

System Entry Protection

Once ACIDs have been defined to CA Top Secret, users must pass at least two tests to enter the system:

As part of a flexible approach to security administration, CA Top Secret supports a wide variety of password security policies by using password protection controls and options. Some of these controls and options are:

In addition to these password controls, an ACID can also be restricted to:

Types of ACIDs

ACIDs are the ACcessor IDs by which users are identified to CA Top Secret. An ACID can be up to eight alphanumeric characters long, which normally corresponds with the user’s system userid. With CA Top Secret, you have the option of using the same ACID for all facilities or using a different ACID for each facility (that is, TSO, CICS, VM, and so on).

CA Top Secret recognizes several different types of ACIDs, ranging from a user to an entire zone. Together, these types comprise the basic hierarchical structure of your CA Top Secret security database. Each of these ACID types is then associated with a set of resource access authorizations.

The simplest, and generally the most useful, way to build your security database is to create a security hierarchy that mirrors your actual corporate structure. However, CA Top Secret does not limit you to this approach. The basic function of the corporate structure defined to CA Top Secret is to serve as a coordinating framework for security administration at your installation. Therefore, its design should be dictated by what will best facilitate security implementation and maintenance.

The CA Top Secret hierarchy is constructed from seven ACID types:

These ACID types fall into one of two categories:

Functional ACIDs are User, Profile, Group, and Control ACIDs, and are used to perform specific tasks. Organizational ACIDs are Department, Division, and Zone ACIDs, and are used to construct the upper levels of your security hierarchy.

Functional ACIDs report to organizational ACIDs, while organizational ACIDs report to other organizational ACIDs. Organizational ACIDs never report to functional ACIDs.

User ACIDs

At times, the difference between a user and a User ACID can be confusing. Just remember that a user is a person. A User ACID designates a specific employee in a department—the lowest level of the CA Top Secret organizational hierarchy. Individuals are associated with User ACIDs or Control ACIDs.

Every User ACID must be associated with a single Department ACID.

Profile ACIDs

When a group of users need to use a set of identical resources in the same way (the users perform similar or related job functions), it is convenient to define this set of access authorizations once and then associate the entire set with each of the users in the group. In CA Top Secret this set of common resource access characteristics is termed a Profile. Every profile is assigned a unique Profile ACID. Once a profile is defined it can be associated with any number of users (at the same or different levels in the hierarchy), thereby eliminating the need to define each resource access authorization separately for every user.

Every Profile ACID must be associated with and defined to a single Department ACID.

Group ACIDs

CA Top Secret supports the concept of Groups in the IBM OpenMVS environment. A Group is similar to a Profile in that it is a collection of users who can share access authorities for protected resources; however, Groups are recognized by IBM OpenMVS while Profiles aren't.

Department ACIDs

At any installation, users typically work for a particular department. CA Top Secret recognizes this logical separation by requiring each User ACID to be associated with one Department ACID.

Division ACIDs

CA Top Secret lets you optionally define multiple divisions within your corporate security structure. Each division can be composed of one or more departments. (A department does not have to be associated with a division.) Every division is assigned a unique Division ACID, and resources can be assigned to a Division just as they can be assigned to a Department, Profile, or User.

Zone ACIDs

A Zone ACID is another optional organizational level in your corporate security structure. A zone can be used to group two or more divisions. Every Zone is assigned a unique Zone ACID and—as with Users, Profiles, Departments, and Divisions—resources can be assigned to a zone as well.

Control ACIDs

Control ACIDs are used for administrative purposes and define security administrators that are associated with various structural levels within the CA Top Secret security database. A Control ACID, like an ordinary User ACID, can be a regular user of system facilities. A Control ACID can issue subsystem commands and perform other functions—such as access data sets and submit jobs.

Initially, CA Top Secret knows of only one Security Administrator—the MSCA ACID. This ACID is defined to CA Top Secret during the installation process; other Control ACIDs are created later.

Each type of Control ACID performs administrative tasks for the structural level it is associated with. To enable the Control ACID to perform these tasks, each one is assigned a scope of authority and administrative authorities within that scope.
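To show how the seven ACID types fit together, here is an added example of the TSS commands that would build one such hierarchy; it is not from the original page, and every ACID name, NAME value, data set prefix, GID and initial password is a constructed placeholder. Lines beginning with an asterisk are explanatory comments, not commands.

```tss
* Organizational ACIDs, top down. Zone and division are optional levels;
* each lower level names the organizational ACID it reports to.
TSS CREATE(ZONE01) TYPE(ZONE) NAME('CORPORATE ZONE')
TSS CREATE(DIV01)  TYPE(DIVISION) NAME('FINANCE DIVISION') ZONE(ZONE01)
TSS CREATE(DEPT01) TYPE(DEPARTMENT) NAME('PAYROLL DEPT') DIVISION(DIV01)

* A department may also stand alone, with no division above it.
TSS CREATE(DEPT02) TYPE(DEPARTMENT) NAME('AUDIT DEPT')

* Functional ACIDs report only to organizational ACIDs; a user or profile
* must name exactly one department. PASSWORD(pw,0) expires the constructed
* initial password at once so the user must choose a new one at first signon.
TSS CREATE(PROF01) TYPE(PROFILE) NAME('PAYROLL CLERK') DEPARTMENT(DEPT01)
TSS CREATE(USER01) TYPE(USER) NAME('J. DOE') DEPARTMENT(DEPT01) PASSWORD(INITPW1,0) FACILITY(TSO)

* Group ACID for the OpenMVS (z/OS UNIX) environment; GID is the UNIX group id.
TSS CREATE(GRP01) TYPE(GROUP) NAME('PAYROLL UNIX GROUP') DEPARTMENT(DEPT01) GID(1001)

* Departmental Control ACID (DCA): an administrator whose scope is DEPT01.
TSS CREATE(DCA01) TYPE(DCA) NAME('PAYROLL ADMIN') DEPARTMENT(DEPT01) PASSWORD(INITPW2,0)

* Define the shared access once on the profile, then attach the profile
* to each user who needs it instead of permitting every user separately.
TSS PERMIT(PROF01) DSNAME(PAYROLL.) ACCESS(READ)
TSS ADDTO(USER01) PROFILE(PROF01)

* Verify the user's placement in the hierarchy and the profile it inherits.
TSS LIST(USER01) DATA(ALL)
```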