Use the CA Top Secret PERMIT command to define to CA Top Secret the commands that a specific user is permitted to run.
Note: Unlike other resource definitions, command definitions for specific commands are defined in the OPERCMDS resource class. The CA Top Secret PERMIT command grants access to defined resources. The BES PERMIT command defines security levels to specific BES subsystems at the local level or to all BES subsystems at the global level.
This command has the following format:

TSS PERMIT(acidname) OPERCMDS(BESn.command_name.qualified_name) ACCESS(READ)

TSS
    Indicates a CA Top Secret command.
PERMIT
    Specifies the PERMIT command.
acidname
    Specifies the accessor ID.
OPERCMDS
    Specifies the general resource class for console commands, OPERCMDS.
BESn
    Indicates the BES task number. If you specify BES with no subsystem identifier, the profile applies to all BES subsystems.
command_name.qualified_name
    Specifies the name of the command you want to manage, and the qualifying name of the command, if any. Options for this parameter are as follows:
    - Specifies the COMPROMISE= command.
    - Specifies all forms of the DISPLAY command.
    - Specifies the DUMP command.
    - Specifies all forms of the MIGRATE= command.
    - Specifies the RELOAD=PASSPHRASE command.
    - Specifies the REFRESH=CAEKM_API_OPTIONS command.
    - Specifies the REFRESH=CODEBOOKS command.
    - Specifies the REFRESH=KEYRINGS command.
    - Specifies the REFRESH=NKMPARMS command.
    - Specifies the REFRESH=OPTIONS command.
    - Specifies the REFRESH=SYMKEYS command.
    - Specifies all forms of the RELOAD= command, except for the RELOAD=PASSPHRASE command.
    - Specifies the SET CONSOLE command.
    - Specifies the SHUTDOWN command.
    - Specifies the START NKM command.
ACCESS(READ)
    Specifies the access level granted. To grant permission to run a command, the minimum value you need to specify is READ, which allows the specified user to execute the command.
Example: Permit specific users access to a command on all subsystems on CA Top Secret
This example shows that users SECADMIN and SYSADM01 are defined to CA Top Secret with permission to use the DISPLAY commands on all BES subsystems.
TSS PERMIT(SECADMIN) OPERCMDS(BES.DISPLAY) ACCESS(READ)
TSS PERMIT(SYSADM01) OPERCMDS(BES.DISPLAY) ACCESS(READ)
Example: Permit users access to a command for a specific subsystem on CA Top Secret
This example shows that users SECADMIN and SYSADM01 are defined to CA Top Secret with permission to use the RELOAD=PASSPHRASE command on BES2.
TSS PERMIT(SECADMIN) OPERCMDS(BES2.PASSPHRASE) ACCESS(READ)
TSS PERMIT(SYSADM01) OPERCMDS(BES2.PASSPHRASE) ACCESS(READ)
Example: Permit group access to all functions of the RELOAD command for BES1 on CA Top Secret
This example uses the PERMIT command for CA Top Secret to specify that users in the group SYSTEMS can run the RELOAD commands on BES1. This definition requires an associated ADDTO command, as shown in the example for controlling access to the RELOAD commands on BES1 in the section ADDTO Command for Defining Specific Commands in CA Top Secret.
TSS PERMIT(SYSTEMS) OPERCMDS(BES1.RELOAD.**) ACCESS(READ)
Example: Restrict universal access for a command on CA Top Secret
This example shows the use of the PERMIT command for CA Top Secret to exclude the external users EXT001 and EXT002 from using the DISPLAY commands on BES7. It assumes that an associated ADDTO command has already defined the DISPLAY commands to CA Top Secret. Specifying ACCESS(FAIL) on this PERMIT command lets all users run the DISPLAY commands except the users named in parentheses after PERMIT, in this case EXT001 and EXT002.
TSS PERMIT(EXT001) OPERCMDS(BES7.DISPLAY.*) ACCESS(FAIL)
TSS PERMIT(EXT002) OPERCMDS(BES7.DISPLAY.*) ACCESS(FAIL)
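The following Python script is an added illustration, not part of the CA documentation or any CA tool: it parses PERMIT entries written in the form shown in the examples above and evaluates which ACIDs can issue a given BES command once profile/group membership and ACCESS(FAIL) overrides are taken into account. The masking rules it applies (** for all remaining qualifiers, * for one qualifier, bare BES for every BESn, and prefix matching) are a simplified assumption rather than CA's exact matching algorithm, and the sample entries, the EXTGRP group and the membership table are constructed.

```python
import re
from typing import NamedTuple

# Parses PERMIT entries in the form used on this page (constructed here, not a CA tool).
PERMIT_RE = re.compile(r"TSS\s+PERMIT\((\w+)\)\s+OPERCMDS\(([\w.*]+)\)\s+ACCESS\((\w+)\)", re.I)

class Permit(NamedTuple):
    acid: str      # user or profile/group ACID
    resource: str  # OPERCMDS resource name, e.g. BES1.RELOAD.**
    access: str    # READ or FAIL

def parse_permits(text):
    return [Permit(a.upper(), r.upper(), x.upper()) for a, r, x in PERMIT_RE.findall(text)]

def resource_matches(pattern, resource):
    """Assumed simplified masking, not CA's exact rules: '**' covers all remaining qualifiers,
    '*' one qualifier, bare BES covers every BESn, and BES.DISPLAY is a prefix for BES.DISPLAY.<x>."""
    pat, res = pattern.split("."), resource.split(".")
    for i, p in enumerate(pat):
        if p == "**":
            return True
        if i >= len(res):
            return False
        if p == "*" or (i == 0 and p == "BES" and res[i].startswith("BES")):
            continue
        if p != res[i]:
            return False
    return True

def check_access(permits, acids, resource):
    """acids = user's own ACID plus attached group/profile ACIDs; FAIL beats READ; no match = DENY."""
    hits = [p for p in permits if p.acid in acids and resource_matches(p.resource, resource)]
    if any(p.access == "FAIL" for p in hits):
        return "DENY"
    return "ALLOW" if any(p.access == "READ" for p in hits) else "DENY"

def who_can(permits, resource, membership):
    return sorted(u for u, g in membership.items() if check_access(permits, g, resource) == "ALLOW")

# Constructed sample: the page's examples plus a group permit (EXTGRP) so FAIL overriding READ is visible.
SAMPLE = """
TSS PERMIT(SECADMIN) OPERCMDS(BES.DISPLAY) ACCESS(READ)
TSS PERMIT(SYSADM01) OPERCMDS(BES2.PASSPHRASE) ACCESS(READ)
TSS PERMIT(SYSTEMS) OPERCMDS(BES1.RELOAD.**) ACCESS(READ)
TSS PERMIT(EXTGRP) OPERCMDS(BES.DISPLAY) ACCESS(READ)
TSS PERMIT(EXT001) OPERCMDS(BES7.DISPLAY.*) ACCESS(FAIL)
"""
# MEMBERS maps each user ACID to itself plus its group/profile ACIDs (constructed).
MEMBERS = {"SECADMIN": {"SECADMIN"}, "SYSADM01": {"SYSADM01"},
           "OPER01": {"OPER01", "SYSTEMS"}, "EXT001": {"EXT001", "EXTGRP"}}
PERMITS = parse_permits(SAMPLE)
```

Running who_can(PERMITS, "BES2.PASSPHRASE", MEMBERS) before granting READ on a sensitive resource such as PASSPHRASE or SHUTDOWN shows whether only the intended ACIDs would end up with access.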
Copyright © 2011 CA. All rights reserved.