Define Command Protection Resource Protection Scope and Level

Use the RDEFINE command to define the command protection profile that sets the protection scope (PERMIT or PROTECT) for command protection. The scope can be defined globally for all BES subsystems or locally for one specified BES subsystem.

This command has the following format:

RDEF CA@BES BESn.COMMANDS.permissions
     OWNER(username)
     DATA('comments')

RDEF

Specifies the RDEFINE command.

Note: RDEFINE and RDEF are synonyms. IBM Security Server RACF accepts RDEF as the minimum control word.

CA@BES

Specifies the general resource class for CA Tape Encryption. This is always CA@BES for command protection processing parameter profiles.

n

Indicates the local BES subsystem number (1-8). If you specify BES without a subsystem identifier, the profile becomes a global profile and is applied to all BES subsystems.

COMMANDS

Specifies that this definition is for a command profile.

permissions

Specifies the permission setting. Options for this parameter are as follows:

PERMIT

Specifies that all the commands are permitted.

PROTECT

Specifies that all the commands are protected. A user can run them only after a PERMIT command has granted that user access to the resource.

OWNER(username)

Specifies the user name of the primary profile owner, typically the security administrator.

DATA('comments')

Specifies user-written comments to describe the profile.

Note: For the RDEFINE and PERMIT commands in the command protection profiles, the DATA field is a comment field for providing user-supplied comments about the profile.

Example: Define command protection globally to all BES subsystems

This example defines a global command protection profile in IBM Security Server RACF for the console commands of all BES subsystems (BES with no subsystem identifier) and permits users of the resource to run these commands (COMMANDS.PERMIT). A PROTECT profile defined for a particular BES subsystem or for a particular command overrides this global setting.

RDEF CA@BES BES.COMMANDS.PERMIT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL COMMAND PROTECTION OPTION')

Example: Define command protection locally to a specific BES subsystem

This example defines a local command protection profile for BES2. The PROTECT setting requires a PERMIT command for each user who is to be allowed access to the resource.

RDEF CA@BES BES2.COMMANDS.PROTECT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption LOCAL COMMAND PROTECTION OPTION')

Example: Allow all commands on a specific BES subsystem by defining a local definition for RACF

This example defines a local command profile for BES2 in IBM Security Server RACF. The profile name BES2.COMMANDS.PERMIT allows the use of all commands on that subsystem. A PROTECT profile defined for a particular command on this subsystem, or an explicitly defined command protection profile, overrides this setting. This example and the previous one are alternatives: define either BES2.COMMANDS.PROTECT or BES2.COMMANDS.PERMIT for a given subsystem, not both.

RDEF CA@BES BES2.COMMANDS.PERMIT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption LOCAL COMMAND PROTECTION OPTION')
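The following script is an added example, not part of the CA Tape Encryption or RACF product code. It takes RDEF command text laid out as in the examples above, checks each profile name against the rules this topic states (class CA@BES, BES followed by a subsystem number 1-8 or by nothing for a global profile, permission PERMIT or PROTECT), and reports the effective setting for BES1 through BES8 on the rule, also stated above, that a local BESn profile overrides the global BES profile. It assumes that OWNER and DATA appear in the order shown in this topic, that an indented line continues the previous command, and that two profiles with different permissions at the same scope are a conflict (this topic does not define which one would win). The sample input is constructed from the first two examples.

```python
"""Audit CA@BES command-protection profiles (added example, not CA/RACF code)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

CLASS_NAME = "CA@BES"
SUBSYSTEMS = range(1, 9)  # BES1 .. BES8, the range this topic allows

# Profile name rule from this topic: BES[n].COMMANDS.PERMIT|PROTECT, n in 1-8 or absent.
_NAME_RE = re.compile(r"^BES([1-8])?\.COMMANDS\.(PERMIT|PROTECT)$")
# RDEF/RDEFINE class profile [OWNER(user)] [DATA('comment')] - order as shown above (assumption).
_RDEF_RE = re.compile(
    r"^(?:RDEF|RDEFINE)\s+(\S+)\s+(\S+)"
    r"(?:\s+OWNER\((\w+)\))?"
    r"(?:\s+DATA\('([^']*)'\s*\))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CommandProfile:
    subsystem: Optional[int]  # None means the global BES profile
    permission: str           # "PERMIT" or "PROTECT"
    owner: Optional[str]
    comment: Optional[str]

    @property
    def name(self) -> str:
        sub = "" if self.subsystem is None else str(self.subsystem)
        return f"BES{sub}.COMMANDS.{self.permission}"


def join_continuations(text: str) -> list[str]:
    """Collapse the indented multi-line layout into one command per line.
    An indented line continues the previous command; a trailing TSO continuation
    character ('-' or '+') is dropped. Both are assumptions about the input layout."""
    commands: list[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        piece = raw.rstrip().rstrip("-+").strip()
        if raw[0].isspace() and commands:
            commands[-1] += " " + piece
        else:
            commands.append(piece)
    return commands


def parse_rdef(command: str) -> CommandProfile:
    """Parse one RDEF command and validate class and profile name against this topic's rules."""
    m = _RDEF_RE.match(command.strip())
    if not m:
        raise ValueError(f"not an RDEF command for a command profile: {command!r}")
    cls, name, owner, comment = m.groups()
    if cls.upper() != CLASS_NAME:
        raise ValueError(f"class must be {CLASS_NAME}, got {cls!r}")
    n = _NAME_RE.match(name.upper())
    if not n:
        raise ValueError(
            f"bad profile name {name!r}: expected BES[1-8].COMMANDS.PERMIT or .PROTECT"
        )
    sub, perm = n.groups()
    return CommandProfile(int(sub) if sub else None, perm, owner, comment)


def effective_scope(profiles: Iterable[CommandProfile]) -> dict[int, Optional[str]]:
    """Resolve PERMIT/PROTECT for BES1..BES8: a local profile overrides the global one.
    A subsystem covered by neither is reported as None. Different permissions at the
    same scope are treated as a conflict (assumption; the topic does not define this)."""
    by_scope: dict[Optional[int], str] = {}
    for p in profiles:
        prev = by_scope.setdefault(p.subsystem, p.permission)
        if prev != p.permission:
            scope = "global BES" if p.subsystem is None else f"BES{p.subsystem}"
            raise ValueError(f"conflicting PERMIT and PROTECT profiles for {scope}")
    global_setting = by_scope.get(None)
    return {n: by_scope.get(n, global_setting) for n in SUBSYSTEMS}


def audit(text: str) -> dict[int, Optional[str]]:
    """Parse RDEF text and return the effective setting per subsystem."""
    return effective_scope(parse_rdef(c) for c in join_continuations(text))


# Constructed input: the global PERMIT and the BES2 PROTECT definitions from this topic.
SAMPLE = """\
RDEF CA@BES BES.COMMANDS.PERMIT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL COMMAND PROTECTION OPTION')
RDEF CA@BES BES2.COMMANDS.PROTECT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption LOCAL COMMAND PROTECTION OPTION')
"""

if __name__ == "__main__":
    for sub, perm in audit(SAMPLE).items():
        print(f"BES{sub}: {perm or 'no command profile'}")
```

Running the script on the sample shows BES2 as PROTECT and every other subsystem as PERMIT, which is the override the examples describe. Feeding it a listing that contains only local profiles shows which subsystems have no command profile at all, and feeding it both BES2 examples raises the conflict error.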