How Command Protection Profiles Work
Command protection profiles provide the following levels of protection for CA Tape Encryption console commands:
- Each user can be granted generic permission to execute a scope of commands.
- Each user can be granted specific permission to execute a specific command.
- A selected set of commands can be defined to require this added level of security protection. All other commands can be unrestricted.
- The IBM Security Server RACF UACC (Universal Access) parameter of READ can be defined for the resource if you want to grant that level of access to all users.
- The security definitions can range from generic pattern matching to a fully-qualified command. This lets you define security profiles in different ways depending on your needs. The pattern masking substitution characters are unique to each external security manager, so use the ones appropriate for your system.
- Command authorization is verified against the ACEE of the TSO user, or of the console user if the console was signed on using the z/OS LOGON console command, to determine whether the user is authorized to use the command.
- The error message BESnX0200E is displayed on the console if a user does not have authority to run the command.
- Security violations are logged in the BES Logger, in your external security manager's violations log, and optionally on the z/OS system console.
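The list above describes generic versus specific permission, UACC(READ) as a catch-all, and the logging of violations. The following Python model, added here as an illustration and not code from CA Tape Encryption or from any external security manager, shows how those pieces interact when a command is checked: the most specific covering profile wins, the user's access-list entry is consulted before the UACC, a command with no covering profile stays unrestricted, and a denial produces a violation record. The masking rules (`*`, `%`, `**`) are an assumed RACF-style convention, the access hierarchy beyond READ is assumed, and the `TAPE.CMD.*` resource names are made-up placeholders, not the product's naming scheme.

```python
"""Simplified model of how an external security manager resolves a
command protection profile.  Constructed illustration for this page;
it is not CA Tape Encryption or RACF code, and the resource names
(TAPE.CMD.*) are made-up placeholders, not the product's naming scheme."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed RACF-style access hierarchy; the page itself only names READ.
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    name: str                                   # resource pattern
    uacc: str = "NONE"                          # access for users not on the list
    access_list: Dict[str, str] = field(default_factory=dict)  # user -> level


def _qual_regex(qual: str) -> str:
    # Assumed RACF-style masking within one qualifier: '*' = any run of
    # characters, '%' = exactly one character.  Other managers differ.
    return "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in qual)


def _match(pat: List[str], res: List[str]) -> bool:
    if not pat:
        return not res
    if pat[0] == "**":                          # zero or more whole qualifiers
        return any(_match(pat[1:], res[i:]) for i in range(len(res) + 1))
    if not res:
        return False
    return (re.fullmatch(_qual_regex(pat[0]), res[0]) is not None
            and _match(pat[1:], res[1:]))


def matches(profile_name: str, resource: str) -> bool:
    """True if the profile pattern covers the fully-qualified resource name."""
    return _match(profile_name.split("."), resource.split("."))


def specificity(profile_name: str):
    # Fully-qualified profiles beat generic ones; among generics, more
    # literal characters wins (a simplification of the ESM's ordering).
    generic = any(c in profile_name for c in "*%")
    literal = sum(1 for c in profile_name if c not in "*%")
    return (0 if generic else 1, literal)


@dataclass
class Decision:
    allowed: bool
    profile: Optional[str]
    reason: str


def authorize(user: str, resource: str, profiles: List[Profile],
              violations: List[str]) -> Decision:
    """Find the most specific covering profile and check the user's access."""
    covering = [p for p in profiles if matches(p.name, resource)]
    if not covering:
        # Commands with no profile stay unrestricted ("all other commands
        # can be unrestricted").
        return Decision(True, None, "no profile; command unrestricted")
    best = max(covering, key=lambda p: specificity(p.name))
    on_list = user in best.access_list
    level = best.access_list[user] if on_list else best.uacc
    if ACCESS_LEVELS[level] >= ACCESS_LEVELS["READ"]:
        return Decision(True, best.name,
                        f"{level} via {'access list' if on_list else 'UACC'}")
    # The page names BESnX0200E as the console message for this case.
    violations.append(f"BESnX0200E {user} not authorized for {resource} "
                      f"(profile {best.name})")
    return Decision(False, best.name, f"{level} is below READ")


# Constructed profiles: a generic scope, a wide-open DISPLAY scope, and one
# fully-qualified command that only ADMIN1 may issue.
PROFILES = [
    Profile("TAPE.CMD.**", uacc="NONE", access_list={"OPER1": "READ"}),
    Profile("TAPE.CMD.DISPLAY.*", uacc="READ"),
    Profile("TAPE.CMD.STOP.ALL", uacc="NONE", access_list={"ADMIN1": "READ"}),
]

if __name__ == "__main__":
    log: List[str] = []
    for user, cmd in [("USER9", "TAPE.CMD.DISPLAY.STATUS"),
                      ("OPER1", "TAPE.CMD.STOP.ALL"),
                      ("ADMIN1", "TAPE.CMD.STOP.ALL")]:
        print(user, cmd, authorize(user, cmd, PROFILES, log))
    print(*log, sep="\n")
```

The instructive case is OPER1: the generic `TAPE.CMD.**` profile grants that user READ over the whole scope, yet `TAPE.CMD.STOP.ALL` is denied because the fully-qualified profile is the one selected, and OPER1 is neither on its access list nor covered by its UACC. When you build your own profiles, check the most specific one for each sensitive command rather than relying on the generic grant.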
If you are familiar with using control statements for your security system to manage security, you can create your own control statements to define these protection profiles.
Note: You can use the TBESAF99 command generation utility to create these control statements. For information about this utility, see the chapter “Using the TBESAF99 Utility to Generate Security Profiles.”