Use the RDEFINE command to define a specific command to IBM Security Server RACF for individual CA Tape Encryption console commands. You can specify this profile globally for all BES subsystems or locally for a specified BES subsystem.
Note: CA Tape Encryption command protection resource profiles are defined in the OPERCMDS resource class.
This command has the following format:
RDEF OPERCMDS BESn.command_name.qualified_name
UACC(authority)
OWNER(username)
DATA('comments')
RDEF
Specifies the RDEFINE command.
OPERCMDS
Specifies the general resource class for console commands, OPERCMDS.
BESn
Indicates the local BES subsystem number (1-8). If you specify BES without a subsystem identifier, the profile becomes a global profile and is applied to all BES subsystems.
command_name.qualified_name
Specifies the name of the command you want to manage, and the qualifying name of the command, if any. Options for this parameter are as follows:
Specifies the COMPROMISE= command.
Specifies all forms of the DISPLAY command.
Specifies the DUMP command.
Specifies all forms of the MIGRATE= command.
Specifies the RELOAD=PASSPHRASE command.
Specifies the REFRESH=CAEKM_API_OPTIONS command.
Specifies the REFRESH=CODEBOOKS command.
Specifies the REFRESH=KEYRINGS command.
Specifies the REFRESH=NKMPARMS command.
Specifies the REFRESH=OPTIONS command.
Specifies the REFRESH=SYMKEYS command.
Specifies all forms of the RELOAD= command, except for the RELOAD=PASSPHRASE command.
Specifies the SET CONSOLE command.
Specifies the SHUTDOWN command.
Specifies the START NKM command.
Specifies the STOP NKM command.
UACC(authority)
Specifies RACF universal access authority, READ or NONE.
OWNER(username)
Specifies the user name of the primary profile owner, typically the security administrator.
DATA('comments')
Specifies user-written comments to describe the profile.
Note: For the RDEFINE and PERMIT commands in the command protection profiles, the DATA field is a comment field for providing user-supplied comments about the profile.
Example: Define a specific command for all subsystems for RACF
This example defines the RELOAD=PASSPHRASE command to IBM Security Server RACF globally for all BES subsystems.
RDEF OPERCMDS BES.PASSPHRASE
OWNER(SECADMIN)
DATA('CA Tape Encryption GLOBAL RESTRICT RELOAD PASSPHRASE COMMAND')
Example: Define a specific command for a specific subsystem for RACF
This example defines the RELOAD=PASSPHRASE command to IBM Security Server RACF locally for BES2.
RDEF OPERCMDS BES2.PASSPHRASE
OWNER(SECADMIN)
DATA('CA Tape Encryption LOCAL RESTRICT RELOAD PASSPHRASE COMMAND')
Example: Control access to the RELOAD commands for BES1 on RACF
This example uses the RDEFINE command for IBM Security Server RACF to define a generic resource profile that will control the use of all versions of the RELOAD command on BES1.
RDEF OPERCMDS BES1.RELOAD.**
OWNER(SECADMIN)
DATA('CA Tape Encryption RESTRICT RELOAD COMMANDS TO BES1' )
Example: Define universal access for a command on RACF
This example shows the use of the RDEFINE command for IBM Security Server RACF to define all forms of the DISPLAY command to BES7 with universal access (UACC) to run the command. Because READ is specified for UACC, all users have access to the command and you do not need an associated PERMIT command.
RDEF OPERCMDS BES7.DISPLAY.**
UACC(READ)
OWNER(SECADMIN)
DATA('CA Tape Encryption ALLOW DISPLAY COMMANDS ON BES7' )
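The restrictive counterpart to the UACC(READ) example, shown as an added example that is not part of the original CA documentation: the RELOAD profile for BES1 is defined with UACC(NONE), and access is then granted explicitly with PERMIT. The group name TAPEADM is hypothetical, and the SETROPTS step assumes that the OPERCMDS class is RACLISTed and generic profiles are enabled for it on your system.

```tso
 /* Added example. TAPEADM is a hypothetical RACF group of key administrators. */
 /* Comments are indented so that a line never starts with a slash and an      */
 /* asterisk in column 1 when this is run as in-stream batch TSO input.        */

 /* 1. Deny by default: with UACC(NONE), only IDs on the access list can       */
 /*    issue any form of the RELOAD command on BES1.                           */
 RDEF OPERCMDS BES1.RELOAD.** -
   UACC(NONE) -
   OWNER(SECADMIN) -
   DATA('CA Tape Encryption RESTRICT RELOAD COMMANDS TO BES1')

 /* 2. Grant READ to the group that is allowed to issue the command.           */
 PERMIT BES1.RELOAD.** CLASS(OPERCMDS) ID(TAPEADM) ACCESS(READ)

 /* 3. Refresh the in-storage OPERCMDS profiles so the change takes effect     */
 /*    (assumption: the class is RACLISTed).                                   */
 SETROPTS RACLIST(OPERCMDS) REFRESH

 /* 4. Review the result: check the UACC value and the access list.            */
 RLIST OPERCMDS BES1.RELOAD.** AUTHUSER
```

Reviewing the RLIST output after each change is a quick way to catch a profile that was left at UACC(READ) by mistake.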
Copyright © 2011 CA. All rights reserved.