Protecting administrative functions
z/OS Cryptographic Services PKI Services Guide and Reference SA23-2286-00
PKI Services administrators must have SAF user IDs on the host system. When PKI Services is called for administrative functions, the unit of work is tagged with the identity of the authenticated administrator. At a minimum, all PKI Services administrators require READ or UPDATE access to the profile IRR.RPKISERV.PKIADMIN[.ca_domain] in the FACILITY class. Table 1 shows how the level of access to this profile controls authorization to general administrative functions.
In addition, you can use profiles in the PKISERV class to restrict PKI Services administrator access to specific operations. For information, see Using the PKISERV class to control access to administrative functions. By default, this additional capability is not enabled. The AdminGranularControl keyword in the pkiserv.conf configuration file controls whether it is enabled.

Example: To grant user ID ADMID authority to administer the PKI Services CUSTOMER domain, and to grant that same user the ability to query information on PKI Services certificates issued using the '1-Year PKI SSL Browser Certificate' template, issue the following RACF® TSO commands:
Copyright IBM Corporation 1990, 2014