Use the TYPE=LOCAL command to define to TBESAF99 the default command protection profiles, utility protection profiles, and key protection profiles for each BES subsystem that you want to protect with your security system.
The TYPE=LOCAL entries provide more flexibility and control by letting you add definitions at the individual BES subsystem level. If you do not define a LOCAL entry, the GLOBAL rule is used, if it is specified. If no global rule is specified, the resource is considered to be not protected.
Use these commands as input to TBESAF99, which generates control statements for your security system. These local commands are optional and are only useful if you want to override the PERMIT or PROTECT statements for COMMANDS=, UTILITIES=, or KEYS= specified by the global command for default security profiles.
Note: For CA ACF2, the TYPE=LOCAL processing parameters of COMMANDS, UTILITIES, and KEYS are not supported. If you use these statements, a warning message is issued and the erroneous statement is discarded.
The following syntax considerations apply to the local command for defining protection profiles to individual BES subsystems:
This command has the following format:
BESn TYPE=LOCAL,
COMMANDS=permissions, CAEKMAPI=permissions, UTILITIES=permissions, KEYS=permissions
n
Indicates the BES task number.
TYPE=LOCAL
Specifies that this is a local command that applies to the specified BES subsystem.
CAEKMAPI=
Defines the default protection profile for the Option for Application Management on the specified BES subsystem. Options for this parameter are as follows:
PERMIT
Specifies that any user can use the Option for Application Management.
PROTECT
Specifies that no user can use the Option for Application Management unless explicitly permitted to do so.
COMMANDS=
Defines the default protection profile for all commands on the specified BES subsystem. Options for this parameter are as follows:
PERMIT
Specifies that all the commands are permitted.
PROTECT
Specifies that all the commands are protected.
UTILITIES=
Defines the default protection profile for CA Tape Encryption utility programs on the specified BES subsystem. Options for this parameter are as follows:
PERMIT
Specifies that all the utilities are permitted.
PROTECT
Specifies that all the utilities are protected.
KEYS=
Defines the default protection profile for all keys on the specified BES subsystem. Options for this parameter are as follows:
PERMIT
Specifies that all keys are permitted.
PROTECT
Specifies that all keys are protected.
Example: Local commands for command, key, application management, and utility profiles for specific BES subsystems
The first command specifies that you want to grant implicit access to all CA Tape Encryption console commands, encryption keys, and utilities on BES1. Conversely, the LOCAL statement for BES2 specifies just the opposite: all commands, keys, and utilities are explicitly protected and the security administrator can give permission to the resource or resources. These commands override any global commands previously defined by the GLOBAL command for these resources.
After defining the LOCAL security processing parameters, you must further define to each BES subsystem the specific commands, keys, application management, and utilities that you want to control by creating command, key, and utility profiles for the specific resources.
BES1 TYPE=LOCAL,
COMMANDS=PERMIT, CAEKMAPI=PERMIT, UTILITIES=PERMIT, KEYS=PERMIT
BES2 TYPE=LOCAL,
UTILITIES=PROTECT, COMMANDS=PROTECT, CAEKMAPI=PERMIT, KEYS=PROTECT
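The following audit script is an added example, not part of the CA documentation or of TBESAF99. It parses the two LOCAL statements above and applies the fallback described earlier (LOCAL, then GLOBAL, otherwise not protected) to list every resource class that is open without an explicit permission. The function names are hypothetical. The GLOBAL defaults are passed in as a dictionary because the GLOBAL syntax is not shown here, and fallback is assumed to apply per parameter.

```python
import re

CLASSES = ("COMMANDS", "CAEKMAPI", "UTILITIES", "KEYS")

# The two LOCAL statements from the example on this page.
SAMPLE = """\
BES1 TYPE=LOCAL,
COMMANDS=PERMIT, CAEKMAPI=PERMIT, UTILITIES=PERMIT, KEYS=PERMIT
BES2 TYPE=LOCAL,
UTILITIES=PROTECT, COMMANDS=PROTECT, CAEKMAPI=PERMIT, KEYS=PROTECT
"""

def parse_local(text):
    """Return {task_number: {class: 'PERMIT'|'PROTECT'}} for each BESn TYPE=LOCAL statement."""
    entries = {}
    # A trailing comma continues the statement on the next line.
    joined = re.sub(r",[ \t]*\n[ \t]*", ",", text)
    for line in joined.splitlines():
        m = re.match(r"\s*BES(\d+)\s+TYPE=LOCAL,(.+)$", line)
        if not m:
            continue
        params = {}
        for pair in m.group(2).split(","):
            name, _, value = pair.strip().partition("=")
            if name not in CLASSES or value not in ("PERMIT", "PROTECT"):
                raise ValueError(f"BES{m.group(1)}: bad parameter {pair.strip()!r}")
            params[name] = value
        entries[int(m.group(1))] = params
    return entries

def effective(local, global_defaults, task):
    """Resolve each class: LOCAL first, then GLOBAL, otherwise not protected."""
    resolved = {}
    for cls in CLASSES:
        if cls in local.get(task, {}):
            resolved[cls] = (local[task][cls], "LOCAL")
        elif cls in global_defaults:
            resolved[cls] = (global_defaults[cls], "GLOBAL")
        else:
            resolved[cls] = ("NOT PROTECTED", "none")
    return resolved

def open_by_default(local, global_defaults, tasks):
    """List (task, class, source) wherever access does not require an explicit permission."""
    return [(t, cls, src)
            for t in tasks
            for cls, (setting, src) in effective(local, global_defaults, t).items()
            if setting != "PROTECT"]

if __name__ == "__main__":
    # Assumed GLOBAL defaults (constructed); BES3 is a subsystem with no LOCAL entry.
    for finding in open_by_default(parse_local(SAMPLE), {"KEYS": "PROTECT"}, [1, 2, 3]):
        print("BES%d %s open by default (source: %s)" % finding)
```

Run against the example, the script reports CAEKMAPI on BES2 as still open, since that statement sets CAEKMAPI=PERMIT while protecting the other three classes.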
Copyright © 2011 CA. All rights reserved.