
Define Command Protection Profiles in RACF

Use the RDEFINE command to define a resource profile in IBM Security Server RACF for an individual CA Tape Encryption console command. You can define the profile globally for all BES subsystems or locally for one specified BES subsystem.

Note: CA Tape Encryption command protection resource profiles are defined in the OPERCMDS resource class.

This command has the following format:

RDEF OPERCMDS BESn.command_name.qualified_name
     UACC(authority)
     OWNER(username)
     DATA('comments')

RDEF

Specifies the RDEFINE command.

OPERCMDS

Specifies the general resource class for console commands, OPERCMDS.

n

Indicates the local BES subsystem number (1-8). If you specify BES without a subsystem identifier, the profile becomes a global profile and is applied to all BES subsystems.

command_name.qualified_name

Specifies the name of the command you want to manage, and the qualifying name of the command, if any. Options for this parameter are as follows:

COMPROMISE

Specifies the COMPROMISE= command.

DISPLAY

Specifies all forms of the DISPLAY command.

DUMP

Specifies the DUMP command.

MIGRATE

Specifies all forms of the MIGRATE= command.

PASSPHRASE

Specifies the RELOAD=PASSPHRASE command.

REFRESH.CAEKMAPI

Specifies the REFRESH=CAEKM_API_OPTIONS command.

REFRESH.CODEBOOKS

Specifies the REFRESH=CODEBOOKS command.

REFRESH.KEYRINGS

Specifies the REFRESH=KEYRINGS command.

REFRESH.NKMPARMS

Specifies the REFRESH=NKMPARMS command.

REFRESH.OPTIONS

Specifies the REFRESH=OPTIONS command.

REFRESH.SYMKEYS

Specifies the REFRESH=SYMKEYS command.

RELOAD

Specifies all forms of the RELOAD= command, except for the RELOAD=PASSPHRASE command.

SET.CONSOLE

Specifies the SET CONSOLE command.

SHUTDOWN

Specifies the SHUTDOWN command.

START.NKM

Specifies the START NKM command.

STOP.NKM

Specifies the STOP NKM command.

UACC(authority)

Specifies RACF universal access authority, READ or NONE.

OWNER(username)

Specifies the user name of the primary profile owner, typically the security administrator.

DATA('comments')

Specifies user-written comments to describe the profile.

Note: For the RDEFINE and PERMIT commands in the command protection profiles, the DATA field is a comment field for providing user-supplied comments about the profile.

Example: Define a specific command for all subsystems for RACF

This example defines the RELOAD=PASSPHRASE command to IBM Security Server RACF globally for all BES subsystems.

RDEF OPERCMDS BES.PASSPHRASE
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL RESTRICT RELOAD PASSPHRASE COMMAND')

Example: Define a specific command for a specific subsystem for RACF

This example defines the RELOAD=PASSPHRASE command to IBM Security Server RACF locally for BES2.

RDEF OPERCMDS BES2.PASSPHRASE
     OWNER(SECADMIN)
     DATA('CA Tape Encryption LOCAL RESTRICT RELOAD PASSPHRASE COMMAND')

Example: Control access to the RELOAD commands for BES1 on RACF

This example uses the RDEFINE command for IBM Security Server RACF to define a generic resource profile that will control the use of all versions of the RELOAD command on BES1.

RDEF OPERCMDS BES1.RELOAD.**
     OWNER(SECADMIN)
     DATA('CA Tape Encryption RESTRICT RELOAD COMMANDS TO BES1')

Example: Define universal access for a command on RACF

This example shows the use of the RDEFINE command for IBM Security Server RACF to define all forms of the DISPLAY command to BES7 with universal access (UACC) to run the command. Because READ is specified for UACC, all users have access to the command and you do not need an associated PERMIT command.

RDEF OPERCMDS BES7.DISPLAY.**
     UACC(READ)
     OWNER(SECADMIN)
     DATA('CA Tape Encryption ALLOW DISPLAY COMMANDS ON BES7')
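The following Python helper is an added example, not part of the CA Tape Encryption or RACF documentation. It renders RDEF OPERCMDS commands following the profile naming rules above, rejects values the page does not allow (subsystem number outside 1-8, UACC other than READ or NONE, command names not listed), and shows that restricting RELOAD.** alone does not cover RELOAD=PASSPHRASE, which has its own resource name. Doubling an embedded apostrophe inside DATA('...') is the usual TSO quoting convention and is assumed here.

```python
# Added example, not from the CA Tape Encryption or RACF documentation.
# Resource names, the 1-8 subsystem range and the READ/NONE UACC values come
# from the page; apostrophe doubling inside DATA('...') is assumed TSO quoting.

# Discrete command_name.qualified_name values listed on this page.
COMMANDS = {
    "COMPROMISE", "DISPLAY", "DUMP", "MIGRATE", "PASSPHRASE",
    "REFRESH.CAEKMAPI", "REFRESH.CODEBOOKS", "REFRESH.KEYRINGS",
    "REFRESH.NKMPARMS", "REFRESH.OPTIONS", "REFRESH.SYMKEYS",
    "RELOAD", "SET.CONSOLE", "SHUTDOWN", "START.NKM", "STOP.NKM",
}

def profile_name(resource, subsys=None):
    """BES.resource is global; BESn.resource (n = 1-8) is local to one BES."""
    base = resource[:-3] if resource.endswith(".**") else resource
    # A generic name (e.g. RELOAD.**) must cover at least one listed command.
    if not any(c == base or c.startswith(base + ".") for c in COMMANDS):
        raise ValueError(f"not a CA Tape Encryption command resource: {resource}")
    if subsys is None:
        return f"BES.{resource}"
    if subsys not in range(1, 9):
        raise ValueError("BES subsystem number must be 1-8")
    return f"BES{subsys}.{resource}"

def rdef(resource, owner, data, subsys=None, uacc=None):
    """Render one RDEF OPERCMDS command on a single line."""
    if uacc is not None and uacc not in ("READ", "NONE"):
        raise ValueError("UACC must be READ or NONE")
    parts = [f"RDEF OPERCMDS {profile_name(resource, subsys)}"]
    if uacc is not None:
        parts.append(f"UACC({uacc})")
    parts.append(f"OWNER({owner})")
    parts.append("DATA('" + data.replace("'", "''") + "')")  # double embedded quotes
    return " ".join(parts)

def reload_lockdown(subsys, owner):
    """Profiles needed to restrict every RELOAD= form on one BES subsystem.

    The page defines RELOAD as all forms except RELOAD=PASSPHRASE, which has
    its own resource name, so RELOAD.** alone leaves that command uncovered.
    """
    return [
        rdef("RELOAD.**", owner, "RESTRICT RELOAD COMMANDS", subsys=subsys),
        rdef("PASSPHRASE", owner, "RESTRICT RELOAD PASSPHRASE COMMAND", subsys=subsys),
    ]

if __name__ == "__main__":
    for cmd in reload_lockdown(1, "SECADMIN"):
        print(cmd)
```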