Using Your Security System › Security Profiles › How You Set Global PROTECT and PERMIT Commands

How You Set Global PROTECT and PERMIT Commands

Note: CA ACF2 does not support the GLOBAL processing or the definition of PROTECT or PERMIT security parameters. By design, CA ACF2 protects all resources. However, you can define pseudo-global profiles that will emulate PERMIT processing.

The following points outline how you set global PROTECT and PERMIT commands on all BES subsystems:

1. Define permissions to each BES for all commands, keys, application management, or eligible utilities using the PROTECT or PERMIT command. This sets the global processing security options for all BES subsystems that share this security system database by defining permissions for all commands, keys, application management, and utilities for all BES subsystems.
2. Define specific commands, keys, application management, or eligible utilities to BES. This identifies to the security system that you want to control a specific command, key, application management, or utility for all BES subsystems. At the security system level, this definition prevents the command, key, application management, or utility from being used.

   Note: You can override these restrictions by specifying a corresponding PERMIT (IBM Security Server RACF or CA Top Secret) or UID(userid) ALLOW (CA ACF2) command. For IBM Security Server RACF you can define the resource with a universal access of READ (at a minimum).

3. Define a PERMIT command for a specific command, key, application management, or utility and identify which users or groups are allowed to run the command, access the key, or execute the batch utility. This identifies to the security system that the specified users are allowed to run the command, use the key, application management, or execute the batch utility maintenance programs on any BES subsystem.