This sample scenario shows how to create a command protection profile for CA Top Secret that prohibits all users from running any command, except that specific users are allowed to run the RELOAD=PASSPHRASE command on BES1 and BES2. The first ADDTO statement indicates that all users are prohibited from using all commands unless otherwise defined. The second and third ADDTO statements indicate that we want to control the use of the command on BES1 and BES2. The PERMIT commands indicate that only the SECADMIN and SYSADM01 users can run this command on BES1 and BES2. Because command protection is governed by the first ADDTO statement and commands are not defined to any other BES subsystems, all users are prohibited from running any command on any subsystem, except for the two users defined to BES1 and BES2.
TSS ADDTO(DEPT01) CA@BES(BES.COMMANDS.PROTECT)
TSS ADDTO(DEPT01) OPERCMDS(BES1.PASSPHRASE)
TSS PERMIT(SECADMIN) OPERCMDS(BES1.PASSPHRASE)
TSS PERMIT(SYSADM01) OPERCMDS(BES1.PASSPHRASE)
TSS ADDTO(DEPT01) OPERCMDS(BES2.PASSPHRASE)
TSS PERMIT(SECADMIN) OPERCMDS(BES2.PASSPHRASE)
TSS PERMIT(SYSADM01) OPERCMDS(BES2.PASSPHRASE)
If you wanted to allow any users to run commands on any other subsystems, you would have to use an ADDTO statement for each subsystem and each command to indicate that you wanted to control the command. You would then need a PERMIT statement for each subsystem to define each permitted command and to specify the authorized users for each command.
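As the number of ADDTO and PERMIT statements grows, the command list can be reviewed mechanically before it is run. The following Python audit is an added example, not CA's code: it applies the rules described on this page (the global protect definition, one ADDTO per controlled command, PERMITs naming the authorized users) and reports who may run what. BES3 and USER99 are hypothetical names used only to show a finding.

```python
import re
from collections import defaultdict

# The profile from the page.
PAGE_PROFILE = """\
TSS ADDTO(DEPT01) CA@BES(BES.COMMANDS.PROTECT)
TSS ADDTO(DEPT01) OPERCMDS(BES1.PASSPHRASE)
TSS PERMIT(SECADMIN) OPERCMDS(BES1.PASSPHRASE)
TSS PERMIT(SYSADM01) OPERCMDS(BES1.PASSPHRASE)
TSS ADDTO(DEPT01) OPERCMDS(BES2.PASSPHRASE)
TSS PERMIT(SECADMIN) OPERCMDS(BES2.PASSPHRASE)
TSS PERMIT(SYSADM01) OPERCMDS(BES2.PASSPHRASE)
"""
# Constructed drift: BES3 and USER99 are hypothetical; no ADDTO covers this PERMIT.
DRIFTED = PAGE_PROFILE + "TSS PERMIT(USER99) OPERCMDS(BES3.PASSPHRASE)\n"

STMT = re.compile(r"^TSS\s+(ADDTO|PERMIT)\((\w+)\)\s+([\w@]+)\(([\w.]+)\)$")

def audit(text):
    """Return ({resource: [permitted users]}, [findings]) for a TSS command list."""
    protect_on, owned, permits, findings = False, set(), defaultdict(set), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = STMT.match(line.strip())
        if not m:
            findings.append(f"line {n}: unrecognized statement")
            continue
        verb, acid, rclass, resource = m.groups()
        if (verb, rclass, resource) == ("ADDTO", "CA@BES", "BES.COMMANDS.PROTECT"):
            protect_on = True              # global "prohibited unless defined" rule
        elif rclass == "OPERCMDS" and verb == "ADDTO":
            owned.add(resource)            # command is placed under control
        elif rclass == "OPERCMDS":
            permits[resource].add(acid)    # user authorized for this command
        else:
            findings.append(f"line {n}: unexpected resource class {rclass}")
    if not protect_on:
        findings.append("BES.COMMANDS.PROTECT is not defined")
    findings += [f"{r}: PERMIT without ADDTO" for r in sorted(set(permits) - owned)]
    findings += [f"{r}: ADDTO without any PERMIT" for r in sorted(owned - set(permits))]
    return {r: sorted(u) for r, u in permits.items()}, findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_PROFILE), ("drifted", DRIFTED)):
        access, findings = audit(text)
        print(name, access, findings or "no findings")
```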
Copyright © 2011 CA. All rights reserved.