Your security system uses command protection profiles to control which users can issue CA Tape Encryption console commands. These command profiles are stored in the OPERCMDS resource class, not in CA@BES. They add a level of security verification to command processing that lets you limit the console commands a user is allowed to enter.
All CA Tape Encryption commands are unsecured resources by default for external security managers except CA ACF2. In effect, the default implies a PERMIT command for all commands for all BES subsystems.
To allow a user to access a particular command, you must define the command to the security system and then either issue an associated PERMIT command to IBM Security Server RACF or CA Top Secret, or specify “ALLOW” on the CA ACF2 UID(userid) rule set.
If you need to protect only a small number of CA Tape Encryption commands, you should specify a security scope of PERMIT. You then need to define only the specific resources you want to protect. This type of environment could be used on a test subsystem or on a test LPAR.
Conversely, a security scope of PROTECT explicitly protects all resources and lets the security administrator decide which users should have access to the CA Tape Encryption system commands. This type of configuration is used for production environments where you want to restrict the use of the CA Tape Encryption commands.
Copyright © 2011 CA. All rights reserved.