Sample Scenario for Restricting Global Access to Keys and Permitting a Specific Key

This sample scenario shows how to restrict key access using the RDEF and PE commands on IBM Security Server RACF. The first RDEF statement restricts all users from accessing any key on any BES subsystem. The second RDEF statement indicates that you want to control access to the symmetric key named AES256_KEY on BES1. The PE statement indicates that only users SECADMIN and SYSADMIN are permitted to use this key on BES1. Because the first RDEF statement defines the default behavior for key protection as PROTECT, no other users can use any key on any active subsystem.

RDEF CA@BES BES.KEYS.PROTECT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL KEY PROTECTION OPTION')
RDEF CA@BES BES1.KEYSYMM.AES256_KEY
     OWNER(SECADMIN)
     DATA('CA Tape Encryption KEY PROTECTION PROFILE')
PE   BES1.KEYSYMM.AES256_KEY
     ACCESS(READ)
     GENERIC
     CLASS(CA@BES)
     ID(SECADMIN,SYSADMIN)

If you want to make other keys available, you must code a separate RDEF statement and PE statement for each key on each subsystem; the global PROTECT profile denies everything that is not explicitly permitted this way.
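The following commands are an added example, not part of the original page, showing how the per-key, per-subsystem pattern above is extended and then verified. The key name AES128_KEY, the subsystem name BES2 and the user ID BACKUPOPR are constructed placeholders; the global BES.KEYS.PROTECT profile from the scenario is assumed to be already defined. The block is written as a TSO CLIST fragment so that /* */ comments are legal.

```racf
/* Added example (not from the original page). AES128_KEY, BES2 and      */
/* BACKUPOPR are constructed placeholders; BES.KEYS.PROTECT is assumed   */
/* to exist already with its PROTECT default in force.                   */

/* One discrete profile per key and per subsystem: this one controls the */
/* constructed key AES128_KEY on subsystem BES2 only.                    */
RDEF CA@BES BES2.KEYSYMM.AES128_KEY
     OWNER(SECADMIN)
     DATA('CA Tape Encryption KEY PROTECTION PROFILE')

/* Permit only the constructed backup operator ID to use that key.       */
/* The profile name contains no generic characters, so no GENERIC        */
/* operand is coded here.                                                */
PE   BES2.KEYSYMM.AES128_KEY
     ACCESS(READ)
     CLASS(CA@BES)
     ID(BACKUPOPR)

/* Verify the resulting access lists before relying on them: each key    */
/* should show only the IDs intended for that subsystem.                 */
RLIST CA@BES BES1.KEYSYMM.AES256_KEY AUTHUSER
RLIST CA@BES BES2.KEYSYMM.AES128_KEY AUTHUSER

/* Assumption: if the CA@BES class is RACLISTed on your system, the       */
/* in-storage profiles must be refreshed for the new permissions to      */
/* take effect.                                                          */
SETROPTS RACLIST(CA@BES) REFRESH
```

The RLIST output with AUTHUSER is the check worth keeping in a change record: it confirms that SECADMIN and SYSADMIN remain the only IDs on AES256_KEY for BES1, and that the new key on BES2 has not inherited any access it should not have.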