

ACIDs

You can restrict an ACID's access to:

ACID Structure

An ACID can be up to eight alphanumeric characters long, which normally corresponds with the user's system user ID. You can use the same ACID for all facilities or use a different ACID for each facility (such as TSO, CICS, and z/VM).

CA Top Secret recognizes several different types of ACIDs, ranging from a user to an entire zone. These types comprise the basic hierarchical structure of your CA Top Secret database. Each ACID type is then associated with a set of resource access authorizations.

Functional ACIDs

Functional ACIDs let you perform specific tasks and “report to” organizational ACIDs. The functional ACIDs available are:

User ACIDs

The user is a person. Individuals are associated with user ACIDs or control ACIDs. A user ACID designates a specific employee in a department but can refer to any ACID type (functional or organizational).

Every user ACID must be associated with a single department ACID.

Profile ACIDs

When a group of users needs to use a set of identical resources in the same way (the users perform similar or related job functions), define this set of access authorizations once and then associate the entire set with each of the users in the group. In CA Top Secret, this set of common resource access characteristics is termed a profile. Every profile is assigned a unique profile ACID.

Once you define a profile, you can associate it with any number of users (at the same or different levels in the hierarchy), thereby eliminating the need to define each resource access authorization separately for every user.

Every profile ACID must be associated with, and defined to, a single department ACID.

Group ACIDs

CA Top Secret supports the concept of groups in the IBM Open environment. A group is similar to a profile in that it is a collection of users who can share access authorities for protected resources. IBM USS recognizes groups but not profiles.

Organizational ACIDs

Organizational ACIDs let you construct the upper levels of your security hierarchy. Organizational ACIDs report to other organizational ACIDs. Organizational ACIDs never report to functional ACIDs. The organizational ACIDs available are:

Department ACIDs

Users typically work for a particular department. CA Top Secret recognizes this logical separation by requiring each user ACID to be associated with one department ACID. Every department is assigned a unique Department ACID. You can assign resources to a department, and this is the level at which we recommend assigning them.

A Department ACID cannot be directly attached to a Zone ACID. You must attach this ACID to a Division ACID that is attached to a Zone ACID.

Division ACIDs (Optional)

CA Top Secret lets you define multiple divisions within your corporate security structure. Each division is composed of one or more departments. Every division is assigned a unique division ACID. You can assign resources to a division.

A division can have one or more VCA administrative ACIDs assigned to administer various authorities for other ACIDs assigned to the division.

Zone ACIDs (Optional)

Use a zone to group two or more divisions. Every zone is assigned a unique zone ACID. Resources can be assigned to a zone. A Department ACID cannot be directly attached to a Zone, but it can be attached to a Division ACID attached to a Zone ACID. A zone can have one or more ZCA administrative ACIDs assigned to administer various authorities for other ACIDs assigned to the zone.

You can assign resources to zones, but we do not recommend it.
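
The attachment rules stated in the sections above can be checked mechanically when reviewing an ACID inventory. The following is an added example, not CA Top Secret code or output: the record layout (name, type, owner), the sample ACID names, and the choice to accept departments and divisions with no recorded owner are all assumptions made for illustration.

```python
# Added example: audit a constructed ACID inventory against the structural
# rules described on this page. Not a CA Top Secret export format.
FUNCTIONAL = {"USER", "PROFILE", "GROUP"}
ORGANIZATIONAL = {"DEPARTMENT", "DIVISION", "ZONE"}
# Owner types each ACID type may attach to. None means "no owner recorded";
# allowing it for DEPARTMENT and DIVISION is an assumption, made because
# divisions and zones are optional levels.
ALLOWED_OWNER = {
    "USER": {"DEPARTMENT"},
    "PROFILE": {"DEPARTMENT"},
    "DEPARTMENT": {None, "DIVISION"},
    "DIVISION": {None, "ZONE"},
}

def audit_acids(acids):
    """acids maps ACID name -> (type, owner name or None); returns findings."""
    findings = []
    for name, (kind, owner) in sorted(acids.items()):
        # An ACID is at most eight alphanumeric characters.
        if not (len(name) <= 8 and name.isascii() and name.isalnum()):
            findings.append((name, "name is not 1-8 alphanumeric characters"))
        if owner is not None and owner not in acids:
            findings.append((name, "owner ACID is not defined"))
            continue
        owner_kind = acids[owner][0] if owner is not None else None
        # Organizational ACIDs never report to functional ACIDs.
        if kind in ORGANIZATIONAL and owner_kind in FUNCTIONAL:
            findings.append((name, "organizational ACID reports to a functional ACID"))
        elif kind in ALLOWED_OWNER and owner_kind not in ALLOWED_OWNER[kind]:
            expected = " or ".join(sorted(k for k in ALLOWED_OWNER[kind] if k))
            findings.append((name, f"{kind} must attach to {expected}, not {owner_kind}"))
    return findings

# Constructed sample inventory (hypothetical names).
SAMPLE = {
    "ZONEA": ("ZONE", None),
    "DIVFIN": ("DIVISION", "ZONEA"),
    "DEPTPAY": ("DEPARTMENT", "DIVFIN"),
    "DEPTHR": ("DEPARTMENT", "ZONEA"),      # department attached straight to a zone
    "PAYPROF": ("PROFILE", "DEPTPAY"),
    "USER01": ("USER", "DEPTPAY"),
    "USER02": ("USER", "DIVFIN"),           # user not attached to a department
    "LONGUSERID1": ("USER", "DEPTPAY"),     # longer than eight characters
    "DIVOPS": ("DIVISION", "USER01"),       # organizational under functional
}

if __name__ == "__main__":
    for acid, problem in audit_acids(SAMPLE):
        print(f"{acid}: {problem}")
```

Group ACIDs and Zone ACIDs get no owner-type check beyond the functional/organizational rule, because the page states no attachment requirement for them.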

Control ACIDs

Control ACIDs define security administrators that are associated with various structural levels within the CA Top Secret database. A control ACID can be a regular user of system facilities. A control ACID can issue subsystem commands and perform other functions, such as accessing data sets and submitting jobs.

Initially, CA Top Secret knows of only one control ACID—the MSCA ACID—for the security administrator. You define this ACID to CA Top Secret during installation. You create other control ACIDs later. Each type of control ACID performs administrative tasks for the structural level it is associated with. To enable the control ACID to perform these tasks, each one is assigned a scope of authority and administrative authorities within that scope.

ACID Validation

CA Top Secret validates ACIDs in different ways to protect against unauthorized use. First, CA Top Secret checks the security file to determine whether a designated ACID is defined by seeing if a security record exists for it. Second, if the ACID is undefined, CA Top Secret responds based on the initial control option settings for the security mode and various system options.