Security Modes

CA Top Secret uses the following security modes:

Dormant Mode

To introduce yourself and your organization to CA Top Secret, implement DORMANT mode first. Although CA Top Secret is installed, it is not actively validating access.

Warn Mode

Use WARN mode to:

You can set WARN mode by facility, profile, user, resource, or event.

Some applications make RACROUTE calls with the LOG=NOFAIL parameter. In WARN mode, these calls are written to the audit file if the check fails, but no message is displayed. This behavior is normal.

Signon Violations

In WARN mode, define all users to CA Top Secret; otherwise, CA Top Secret generates and records signon violations. WARN mode does not prevent an undefined user from signing on or gaining access to a protected resource.

Password Violations

WARN mode does not prevent a defined user from signing on with an incorrect password, but this action generates a password violation.

To force a defined user to supply a correct password in WARN mode, set the WARNPW sub-option of the FACILITY control option.

CA Top Secret administrators must always supply a correct password, even in DORMANT mode.

Resource Violations

If you give default protection to specific resource classes by attaching the DEFPROT attribute, WARN mode generates violations for all defined resources.

Global Warn Mode

Use Global WARN mode to test segments of the implementation, or to back off from FAIL mode when an implemented segment of the organization is in trouble. Your organization could choose an implementation strategy that includes installation-wide use of WARN mode.

Implement Mode

IMPLEMENT (IMPL) mode treats defined users in FAIL mode and undefined users in DORMANT mode. This mode lets you combine DORMANT and FAIL modes easily in your implementation strategy. All resources defined to CA Top Secret are protected and cannot be accessed by undefined users unless permissions have been defined to the ALL record. Unauthorized access attempts by defined or undefined users are failed. Resources not defined to CA Top Secret are generally not protected.

Many organizations use a global IMPLEMENT mode strategy during implementation and override that mode where appropriate by facility, profile, user, resource, or event.

Fail Mode

CA Top Secret is in full control of access requests. All users must be defined and resources protected by being owned or by DEFPROT protection. Unauthorized access requests fail. Using a phased approach, your implementation strategy may include a gradual migration by segment to FAIL mode. Your implementation goal should be to have your entire installation operating in FAIL mode.

Phased Implementation

In a typical security environment, the entire installation gradually moves from DORMANT to FAIL mode. This phased implementation allows you to:

Security modes can be assigned to a site, facility, profile, user, resource, or event.

Using Concurrent Security Modes

Security modes can be assigned with:

When the security mode is set through a control option, that mode applies to the entire installation or, in the case of the FACILITY/MODE sub-option, to a specific facility (for example, TSO).

Examples: security modes

In this example, the MODE control option places the entire installation in WARN mode:

TSS MODIFY MODE(WARN)

In this example, the TSO facility is in IMPL mode:

TSS MODIFY FACILITY(TSO=MODE=IMPL)

In this example, USER01 is put in WARN mode regardless of what mode the rest of the site is in:

TSS PERMIT(USER01) MODE(WARN)
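
The following sketch is an added example, not CA Top Secret code or part of the original documentation. It is a simplified Python model of how the three scopes shown above resolve to one effective mode, and of what each mode then does with a signon followed by a request for a defined resource. The function names, the precedence order (user, then facility, then global) and the sample users and facilities are assumptions made for illustration.

```python
"""Simplified model of the mode behaviour described on this page.
Added example, not CA Top Secret code; all names here are hypothetical."""
from typing import List, Optional, Tuple

MODES = ("DORMANT", "WARN", "IMPL", "FAIL")


def effective_mode(global_mode: str, facility_mode: Optional[str] = None,
                   user_mode: Optional[str] = None) -> str:
    """Most specific setting wins: user permit, then facility, then MODE option.
    Assumption: precedence inferred from the USER01 and TSO examples above."""
    mode = user_mode or facility_mode or global_mode
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    return mode


def evaluate(mode: str, user_defined: bool, permitted: bool) -> Tuple[bool, List[str]]:
    """Signon plus one request for a resource that is defined to the product.
    `permitted`: a permission covers the request (for an undefined user this
    can only come from the ALL record). Returns (allowed, failed_checks)."""
    if mode == "DORMANT":
        return True, []                      # installed, not validating access
    if mode == "IMPL":
        # Undefined users sign on as in DORMANT; defined resources stay protected.
        return permitted, ([] if permitted else ["resource"])
    failed = []
    if not user_defined:
        failed.append("signon")
        if mode == "FAIL":
            return False, failed             # all users must be defined
    if not permitted:
        failed.append("resource")
    # WARN records the failed checks as violations but never blocks.
    return mode == "WARN" or not failed, failed


if __name__ == "__main__":
    # Constructed scenario: site in FAIL, TSO facility in IMPL, USER01 in WARN.
    cases = [("USER01", "TSO", "WARN", True, False),
             ("GUEST", "TSO", None, False, False),
             ("GUEST", "BATCH", None, False, True)]
    for user, fac, user_mode, defined, permitted in cases:
        fac_mode = "IMPL" if fac == "TSO" else None
        mode = effective_mode("FAIL", fac_mode, user_mode)
        print(user, fac, mode, evaluate(mode, defined, permitted))
```

The model covers only resources that are defined to CA Top Secret; it does not model WARNPW, administrator password checks, or resources left undefined.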

Migrating to FAIL Mode

To migrate to FAIL mode: