Role

The following sample RACF commands illustrate how to define users with the appropriate authorizations for their type and access rights. Use the following examples as models.

Verify that the resource to which you grant access matches its appropriate SAFTYPE external entry. For a detailed explanation, see the example for the ORDINA userid USER001.

To define the SUPER userid SUPER01, use the following commands as a model:

PERMIT 'ESF' CLASS(APPL)    ID(SUPER01)  ACCESS(READ)
ALTUSER SUPER01 DATA('ESFDGRP(1)')
PERMIT 'ESFSECU.**'         ID(SUPER01)  ACCESS(UPDATE)

To define an OPER userid OPER01, use the following commands as a model:

PERMIT 'ESF' CLASS(APPL)        ID(OPER01)   ACCESS(READ) 
ALTUSER OPER01 DATA('ESFDGRP(1)')
PERMIT 'ESFSECU.**'             ID(OPER01)   ACCESS(UPDATE)
PERMIT 'ESFSECU.CMND.REINIT'    ID(OPER01)   ACCESS(READ) 
PERMIT 'ESFSECU.CMND.SHUTDOWN'  ID(OPER01)   ACCESS(READ) 

To define a JUNIOR userid JUNIOR1, use the following commands as a model:

PERMIT 'ESF' CLASS(APPL)                 ID(JUNIOR1) ACCESS(READ)
ALTUSER JUNIOR1 DATA('ESFDGRP(1)')
PERMIT 'ESFSECU.AUTH.GLACC'              ID(JUNIOR1) ACCESS(READ) 
PERMIT 'ESFSECU.AUTH.ALLGR'              ID(JUNIOR1) ACCESS(READ) 
PERMIT 'ESFSECU.NOGR%%.G0000001'          ID(JUNIOR1) ACCESS(UPDATE)
PERMIT 'ESFSECU.NOGR%%.G0000002'          ID(JUNIOR1) ACCESS(UPDATE)
PERMIT 'ESFSECU.FIGR%%.G0000001.JUNIOR.*' ID(JUNIOR1) ACCESS(UPDATE)
PERMIT 'ESFSECU.FIGR%%.G0000002.JUNIOR.*' ID(JUNIOR1) ACCESS(UPDATE)

To define an ORDINA userid USER001, use the following commands as a model:

PERMIT 'ESF' CLASS(APPL)                 ID(USER001) ACCESS(READ) 
ALTUSER USER001 DATA('ESFDGRP(1)')
PERMIT 'ESFSECU.NOGR%%.G0000001'          ID(USER001) ACCESS(UPDATE)
PERMIT 'ESFSECU.FIGR%%.G0000001.**'       ID(USER001) ACCESS(READ)
PERMIT 'ESFSECU.FIGR%%.G0000001.ORDINA.*' ID(USER001) ACCESS(UPDATE)

To define a TINY userid TINY01, use the following commands as a model:

PERMIT 'ESF' CLASS(APPL)                  ID(TINY01)  ACCESS(READ)
ALTUSER TINY01 DATA('ESFDGRP(1)')
PERMIT 'ESFSECU.NONO%%.PRT1A'             ID(TINY01)  ACCESS(UPDATE)
PERMIT 'ESFSECU.FINO%%.PRT1A.TINY.*'      ID(TINY01)  ACCESS(UPDATE)
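As an added check that is not part of this guide or of CA Spool, the Python model below encodes the ADDSD profiles and the PERMIT entries from the samples above and reproduces RACF's generic-name matching (enhanced generic naming is assumed, since the profiles use '**') and best-profile selection, so you can confirm what each sample userid would get on a given resource before you apply the commands. It shows that only the most specific matching profile is consulted, so a permit on ESFSECU.** does not carry over to resources that a more specific profile covers.

```python
import re

# Constructed model of the DATASET profiles defined above: name -> (UACC, permits).
PROFILES = {
    "ESFSECU.**": ("NONE", {"SUPER01": "UPDATE", "OPER01": "UPDATE"}),
    "ESFSECU.CMND.*": ("READ", {}),
    "ESFSECU.CMND.REINIT": ("NONE", {"OPER01": "READ"}),
    "ESFSECU.CMND.SHUTDOWN": ("NONE", {"OPER01": "READ"}),
    "ESFSECU.NOGR%%.G0000001": ("NONE", {"JUNIOR1": "UPDATE", "USER001": "UPDATE"}),
    "ESFSECU.FIGR%%.G0000001.**": ("NONE", {"USER001": "READ"}),
    "ESFSECU.FIGR%%.G0000001.JUNIOR.*": ("NONE", {"JUNIOR1": "UPDATE"}),
    "ESFSECU.FIGR%%.G0000001.ORDINA.*": ("NONE", {"USER001": "UPDATE"}),
    "ESFSECU.NONO%%.PRT1A": ("NONE", {"TINY01": "UPDATE"}),
}

def profile_regex(name):
    # Generic syntax under enhanced generic naming: '%' = one character,
    # '*' inside a qualifier = rest of that qualifier, '*' as a whole qualifier
    # = exactly one qualifier, trailing '**' = zero or more qualifiers.
    regex = ""
    for i, q in enumerate(name.split(".")):
        if q == "**":
            regex += r"(?:\.[^.]+)*"
        elif q == "*":
            regex += (r"\." if i else "") + "[^.]+"
        else:
            piece = "".join("[^.]" if c == "%" else "[^.]*" if c == "*"
                            else re.escape(c) for c in q)
            regex += (r"\." if i else "") + piece
    return re.compile(regex)

def specificity(name):
    # Best-match key, compared position by position: literal > '%' > '*' > '**'.
    key, i = [], 0
    while i < len(name):
        if name.startswith("**", i):
            key += [0, 0]; i += 2
        else:
            key.append({"%": 2, "*": 1}.get(name[i], 3)); i += 1
    return tuple(key)

def best_profile(dsname):
    # RACF consults only the single most specific profile that matches.
    hits = [p for p in PROFILES if profile_regex(p).fullmatch(dsname)]
    return max(hits, key=specificity) if hits else None

def access(userid, dsname):
    # PERMIT entry on the best profile, else its UACC; NONE if no profile covers it.
    p = best_profile(dsname)
    uacc, permits = PROFILES[p] if p else ("NONE", {})
    return permits.get(userid, uacc)
```

Add each userid and resource pair your site actually uses and compare the result with the SAFTYPE access the role is meant to have.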