Step 5. Implement CMEM Security (Optional)

Perform the following steps to implement CMEM security.

Step 5.1 Grant Access Permissions

Collect the data you need to define the INCONTROL entities and user authorizations in the security product.

RACF Security

  1. Use the following commands to define the $$CTOEDM entity to RACF and to authorize users to this entity.
  2. To define the entity $$CTOEDM.qname, use the following command:

    RDEFINE FACILITY $$CTOEDM.qname UACC(NONE)

  3. To authorize USERA to Extended Definition mode, use the following command:

    PERMIT $$CTOEDM.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)

    Basic Definition mode is set if the user does not have access to this entity. If the user does have access to this entity, Extended Definition mode is set.
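
As an added example (not part of the original documentation), the RACF commands above can be run as one batch TSO job that also refreshes the in-storage profiles and lists the resulting access list. The job card, the step name, and the assumption that the FACILITY class is active and RACLISTed are this example's own; replace qname and USERA as in the steps above.

```jcl
//RACFEDM  JOB (ACCT),'CMEM EDM ACCESS',CLASS=A,MSGCLASS=X
//* Added example: job card values are site-specific placeholders.
//* Runs the RACF commands from Step 5.1 under batch TSO (IKJEFT01).
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Define the entity with no default access, so that only    */
  /* explicitly permitted users get Extended Definition mode.  */
  RDEFINE FACILITY $$CTOEDM.qname UACC(NONE)

  /* Grant READ to the user who is to work in Extended mode.   */
  PERMIT $$CTOEDM.qname CLASS(FACILITY) ID(USERA) ACCESS(READ)

  /* Assumption: FACILITY is RACLISTed. Without the refresh,   */
  /* the new profile and permit are not seen by access checks. */
  SETROPTS RACLIST(FACILITY) REFRESH

  /* Verify: UACC should be NONE and the access list should    */
  /* contain only the intended user IDs with READ.             */
  RLIST FACILITY $$CTOEDM.qname AUTHUSER
/*
```

Review the RLIST output in SYSTSPRT before continuing: any user ID on the access list that should remain in Basic Definition mode must be removed from the list.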

TopSecret Security

  1. Define Control‑O entities and user authorizations to TopSecret

    For information about how to define Control‑O entities and user authorizations to TopSecret, see CMEM Basic Definition Security Calls and CMEM Extended Definition Security Calls.

    Modify the following command to assign ownership of the resources in TopSecret to the appropriate owner:

    TSS ADD(sec-administrator-dept) IBMFAC($$CTO)

    All entity names for each Control‑O protected element appear in CMEM Basic Definition Security Calls for Basic Definition mode and CMEM Extended Definition Security Calls for Extended Definition mode.

  2. Associate users with definition modes
    1. Customize the following TopSecret command to establish Extended Definition mode for the Control‑O installer.

      TSS PERMIT(USERA) IBMFAC($$CTOEDM.qname) ACC(READ)

    2. Change USERA to the UID of the Control‑O installer.

      If the user does not have access to this entity, the user is set to work in Basic Definition mode. Otherwise, the user is set to work in Extended Definition mode.

  3. Authorize the Control‑O installer to use Control‑O facilities
    1. Customize the following command to authorize USERA access to Control‑O:

      TSS ADD(USERA) IBMFAC($$CTO)

    2. Change USERA to the user ID of the Control‑O installer.
    3. Customize the following command to authorize the Control‑O installer to use Control‑O facilities:

      TSS PERMIT(USERA) IBMFAC($$CTO) ACC(READ)

ACF2/SAF Security

To associate users with Extended Definition Mode, define and authorize the entity $$CTOEDM.qname to ACF2 using the following commands:

    SET RESOURCE(CMF)
    COMP
    $KEY($$CTOEDM.qname)
    UID(USERA) ALLOW

Step 5.2 Customize Security Parameters

Table 36 Security Definition Modes

| Mode | Description |
|------|-------------|
| Mode Definition | The Definition Mode for the CMEM security modules. Valid values are: COND (Conditional Definition mode; default), BASIC (Basic Definition mode), EXTEND (Extended Definition mode). |
| DFMO01 | Definition mode for the CTOSE01 security module. |
| DFMO02 | Definition mode for the CTOSE02 security module. |

Step 5.3 Save Security Parameters into the Product

This step saves all the security parameters specified for CMEM. When this step is completed, the Status column is automatically updated to COMPLETE.
