
How Global and Local Security Profiles Work Together

With the exception of CA ACF2, you can use global and local security profiles together to control permissions for commands, keys, and utilities. LOCAL resource profiles, when defined, take precedence. GLOBAL resource profiles are used if a local resource is not defined. CA Tape Encryption executes the following steps to determine resource protection:

  1. CA Tape Encryption examines CA@BES to determine whether BES.SECURITY is defined and the APPLDATA states active. If this check fails, then access is automatically granted to the resource.
  2. Local scope processing parameters are checked for PERMIT or PROTECT resource protection.
  3. Global scope processing parameters are checked for PERMIT or PROTECT resource protection if the local scope has not been defined.
  4. CA Tape Encryption then examines CA@BES or OPERCMDS to locate the associated local resource profile.

If the scope is PERMIT, the following steps are used to determine whether the resource is protected or access is granted:

  1. Examine CA@BES or OPERCMDS to locate the local profile definition.
  2. Examine CA@BES or OPERCMDS to locate the global profile definition.
  3. If the profile is not defined at the local or global level, access is granted.
  4. If a profile is located, the external security manager will be queried to determine the user's access level.

If the scope is PROTECT, the following steps are used to determine whether access is granted to the resource:

  1. Examine CA@BES or OPERCMDS to locate the local profile definition.
  2. Examine CA@BES or OPERCMDS to locate the global profile definition.
  3. If the profile is not defined at the local or global level, access is denied.
  4. If the profile is located, the external security manager will be queried to determine whether the user has access to the resource.
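
The decision order described above can be modeled in a few lines, which makes the paths that grant access without consulting the external security manager easy to see. This is an added illustration, not CA Tape Encryption code: the function name, its parameters, the `EXAMPLE.*` profile names and the `esm_check` callback are hypothetical, and because the page does not say what happens when no scope is defined at either level, the model raises an error in that case.

```python
from typing import Callable, Optional

GRANT, DENY = "GRANT", "DENY"

def resolve_access(security_active: bool,
                   local_scope: Optional[str],
                   global_scope: Optional[str],
                   local_profile: Optional[str],
                   global_profile: Optional[str],
                   esm_check: Callable[[str], bool]) -> str:
    """Model of the documented decision order (hypothetical helper).

    security_active: BES.SECURITY is defined and its APPLDATA states active.
    *_scope:         "PERMIT", "PROTECT", or None when not defined.
    *_profile:       name of the resource profile, or None when not defined.
    esm_check:       stands in for the external security manager query.
    """
    # Step 1: if the BES.SECURITY check fails, access is granted outright.
    if not security_active:
        return GRANT

    # Steps 2-3: local scope is used when defined, otherwise global scope.
    scope = local_scope if local_scope is not None else global_scope
    if scope not in ("PERMIT", "PROTECT"):
        # Assumption: the page does not describe this case.
        raise ValueError("no PERMIT/PROTECT scope defined locally or globally")

    # Local profile takes precedence; global is used only if local is absent.
    profile = local_profile if local_profile is not None else global_profile

    # No profile at either level: PERMIT grants, PROTECT denies.
    if profile is None:
        return GRANT if scope == "PERMIT" else DENY

    # A profile exists: the external security manager decides.
    return GRANT if esm_check(profile) else DENY

def constructed_esm(profile: str) -> bool:
    """Constructed sample: the user is permitted only on EXAMPLE.GLOBAL."""
    return profile == "EXAMPLE.GLOBAL"

if __name__ == "__main__":
    # Same missing profile, opposite outcomes depending on scope.
    print(resolve_access(True, None, "PERMIT", None, None, constructed_esm))
    print(resolve_access(True, "PROTECT", "PERMIT", None, None, constructed_esm))
```

Under PERMIT scope a missing profile grants access, so a mistyped or undefined profile name leaves the resource open; under PROTECT scope the same mistake denies access.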