Rules Facility Guide › Introduction › Features of the CA VM:Secure Rules Facility

Features of the CA VM:Secure Rules Facility

The CA VM:Secure Rules Facility is a database of site‑defined rules that controls user access to various system resources. The Rules Facility performs the following functions:

• Intercepts the following CP commands and either accepts or rejects them based on an applicable rule found in the rules database:
  • ATTACH
  • AUTOLOG
  • COUPLE
  • DIAL
  • FOR
  • LINK
  • LOGON
  • LOGON BY
  • SPOOL
  • STORE HOST
  • TAG
  • TRANSFER
  • TRSOURCE
  • XAUTOLOG
• Intercepts the following CP Directory statements and either accepts or rejects them based on an applicable rule found in the rules database:
  • DEDICATE
  • NICDEF
• Intercepts the following CA product commands and functions and either accepts or rejects them based on an applicable rule found in the rules database:
  • CA VM:Secure
    • GROUP
    • Password validation via Diagnose X’A0’ Subfunction X’04’
    • Password validation via Diagnose X’88’ Subfunction X’08’
  • CA VM:Schedule
    • CANCEL
    • QUERY
    • SCHEDULE
  • CA VM:Tape
    • CATALOG
    • LIST
    • MOUNT
• Authorizes the use of the following CP functions:
  • APPC/VM Connect with Password function
  • DIAGNOSE X’D4’
  • DIAGNOSE X’88’
  • DIAGNOSE X’A0’ Password change subcodes X’60’ and X’214’
• Implements CP DIAGNOSE X’A0’ to allow you return the ACIGROUP for a user ID, validate a user’s logon password, determine whether a user can perform a LOGONBY of another user, determine whether an external security manager is installed, and allow programs on different virtual machines to change a user’s password and its status
• Creates rules dynamically when invalid passwords for the LOGONBY Facility and the AUTOLOG, DIAL, LOGON, LOGON BY, LINK, and XAUTOLOG CP commands and password validation diagnose calls reach the maximum your site has defined
• Allows your site to determine how to handle excessive invalid logon attempts
• Maintains rules at six levels: system override, security group, user, group default, system default, and NORULE default
• Displays a message at logon time that provides information about when a user was last logged on
• Displays a message when a user logs on about the number of invalid logon attempts since last logon
• Provides historical information for each virtual machine about past attempts to access that virtual machine or its minidisks
• Allows you to specify time of day and dates when users can access virtual machines and minidisks
• Coordinates directory maintenance and rules modifications by removing rules for user IDs that you delete from the directory and changing rule references when you change a user ID
• Audits all controlled functions and provides reports for this audit data