File‑related functions can be secured to various levels of granularity by determining a user’s highest level of access to an IBMFAC resource. The ACCESS keyword of the IBMFAC resource authorization is used for this purpose. The following actions are taken based upon the ACCESS value:
The user is allowed to perform the function against all files.
The user is not allowed to perform the function against any files.
(Or any access containing READ such as CONTROL or UPDATE.)
The user is allowed to perform the function if the user also has ACCESS(CONTROL) access to the HFS file.
The access level of CONTROL is not used in normal file access. It is utilized here to provide additional controls for file functions.
READ may also allow the function if the HFS file exists in the user's 'user path directory'. That is, if the file exists in the users directory matching the userid making the request. Normally the directory is chained off the /u directory but this can be altered by the user exit.
Because the absence of the ACCESS keyword in a permission implies READ access, specify ACCESS in all of the file function IBMFAC permissions so that you do not inadvertently allow greater access to functions than you intended.
HFS file permission settings and UID/GID ownership are not used for validation purposes when CA SAF HFS security is active.
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|