Define the CA WA CA 7 Edition Agent Job Submission/Command Security

If agent job submissions and command executions are being validated, authorizations are performed to verify that the mainframe user (MFUser) is authorized to submit agent jobs to the specific agent name using the agent user ID. Authorizations are also performed to verify that the signed-on user is authorized to perform any agent command executions. The AGCLASS keyword on the SECURITY statement determines the resource class used for these authorizations.

The following are examples of CA WA CA 7 Edition agent job submission and agent command execution rules:

This example illustrates defining ownership and then giving job submission authority using a specific agent user ID and specific agent name:

RDEFINE AGENT (CA71.AGENTUSR) DATA('CA 7 agent job submission') OWNER(CA7USERS) UACC(NONE)

RDEFINE

Identifies the RACF command used to define general resources.

AGENT

Identifies the resource class type for agent job submissions. See the SECURITY statement AGCLASS keyword.

(CA71.AGENTUSR)

Identifies the resource name for CA WA CA 7 Edition agent job submission.

OWNER(CA7USERS)

Identifies a predefined RACF user or group profile that owns this resource.

UACC(NONE)

Identifies the universal access level for this resource. In this case, NONE.

PERMIT CA71.AGENTUSR.AGTUSER1.UNIXAGT CLASS(AGENT) ID(xxxxxxx) ACCESS(READ)

PERMIT

Identifies the RACF command used to grant access to a resource.

CA71.AGENTUSR.AGTUSER1.UNIXAGT

Identifies the resource name in the following format:

ca7-instance-id.AGENTUSR.agent-userid.agent-name

CLASS(AGENT)

Identifies the resource class type.

ID(xxxxxxx)

Identifies the USERID being granted access to the resource.

ACCESS(READ)

Identifies the access level needed for agent job submission.

This example illustrates defining ownership and giving agent command execution authority for a specific agent name:

RDEFINE AGENT (CA71.AGENTMSG) DATA('CA 7 agent command execution') OWNER(CA7USERS) UACC(NONE)

RDEFINE

Identifies the RACF command used to define general resources.

AGENT

Identifies the resource class type for agent job submissions. See the SECURITY statement AGCLASS keyword.

(CA71.AGENTMSG)

Identifies the resource name for CA WA CA 7 Edition agent command execution.

OWNER(CA7USERS)

Identifies a predefined RACF user or group profile that owns this resource.

UACC(NONE)

Identifies the universal access level for this resource. In this case, NONE.

PERMIT CA71.AGENTMSG.CONTROLSHUTDOWN.UNIXAGT CLASS(AGENT) ID(xxxxxxx) ACCESS(READ)

PERMIT

Identifies the RACF command used to grant access to a resource.

CA71.AGENTMSG.CONTROLSHUTDOWN.UNIXAGT

Identifies the resource name in the following format:

ca7-instance-id.AGENTMSG.verbsubverb.agent-name

CLASS(AGENT)

Identifies the resource class type.

ID(xxxxxxx)

Identifies the USERID being granted access to the resource.

ACCESS(READ)

Identifies the access level needed for agent command execution.
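
The following review script is an added example, not part of the product documentation or of CA WA CA 7 Edition. It checks a deck of RDEFINE and PERMIT commands against the two resource-name formats and the UACC(NONE) and ACCESS(READ) settings shown above. It assumes AGCLASS names the AGENT class used in these examples; the function names, the user ID OPER01, and the last two commands in the deck are constructed for illustration.

```python
import re

# Meaning of the third qualifier per rule type, from the formats on this page.
KINDS = {"AGENTUSR": "agent-userid", "AGENTMSG": "verbsubverb"}

def operand(cmd, keyword):
    """Return the value inside KEYWORD(...), upper-cased, or None if absent."""
    m = re.search(r"\b%s\(([^)]*)\)" % keyword, cmd, re.I)
    return m.group(1).strip().upper() if m else None

def parse_resource(name):
    """Split ca7-instance-id.AGENTUSR|AGENTMSG.<third>.agent-name into fields."""
    quals = name.upper().split(".")
    if len(quals) != 4 or quals[1] not in KINDS:
        return None
    return {"instance": quals[0], "type": quals[1],
            KINDS[quals[1]]: quals[2], "agent-name": quals[3]}

def review(cmd, agclass="AGENT"):
    """Return findings for one RDEFINE or PERMIT command (empty list = clean)."""
    words, out = cmd.split(), []
    verb = words[0].upper()
    if verb == "RDEFINE":
        if words[1].upper() != agclass:
            out.append("class does not match AGCLASS")
        if operand(cmd, "UACC") != "NONE":
            out.append("UACC(NONE) not specified")
    elif verb == "PERMIT":
        if operand(cmd, "CLASS") != agclass:
            out.append("class does not match AGCLASS")
        if parse_resource(words[1]) is None:
            out.append("resource name does not fit either documented format")
        if re.search(r"[*%]", words[1]):
            out.append("generic profile: may cover more than one resource name")
        if operand(cmd, "ID") == "*":
            out.append("ID(*) grants access to every RACF-defined user")
        if operand(cmd, "ACCESS") != "READ":
            out.append("ACCESS differs from READ")
    return out

# Constructed command deck; OPER01 and the last two commands are invented.
DECK = [
    "RDEFINE AGENT (CA71.AGENTUSR) DATA('CA 7 agent job submission') OWNER(CA7USERS) UACC(NONE)",
    "PERMIT CA71.AGENTUSR.AGTUSER1.UNIXAGT CLASS(AGENT) ID(OPER01) ACCESS(READ)",
    "RDEFINE AGENT (CA71.AGENTMSG) OWNER(CA7USERS) UACC(READ)",
    "PERMIT CA71.AGENTMSG.*.UNIXAGT CLASS(AGENT) ID(*) ACCESS(UPDATE)",
]

if __name__ == "__main__":
    for cmd in DECK:
        print(cmd, "->", review(cmd) or "ok")
```
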