Define System Specific Command Protection Profiles in CA ACF2

A command protection rule set has the following format:

$KEY(BESn.command_name.qualified_name) TYPE(OPR) 
$OWNER(ownerid) 
  UID(logon-ID) access
$KEY

Key name for this rule set - the fully qualified command protection key name.

n

Indicates the local BES subsystem number (1-8) this rule will govern.

command_name.qualified_name

Specifies the name of the command you want to manage, and the qualifying name of the command, if any. Options for this parameter are as follows:

COMPROMISE

Specifies the COMPROMISE= command.

DISPLAY

Specifies all forms of the DISPLAY command.

DUMP

Specifies the DUMP command.

MIGRATE

Specifies all forms of the MIGRATE= command.

PASSPHRASE

Specifies the RELOAD=PASSPHRASE command.

REFRESH.CAEKMAPI

Specifies the REFRESH=CAEKM_API_OPTIONS command.

REFRESH.CODEBOOKS

Specifies the REFRESH=CODEBOOKS command.

REFRESH.KEYRINGS

Specifies the REFRESH=KEYRINGS command.

REFRESH.NKMPARMS

Specifies the REFRESH=NKMPARMS command.

REFRESH.OPTIONS

Specifies the REFRESH=OPTIONS command.

REFRESH.SYMKEYS

Specifies the REFRESH=SYMKEYS command.

RELOAD

Specifies all forms of the RELOAD= command, except for the RELOAD=PASSPHRASE command.

SET.CONSOLE

Specifies the SET CONSOLE command.

SHUTDOWN

Specifies the SHUTDOWN command.

START.NKM

Specifies the START NKM command.

STOP.NKM

Specifies the STOP NKM command.

TYPE(OPR)

Indicates that the CA ACF2 rule set being compiled is an operator command rule.

$OWNER(ownerid)

Specifies the owner of the rule. You can specify up to 24 characters in the $OWNER control statement. CA ACF2 provides the $OWNER statement in case you want to track ownership of a rule.

UID(logon-ID) ALLOW | PREVENT

Specifies the CA ACF2 UID string of the logon ID that this rule entry applies to. The value can be a mask, as the examples below show: UID(SYS-) covers every UID that begins with SYS, and UID(*) covers all users. The access parameter takes one of two values: ALLOW grants access to the command resource; PREVENT withholds it.

Example: CA ACF2 fully-qualified command protection profile

This example defines a rule set with the fully qualified key BES2.REFRESH.CODEBOOKS. The rule entries grant USERA and USERB access to the REFRESH=CODEBOOKS command on BES2; no other user matches an entry, so no other user can issue it.

$KEY(BES2.REFRESH.CODEBOOKS) TYPE(OPR) 
$OWNER(BES)     
  UID(USERA) ALLOW
  UID(USERB) ALLOW

Example: CA ACF2 generic command protection profile definition

This example defines a generic rule set for all forms of the REFRESH command on BES1 and grants every user of BES1 access to them. The trailing asterisks mask the remainder of the key, so the one rule set covers every BES1.REFRESH.* key (REFRESH.CODEBOOKS, REFRESH.KEYRINGS, REFRESH.SYMKEYS, and so on) without covering other commands such as SHUTDOWN.

$KEY(BES1.REFRESH****************************) TYPE(OPR)
$OWNER(BES)                                      
  UID(*) ALLOW                                         

Example: CA ACF2 generic rule set definition for all commands

This example defines a generic key set for all commands on BES8. The rule set grants all users access to all commands. Because the key also matches SHUTDOWN, COMPROMISE and the RELOAD commands, a rule this broad is suitable only where every user of the subsystem is trusted with all of them; for production systems, prefer the discrete rule sets shown in the other examples.

$KEY(BES8.***********************************) TYPE(OPR)
$OWNER(BES)                                      
  UID(*) ALLOW

Example: CA ACF2 fully-qualified discrete rule set definition for specific users

This example defines a fully-qualified (discrete) key set definition to control access to the DISPLAY commands on BES1. The entry UID(SYS-) is a mask that allows every UID beginning with SYS, for example SYSADMIN and SYSPROG; the entry UID(OPER) allows OPER. The additional rule entry prevents DALSYS from using the command (DALSYS does not begin with SYS, so it matches only the PREVENT entry).

$KEY(BES1.DISPLAY) TYPE(OPR)
$OWNER(BES)   
  UID(SYS-) ALLOW
  UID(OPER) ALLOW
  UID(DALSYS) PREVENT
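To see how the rule sets above resolve a request, here is an added example that is not part of this documentation and not CA ACF2's own code: a small Python evaluator that parses $KEY / $OWNER / UID lines in the format shown on this page, applies a simplified model of the mask characters used in the examples ('*' matches one character position, '-' matches the rest of the field, and a trailing run of '*' is treated like '-' so that UID(*) means all users), and resolves a (BES number, command, UID) triple to ALLOW or PREVENT. The 40-position key field, the 24-position UID field, the "most specific match wins" selection and the "no match means PREVENT" default are modelling assumptions, not statements about CA ACF2's real rule interpretation. The sample input repeats the four rule sets from this page and adds a constructed BES3 rule set (not on the page) to show a specific PREVENT entry overriding a masked ALLOW entry.

```python
import re
from dataclasses import dataclass, field

KEY_LENGTH = 40   # assumption: the $KEY masks on this page are padded to 40 positions
UID_LENGTH = 24   # assumption: UID strings are compared as 24-position fields

KEY_RE = re.compile(r"\$KEY\(([^)]+)\)", re.I)
OWNER_RE = re.compile(r"\$OWNER\(([^)]+)\)", re.I)
UID_RE = re.compile(r"UID\(([^)]+)\)\s+(ALLOW|PREVENT)", re.I)


@dataclass
class Entry:
    uid_mask: str
    access: str                     # "ALLOW" or "PREVENT"


@dataclass
class RuleSet:
    key_mask: str
    owner: str = ""
    entries: list = field(default_factory=list)


def mask_matches(mask: str, value: str, length: int) -> bool:
    """Simplified ACF2-style mask compare (a model, not CA's code): '*' matches one
    character position, '-' matches everything to the end of the field, and a
    trailing run of '*' is treated like '-' so that UID(*) covers every user.
    Both sides are blank-padded, so a mask with no mask characters is an exact match."""
    mask, value = mask.upper(), value.upper()
    if mask.endswith("*"):
        mask = mask.rstrip("*") + "-"
    if len(mask) > length or len(value) > length:
        raise ValueError("mask or value longer than the %d-position field" % length)
    for m, v in zip(mask.ljust(length), value.ljust(length)):
        if m == "-":
            return True
        if m != "*" and m != v:
            return False
    return True


def specificity(mask: str) -> int:
    """Literal characters before the first '-': the higher count is the better match."""
    return sum(1 for ch in mask.upper().split("-", 1)[0] if ch != "*")


def parse_rule_sets(text: str) -> list:
    """Parse $KEY / $OWNER / UID lines written in the format shown on this page."""
    rule_sets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current = RuleSet(key_mask=m.group(1))
            rule_sets.append(current)
        elif (m := OWNER_RE.match(line)) and current is not None:
            current.owner = m.group(1)
        elif (m := UID_RE.match(line)) and current is not None:
            current.entries.append(Entry(m.group(1), m.group(2).upper()))
        else:
            raise ValueError("unrecognised rule line: %r" % raw)
    return rule_sets


def resolve(rule_sets: list, bes_number: int, command: str, uid: str) -> str:
    """ALLOW or PREVENT for UID issuing COMMAND on BESn. Assumptions: the most specific
    matching $KEY is used, then its most specific matching entry; no match is PREVENT."""
    key = "BES%d.%s" % (bes_number, command)
    sets = [rs for rs in rule_sets if mask_matches(rs.key_mask, key, KEY_LENGTH)]
    if not sets:
        return "PREVENT"
    best_set = max(sets, key=lambda rs: specificity(rs.key_mask))
    hits = [e for e in best_set.entries if mask_matches(e.uid_mask, uid, UID_LENGTH)]
    if not hits:
        return "PREVENT"
    return max(hits, key=lambda e: specificity(e.uid_mask)).access


def unrestricted_rule_sets(rule_sets: list) -> list:
    """Review check: keys whose rule set ALLOWs an all-users entry such as UID(*)."""
    return [rs.key_mask for rs in rule_sets
            if any(e.access == "ALLOW" and specificity(e.uid_mask) == 0 for e in rs.entries)]


# Constructed input: the four rule sets from this page plus a BES3 rule set
# (not on the page) where a specific PREVENT overrides a masked ALLOW.
SAMPLE_RULES = """
$KEY(BES2.REFRESH.CODEBOOKS) TYPE(OPR)
$OWNER(BES)
  UID(USERA) ALLOW
  UID(USERB) ALLOW
$KEY(BES1.REFRESH****************************) TYPE(OPR)
$OWNER(BES)
  UID(*) ALLOW
$KEY(BES8.***********************************) TYPE(OPR)
$OWNER(BES)
  UID(*) ALLOW
$KEY(BES1.DISPLAY) TYPE(OPR)
$OWNER(BES)
  UID(SYS-) ALLOW
  UID(OPER) ALLOW
  UID(DALSYS) PREVENT
$KEY(BES3.DISPLAY) TYPE(OPR)
$OWNER(BES)
  UID(SYS-) ALLOW
  UID(SYSTEST) PREVENT
"""

if __name__ == "__main__":
    rules = parse_rule_sets(SAMPLE_RULES)
    for bes, cmd, uid in [(2, "REFRESH.CODEBOOKS", "USERA"), (1, "REFRESH.SYMKEYS", "ANYBODY"),
                          (1, "SHUTDOWN", "OPER"), (1, "DISPLAY", "DALSYS"), (3, "DISPLAY", "SYSTEST")]:
        print("BES%d %-18s %-8s -> %s" % (bes, cmd, uid, resolve(rules, bes, cmd, uid)))
    print("rule sets granting all users:", unrestricted_rule_sets(rules))
```

Running the script shows the page's examples behaving as described (USERA may refresh codebooks on BES2, any user may issue any REFRESH form on BES1 but not SHUTDOWN, DALSYS is kept off DISPLAY) and flags the two rule sets that grant all users; `unrestricted_rule_sets` is the kind of check worth running over a rule export before the BES8-style catch-all reaches a production system.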