DFSMSdfp controls storage on DASD and tape volumes for the system. DFSMSdfp communicates information between the processor and the storage devices to provide data, device, program, and storage management activities.
The following is supported when MLS is active on a CA Top Secret system:
The following restrictions apply when MLS is active on a CA Top Secret system:
Do not activate the DASDVOL class. Users with DASDVOL authority to a volume can access its data sets without being restricted by DAC rules.
DASDVOL authority is necessary when using the AMASPZAP service aid to modify a Volume Table of Contents (VTOC) on a disk pack. This operation takes the system out of an MLS configuration, and should be done only under controlled conditions, and with only trusted users on the system.
Do not use CVOLs or VSAM catalogs. Only Integrated Catalog Facility (ICF) catalogs should be used in an MLS system. The following steps prevent the use of CVOLs and VSAM catalogs:
This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.
| Requirement | Complete |
|---|---|
| Control access to data on DASD | □ |
| Control access to data on tape | □ |
| Control access to temporary data sets | □ |
| Protect ICF catalogs | □ |
| Assign security label to catalogs | □ |
| Write access rules to control access | □ |
| Activate name-hiding (optional) | □ |
| Protect the DFSMS subsystem | □ |
In an MLS system, data stored on DASD devices is secured by protection provided by MLS resource records.
In an MLS system, data stored on tape is secured by protection provided by MLS resource records.
In an MLS system, access restrictions apply to temporary data sets. A temporary data set is a special data set created and deleted in the same job. Unlike an ordinary (non-temporary) data set, it is not cataloged and has a system-generated name. Only the job that creates a temporary data set can access it for read, write or scratch purposes. In an MLS system, temporary data sets must be protected from unauthorized access and disclosure. The security administrator must do the following:
A job can always access its own temporary data sets, and in general, other jobs cannot. When a job ends, its temporary data sets are automatically deleted by the system. However, there are some cases where data sets may not be deleted:
If access to temporary data sets were restricted to just the creating job, these leftover data sets would never be deleted, and would stay around forever, taking up valuable space. To prevent this, it is necessary to allow selected authorized users access to these data sets, so they can be deleted. For this reason, users with the NODSNCHK attribute in their acids can access temporary data sets that they did not create. A logging record is created for each access.
In an MLS system, a site should protect its ICF catalogs using MAC and DAC mechanisms.
When write-down is protected on an MLS system, a security administrator should assign the security label SYSNONE to all ICF catalogs. This enables a user logged on with any security label to access the catalog based on the DAC access rules.
A security administrator must write access rules to control access to the catalogs. The security administrator must write access rules for the master catalog and the user catalogs. All system users should be given read access to the master catalog and only a limited number of users should be allowed to write to the master catalog. Below is a sample command:
TSS PER(ALL) DSN(CATALOG.MASTER) ACCESS(READ)
TSS PER(SYSADM) DSN(CATALOG.MASTER) ACCESS(UPDATE)
CATALOG.MASTER: The first- and second-level qualifiers of the data set name of the master catalog.
SYSADM: A user authorized to update the master catalog.
This rule permits all users to update user catalogs named CATALOG.-.
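The guidance above (everyone reads the master catalog, few write to it) can be checked against an export of permit commands. The following Python sketch is an added example, not CA code: it assumes the export is one `TSS PERMIT` command per line, that any access level other than NONE or READ counts as write access, and that `max_writers` is a site-chosen threshold. It matches the catalog name exactly and does not expand masked rules.

```python
import re

PAIR = re.compile(r"([A-Z]+)\(([^()]*)\)")          # KEYWORD(value) operands
KEYWORDS = {"PER": "acid", "PERMIT": "acid", "DSN": "dsn", "DSNAME": "dsn",
            "ACCESS": "access"}
READ_ONLY = {"NONE", "READ"}   # assumption: any other level counts as write access


def parse_permit(line):
    """Return {'acid', 'dsn', 'access'} for a TSS PERMIT line, else None."""
    text = line.strip().upper()
    if not text.startswith("TSS "):
        return None
    rule = {KEYWORDS[k]: v.strip() for k, v in PAIR.findall(text) if k in KEYWORDS}
    if "acid" not in rule or "dsn" not in rule:
        return None
    # Assumption: a permit without ACCESS(...) is treated as READ.
    rule["access"] = {a.strip() for a in rule.get("access", "READ").split(",")}
    return rule


def audit_master_catalog(lines, master_dsn, max_writers=2):
    """List permits that conflict with the master-catalog guidance."""
    findings, writers, all_reads = [], set(), False
    for line in lines:
        rule = parse_permit(line)
        if rule is None or rule["dsn"] != master_dsn.upper():
            continue   # exact-name match only; masked rules are not expanded
        if rule["acid"] == "ALL" and "READ" in rule["access"]:
            all_reads = True   # literal READ only; implied levels are not modelled
        if rule["access"] <= READ_ONLY:
            continue
        writers.add(rule["acid"])
        if rule["acid"] == "ALL":
            findings.append(f"ALL record can write {master_dsn}: {line.strip()}")
    if not all_reads:
        findings.append(f"no PERMIT gives the ALL record READ on {master_dsn}")
    if len(writers) > max_writers:
        findings.append(f"{len(writers)} ACIDs can write {master_dsn}: {sorted(writers)}")
    return findings


# Constructed rule export; the third line is the deliberately over-broad one.
SAMPLE = [
    "TSS PER(ALL) DSN(CATALOG.MASTER) ACCESS(READ)",
    "TSS PER(SYSADM) DSN(CATALOG.MASTER) ACCESS(UPDATE)",
    "TSS PER(ALL) DSN(CATALOG.MASTER) ACCESS(UPDATE)",
]

if __name__ == "__main__":
    for finding in audit_master_catalog(SAMPLE, "CATALOG.MASTER"):
        print(finding)
```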
The MLNAME control option activates name‑hiding on a CA Top Secret system.
Specifies whether the names of data sets, files, and directories are protected from disclosure to users who do not have at least READ access to the data. Rule validation and, if MLS is active, security label checking are performed to allow or prevent the user from viewing the names of data sets in a catalog or on a VTOC, and the names of files and directories when listing the contents of a UNIX directory. However, if a user requests to view the name of a specific data set, file, or directory, the name will appear, but the user may not be able to access the data. Name hiding can be used on a system where MLS is not active. However, MLS must be active to support name hiding for UNIX files and directories. The default is MLNAME(NO): do not hide the names of data sets, files, and directories from users.
When name-hiding is active, users are prevented from seeing the names of data sets to which they do not have at least READ access in a catalog, unless the exact name of the data set is specified.
Note: When a user issues an =3.4 in ISPF to access data sets, and does not specify a volume serial number, catalog processing is performed.
When name-hiding is active, users are prevented from seeing the names of data sets to which they do not have at least READ access on a VTOC when directly reading the VTOC or VTOC index or using CCHHR for CVAF reading of a VTOC.
Name hiding for Data Sets:
Name hiding for UNIX Files and Directories:
Important! Name hiding is not available in an HFS file system; only in a zFS file system.
Note: Name hiding degrades the performance of a system. When name hiding is active in an MLS environment, system performance is further degraded. Do not activate name hiding if any system sharing the CA Top Secret database does not meet the minimum software requirements for MLS support. Use of the name hiding option should not cause problems on these systems, but it does not provide full protection on these systems. You must be operating at z/OS R1V5 or above to activate name hiding in a CA Top Secret system.
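The name-hiding behaviour described above for catalog listings can be modelled in a few lines. This Python sketch is an added illustration, not product code: the catalog contents, ACID names, numeric security levels (a simplification of security labels) and `*` wildcard matching are all assumptions. It shows that a generic listing omits names the user cannot read, while an exact-name request still returns the name even though access to the data is denied.

```python
from fnmatch import fnmatchcase

# Constructed catalog: data set name -> (security level, ACIDs with READ or higher).
# Numeric levels stand in for security labels (assumption for this sketch).
CATALOG = {
    "PAYROLL.MASTER": (3, {"PAYADM"}),
    "PAYROLL.REPORTS": (1, {"PAYADM", "CLERK1"}),
    "SALES.Q1": (1, {"CLERK1"}),
}


def may_read(acid, level, dsn, mls_active=True):
    """Rule validation plus, when MLS is active, a security label check."""
    ds_level, readers = CATALOG[dsn]
    if acid not in readers:
        return False
    return not mls_active or level >= ds_level


def list_names(acid, level, request, mlname=True, mls_active=True):
    """Names returned to a user for a catalog listing request."""
    if request in CATALOG:
        return [request]            # exact name: shown even without READ access
    hits = sorted(n for n in CATALOG if fnmatchcase(n, request))
    if not mlname:
        return hits                 # MLNAME(NO): names are not hidden
    return [n for n in hits if may_read(acid, level, n, mls_active)]


if __name__ == "__main__":
    print(list_names("CLERK1", 1, "PAYROLL.*"))        # generic request
    print(list_names("CLERK1", 1, "PAYROLL.MASTER"))   # exact-name request
    print(may_read("CLERK1", 1, "PAYROLL.MASTER"))     # data itself stays protected
```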
DFSMSdfp is the storage management system for z/OS MVS. It enables a site to centralize the management of external storage. The storage administrator uses the Interactive Storage Management Facility (ISMF) to implement a site's storage management policy. Through a combination of automatic class selection (ACS) routines and resource rules to protect the STORCLAS, MGMTCLAS, and PROGRAM classes, DFSMSdfp and CA Top Secret provide protection for DFSMSdfp functions.
Copyright © 2010 CA Technologies. All rights reserved.