How do I define the CA-Examine resource class of CA EXAMIN to my external security manager RACF? What would a sample rule look like?

Document ID : KB000025202
Last Modified Date : 14/02/2018

Question:

How do I define the CA-Examine resource class of CA EXAMIN to my external security manager RACF? What would a sample rule look like?

Answer:  

CA Examine makes SAF calls with a resource CLASS=CAEXAMIN, and one of the following entity names:

ENTITY=EXAMMON.BPXEKDA For z/OS cross-memory services to communicate with the EXAMMON address space.
ENTITY=TRAPAUTH.TEST   For test traps generated through the use of DEBUG flag 16.
ENTITY=TRAPAUTH.BATCH  For other traps issued in batch jobs.
ENTITY=TRAPAUTH.TSO    For other traps issued from a TSO session.

The resource class can be defined to RACF using the following RACF RDEF CDT sample:

SETR CLASSACT(CDT) AUDIT(CDT) RACLIST(CDT)
RDEF CDT CAEXAMIN UACC(NONE) CDTINFO(MAXLENGTH(39) FIRST(ALPHA) -
  OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) RACLIST(ALLOWED) DEFAULTUACC(NONE) GENLIST(DISALLOWED) -
  POSIT(303))
SETR RACLIST(CDT) REFRESH

Sample PERMIT (rule):

PERMIT EXAMMON.BPXEKDA CLASS(CAEXAMIN) ACCESS(READ) ID(USER2)
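
The PERMIT above only works once the class is active and a profile for the entity exists. The following sequence is an added example, not taken from the CA Examine documentation. It assumes a discrete profile for the EXAMMON.BPXEKDA entity, the USER2 ID and READ access from the sample above, and a site that chooses to RACLIST the class (which the CDT entry allows) and to audit failed access attempts.

```tso
/* Activate the new class and keep its profiles in storage         */
SETROPTS CLASSACT(CAEXAMIN) RACLIST(CAEXAMIN)

/* Discrete profile for the entity, denied by default, with failed */
/* access attempts audited                                         */
RDEFINE CAEXAMIN EXAMMON.BPXEKDA UACC(NONE) AUDIT(FAILURES(READ))

/* Grant access to the one ID that needs it (the sample rule)      */
PERMIT EXAMMON.BPXEKDA CLASS(CAEXAMIN) ACCESS(READ) ID(USER2)

/* Make the profile and access list changes take effect            */
SETROPTS RACLIST(CAEXAMIN) REFRESH

/* Verify: show the profile together with its access list          */
RLIST CAEXAMIN EXAMMON.BPXEKDA AUTHUSER
```

The RLIST output should show UACC NONE and USER2 with READ in the access list. Any later PERMIT or RDEFINE in a RACLISTed class needs another SETROPTS RACLIST(CAEXAMIN) REFRESH before it is honored.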

Additional Information:

See the z/OS Security Server RACF Command Language Reference and RACF Security Administrator's Guide for additional details on the SETR, RDEF and PERMIT commands.