
PERMIT Command for Command Protection Profiles

Use the IBM Security Server RACF PERMIT command to permit a user or group access to a CA BES system command.

Note: Unlike other resource definitions, command protection profiles are defined in the OPERCMDS class. The RACF PERMIT command grants access to resources that are already defined. The BES PERMIT command, by contrast, defines security levels for specific BES subsystems at the local level or for all BES subsystems at the global level.

This command has the following format:

PE   BESn.command_name.qualified_name
     ACCESS(READ)
     GENERIC
     CLASS(OPERCMDS)
     ID(username[,username,…])

PE

Specifies the PERMIT command.

n

Indicates the local BES subsystem number (1-8). If you specify BES without a subsystem number, the profile is a global profile and applies to all BES subsystems.

command_name.qualified_name

Specifies the name of the command you want to manage, and the qualifying name of the command, if any. Options for this parameter are as follows:

COMPROMISE

Specifies the COMPROMISE= command.

DISPLAY

Specifies all forms of the DISPLAY command.

DUMP

Specifies the DUMP command.

MIGRATE

Specifies all forms of the MIGRATE= command.

PASSPHRASE

Specifies the RELOAD=PASSPHRASE command.

REFRESH.CAEKMAPI

Specifies the REFRESH=CAEKM_API_OPTIONS command.

REFRESH.CODEBOOKS

Specifies the REFRESH=CODEBOOKS command.

REFRESH.KEYRINGS

Specifies the REFRESH=KEYRINGS command.

REFRESH.NKMPARMS

Specifies the REFRESH=NKMPARMS command.

REFRESH.OPTIONS

Specifies the REFRESH=OPTIONS command.

REFRESH.SYMKEYS

Specifies the REFRESH=SYMKEYS command.

RELOAD

Specifies all forms of the RELOAD= command, except for the RELOAD=PASSPHRASE command.

SET.CONSOLE

Specifies the SET CONSOLE command.

SHUTDOWN

Specifies the SHUTDOWN command.

START.NKM

Specifies the START NKM command.

STOP.NKM

Specifies the STOP NKM command.

ACCESS

Specifies the access authority granted. READ is the minimum value needed to run a command; it allows the specified user or group to execute the command.

GENERIC

Specifies that the command name is treated like a generic name, even if no generic characters are specified.

CLASS(OPERCMDS)

Specifies the general resource class for console commands, OPERCMDS.

ID(username)

Specifies one or more user IDs or group names that are permitted to execute the command.

Example: Permit specific users access to a global command protection profile

This example permits users SECADMIN and SYSADM01, defined to IBM Security Server RACF, to use the RELOAD=PASSPHRASE command on all BES subsystems.

PE   BES.PASSPHRASE
     ACCESS(READ)
     GENERIC
     CLASS(OPERCMDS)
     ID(SECADMIN,SYSADM01)

Example: Permit users access to a command for a specific subsystem on RACF

This example permits users SECADMIN and SYSADM01, defined to IBM Security Server RACF, to use the RELOAD=PASSPHRASE command on BES2 only.

PE   BES2.PASSPHRASE
     ACCESS(READ)
     GENERIC
     CLASS(OPERCMDS)
     ID(SECADMIN,SYSADM01)
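The following Python script is an added example and is not part of this page or of the BES product. It parses PERMIT commands written in the format above, works out whether a profile is global or local to one subsystem, and flags departures from the documented form before the command is submitted: an undocumented command_name.qualified_name, a subsystem number outside 1-8, a class other than OPERCMDS, an access authority other than READ, a missing GENERIC keyword, or ID(*). The sample commands are constructed: the page's two examples plus one deliberately over-broad command. The RACF access ordering NONE < READ < UPDATE < CONTROL < ALTER and the meaning of ID(*) are general RACF conventions assumed here, not stated on this page.

```python
import re

# Command names and qualifiers documented on this page for BESn.command_name.qualified_name.
DOCUMENTED_COMMANDS = {
    "COMPROMISE", "DISPLAY", "DUMP", "MIGRATE", "PASSPHRASE",
    "REFRESH.CAEKMAPI", "REFRESH.CODEBOOKS", "REFRESH.KEYRINGS",
    "REFRESH.NKMPARMS", "REFRESH.OPTIONS", "REFRESH.SYMKEYS",
    "RELOAD", "SET.CONSOLE", "SHUTDOWN", "START.NKM", "STOP.NKM",
}

# RACF access authorities from lowest to highest (assumed general RACF ordering);
# READ is the minimum that lets a BES command run.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

PROFILE_RE = re.compile(r"^BES(\d*)\.([A-Z][A-Z.]*)$")
KEYWORD_RE = re.compile(r"^([A-Z]+)\((.*)\)$")


def audit_permit(command_text):
    """Parse one PERMIT command (it may span several lines, as on the page)
    and return its scope plus a list of findings. An empty findings list
    means the command matches the documented form."""
    tokens = command_text.split()
    if len(tokens) < 2 or tokens[0].upper() not in ("PE", "PERMIT"):
        raise ValueError("expected 'PE profile-name KEYWORD(...) ...'")
    profile = tokens[1].upper()

    # Keywords of the form NAME(value) go into a dict; bare keywords such as GENERIC into a set.
    keywords, flags = {}, set()
    for tok in tokens[2:]:
        m = KEYWORD_RE.match(tok.upper())
        if m:
            keywords[m.group(1)] = m.group(2)
        else:
            flags.add(tok.upper())

    findings = []
    scope, subsystems, command = "unknown", [], None

    m = PROFILE_RE.match(profile)
    if not m:
        findings.append(f"profile {profile} is not of the form BESn.command_name.qualified_name")
    else:
        n, command = m.group(1), m.group(2)
        if n == "":
            # BES without a subsystem number is a global profile for all eight subsystems.
            scope, subsystems = "global", list(range(1, 9))
        elif len(n) == 1 and "1" <= n <= "8":
            scope, subsystems = "local", [int(n)]
        else:
            findings.append(f"subsystem number {n} is outside the documented range 1-8")
        if command not in DOCUMENTED_COMMANDS:
            findings.append(f"{command} is not a documented command_name.qualified_name")

    if keywords.get("CLASS") != "OPERCMDS":
        findings.append("CLASS must be OPERCMDS for command protection profiles")

    access = keywords.get("ACCESS")
    if access is None:
        findings.append("ACCESS omitted; specify ACCESS(READ) explicitly")
    elif access not in ACCESS_ORDER:
        findings.append(f"ACCESS({access}) is not a RACF access authority")
    elif ACCESS_ORDER.index(access) < ACCESS_ORDER.index("READ"):
        findings.append("ACCESS(NONE) does not allow the command to run; READ is the minimum")
    elif ACCESS_ORDER.index(access) > ACCESS_ORDER.index("READ"):
        findings.append(f"ACCESS({access}) is broader than the READ needed to run the command")

    ids = [i for i in keywords.get("ID", "").split(",") if i]
    if not ids:
        findings.append("ID omitted; name at least one user ID or group")
    elif "*" in ids:
        findings.append("ID(*) grants the command to every RACF-defined user")

    if "GENERIC" not in flags:
        findings.append("GENERIC omitted; the documented syntax specifies it")

    return {"profile": profile, "scope": scope, "subsystems": subsystems,
            "command": command, "access": access, "ids": ids, "findings": findings}


# Constructed sample input: the page's two examples plus one deliberately over-broad command.
SAMPLE_PERMITS = {
    "global_passphrase": """PE   BES.PASSPHRASE
     ACCESS(READ)
     GENERIC
     CLASS(OPERCMDS)
     ID(SECADMIN,SYSADM01)""",
    "bes2_passphrase": """PE   BES2.PASSPHRASE
     ACCESS(READ)
     GENERIC
     CLASS(OPERCMDS)
     ID(SECADMIN,SYSADM01)""",
    "over_broad": "PE BES9.RELOAD ACCESS(ALTER) CLASS(FACILITY) ID(*)",
}

if __name__ == "__main__":
    for name, text in SAMPLE_PERMITS.items():
        result = audit_permit(text)
        print(f"{name}: scope={result['scope']} subsystems={result['subsystems']}")
        for finding in result["findings"] or ["OK"]:
            print("   ", finding)
```

Run the script as-is to see the two documented examples pass cleanly and the constructed over-broad command produce five findings; feed it your own PERMIT text by adding entries to SAMPLE_PERMITS or calling audit_permit directly.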