The first two ADDSD commands in this example ensure that universal access to all objects is denied. The remaining ADDSD commands define the generic profiles needed for controlling access to the data set, volume, storage group, data set group, and construct objects.
Add the logon IDs of users who are to have access to all objects to the first example PERMIT command.
If there are users with the OPERATIONS attribute who should not have access to CA Vantage SRM objects, you can specifically deny them access by placing their logon IDs in the second example PERMIT command. For users who are granted access only to specific objects, but not all of them, put their logon IDs in PERMIT commands as shown in the third through seventh entries below.
ADDSD 'SYSSSM' OWNER(SYSSSM) UACC(NONE)
ADDSD 'SYSSSM.FUNC' OWNER(SYSSSM) UACC(NONE)
ADDSD 'SYSSSM.FUNC.D' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.V' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.P' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.G' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.S' GENERIC OWNER(SYSSSM)

PERMIT 'SYSSSM.FUNC.**' ID(logon IDs) ACCESS(ALTER)
PERMIT 'SYSSSM.FUNC.**' ID(users with OPERATIONS attribute) ACCESS(NONE)
PERMIT 'SYSSSM.FUNC.D' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.V' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.P' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.G' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.S' ID(logon IDs) ACCESS(READ)
Example: How to define and permit the resource SYSSSM in RACF
This defines the FACILITY class entry:
RDEF FACILITY SYSSSM.FUNC UACC(NONE)
These commands permit the resource to the users that require it:

PERMIT SYSSSM.FUNC CLASS(FACILITY) ID(Vantage stc user) ACCESS(UPDATE)
PERMIT SYSSSM.FUNC CLASS(FACILITY) ID(user) ACCESS(READ)
This entry limits a user's access to the single object-tree function "n":
PERMIT SYSSSM.FUNC.n CLASS(FACILITY) ID(user) ACCESS(READ)
This command rebuilds the in-storage FACILITY class table so the new profiles take effect:
SETROPTS RACLIST(FACILITY) REFRESH
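The Python model below is added here as an illustration and is not CA Vantage SRM or RACF code. It loads the DATASET profiles and PERMIT entries from the first example and the FACILITY entries from the second, then resolves access requests the way RACF does for these cases: the single most specific matching profile is chosen, an explicit access-list entry wins, UACC(NONE) is the fallback, and the OPERATIONS attribute grants access to DATASET resources unless the user is listed with lower access (which is what the ACCESS(NONE) entry achieves), while it confers nothing in the FACILITY class. The user IDs ADMIN1, OPS1, OPS2, DSUSER1, VANTSTC and USER1 are constructed; the model assumes a generic profile SYSSSM.FUNC.** exists for the first two PERMIT commands to attach to, and that PROTECTALL is active so an unprotected name is denied. Group connections, warning mode and global access checking are left out.

```python
"""Simplified model of a RACF access check for the profiles defined above.
Added illustration, not RACF code; see the lead-in for what is assumed."""
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Classes in which the OPERATIONS attribute confers access (subset, for the model).
OPERATIONS_CLASSES = {"DATASET", "DASDVOL", "TAPEVOL"}


def rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass
class Profile:
    name: str                                  # e.g. 'SYSSSM.FUNC.**'
    uacc: str = "NONE"                         # UACC(...) on ADDSD / RDEF
    generic: bool = False                      # GENERIC keyword or wildcard
    acl: dict = field(default_factory=dict)    # PERMIT entries: id -> access


@dataclass
class User:
    id: str
    operations: bool = False                   # OPERATIONS attribute set


def _qualifiers_match(pat: list, res: list) -> bool:
    """'**' matches zero or more qualifiers, '*' exactly one, else literal."""
    if not pat:
        return not res
    head, rest = pat[0], pat[1:]
    if head == "**":
        return any(_qualifiers_match(rest, res[i:]) for i in range(len(res) + 1))
    if not res or (head != "*" and head != res[0]):
        return False
    return _qualifiers_match(rest, res[1:])


def best_profile(profiles, resource):
    """Return the profile RACF would authorize against, or None if unprotected.
    Discrete profiles beat generic ones; among generics, fewer wildcards win."""
    matches = [p for p in profiles
               if (_qualifiers_match(p.name.split("."), resource.split("."))
                   if p.generic else p.name == resource)]
    if not matches:
        return None

    def specificity(p):
        wild = sum(q in ("*", "**") for q in p.name.split("."))
        return (p.generic, wild, -len(p.name))
    return min(matches, key=specificity)


def check_access(profiles, klass, user, resource, requested):
    """Return (allowed, reason) for `user` requesting `requested` access."""
    prof = best_profile(profiles, resource)
    if prof is None:                 # PROTECTALL assumed: unprotected is denied
        return False, "no profile protects the resource"
    if user.id in prof.acl:          # explicit PERMIT entry wins, even NONE
        granted = prof.acl[user.id]
        reason = f"access list of {prof.name} grants {granted}"
    elif user.operations and klass in OPERATIONS_CLASSES:
        granted = "ALTER"            # OPERATIONS user not named on the list
        reason = f"OPERATIONS attribute, user not on access list of {prof.name}"
    else:
        granted = prof.uacc
        reason = f"UACC({granted}) of {prof.name}"
    return rank(granted) >= rank(requested), reason


def dataset_profiles():
    """DATASET profiles from the ADDSD/PERMIT example (constructed IDs):
    ADMIN1 = logon ID with access to all objects, OPS1 = OPERATIONS user to be
    kept out, DSUSER1 = user allowed to read only the data set object 'D'.
    The 'SYSSSM.FUNC.**' generic profile is assumed to exist."""
    profiles = [Profile("SYSSSM"), Profile("SYSSSM.FUNC"),
                Profile("SYSSSM.FUNC.**", generic=True,
                        acl={"ADMIN1": "ALTER", "OPS1": "NONE"}),
                Profile("SYSSSM.FUNC.D", generic=True, acl={"DSUSER1": "READ"})]
    profiles += [Profile(f"SYSSSM.FUNC.{obj}", generic=True) for obj in "VPGS"]
    return profiles


def facility_profiles():
    """FACILITY profiles from the RDEF/PERMIT example; 'n' is the page's
    placeholder for one object-tree function. VANTSTC = Vantage STC user."""
    return [Profile("SYSSSM.FUNC", acl={"VANTSTC": "UPDATE", "USER1": "READ"}),
            Profile("SYSSSM.FUNC.n", acl={"USER1": "READ"})]


if __name__ == "__main__":
    ds = dataset_profiles()
    for uid, ops, res in [("DSUSER1", False, "SYSSSM.FUNC.D"),
                          ("OPS1", True, "SYSSSM.FUNC.X"),
                          ("OPS2", True, "SYSSSM.FUNC.X")]:
        print(uid, res, check_access(ds, "DATASET", User(uid, ops), res, "READ"))
```

Because RACF authorizes against only the best-matching profile, the ACCESS(NONE) entry on SYSSSM.FUNC.** keeps an OPERATIONS user out of names that resolve to that profile (SYSSSM.FUNC.X in the model) but has no effect on a name that resolves to SYSSSM.FUNC.D; `best_profile` shows which profile each object name lands on, so the same check is worth doing on the real system with the profile-listing commands before relying on the deny entry.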
Copyright © 2014 CA.
All rights reserved.