

Protecting From DIAL Access

Selected virtual machines can be protected from unauthorized DIAL access. For example:

TSS ADDTO(SECDEPT) VMDIAL(MVS)

This command makes SECDEPT the owner of dial capability to the MVS machine. That is, any user who tries to DIAL the MVS virtual machine is challenged. To DIAL MVS, the user must supply the correct ACID and password.

Before the user can DIAL MVS, the user must first have been PERMITted to DIAL the MVS virtual machine:

TSS PERMIT(USER01) VMDIAL(MVS)

Additionally, you may specify to which line in the virtual machine the user may dial. This is done by appending the line number to the end of the VMDIAL operand. For example, the following forces the user to dial into the MVS machine’s virtual GRAF devices 0020 through 002F. An attempt to dial into any other line fails.

TSS PER(USER01) VMDIAL(MVS.002(G))

Note: The Security Validation Algorithm treats VMDIAL resources differently depending on whether or not the user includes a specific line on the dial command. If the user does specify a line ('D MVS 0020'), CA Top Secret interprets the resource requested to be VMDIAL(MVS 0020). To be allowed access to this resource, a user should be permitted to it either explicitly or by a generic permit, as in the following examples:

TSS PERMIT(USER02) VMDIAL(MVS.0020)
TSS PERMIT(USER02) VMDIAL(MVS.002(G))
TSS PERMIT(USER02) VMDIAL(MVS(G))

Note that because VMDIAL is a NONGENERIC resource, a permit to VMDIAL(MVS) will not allow access to VMDIAL(MVS.0020). By contrast, if the user does not include a line number in the dial command ('D MVS'), then the requested resource is VMDIAL(MVS), and a permit to VMDIAL(MVS) would grant access to this resource.

Administrators should exercise great care in defining permissions to a VMDIAL resource because of the different ways in which a user can issue a dial command.
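
A review aid for the caution above, as an added Python example that is not CA Top Secret code or part of the original documentation: it models the matching rules this section describes and reports what each permit allows for both forms of the DIAL command. The ACIDs in the sample are constructed, and treating (G) as a prefix match is an assumption drawn from the MVS.002(G) example.

```python
import re

# Constructed sample permits (ACIDs are made up; operand forms are the page's).
SAMPLE_PERMITS = """\
TSS PERMIT(USER01) VMDIAL(MVS)
TSS PER(USER02) VMDIAL(MVS.002(G))
TSS PERMIT(USER03) VMDIAL(MVS(G))
"""

PERMIT_RE = re.compile(
    r"TSS\s+PER(?:MIT)?\((?P<acid>\w+)\)\s+VMDIAL\((?P<res>[\w.]+)(?P<gen>\(G\))?\)",
    re.IGNORECASE)


def parse_permits(text):
    """Return {acid: [(resource, is_generic), ...]} from TSS PERMIT lines."""
    permits = {}
    for m in PERMIT_RE.finditer(text):
        entry = (m["res"].upper(), m["gen"] is not None)
        permits.setdefault(m["acid"].upper(), []).append(entry)
    return permits


def requested_resource(dial_command):
    """'D MVS' requests MVS; 'D MVS 0020' requests MVS.0020 (as on this page)."""
    words = dial_command.upper().split()
    if len(words) not in (2, 3) or words[0] not in ("D", "DIAL"):
        raise ValueError(f"not a DIAL command: {dial_command!r}")
    return ".".join(words[1:])


def may_dial(permits, acid, dial_command):
    """Assumed model: a (G) permit matches by prefix, any other permit exactly."""
    wanted = requested_resource(dial_command)
    return any(wanted.startswith(res) if generic else wanted == res
               for res, generic in permits.get(acid.upper(), []))


def audit(permits, commands):
    """Evaluate every ACID against every form of the DIAL command."""
    return {(acid, cmd): may_dial(permits, acid, cmd)
            for acid in sorted(permits) for cmd in commands}


if __name__ == "__main__":
    forms = ["D MVS", "D MVS 0020", "D MVS 0030"]
    for (acid, cmd), ok in audit(parse_permits(SAMPLE_PERMITS), forms).items():
        print(f"{acid:8} {cmd:12} {'allowed' if ok else 'denied'}")
```

Running the audit over an exported permit list with both the line and no-line forms of the command shows where a nongeneric permit such as VMDIAL(MVS) silently fails for users who name a line.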