Note: By default, all CA ACF2 resources are protected; therefore, CA ACF2 does not support the definition of the PROTECT and PERMIT CA@BES processing parameters.
The most secure level of protection is PROTECT. This level explicitly protects all resources and requires that access be granted individually to each user or group. The external security manager verifies that the specific user has been granted access to the resource. Conversely, the PERMIT security level states that all users have implicit access to all CA Tape Encryption resources. If a particular resource requires restricted access, that resource must be defined within CA@BES and the security administrator grants access to the user. In other words, PERMIT processing performs no access verification unless a specific resource (system command, encryption key, or utility) has been explicitly defined.
You can use the PROTECT and PERMIT commands to manage profiles at the global level for all BES subsystems and at the local level for each BES subsystem. You can protect all commands, keys, and eligible utilities, and then permit specific ones. Alternatively, you can permit all commands, keys, and eligible utilities, and then protect specific ones. Determine which scenario works best for your environment. The security protection level can be refreshed dynamically by updating the specific CA@BES entity and having an authorized user issue the appropriate BESn RELOAD=SECURITY command.
Specifies that all CA Tape Encryption resources are protected by default. Each user must be granted explicit permission to access a resource. This option offers a greater level of protection than the PERMIT option, but requires more maintenance. PROTECT could be used to restrict access to a production BESn subsystem.
Specifies that all CA Tape Encryption resources are generally available unless they are specifically defined to the external security manager as being protected. You then determine which resources require added security. Only resources that have been specifically defined to the security system are protected. This option is for environments that require only minimal security definitions. The PERMIT command turns on command and key protection, but you must define specific commands, keys, and eligible utilities, and specify user permissions for them. PERMIT could be used in a test or development environment; it allows all users access to all resources that are not specifically defined.
Note: The term PERMIT should not be confused with the CA Top Secret or IBM Security Server RACF PERMIT command.
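The two security levels amount to a default-deny (PROTECT) versus default-allow (PERMIT) access decision, with one subtlety: under PERMIT, a resource that has been defined to the external security manager is no longer open, so a user still needs an explicit grant for it. The following Python models that decision, plus the CA ACF2 rule from the note at the top of this page. It is an added illustration, not code from CA Tape Encryption or CA@BES; the resource names, user ids, groups and grant tables are constructed for the example, and the `open_by_default` check is a suggested administrator review step, not a product function.

```python
"""
Model of the two CA@BES security levels: PROTECT (default deny) and
PERMIT (default allow unless a resource is defined to the ESM).
Added illustration, not CA Tape Encryption code; all names below are
constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PROTECT = "PROTECT"
PERMIT = "PERMIT"


@dataclass
class SecurityPolicy:
    level: str
    # Resources explicitly defined to the external security manager, mapped
    # to the users or groups granted access to them (constructed data).
    defined: dict[str, set[str]] = field(default_factory=dict)

    def is_allowed(self, user: str, groups: set[str], resource: str) -> bool:
        """Return True if the request passes under this security level."""
        grantees = self.defined.get(resource)
        if grantees is None:
            # Resource is not defined to the ESM: PROTECT falls through to
            # deny, PERMIT falls through to allow with no access check at all.
            return self.level == PERMIT
        # A defined resource needs an explicit grant to the user or to one of
        # the user's groups under either level.
        return user in grantees or bool(groups & grantees)

    def open_by_default(self, inventory: set[str]) -> set[str]:
        """Resources in the inventory that no ESM definition covers.

        Under PERMIT these are reachable by every user; under PROTECT they
        are blocked for everyone. Either way, this is the list to review
        before issuing RELOAD=SECURITY. (Hypothetical helper, not a product
        feature.)
        """
        return {r for r in inventory if r not in self.defined}


def effective_level(esm: str, requested: str | None) -> str:
    """Apply the CA ACF2 rule: ACF2 protects all resources by default and
    does not accept a PROTECT/PERMIT processing parameter."""
    if esm.upper() == "ACF2":
        if requested is not None:
            raise ValueError("PROTECT/PERMIT is not supported with CA ACF2")
        return PROTECT
    if requested not in (PROTECT, PERMIT):
        raise ValueError(f"unknown security level: {requested!r}")
    return requested


# Constructed inventory of BES resources (commands, a key, a utility).
INVENTORY = {"CMD.DISPLAY", "CMD.SHUTDOWN", "KEY.PROD01", "UTIL.KEYLOAD"}

# Constructed production policy: everything protected, two explicit grants.
PRODUCTION = SecurityPolicy(
    PROTECT,
    {"CMD.DISPLAY": {"OPS"}, "KEY.PROD01": {"KEYADMIN"}},
)

# Constructed test policy: everything open except the production key.
TEST = SecurityPolicy(PERMIT, {"KEY.PROD01": {"KEYADMIN"}})


def decision_table(policy: SecurityPolicy, user: str,
                   groups: set[str]) -> dict[str, bool]:
    """Evaluate one user against every resource in the constructed inventory."""
    return {r: policy.is_allowed(user, groups, r) for r in sorted(INVENTORY)}


if __name__ == "__main__":
    for name, policy in (("PROTECT", PRODUCTION), ("PERMIT", TEST)):
        print(name, "OPER1 (group OPS) ->", decision_table(policy, "OPER1", {"OPS"}))
        print(name, "undefined resources ->", sorted(policy.open_by_default(INVENTORY)))
```

Running the block shows the trade-off described above in one table: under PROTECT the operator reaches only the one command granted to the OPS group, and both undefined resources are blocked; under PERMIT the same operator reaches everything except the defined production key, and both undefined resources are wide open. The `open_by_default` list is the maintenance burden PROTECT carries and the exposure PERMIT carries, so it is worth producing either way before reloading security.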
Copyright © 2011 CA. All rights reserved.