Using Your Security System › Security Profiles › How You Use PROTECT and PERMIT Commands
How You Use PROTECT and PERMIT Commands
Use the PROTECT and PERMIT commands together to control which commands, keys, and eligible utilities users have access to on the BES subsystems in your environment. The following points outline this process:
- Define the command, key, or utility to the security system
- You can define all commands, keys, application management, and eligible utilities, globally to BES. This defines the profile to all BES subsystems
- You can define all commands, keys, application management, and eligible utilities,to a specific BES subsystem. This defines the profile to the specified BES subsystem.
- Define permit and protect options.
- A local PROTECT restricts the commands, keys, application management, or utilities on the specified BESn subsystem.
- A global PROTECT restricts the commands, keys, application management, or utilities to all BES subsystems.
- You grant access to protected resources by using the PERMIT command for CA Top Secret and IBM Security Server RACF and from the rule set definition on the $KEY CA ACF2 definition.
Note: A global PROTECT command can be overridden by a local PERMIT command.
A local PERMIT makes the commands, keys, application management, or utilities available to all users on the specified BESn subsystem.
- A global PERMIT makes the commands, keys, application management, or utilities available to all BES subsystems.
If PERMIT is used, you can restrict certain CA Tape Encryption resources by defining the resource to CA@BES or OPERCMDS.
Note: A global PERMIT control statement can be overridden by a local PROTECT control statement.
Note: If a resource is not defined to the security system, and either PERMIT is in control or the SAF Interface is not being used, it is considered to be available for all CA Tape Encryption users.