PERMIT Command for Defining Key Permission for RACF

Use the PERMIT command to define permissions for a specific key and one or more specific users on a specified subsystem for IBM Security Server RACF. Use this command with an associated RDEFINE command for the key.

This command has the following format:

PE   BESn.key_type.key_name
     ACCESS(READ)
     GENERIC
     CLASS(CA@BES)
     ID(username[,username,…])

PE

Indicates the PERMIT command.

n

Indicates the local BES subsystem number (1-8). If you specify BES without a subsystem identifier, the profile becomes a global profile and is applied to all BES subsystems.

key_type

Indicates the type of key to define. Options for this parameter are as follows:

KEYCODE

Specifies a code book.

KEYCERT

Specifies a digital certificate key pair.

KEYSYMM

Specifies a symmetric key.

key_name

Specifies the name of the key.

ACCESS

Specifies the permission access granted. This value is always READ. It allows the specified user to use the key.

GENERIC

Specifies that the key name is treated as a generic name, even if it contains no generic characters.

CLASS(CA@BES)

Specifies the general resource class for CA Tape Encryption. For keys, this is always CA@BES.

ID(username)

Specifies one or more user names that have permission to use the key.

Example: Permit a user to access a key on a specific subsystem

This example defines permission for user SECADMIN to use a symmetric key named AES256_KEY on BES4.

PE   BES4.KEYSYMM.AES256_KEY
     ACCESS(READ)
     GENERIC
     CLASS(CA@BES)
     ID(SECADMIN)
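The page states that PERMIT is used together with the RDEFINE command that creates the key's profile. The sequence below is an added illustration, not taken from the product documentation, that carries the page's own example (symmetric key AES256_KEY on BES4, user SECADMIN) through the full workflow: define the profile with no universal access, grant READ to the single intended user, refresh the in-storage copy of the class, and then list the profile's access list to confirm that nobody else can use the key. The RDEFINE operands UACC(NONE) and OWNER, the SETROPTS refresh, and RLIST with AUTHUSER are standard RACF syntax assumed here; the owner ID SECOWNER is a constructed value, and whether the CA@BES class is RACLISTed on a particular system is also an assumption. Comments use the TSO CLIST /* */ form.

```clist
/* Step 1 (assumed standard RACF syntax; the product's own topic on   */
/* key protection profiles governs the exact profile form): create    */
/* the key profile with UACC(NONE) so no user can use the key until   */
/* explicitly permitted. SECOWNER is a constructed owner ID.          */
RDEFINE CA@BES BES4.KEYSYMM.AES256_KEY UACC(NONE) OWNER(SECOWNER)

/* Step 2 (the PERMIT form from this page): grant READ on the key to  */
/* SECADMIN only.                                                     */
PERMIT BES4.KEYSYMM.AES256_KEY ACCESS(READ) GENERIC CLASS(CA@BES) ID(SECADMIN)

/* Step 3 (assumption: CA@BES is RACLISTed): refresh the in-storage   */
/* profiles so the new access list takes effect immediately.          */
SETROPTS RACLIST(CA@BES) REFRESH

/* Step 4 (verification): AUTHUSER lists the profile's UACC and every */
/* ID on its access list. Expected: UACC NONE and SECADMIN with READ  */
/* as the only entry.                                                 */
RLIST CA@BES BES4.KEYSYMM.AES256_KEY AUTHUSER
```

PERMIT with GENERIC searches for a generic profile, so the profile created in step 1 must be of the same kind (generic or discrete) that the PERMIT refers to; if the two do not match, the PERMIT fails to find the profile and no access is granted. The RLIST output in step 4 is the check worth keeping in a review procedure: any ID other than SECADMIN, or a UACC other than NONE, means the key is usable more widely than intended.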