RDEFINE Command to Define Encryption Key Resource Protection Scope and Level

Use the RDEFINE command to define, in IBM Security Server RACF, the global and local permissions that apply to all keys. The resulting profile sets the default permissions for using all keys on the specified BES subsystem.

This command has the following format:

RDEF CA@BES BESn.KEYS.permissions
     OWNER(username)
     DATA('comments')

RDEF

Specifies the RDEFINE command.

CA@BES

Specifies the general resource class for CA Tape Encryption. This is always CA@BES.

n

Indicates the local BES subsystem number (1-8). If you specify BES without a subsystem identifier, the profile becomes a global profile and is applied to all BES subsystems.

KEYS

Specifies that this statement defines the default key permissions for the specified BES subsystem or globally for all BES subsystems.

permissions

Specifies the permission setting. Options for this parameter are as follows:

PERMIT

Specifies that all keys are permitted for all users on the specified BES subsystem unless otherwise defined.

PROTECT

Specifies that all keys are prohibited to all users on the specified BES subsystem unless otherwise defined.

OWNER(username)

Specifies the user name of the principal owner of the profiles, typically the security administrator.

DATA('comments')

Specifies user-written comments to describe the profile.

Example: Global permissions for all keys on all BES subsystems

This example specifies that all users are permitted to use any available keys on any BES subsystem.

RDEF CA@BES BES.KEYS.PERMIT                                          
     OWNER(SECADMIN)                                                 
     DATA('CA Tape Encryption GLOBAL KEY PROTECTION OPTION   ')

Example: Global restrictions for all keys on all BES subsystems

This example specifies that no users are permitted to use any available keys on any BES subsystem unless otherwise defined.

RDEF CA@BES BES.KEYS.PROTECT                                         
     OWNER(SECADMIN)                                                 
     DATA('CA Tape Encryption GLOBAL KEY PROTECTION OPTION   ')

Example: Local permissions for all keys on a specific BES subsystem

This example specifies that all users are permitted to use any available keys on BES1.

RDEF CA@BES BES1.KEYS.PERMIT                                         
     OWNER(SECADMIN)                                                 
     DATA('CA Tape Encryption LOCAL KEY PROTECTION OPTION   ')

Example: Local restrictions for all keys on a specific BES subsystem

This example specifies that no users are permitted to use any available keys on BES1 unless otherwise defined.

RDEF CA@BES BES1.KEYS.PROTECT                                        
     OWNER(SECADMIN)                                                 
     DATA('CA Tape Encryption LOCAL KEY PROTECTION OPTION   ')
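
Example: Checking a set of RDEF statements before they are issued

This Python check is an added example, not part of the product documentation. It validates each statement against the format above (class CA@BES, subsystem number 1-8, PERMIT or PROTECT) and reports every profile that makes all keys usable by all users by default. The function names and the sample statements are constructed for illustration, and treating indented lines as operands of the preceding RDEF is an assumption based on the layout used on this page.

```python
import re

# Profile layout from the command format above: BES[n].KEYS.permissions
PROFILE_RE = re.compile(r"^BES(?P<n>[1-8]?)\.KEYS\.(?P<perm>PERMIT|PROTECT)$")

def parse_rdef(statement):
    """Parse one RDEF statement into a dict; raise ValueError if malformed."""
    m = re.match(r"\s*RDEF(?:INE)?\s+(\S+)\s+(\S+)", statement)
    if not m:
        raise ValueError("not an RDEF statement")
    cls, profile = m.groups()
    if cls != "CA@BES":
        raise ValueError(f"class must be CA@BES, got {cls}")
    p = PROFILE_RE.match(profile)
    if not p:
        raise ValueError(f"{profile}: expected BES[1-8].KEYS.PERMIT or .PROTECT")
    owner = re.search(r"OWNER\((\w+)\)", statement)
    return {"profile": profile,
            "scope": f"BES{p.group('n')}" if p.group("n") else "global",
            "default": "allow" if p.group("perm") == "PERMIT" else "deny",
            "owner": owner.group(1) if owner else None}

def audit(text):
    """Return (parsed profiles, findings) for a block of RDEF statements."""
    statements = []
    for line in text.splitlines():
        if line.startswith("RDEF"):
            statements.append(line)          # a new command starts in column 1
        elif line.strip() and statements:
            statements[-1] += "\n" + line    # indented operand line (assumption)
    parsed, findings = [], []
    for stmt in statements:
        try:
            rec = parse_rdef(stmt)
        except ValueError as err:
            findings.append(f"invalid: {err}")
            continue
        parsed.append(rec)
        if rec["default"] == "allow":
            findings.append(f"{rec['profile']}: all keys permitted for all users "
                            f"({rec['scope']}) unless otherwise defined")
    return parsed, findings

# Constructed sample input; BES9 is deliberately outside the 1-8 range.
SAMPLE = ("RDEF CA@BES BES.KEYS.PROTECT\n     OWNER(SECADMIN)\n"
          "RDEF CA@BES BES1.KEYS.PERMIT\n     OWNER(SECADMIN)\n"
          "RDEF CA@BES BES9.KEYS.PERMIT\n     OWNER(SECADMIN)\n")
```

Calling audit(SAMPLE) returns the two valid profiles plus two findings: the BES1 PERMIT default and the rejected BES9 statement.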