CA ACF2's architecture protects all resources by default at the individual resource level. The PERMIT resource protection processing in CA Tape Encryption's architecture runs counter to the CA ACF2 architecture and is therefore not supported. As an alternative, CA Tape Encryption sites running CA ACF2 can define CA@BES and OPERCMDS “Pseudo-Global” resource profile definitions. When defined, pseudo-global resource protection profiles emulate PERMIT processing. As the name implies, pseudo-global resource definition profiles are used as defaults and grant implicit access to CA Tape Encryption resources.
Pseudo-Global resource protection profiles can be defined either at the global level for all BES subsystems or for individual local BESn subsystems. CA recommends defining pseudo-global resource profiles at the local BESn subsystem and by function type. This allows more comprehensive reporting within the DISPLAY SECURITY commands and can limit implicit access.
Example: Define pseudo-global resource profile definitions for BES2
The following pseudo-global profile definitions grant implicit access to BES2. An example of each resource that can be defined is shown.
ACF
COMPILE STORE
$KEY(BES2.KEYCODE.**************************) TYPE(BES)
UID(*) ALLOW
COMPILE STORE
$KEY(BES2.KEYCERT.**************************) TYPE(BES)
UID(*) ALLOW
COMPILE STORE
$KEY(BES2.KEYSYMM.**************************) TYPE(BES)
UID(*) ALLOW
COMPILE STORE
$KEY(BES2.UTILITY.TBE***********************) TYPE(BES)
UID(*) ALLOW
COMPILE STORE
$KEY(BES2.**********************************) TYPE(OPR)
UID(*) ALLOW
Example: Define a specific resource to be protected
This example shows how to define a specific resource and grant permission based on rule set definitions. Use this definition where pseudo-global profiles have been defined and the security administrator wants to explicitly protect a resource.
ACF
COMPILE STORE
$KEY(BES2.DISPLAY***************************) TYPE(OPR)
UID(*) PREVENT
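An audit sketch for the two examples above, added here and not CA's code: it parses the rule definitions, lists the UID(*) ALLOW pseudo-global keys that grant implicit access, and resolves a resource name to its governing rule. It assumes a simplified matching model (each * masks one character or none, and the matching key with the most literal characters wins) and uses constructed resource names such as BES2.DISPLAY.SECURITY; it does not reproduce CA ACF2's own rule selection.

```python
import re

# Rule definitions copied from the two examples on this page.
RULES_TEXT = """\
$KEY(BES2.KEYCODE.**************************) TYPE(BES)
UID(*) ALLOW
$KEY(BES2.KEYCERT.**************************) TYPE(BES)
UID(*) ALLOW
$KEY(BES2.KEYSYMM.**************************) TYPE(BES)
UID(*) ALLOW
$KEY(BES2.UTILITY.TBE***********************) TYPE(BES)
UID(*) ALLOW
$KEY(BES2.**********************************) TYPE(OPR)
UID(*) ALLOW
$KEY(BES2.DISPLAY***************************) TYPE(OPR)
UID(*) PREVENT
"""

RULE_RE = re.compile(
    r"\$KEY\(([^)]+)\)\s+TYPE\((\w+)\)\s+UID\(([^)]*)\)\s+(ALLOW|PREVENT)")

def parse_rules(text):
    """Return one dict per rule: key, type, uid, action."""
    return [dict(zip(("key", "type", "uid", "action"), m.groups()))
            for m in RULE_RE.finditer(text)]

def key_matches(mask, resource):
    """Assumed model: '*' masks one character, or none past the name's end."""
    if len(resource) > len(mask):
        return False
    padded = resource.ljust(len(mask), "\0")
    return all(m == "*" or m == c for m, c in zip(mask, padded))

def decision(rules, rtype, resource):
    """Action of the most specific matching rule; no match means protected."""
    hits = [r for r in rules
            if r["type"] == rtype and key_matches(r["key"], resource)]
    best = max(hits, key=lambda r: len(r["key"].replace("*", "")), default=None)
    return best["action"] if best else "PREVENT"

def implicit_grants(rules):
    """Pseudo-global defaults: keys that allow every UID."""
    return [r["key"] for r in rules if r["uid"] == "*" and r["action"] == "ALLOW"]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print("Implicit-access keys to review:", *implicit_grants(rules), sep="\n  ")
    for rtype, name in [("OPR", "BES2.DISPLAY.SECURITY"), ("OPR", "BES2.EXAMPLECMD"),
                        ("BES", "BES2.UTILITY.XYZ")]:  # constructed names
        print(rtype, name, "->", decision(rules, rtype, name))
```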
Copyright © 2011 CA. All rights reserved.