OPS/MVS

  • 1.  CA-OPS Ruleset Security

    Posted Oct 05, 2016 01:18 PM

    Is there a way to give a user OP$MVS.OPSAOF UPDATE access for one Rule Set but not another?

     

    In other words, I want to grant the user the ability to use the read only commands for AOF
    in RULESETA but not the update only commands. Then on RULESETB, I want the same user to have
    update access. Basically I want the user to have authority to ENABLE/DISABLE/RESETAUTO rules
    in RULESETB but not have that authority in RULESETA or any other RULESET.

     

    Caveat: I would like to do this with RACF only. No security rules involved.

     

    RULESETA
    RULESETB
    RULESETC



  • 2.  Re: CA-OPS Ruleset Security
    Best Answer

    Posted Oct 05, 2016 04:15 PM

    Hello Travis,

     

    To secure your rule set libraries based on the read/update levels you want to implement, please consider using the standard Dataset Resource Class your security product provides. Calls using the SAF Resource Name OP$MVS.OPSAOF do not provide what you are looking for. Read level provides access to the subcommands (INDEX, LISTINST, LIST, LISTSRC, LISTCOMP) and update allows the use of the (SETAUTO, DISABLE, ENABLE, COMPILE, DELCOMP, RESETAUTO) subcommands, as documented at this URL:

     

    https://docops.ca.com/ca-opsmvs-123-EN/implementing-external-security/resource-tables-and-predefined-resources/saf-resource-names-table

     

    Hope this helps Travis.

    Regards, Cesar



  • 3.  Re: CA-OPS Ruleset Security

    Posted Oct 05, 2016 05:29 PM

    I agree, the resource OPSAOF does not have the granularity that I need. I do have the user set up with the appropriate access levels in the Dataset profile for each of the rule sets. It does restrict the user from saving any changes to the rule, but it does not prevent them from using the UPDATE commands for the OPSAOF resource, because the commands don't rely on the data set profile; they are bound to the OP$MVS.OPSAOF.

     

    I was able to set up PLAN B, which was to code up a security rule which handled the extra level of security I needed, but I would really prefer a method that was centered on RACF instead of relying on Security Rules. I originally set it up to use a separate resource, but as I pondered your response, Cesar, I realized I could just use the data set access to do the same thing, so that is what I did. So right now I have a security rule monitoring AOF events and checking the data set access based on the command issued.



  • 4.  Re: CA-OPS Ruleset Security

    Posted Oct 05, 2016 05:34 PM

    Sounds good, Travis.

    Thanks for participating in this forum.

    We appreciate your support.

    Regards, Cesar