z/OS NFS enables remote access to z/OS data sets and to USS HFS files and directories. NFS can protect file systems on MVS through one of four protection schemes. The scheme is selected with the ‘Security’ attribute in the z/OS NFS server ‘Site Attributes’.
Possible settings are:
security(none): Do not restrict access. No MVS user ID required and no SAF check.
security(exports): Restrict access by client IP address only. No SAF check.
security(saf): Use SAF to control access to data sets. SAF check executed.
security(safexp): Use both SAF and the EXPORTS data set to control access. SAF check executed (most secure).
Both SAF and SAFEXP require the user to validate access through the ‘mvslogin’ process, which issues a SAF call. CA recommends a minimum of security (SAF). Users who attempt to access HFS data must have a valid OMVS segment assigned to their MVS ACID. Access to HFS files is granted by validating the client’s UID and group against the file’s UNIX permission bits. Under normal circumstances, access to MVS data sets requires both the z/OS NFS server and the client user to pass a security check for the resource. The exception is when ‘DataCaching’ is enabled, which causes data to be stored on the z/OS NFS client system.
With DataCaching enabled, the first user attempting to access an MVS data set must pass a SAF security check, issued by the z/OS NFS server. Once that check passes, the data set is cached on the z/OS NFS client, and subsequent requests from any user on that client are served from the cache without further restriction. Data caching is enabled by default. CA recommends that ‘DataCaching’ be disabled: with DataCaching(N), no client data caching takes place, so each user must pass the z/OS NFS server SAF check before being granted access to data.

The z/OS NFS server ‘Site Attribute’ ‘checklist’ names the files and/or directories for which SAF security is bypassed even when SAF or SAFEXP is specified. Proper care must therefore be taken to secure the checklist data set itself. It is defined by the CHKLIST DD in the MVSNFS procedure.
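The following script is an added example, not code from CA or IBM. It parses a constructed z/OS NFS attribute fragment and flags the settings this page warns about: a ‘Security’ value other than saf/safexp, client DataCaching left enabled, and an active checklist whose CHKLIST data set must be protected. The attribute file syntax it assumes (whitespace-separated keyword or keyword(value) tokens, with ‘#’ starting a comment) is an assumption; adjust the parser for your site’s actual attribute data sets.

```python
# Added example (not CA's or IBM's code): audit z/OS NFS attribute settings
# against the guidance above. Assumed file syntax: whitespace-separated
# 'keyword' or 'keyword(value)' tokens, with '#' starting a comment.
import re

TOKEN = re.compile(r"([A-Za-z]+)(?:\(([^)]*)\))?")

def parse_attributes(text):
    """Map each keyword (lower-cased) to its value, or '' for bare keywords."""
    attrs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments (assumed syntax)
        for key, value in TOKEN.findall(line):
            attrs[key.lower()] = value.strip().lower()
    return attrs

def audit(server_attrs, client_attrs):
    """Return findings (empty list = consistent with the recommendations)."""
    findings = []
    sec = server_attrs.get("security")
    if sec is None:
        findings.append("security not set: confirm the default resolves to saf or safexp")
    elif sec not in ("saf", "safexp"):
        findings.append(f"security({sec}): no SAF check on data set access")
    # DataCaching defaults to enabled; cached data skips per-user SAF checks
    if client_attrs.get("datacaching", "y") != "n":
        findings.append("datacaching not set to N: cached data bypasses per-user SAF checks")
    if "checklist" in server_attrs and "nochecklist" not in server_attrs:
        findings.append("checklist active: SAF bypassed for listed paths; secure the CHKLIST data set")
    return findings

# Constructed sample attribute fragments (not taken from a real installation)
SERVER_WEAK = "security(exports)   # client IP checks only\nchecklist\n"
CLIENT_WEAK = "datacaching(Y)\n"
SERVER_OK = "security(saf)\nnochecklist\n"
CLIENT_OK = "datacaching(N)\n"

if __name__ == "__main__":
    for label, s, c in (("weak", SERVER_WEAK, CLIENT_WEAK), ("hardened", SERVER_OK, CLIENT_OK)):
        print(label, audit(parse_attributes(s), parse_attributes(c)) or ["no findings"])
```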
Copyright © 2014 CA Technologies.
All rights reserved.