Security

CA Vantage maintains a secure operating environment.
For information about the initial security configuration requirements, see Post SMP/E Installation Requirements.
(Optional) Activate PassTicket Support
PassTicket is supported for CA Vantage SRM logon as an alternative to a password. With PassTicket, no password is sent over the network. When PassTicket is used, CA Vantage SRM identifies itself to the security system (CA Top Secret, CA ACF2, or IBM RACF) with the application ID specified by the VKGPARMS system parameter SECURAPP, provided the SECURPTK system parameter has its default value Y.
To activate PassTicket, use the following example procedures. In the examples the secret (session) key is 0123456789ABCDEF, the value of the SECURAPP parameter is VANTAGE, and the user ID is uuuuuuuu. The session key is a shared secret between the client and the security system; use your own value rather than the sample one, and the same value on both sides.
To Activate PassTicket for CA Top Secret on the host
  1. Update the RDT to define the PTKTDATA class, as follows:
    TSS ADD(RDT) RESCLASS(PTKTDATA) ACLST(ALL,READ,UPDATE) MAXLEN(37)
  2. Update the NDT to set the application and session key, as follows:
    TSS ADD(NDT) PSTKAPPL(VANTAGE) SESSKEY(0123456789ABCDEF) SIGNMULTI
    List the RDT to verify that the PTKTDATA class was created:
    TSS LIST(RDT)
To authorize clients to generate PassTickets on the host with CA Top Secret
  1. Issue the following command to update a Division/Department Accessor ID (ACID):
    TSS ADD(tssdept) PTKTDATA(IRRPTAUT)
    All PTKTDATA class resources whose names start with the prefix IRRPTAUT are then owned by this ACID, which can also be the owner of the CA Vantage SRM STC.
  2. Permit the user access to the IRRPTAUTH.VANTAGE.uuuuuuuu resource with the following command:
    TSS PER PTKTDATA(IRRPTAUTH.VANTAGE.uuuuuuuu) ACCESS(READ,UPDATE)
To Activate PassTicket for CA ACF2
  1. Run the following commands:
    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
    INSERT VANTAGE.uuuuuuuu SSKEY(0123456789ABCDEF)
    F ACF2,REBUILD(PTK),CLASS(P)
    F ACF2,REBUILD(ALU),CLASS(P)
To authorize clients to generate PassTickets on the host with CA ACF2
  1. Give the client UPDATE and READ access to the following resource so that it can generate PassTickets:
    IRRPTAUTH.VANTAGE.uuuuuuuu
    where uuuuuuuu is the target user ID.
  2. Issue the following commands:
    SET RESOURCE(PTK)
    COMPILE *
    $KEY(IRRPTAUTH) TYPE(PTK)
    VANTAGE.uuuuuuuu UID(*) SERVICE(UPDATE,READ) ALLOW
    STORE
To activate PassTicket for IBM RACF
  1. Activate the PassTicket class:
    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)
  2. Define a profile for the application and user ID:
    RDEFINE PTKTDATA VANTAGE.uuuuuuuu SSIGNON(KEYMASKED(0123456789ABCDEF))
    KEYMASKED stores the session key in masked, not encrypted, form; RACF also accepts KEYENCRYPTED when ICSF is available.
  3. Refresh the class:
    SETROPTS REFRESH RACLIST(PTKTDATA)
To authorize clients to generate PassTickets on the host with IBM RACF
  1. Give the client UPDATE and READ access to the following resource so that it can generate PassTickets:
    IRRPTAUTH.VANTAGE.uuuuuuuu
    where uuuuuuuu is the target user ID.
  2. Issue the following command:
    PERMIT IRRPTAUTH.VANTAGE.uuuuuuuu ID(uuuuuuuu) ACCESS(UPDATE) CLASS(PTKTDATA)
(Optional) Activate Password Phrase (Passphrase)
Password phrase logon to CA Vantage SRM is supported as an alternative to a password.
To activate password phrases and set a phrase for a user on a CA Top Secret host, enter the following commands:
TSS MODIFY PSWDPHRASE(ON)
TSS ADDTO(userID)('This is a PassWord Phrase')
To set a password phrase for a user on an IBM RACF host, enter the following command:
ALTUSER userID PHRASE('This is a PassWord Phrase')
Give Script Processing Authority to All Objects
In order for automation services (script processing) to access objects and take actions upon them, the product's started task (STC) itself must have the following:
  1. Full access to all objects, as specified in the Resource Names (or Pseudo-Data Sets) Associated with Objects list in the section Methodology for Defining Access Rules to Objects.
  2. Full access to all data sets, both disk and tape.
  3. Authority to perform actions against tape and non-tape related objects.
For item 1, ensure that the logon ID associated with the started task has ALTER access to the generic SYSSSM.FUNC name.
For item 2, full access to all data sets, ensure that the logon ID associated with the started task has ALTER access to all data sets. This is normally done during initial installation as instructed in Post SMP/E Installation Requirements.
(Actions such as Backup, Compress, and Release actually require only READ or UPDATE authority. However, in general, automation services need ALTER authority to perform other actions such as Archive, Migrate, Move, or Delete.)
If SECURRES (Y) is used (the default), the OPERATIONS attribute grants access to data sets but has no effect on access to the objects, because that requires a Resource Facility check. Therefore, you must still ensure that the logon ID associated with the started task has ALTER access to the SYSSSM.FUNC Resource Facility name.
If SECURRES (N) is used, you can satisfy both items 1 and 2 by giving the started task logon ID the RACF OPERATIONS attribute (or its equivalent in CA ACF2 and CA Top Secret). This works because your security system checks pseudo-data set names for object access and real data set names for data set access: it sees both objects and data sets as data sets, so the OPERATIONS attribute permits full access to both.
For item 3, give the started task logon ID READ access to the resources named by the STGADMIN and TAPADMIN system parameters (see Allow Users to Perform Actions on Objects).
For DFSMSrmm customers, ensure that the CA Vantage SRM task (logon ID) has authority to issue SEARCHVOLUME and SEARCHDATASET commands. For details, see the section Authorizing DFSMSrmm Users and Ensuring Security in IBM's DFSMSrmm Guide and Reference Manual.
For CA TLMS customers, ensure that the CA Vantage SRM task (logon ID) has authority to update the Volume Master File (VMF) data set.
Grant Users Access to Objects
When you activate security support, CA Vantage SRM can control who logs on, which objects they can access, and which actions they can perform on those objects, while maintaining a secure environment. It does this through the IBM SAF interface, on which nearly all security systems are built, including CA ACF2, RACF, and CA Top Secret. If you do not activate security support, anyone can log on; CA Vantage SRM then limits itself to its viewing functions, so users cannot perform any actions on what they view.
When security support is activated, CA Vantage SRM requires all users to provide their logon IDs and passwords at logon time and immediately passes them to your security system. As usual, unknown users or invalid passwords cause your security system to reject the logon request.
In addition to this logon check, CA Vantage SRM lets you define user access rules for the CA Vantage SRM objects themselves. CA Vantage SRM uses SAF to check the object access rules every time an end user selects an object from one of the client interfaces, rejecting access whenever appropriate.
Do not activate support for security checking until you have defined the object access rules as described in the following section.
Methodology for Defining Access Rules to Objects
CA Vantage SRM associates each of its objects with a name that your security system can interpret either as a pseudo-data set name or as a resource name (you choose which). To check whether a user can access a selected object, CA Vantage SRM calls the SAF interface to verify that the user has READ access to the object's associated name. If the name is to be treated like a data set name, CA Vantage SRM must make the call using a RACROUTE with class="DATASET". If the name is a resource name, CA Vantage SRM must use a RACROUTE with class="FACILITY". You tell CA Vantage SRM which CLASS to use on the SAF check using system parameter SECURRES in member VKGPARMS of PARMLIB. SECURRES (Y), the default, instructs CA Vantage SRM to use resource facility names. For pseudo-data set names, specify SECURRES (N).
If you decide to have CA Vantage SRM do its checking against pseudo-data set names, real data sets with these names need not exist. Only your security system needs to recognize them as data set names.
If you decide to have CA Vantage SRM do its checking against resource facility names, be aware that in CA Top Secret this is called IBMFAC and should not be confused with FACILITY (FAC). CA Top Secret converts all resource checks for class FACILITY to a class name of IBMFAC.
The process of controlling access to objects consists of identifying CA Vantage SRM resource names (or pseudo-data set names) to your security system, and then granting users READ access to the appropriate names.
All the names have a common resource_prefix. CA Vantage SRM appends the .FUNC.n portion to your prefix to build the complete names in the form resource_prefix.FUNC.n. If the default prefix of SYSSSM is not acceptable, specify your desired prefix in system parameter SECURPFX in member VKGPARMS in PARMLIB.
To make it easy to grant some users access to all objects, one of the names (resource_prefix.FUNC) is reserved for this purpose. Any logon ID with ALTER access to this name has access to all objects.
The following is the complete list of CA Vantage SRM objects, showing the resource name (or pseudo-data set name) associated with each object and the CA Vantage SRM access rule. Unless stated otherwise, access is granted when the logon ID has READ authority to the name. Note that IBM ESS, Raid CIM, and Ramac share SYSSSM.FUNC.N, so READ authority to that one name grants all three.
  • All_objects: SYSSSM.FUNC. Any logon ID with ALTER authority to this name has access to all objects.
  • Data Base Option: SYSSSM.FUNC.U
  • Automation Option: SYSSSM.FUNC.I
  • CA Allocate: SYSSSM.FUNC.O
  • CA ASTEX: SYSSSM.FUNC.Q
  • CA Disk Autorestores: SYSSSM.FUNC.A
  • CA Disk and Unix Sub-Files: SYSSSM.FUNC.L
  • Commands: SYSSSM.FUNC.C
  • Constructs: SYSSSM.FUNC.S
  • Data Sets: SYSSSM.FUNC.D
  • Data Set Groups: SYSSSM.FUNC.G
  • EMC Symmetrix: SYSSSM.FUNC.X
  • DFSMShsm Objects: SYSSSM.FUNC.E
  • Distributed Objects: SYSSSM.FUNC.F
  • Hardware Monitor: SYSSSM.FUNC.B
  • IBM ESS: SYSSSM.FUNC.N
  • Iceberg: SYSSSM.FUNC.J
  • Misc_objects: SYSSSM.FUNC.M. Misc_objects are as follows:
    • EXTFILT - External Filter List
    • SUBMITSC - Schedule Job Submit Ad Hoc
    • SUBSTITU - Substitute Model JCL
    • TAPEUNIT - Tape Units Display
    • JCLMLIST - JCL Model List
  • Storage Groups: SYSSSM.FUNC.P
  • Raid CIM: SYSSSM.FUNC.N
  • Ramac: SYSSSM.FUNC.N
  • z/OS System Resources: SYSSSM.FUNC.R
  • Tape Resource Option (including CA 1 objects): SYSSSM.FUNC.K
  • Schedules: SYSSSM.FUNC.H
  • Unix: SYSSSM.FUNC.T
  • Volumes: SYSSSM.FUNC.V
  • GMI Products: SYSSSM.FUNC.W. Access rule: CA GMI objects, that is, various GMI candidate products such as CA Disk objects, CA VTape, CA TLMS, and so on.
  • CA SYSVIEW (All Objects): SYSSSM.FUNC.WFU. The CA SYSVIEW Performance Management LMP code is FU. LMP codes for CA SYSVIEW product options include FV, JD, JE, and so on.
Defining Object Access Rules to your Security System
The methods for defining resource (or pseudo-data set) names to your security system vary for the different security systems.
  1. Make sure that no one has general access based solely on the common prefix. (For example, assuming the default prefix SYSSSM in a RACF shop, specify UACC(NONE) on the SYSSSM.** generic profile.)
  2. Grant ALTER access to SYSSSM.FUNC for any user allowed access to all the objects.
  3. Grant READ access to the appropriate names for users who are not granted access to all objects.
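The following Python model is added here as an illustration of the rule above; it is not CA Vantage SRM code or the code of any security product. It shows how the same set of permits behaves under SECURRES (Y) and SECURRES (N), and why the OPERATIONS attribute only helps in one of the two modes. RACF profile selection is kept to an outline (the single most specific matching profile is used; an explicit access-list entry wins; OPERATIONS covers the DATASET class but not FACILITY; otherwise UACC applies). The profile set, the user IDs ADMIN1, USER1, OPER1, OPER2 and VANSTC, and the subset of object letters are constructed for the example.

```python
"""Model of how CA Vantage SRM decides object access through SAF.

Added illustration, not product code.  SECURRES picks the SAF class
(Y: FACILITY, IBMFAC under CA Top Secret; N: DATASET with pseudo-data-set
names).  An object is granted when the user holds ALTER on <prefix>.FUNC
or READ on <prefix>.FUNC.<n>.  Profile selection follows RACF in outline
only: the single most specific matching profile is used, an explicit
access-list entry wins, OPERATIONS grants DATASET-class (not FACILITY)
access, otherwise UACC applies.  Profiles and users below are constructed.
"""
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# A subset of the object letters listed on this page.
OBJECTS = {"D": "Data Sets", "V": "Volumes", "P": "Storage Groups",
           "G": "Data Set Groups", "S": "Constructs", "K": "Tape Resource Option"}


@dataclass
class Profile:
    cls: str                                   # "DATASET" or "FACILITY"
    name: str                                  # exact, or generic ending in ".**"
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)    # userid -> access level


def matches(profile_name: str, resource: str) -> bool:
    """Only the trailing ** generic is modelled: it covers the stem itself and
    everything below it (SYSSSM.FUNC.** covers SYSSSM.FUNC and SYSSSM.FUNC.D)."""
    if profile_name.endswith(".**"):
        stem = profile_name[:-3]
        return resource == stem or resource.startswith(stem + ".")
    return profile_name == resource


def best_profile(profiles, cls, resource):
    cands = [p for p in profiles if p.cls == cls and matches(p.name, resource)]
    if not cands:
        return None
    # Simplified specificity: an exact name beats a generic; longer name wins.
    return max(cands, key=lambda p: (not p.name.endswith(".**"), len(p.name)))


def effective_access(profiles, cls, resource, user, operations=False) -> str:
    p = best_profile(profiles, cls, resource)
    if p is None:
        return "NONE"              # modelling assumption: unprotected means no access
    if user in p.acl:
        return p.acl[user]         # explicit entry wins, even when it is NONE
    if operations and cls == "DATASET":
        return "ALTER"             # OPERATIONS covers data sets, not FACILITY resources
    return p.uacc


def can_access_object(profiles, user, letter, securres="Y",
                      prefix="SYSSSM", operations=False) -> bool:
    """The product's rule: ALTER on prefix.FUNC, or READ on prefix.FUNC.<letter>."""
    cls = "FACILITY" if securres == "Y" else "DATASET"
    held = effective_access(profiles, cls, f"{prefix}.FUNC", user, operations)
    if LEVELS[held] >= LEVELS["ALTER"]:
        return True
    held = effective_access(profiles, cls, f"{prefix}.FUNC.{letter}", user, operations)
    return LEVELS[held] >= LEVELS["READ"]


def visible_objects(profiles, user, securres="Y", operations=False) -> set:
    return {k for k in OBJECTS
            if can_access_object(profiles, user, k, securres, operations=operations)}


# Constructed profiles: pseudo-data-set names for SECURRES(N), FACILITY
# (IBMFAC) names for SECURRES(Y), loosely after the RACF examples on this page.
PROFILES = [
    Profile("DATASET", "SYSSSM.**"),                                        # no general access
    Profile("DATASET", "SYSSSM.FUNC.**", acl={"ADMIN1": "ALTER", "OPER2": "NONE"}),
    Profile("DATASET", "SYSSSM.FUNC.D", acl={"USER1": "READ"}),
    Profile("DATASET", "SYSSSM.FUNC.V", acl={"USER1": "READ"}),
    Profile("FACILITY", "SYSSSM.FUNC", acl={"VANSTC": "ALTER"}),
    Profile("FACILITY", "SYSSSM.FUNC.D", acl={"USER1": "READ"}),
]

if __name__ == "__main__":
    # OPER1 and OPER2 carry the OPERATIONS attribute; the others do not.
    for user, ops in (("ADMIN1", False), ("USER1", False), ("OPER1", True),
                      ("OPER2", True), ("VANSTC", False)):
        for mode in ("N", "Y"):
            print(f"{user:7} SECURRES({mode}):",
                  sorted(visible_objects(PROFILES, user, mode, ops)))
```

Running it prints which objects each user can see in each mode. Two results are worth noting. VANSTC holds ALTER only in the FACILITY class, so it sees nothing under SECURRES (N): the started task needs its ALTER on SYSSSM.FUNC in whichever class SECURRES selects. OPER2, an OPERATIONS user explicitly given NONE on SYSSSM.FUNC.**, still reaches D and V under SECURRES (N), because the more specific SYSSSM.FUNC.D and SYSSSM.FUNC.V profiles are the ones checked and carry no entry for OPER2. In RACF only the access list of the selected profile can override OPERATIONS, so a deny for OPERATIONS users has to be present on every profile that covers an object.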
RACF Example - Creating Generic Profiles That Control Access to Objects
The first two ADDSD commands in this example ensure that universal access to all objects is denied. The remaining ADDSD commands define the generic profiles needed for controlling access to the data set, volume, storage group, data set group, and construct objects.
Add the logon IDs of users who are to have access to all objects to the first example PERMIT command.
If there are users with the OPERATIONS attribute who should not have access to CA Vantage SRM objects, you can specifically deny them access by placing their logon IDs in the second example PERMIT command. For users who are granted access only to specific objects, but not all of them, put their logon IDs in PERMIT commands as shown in the third through seventh entries below.
ADDSD 'SYSSSM' OWNER(SYSSSM) UACC(NONE)
ADDSD 'SYSSSM.FUNC' OWNER(SYSSSM) UACC(NONE)
ADDSD 'SYSSSM.FUNC.D' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.V' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.P' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.G' GENERIC OWNER(SYSSSM)
ADDSD 'SYSSSM.FUNC.S' GENERIC OWNER(SYSSSM)
PERMIT 'SYSSSM.FUNC.**' ID(logon IDs) ACCESS(ALTER)
PERMIT 'SYSSSM.FUNC.**' ID(users with OPERATIONS attribute) ACCESS(NONE)
PERMIT 'SYSSSM.FUNC.D' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.V' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.P' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.G' ID(logon IDs) ACCESS(READ)
PERMIT 'SYSSSM.FUNC.S' ID(logon IDs) ACCESS(READ)
Example: How to define and permit the resource SYSSSM in RACF
This defines the Facility class entries:
RDEF FACILITY SYSSSM.FUNC UACC(NONE)
This permits the resource to the users that require it:
PERMIT SYSSSM.FUNC CLASS(FACILITY) ID(Vantage stc user) ACCESS(UPDATE)
PERMIT SYSSSM.FUNC CLASS(FACILITY) ID(user) ACCESS(READ)
This entry limits a user to object tree function n (replace n with the letter from the object list):
PERMIT SYSSSM.FUNC.n CLASS(FACILITY) ID(user) ACCESS(READ)
This command rebuilds the in-storage FACILITY class table:
SETROPTS RACLIST(FACILITY) REFRESH
CA Top Secret Example - Creating Rules That Control Access to Objects
For the pseudo-data set name prefix SYSSSM.FUNC to be protected under CA Top Secret, either a user or a department must own it. In this example, department DEPT091 has been chosen as the owner. The following command assigns the ownership:
TSS ADD(DEPT091) DSN(SYSSSM.FUNC)
All data sets with this prefix are now protected. Users can then be permitted to access either the prefix (for all objects) or a full data set name (for a specific object). Permission can be granted by either user levels or profile levels. This example demonstrates the use of two profiles:
  • PROFNAM1
  • PROFNAM2
The following command permits the users connected to the first profile to have access to all the objects:
TSS PERMIT(PROFNAM1) DSN(SYSSSM.FUNC) ACCESS(ALL)
The following commands permit the users in the second profile to access only the objects associated with the pseudo-data set names:
TSS PERMIT(PROFNAM2) DSN(SYSSSM.FUNC.D) ACCESS(READ)
TSS PERMIT(PROFNAM2) DSN(SYSSSM.FUNC.V) ACCESS(READ)
TSS PERMIT(PROFNAM2) DSN(SYSSSM.FUNC.P) ACCESS(READ)
TSS PERMIT(PROFNAM2) DSN(SYSSSM.FUNC.G) ACCESS(READ)
TSS PERMIT(PROFNAM2) DSN(SYSSSM.FUNC.S) ACCESS(READ)
Make sure that users are connected to their proper profiles. The following commands connect users 1, 3, 4, and 5 to the second profile. User 2 is the only one connected to the first profile.
TSS ADD(USER1) PROFILE(PROFNAM2)
TSS ADD(USER2) PROFILE(PROFNAM1)
TSS ADD(USER3) PROFILE(PROFNAM2)
TSS ADD(USER4) PROFILE(PROFNAM2)
TSS ADD(USER5) PROFILE(PROFNAM2)
To log on to CA Vantage SRM, each logon ID must also be connected to FAC(SAMSFAC) with the command TSS ADD(userid) FAC(SAMSFAC). When users log on, the commands given above restrict the objects to which they have access.
Profiles are often used because the command TSS LIST(profname) DATA(ALL) provides a convenient display of both the resources and the users that are controlled by the profile.
Example: How to define and permit the resource SYSSSM in CA Top Secret
This establishes ownership of the IBMFAC(SYSSSM) resource:
TSS ADDTO(deptacid) IBMFAC(SYSSSM)
This permits the resource to the users that require it:
TSS PERMIT(Vantage stc user) IBMFAC(SYSSSM.FUNC) ACCESS(UPDATE)
TSS PERMIT(user) IBMFAC(SYSSSM.FUNC) ACCESS(READ)
This entry limits a user to object tree function n:
TSS PERMIT(user) IBMFAC(SYSSSM.FUNC.n) ACCESS(READ)
CA ACF2 Example - Creating Rules That Control Access to Objects
One way to create CA ACF2 security rules for accessing data sets is to write and edit all the various rule statements that are needed and save them in a PDS member. You can then specify this member as the input when you issue the CA ACF2 command to compile the rules into the CA ACF2 database.
In the following example, the $KEY(SYSSSM) statement establishes SYSSSM as the common prefix for the pseudo-data set names. $MODE(ABORT) specifies the action CA ACF2 is to take when access is denied based on the associated rules. The - UID(MBK******) rule statement establishes universal access rights of none (no access parameters are specified, and the dash indicates that this rule applies to all data sets with the prefix). Access is then granted only when a more specific rule, one of the FUNC or FUNC.x rules, matches the request.
In CA ACF2, ALLOC access is sufficient to satisfy the SAF RACROUTE request for ALTER access.
Therefore, the first three FUNC statements listed below grant logon IDs AAAAAA, BBBBBB, and CCCCCC access to all objects. The two FUNC.O statements grant users DDDDDD and EEEEEE access to the object associated with FUNC.O (listed as CA Allocate in the object list above). User EEEEEE is also given access to the storage group objects by the FUNC.P statement. (For more information on the UID string, consult your local CA ACF2 support personnel.)
$KEY(SYSSSM)
$MODE(ABORT)
- UID(MBK******)
FUNC UID(MBK*************AAAAAA) ALLOC(A)
FUNC UID(MBK*************BBBBBB) ALLOC(A)
FUNC UID(MBK*************CCCCCC) ALLOC(A)
FUNC.O UID(MBK*************DDDDDD) READ(A)
FUNC.O UID(MBK*************EEEEEE) READ(A)
FUNC.P UID(MBK*************EEEEEE) READ(A)
Update and save these rule statements in a data set, then compile them into the CA ACF2 database by issuing the CA ACF2 compile command:
COMPILE your_data_set_name ALL
After all the updates to the CA ACF2 database have been made, you can refresh the global system options (GSO records), although a refresh is not required. To perform a refresh, use the following command:
F ACF2,REFRESH(ALL)
If the refresh command is used, it must be answered on the console with a logon ID (LID) and password that has the REFRESH privilege.
Example: How to define and permit the resource SYSSSM in CA ACF2
To set up a FACILITY class resource named SYSSSM:
Define the resource by placing the following in a partitioned data set (PDS) member:
$KEY(SYSSSM) TYPE(FAC)
FUNC.- UID(Vantage stc user) SERVICE(READ,ADD,DELETE,UPDATE) ALLOW
FUNC.- UID(user) SERVICE(READ) ALLOW
This entry limits a user to object tree function n:
$KEY(SYSSSM) TYPE(FAC)
FUNC.n UID(user) SERVICE(READ) ALLOW
If the FAC type code is part of a directory, made resident in ECSA, the following command needs to be issued:
F ACF2,REBUILD(FAC)
Allow Users to Perform Actions on Objects
When security support is active, CA Vantage SRM allows users to request one or more actions against any selected object (for example, compress a data set or scratch a tape). CA Vantage SRM uses the SAF interface to check each user's authority to perform the requested actions, denying the actions as appropriate. If the security support is not activated (SECURITY (N) is specified), CA Vantage SRM denies all action requests (only viewing is permitted).
CA Vantage SRM divides actions into the following categories:
  • Tape Related Objects
  • Non-Tape Related Objects (other than CA Datacom/DB)
    Actions against data sets fall into both the above categories.
  • CA Datacom/DB Objects
  • Jobs on the JES Queues
Actions Against Tape Related Objects
For tape related objects, CA Vantage SRM can check whether the user has tape administrator authority or, when the action is against a data set, proper data set access authority. Permission to perform the action is granted if the user has either of these. The checks are made in the following sequence:
  1. Tape Administrator Authority
    For this authority check to be active, you must provide the name of the resource that represents tape administrator authority at your installation, by specifying system parameter TAPADMIN (name). This system parameter has no default value; unless you set it to the correct value, this check is not made.
    Resource Facility checking is always used for this authority, even if SECURRES (N) is specified, which calls for pseudo-data set name checking for objects.
    If the user has READ access to this name, the action is permitted. If not, the next level is checked (if it is a data set action).
    Examples of how to define and permit the resource in your security system (tapeauth stands for the name you give in TAPADMIN):
    CA Top Secret:
    This establishes ownership of the IBMFAC(tapeauth) resource:
    TSS ADDTO(deptacid) IBMFAC(tapeauth)
    This permits the resource to the user that requires it:
    TSS PERMIT(user) IBMFAC(tapeauth) ACCESS(READ)
    CA ACF2:
    Place the following in a partitioned data set (PDS) member:
    $KEY(tapeauth) TYPE(FAC)
    UID(user) SERVICE(READ) ALLOW
    If the FAC type code is part of a directory made resident in ECSA, the following command needs to be issued:
    F ACF2,REBUILD(FAC)
    RACF:
    RDEF FACILITY tapeauth UACC(NONE)
    PERMIT tapeauth CLASS(FACILITY) ID(user) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
    The same examples apply to the STGADMIN, DBADMIN, and SPOADMIN resources described below.
  2. Data Set Access Authority
    By default, a tape data set action is permitted if the user has ALTER access to the data set on the selected tape. If you do not want access authority checks against tape data sets, specify system parameter TMCDSNCK (N). This stops all tape data set access checks except one: a recall by the CA Vtape system. To prevent that check as well, specify system parameter VTPDSNCK (N).
Observe the following:
  • Only users with tape administrator authority can do the following:
    • Use the Eject tape command
    • Use all the Tape Resource Option commands regarding tape management systems
  • For CA 1 TMS customers, CA Vantage SRM users must have authority to update the Tape Management Catalog (TMC) data set.
  • For CA TLMS customers, CA Vantage SRM users must have authority to update the Volume Master File (VMF) data set.
  • For DFSMSrmm customers, CA Vantage SRM users must have authority to update the Control Data Set (CDS). They also need to be able to issue SEARCHVOLUME and SEARCHDATASET commands. For details, see the section Authorizing DFSMSrmm Users and Ensuring Security in IBM's DFSMSrmm Guide and Reference Manual.
Actions Against Non-Tape Related Objects
For non-tape related objects (other than CA Datacom/DB objects), CA Vantage SRM can check whether the user has storage administrator authority or, when the action is against a data set, proper data set access authority. Permission to perform an action is granted if the user has either of these. The checks are made in the following sequence:
  1. Storage Administrator Authority
    For this authority check to be active, you must provide the name of the resource that represents storage administrator authority at your installation, by specifying system parameter STGADMIN (name). This system parameter has no default resource name; unless you set it to the correct value, this check is not made.
    Resource Facility checking is always used for this authority, even if SECURRES (N) is specified, which calls for pseudo-data set name checking for objects.
    If the user has READ access to the named resource, the action is permitted.
    For examples of how to define and permit the resource, see the description of the STGADMIN system parameter in System Parameters.
  2. Data Set Access Authority
    By default, CA Vantage SRM asks the security system if the user has ALTER access to a data set before it permits the action to take place. The following actions require lower access levels as indicated:
    • Compress PDS - UPDATE access needed
    • Backup - READ access needed
    • Release idle space - UPDATE access needed
Only users with storage administrator authority can do the following:
  • Delete mail sent or broadcast to all users
  • Change the status of an HSM function
  • Cancel requests from the HSM request queue
  • Recycle an HSM OCDS tape volume
  • Cancel logged on users
  • Perform Volume Actions:
    • Initialize volumes
    • Vary volumes offline or online
    • Build Index
    • Reformat VTOC
    • Initialize or modify FDR ABR processing options
  • Shut down a DFSMShsm task
  • Start a DFSMShsm task
  • FIXCDS action for DFSMShsm Audit of MCDS, BCDS, or OCDS
  • PATCH DFSMShsm MCVT control block
  • Cancel an active DFSMShsm task
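As an added illustration, not CA Vantage SRM code, the following Python model walks the action checks described above for tape and non-tape objects: the administrator resource first (READ on the name given in TAPADMIN or STGADMIN, always as a FACILITY check), then the data set access level the action needs, with the SECURITY (N), TMCDSNCK (N), and administrator-only rules from this page. The Saf class, the resource names VAN.TAPEAUTH and VAN.STGAUTH, the action names, the user IDs, and the grants are all constructed for the example.

```python
"""Model of CA Vantage SRM's action authorization sequence (added example,
not product code).  Tape objects: READ on the TAPADMIN resource allows the
action; otherwise a tape data set action needs ALTER on the data set unless
TMCDSNCK(N) is set.  Non-tape objects: READ on the STGADMIN resource allows
the action; otherwise the data set action needs ALTER, except Compress PDS
and Release idle space (UPDATE) and Backup (READ).  Some actions are
reserved to administrators.  Names and grants below are constructed."""

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Minimum data set access per non-tape action; anything not listed needs ALTER.
NONTAPE_DS_MIN = {"COMPRESS": "UPDATE", "RELEASE": "UPDATE", "BACKUP": "READ"}

# Actions this page reserves to tape / storage administrators (names assumed).
TAPE_ADMIN_ONLY = {"EJECT", "TMS_COMMAND"}
STG_ADMIN_ONLY = {"CANCEL_USER", "INIT_VOLUME", "VARY_VOLUME", "REFORMAT_VTOC",
                  "HSM_START", "HSM_STOP", "HSM_FIXCDS", "HSM_PATCH_MCVT"}


class Saf:
    """Stand-in for RACROUTE: exact-name lookup of (class, name) -> {user: level}."""

    def __init__(self, grants):
        self.grants = grants

    def has(self, cls, name, user, level):
        held = self.grants.get((cls, name), {}).get(user, "NONE")
        return LEVELS[held] >= LEVELS[level]


def _admin_ok(saf, params, parm_name, user):
    """Administrator check: always a FACILITY (resource) check, even with SECURRES(N).
    The parameter has no default, so an unset value means the check is not made."""
    resource = params.get(parm_name)
    return bool(resource) and saf.has("FACILITY", resource, user, "READ")


def authorize_tape(saf, params, user, action, dsn=None):
    """Return (allowed, reason) for an action on a tape related object."""
    if params.get("SECURITY", "Y") == "N":
        return False, "SECURITY(N): viewing only"
    if _admin_ok(saf, params, "TAPADMIN", user):
        return True, "tape administrator authority"
    if action in TAPE_ADMIN_ONLY or dsn is None:
        return False, "tape administrator authority required"
    if params.get("TMCDSNCK", "Y") == "N":
        return True, "TMCDSNCK(N): tape data set access not checked"
    if saf.has("DATASET", dsn, user, "ALTER"):
        return True, "ALTER on " + dsn
    return False, "needs ALTER on " + dsn


def authorize_nontape(saf, params, user, action, dsn=None):
    """Return (allowed, reason) for an action on a non-tape object."""
    if params.get("SECURITY", "Y") == "N":
        return False, "SECURITY(N): viewing only"
    if _admin_ok(saf, params, "STGADMIN", user):
        return True, "storage administrator authority"
    if action in STG_ADMIN_ONLY or dsn is None:
        return False, "storage administrator authority required"
    need = NONTAPE_DS_MIN.get(action, "ALTER")
    if saf.has("DATASET", dsn, user, need):
        return True, f"{need} on {dsn}"
    return False, f"needs {need} on {dsn}"


# Constructed VKGPARMS values and SAF grants for the demonstration.
PARAMS = {"SECURITY": "Y", "TAPADMIN": "VAN.TAPEAUTH",
          "STGADMIN": "VAN.STGAUTH", "TMCDSNCK": "Y"}
SAF = Saf({
    ("FACILITY", "VAN.TAPEAUTH"): {"TAPEADM": "READ"},
    ("FACILITY", "VAN.STGAUTH"): {"STGADM": "READ"},
    ("DATASET", "PROD.PAYROLL.DATA"): {"APPUSER": "UPDATE", "OWNER1": "ALTER"},
    ("DATASET", "PROD.TAPE.BACKUP"): {"OWNER1": "ALTER"},
})

if __name__ == "__main__":
    cases = [
        (authorize_nontape, "APPUSER", "COMPRESS", "PROD.PAYROLL.DATA"),
        (authorize_nontape, "APPUSER", "DELETE", "PROD.PAYROLL.DATA"),
        (authorize_nontape, "OWNER1", "INIT_VOLUME", None),
        (authorize_tape, "OWNER1", "EJECT", None),
        (authorize_tape, "APPUSER", "SCRATCH", "PROD.TAPE.BACKUP"),
    ]
    for fn, user, action, dsn in cases:
        print(fn.__name__, user, action, dsn, "->", fn(SAF, PARAMS, user, action, dsn))
```

The point the model makes explicit is that the administrator resources are only ever consulted when the corresponding parameter is set, so a site that leaves TAPADMIN or STGADMIN blank has no administrator path at all and every action falls through to the data set check (or is refused outright for the administrator-only actions). It also shows that TMCDSNCK (N) removes the last check for tape data set actions by ordinary users, which is why that setting deserves a deliberate decision.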
Actions Against CA Datacom/DB Objects
There are three categories of CA Datacom/DB Actions:
  • Actions related to the DATACOM script (for example; View script, Run script, Cancel script, or Configure script)
  • Actions satisfied by executing the CA Datacom/DB COMM STATS or COMM STATUS commands
  • Other CA Datacom/DB commands (for example; ACCESS OFF and End MUF commands)
The first two categories of actions are not secured. For the last category, CA Vantage SRM can check whether the user has CA Datacom/DB DBA authority. Permission to perform the action is granted if the user has Alter access to this DBA authority. For this authority check to be active, you must provide the name of the resource that represents DBA authority at your installation, by specifying system parameter DBADMIN (name).
This system parameter has no default value. To use this capability you must provide the system parameter with the correct value.
Resource Facility checking is always used to check this authority, even if SECURRES (N) is specified, which calls for pseudo data set name checking in most places. If the user has READ access to this name, the action is permitted.
Observe the following:
  • The CA Datacom/DB COMM STATS and COMM STATUS commands are not secured and may, therefore, be entered by anyone.
  • The Actions of the CA Datacom/DB Areas, Tables, and Data Sets objects are not secured because they consist solely of DATACOM script actions and CA Datacom/DB COMM STATS actions, which are not secured.
For examples of how to define and permit the resource, see the description of the DBADMIN system parameter in System Parameters.
Actions Against Jobs on the JES Queues
For this authority check to be active, you must provide the name of the resource that represents spool administrator authority at your installation, by specifying system parameter SPOADMIN (name). This system parameter has no default value. To use this capability you must provide the system parameter with the correct value.
Resource Facility checking is always used to check this authority, even if SECURRES (N) is specified, which calls for pseudo data set name checking for objects.
If the user has ALTER access to this name, the action is permitted. Otherwise actions are permitted only for the owner of the job/stc/tsu.
For examples of how to define and permit the resource, see the description of the SPOADMIN system parameter in System Parameters.
Maintain When Users Submit Jobs
Maintain When Automation Submits Jobs
Maintain When Users Edit Data Sets
In the Windows, Config, and View/3270 Clients, you can download data from the host, modify the data, and upload the data back to the host. This data can be JCL or utility command templates, various types of scripts, filter statements, or system parameters.
Use the following client features and host data sets:
  • Windows, Web and View 3270 Clients
    Feature: Edit Member, then Substitute and Generate Jobs
    Data Sets: %%DSNPFX%%.JCLLIB or any host PDS
  • Windows Client
    Feature: Script Wizards
    Data Sets:
    • %%DSNPFX%%.AUTOSCR
    • %%DSNPFX%%.LOGSCR
    • %%DSNPFX%%.SYSTSCR
  • Windows Client and Host Configuration Client
    Feature: Import/Export External Filters
    Data Sets: %%DSNPFX%%.EXTFLTDS
  • Host Configuration Client
    Feature: Edit DS Groups
    Data Sets: %%DSNPFX%%.PARMLIB
  • Host Configuration Client
    Feature: Edit System Parameters
    Data Sets: %%DSNPFX%%.PARMLIB
Limit the number of users that have update authority.
To use these services, active product security checking is required. CA Vantage SRM communicates with the SAF interface to verify if the user has UPDATE authority for the data set.
Scripts
The security for Scripts is based on the SECURSCR (Y/N) parameter. If SECURSCR(N) is specified, all script activity is checked against the CA Vantage SRM STC authority, the same way as it was prior to the introduction of the SECURSCR parameter.
If SECURSCR(Y) is used, all actions taken by the script are checked against the userID of the last person to create or modify the script. The one exception to this rule is the submission of batch jobs by the script. If a userID and password is not provided on the job card, then the CA Vantage SRM STC userID and password will be used, which is the same way as it was prior to the introduction of the SECURSCR parameter.
Any partitioned data sets containing automation scripts, or skeleton JCL used by automation scripts, should be protected, allowing write access only to authorized users and the CA Vantage SRM STC. With SECURSCR(N) in particular, anyone who can modify a script runs it with the STC's authority.
VANCONSL Utility
The VANCONSL utility program enables you to submit console commands from a batch job. You can control various CA Vantage functions, for example, firing a script or refreshing VKGPARMS, in batch.
To enable VANCONSL to issue commands in batch, update your CA ACF2, RACF, or CA Top Secret security system. Before the VANCONSL program issues the requested commands, it temporarily activates an extended MCS (EMCS) console named VVANCONS. After the commands are processed, the EMCS console is deactivated. Through the security profile for this console you can restrict the use of VANCONSL to the CA Vantage task and selected users.
To permit CA Vantage or specific users to execute VANCONSL, update the appropriate user or STC profile to permit READ access of the following resource in the OPERCMDS class:
MVS.MCSOPER.VVANCONS
For CA Vantage scripts that cause a job to be submitted, if a userID and password is not provided on the job card of the submitted job, the CA Vantage STC userID and password is used.
License (LMP) Keys
If you start the system without a valid LMP license key for either the CA Vantage SRM base product or CA GMI, a CAS operator message will be given every few minutes stating that the Base component is running without a valid license.
If LMP keys for other components are missing or expired, those components and their related objects are marked as not available. However, access is still allowed but a CAS Operator message will be given every few minutes stating that the identified option is running without a license. For a user working online from the Windows Client or Web Client, an attempt to access an unlicensed object is detected, and the user must confirm the desire to continue. Only then will the CAS operator message be issued.
For more information, see System Requirements.
Security VKG System Parameters
For full customization and flexibility, review the following system parameters: SECURSCR, SECURHSM, SECURPFX, SPOADMIN, STGADMIN, TAPADMIN, TMCDSNCK, VTPDSNCK, and DBADMIN.