Sample Scenario to Permit All Commands and Restrict a Specific Command

This sample scenario shows how to create a command protection profile for IBM Security Server RACF that permits all users to run all commands except RELOAD=PASSPHRASE. This scenario benefits customers who want to give implicit access to a test BES subsystem while restricting a command that could potentially affect all BES subsystems.

The first RDEF statement (BES.COMMANDS.PERMIT) indicates that all users have implicit access to all CA Tape Encryption console commands that are not further restricted or defined. The second RDEF statement restricts the use of the PASSPHRASE command on BES8. The third statement (PE) allows SECADMIN and SYSADM01 to enter the PASSPHRASE command on BES8.

RDEF CA@BES BES.COMMANDS.PERMIT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL COMMAND PROTECTION OPTION')
RDEF OPERCMDS BES8.PASSPHRASE
     OWNER(SECADMIN)
     DATA('CA Tape Encryption LOCAL RESTRICT RELOAD PASSPHRASE COMMAND')
PE   BES8.PASSPHRASE
     ACCESS(READ)
     GENERIC
     CLASS(OPERCMDS)
     ID(SECADMIN,SYSADM01)
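The following Python model is an added example, not part of this page or of the CA Tape Encryption product, and it is not RACF's own matching algorithm. It encodes the three statements above as data and evaluates the precedence the text describes: a local OPERCMDS profile for a specific subsystem and command is checked first and only the IDs on its access list may use that command; with no such profile, the global CA@BES BES.COMMANDS.PERMIT profile grants implicit access. The user ID OPER1 and the subsystem BES1 are constructed for illustration; generic-character matching is simplified with fnmatch.

```python
from fnmatch import fnmatchcase

# Constructed model of the three statements on this page. Profile names,
# classes and the IDs SECADMIN/SYSADM01 come from the page; the evaluation
# order (specific OPERCMDS profile first, then the global CA@BES permit)
# is an assumption drawn from the page's description, not RACF's algorithm.
PROFILES = [
    # (class, profile name, access list {user: access level})
    ("CA@BES",   "BES.COMMANDS.PERMIT", {}),  # global: implicit permit for all
    ("OPERCMDS", "BES8.PASSPHRASE",     {"SECADMIN": "READ", "SYSADM01": "READ"}),
]

SUFFICIENT = ("READ", "UPDATE", "CONTROL", "ALTER")  # READ or higher satisfies ACCESS(READ)


def find_profile(racf_class, resource):
    """Return the most specific profile in racf_class that covers resource.

    Generic characters are approximated with fnmatch (% -> single char, * -> any);
    real RACF generics treat periods specially, so this is a simplification.
    A longer profile name is treated as more specific. Returns None if no match.
    """
    matches = [
        (cls, name, acl)
        for cls, name, acl in PROFILES
        if cls == racf_class and fnmatchcase(resource, name.replace("%", "?"))
    ]
    if not matches:
        return None
    return max(matches, key=lambda p: len(p[1]))


def can_issue(user, subsystem, command):
    """Decide whether user may enter command on the BES subsystem named subsystem."""
    specific = find_profile("OPERCMDS", f"{subsystem}.{command}")
    if specific is not None:
        # A local RESTRICT profile exists: only IDs on its access list
        # with at least READ may use the command (no implicit access).
        return specific[2].get(user) in SUFFICIENT
    # No local restriction: the global PERMIT profile gives implicit access.
    return find_profile("CA@BES", "BES.COMMANDS.PERMIT") is not None


if __name__ == "__main__":
    for user, subsys, cmd in [
        ("SECADMIN", "BES8", "PASSPHRASE"),
        ("OPER1", "BES8", "PASSPHRASE"),
        ("OPER1", "BES8", "DISPLAY"),
        ("OPER1", "BES1", "PASSPHRASE"),
    ]:
        print(f"{user:9} {subsys} {cmd:11} -> {'permitted' if can_issue(user, subsys, cmd) else 'denied'}")
```

In the model, OPER1 is denied PASSPHRASE on BES8 but still has implicit access to other BES8 commands and to PASSPHRASE on any other subsystem, which is the effect the scenario describes. On a live system, OPERCMDS is a RACLISTed class, so the new profile and permit take effect only after SETROPTS RACLIST(OPERCMDS) REFRESH.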