This sample scenario could be used for a production CA Tape Encryption subsystem. All of the system commands are implicitly protected. If access needs to be granted to an individual command, either a LOCAL override specifying a BESn.COMMANDS.PERMIT statement needs to be specified, or the individual command should be defined and permitted.
The first RDEF statement globally protects all CA Tape Encryption subsystem commands. The second statement grants universal access for all BES subsystems to process the DISPLAY command. The third RDEF statement and the PE statement specify that the PASSPHRASE command can be entered but only on BES8 and by user SECADMIN and group SYSADM01.
RDEF CA@BES BES.COMMANDS.PROTECT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL COMMAND PROTECTION OPTION')
RDEF OPERCMDS BES2.DISPLAY
     UACC(READ)
     OWNER(SECADMIN)
RDEF OPERCMDS BES8.PASSPHRASE
     OWNER(SECADMIN)
PE BES8.PASSPHRASE CLASS(OPERCMDS) ACCESS(READ) ID(SECADMIN,SECASM01)
If you wanted to allow any users to run commands on any other subsystems, you would have to use an RDEF statement for each subsystem and each command to indicate that you wanted to control the command. You would then need a PE statement for each subsystem to define each permitted command and to specify the authorized users for each command.
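The effect of a set of these statements can be checked offline before they are entered. The following Python is an added example, not part of the CA documentation: it parses the sample's statements (with PE in RACF's PERMIT profile CLASS(class) operand order) and answers whether a user may enter a command on a subsystem. It assumes discrete profiles only, UACC(NONE) when UACC is omitted, and IDs matched literally against the user ID or its groups; the LOCAL BESn.COMMANDS.PERMIT override is not modeled.

```python
import re

# The sample's statements (DATA operand omitted), continuation lines included.
SAMPLE = """\
RDEF CA@BES BES.COMMANDS.PROTECT
OWNER(SECADMIN)
RDEF OPERCMDS BES2.DISPLAY
UACC(READ)
OWNER(SECADMIN)
RDEF OPERCMDS BES8.PASSPHRASE
OWNER(SECADMIN)
PE BES8.PASSPHRASE CLASS(OPERCMDS) ACCESS(READ) ID(SECADMIN,SECASM01)
"""
GRANTS = {"READ", "UPDATE", "CONTROL", "ALTER"}  # RACF levels at or above READ

def load(text):
    """Join continuation lines and return the OPERCMDS profiles they define."""
    stmts = []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"(RDEF|PE)\s", line):
            stmts.append(line)
        elif line and stmts:
            stmts[-1] += " " + line
    protected, profiles = False, {}
    for s in stmts:
        verb, a, b = s.split()[:3]
        # RDEF class profile ... / PE profile CLASS(class) ... (CLASS assumed first)
        cls, name = (a, b) if verb == "RDEF" else (b[6:-1], a)
        if (verb, cls, name) == ("RDEF", "CA@BES", "BES.COMMANDS.PROTECT"):
            protected = True
        elif cls == "OPERCMDS":
            # Assumption: a profile defined without UACC gets UACC(NONE).
            prof = profiles.setdefault(name, {"uacc": "NONE", "ids": set()})
            uacc = re.search(r"UACC\((\w+)\)", s)
            acc = re.search(r"ACCESS\((\w+)\)", s)
            ids = re.search(r"ID\(([^)]*)\)", s)
            if verb == "RDEF" and uacc:
                prof["uacc"] = uacc.group(1)
            elif verb == "PE" and acc and ids and acc.group(1) in GRANTS:
                prof["ids"].update(i.strip() for i in ids.group(1).split(","))
    if not protected:
        raise ValueError("model only covers the global-protection scenario")
    return profiles

def allowed(profiles, subsystem, command, user, groups=()):
    """True if user (or one of its groups) may enter command on subsystem."""
    prof = profiles.get(f"{subsystem}.{command}")
    if prof is None:
        return False  # no profile: the command stays implicitly protected
    return prof["uacc"] in GRANTS or bool(prof["ids"] & {user, *groups})
```

With the sample statements as written, `allowed(load(SAMPLE), "BES8", "DISPLAY", "OPER1")` is false: BES2.DISPLAY is the only DISPLAY profile defined, so DISPLAY on any other subsystem stays protected.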
Copyright © 2011 CA. All rights reserved.