Defining Security Protection Profiles in CA ACF2 › CA@BES General Resource Class › CA@BES Overview

CA@BES Overview

The CA Tape Encryption SAF Interface uses the CA@BES general resource class to warehouse the profiles. CA ACF2 uses a three letter resource name identifier when referencing these resources. The CA@BES resource class is referenced as BES referencing the class in CA ACF2.

The architecture of CA ACF2 provides resource protection for all z/OS system resources by default. This type of architecture imposes several limitations with the CA Tape Encryption SAF Interface. CA Tape Encryption does not support the following SAF Interface features when running under CA ACF2:

• Global “PERMIT” scope processing mode.
• Local “PERMIT” scope processing mode.

  Note: For more information about these global and local PERMIT modes, see Pseudo-Global Resource Profile Definitions.

• Definition of explicit global resources. All resources must be defined to the local BESn subsystem or use pseudo-global definitions. The only two explicit global exceptions are the BES.SECURITY control parameter and BES.DEFAULT global default data set selection encryption key.
• Definition of any PROTECT or PERMIT resource protection levels. Protect is assumed.
• Users with the “Non-CNCL” or “SECURITY” attributes on a LID will not invoke the SAF Interface.
• GSO records that override or prohibit SAF calls to OPR (OPERCMDS), BES (CA@BES), or other SAFDEF definitions that intercept CA Tape Encryption SAF calls

Note: Each CA@BES and OPERCMDS key set has the ability to define the owner of the rule set. This field is an informational field only, CA ACF2 does not use this field for any processing and it does not grant the specified user any special privileges regarding the rule set.