For services that are passed a label, the key store policy will
not affect the SAF check, so only Granular Keylabel Access Controls
and CSNDSYX Access Controls will have an effect:

Table 33. Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions (label)

| Service | No CSNDSYX Access Controls for algorithm | CSNDSYX Access Controls for algorithm | No Granular Keylabel Access Controls | Granular Keylabel Access Controls |
|---|---|---|---|---|
| CSNDSYX: DATA key identifier | label SAF check is done against CSFKEYS | label SAF check is done against XCSFKEY | n/a | n/a |
| CSNDSYX: RSA key identifier and all other services passed a label | n/a | n/a | label SAF check is done against CSFKEYS for READ access | label SAF check is done against CSFKEYS for appropriate access |

For services that are passed a token:

Table 34. Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions (token)

| Service | No KSP | KSP, no CSNDSYX Access Controls for algorithm | KSP, CSNDSYX Access Controls for algorithm | KSP, no Granular Keylabel Access Controls | KSP, Granular Keylabel Access Controls |
|---|---|---|---|---|---|
| CSNDSYX: DATA key identifier | no SAF check is done | KSP SAF checks are done against CSFKEYS | KSP SAF checks are done against XCSFKEY | n/a | n/a |
| CSNDSYX: RSA key identifier and all other services passed a label | no SAF check is done | n/a | n/a | KSP SAF checks are done against CSFKEYS | KSP SAF checks are done against CSFKEYS |

Note: The levels used by Granular Keylabel Access Controls will also be applied to KSP checks (that is, if the CKDS labels matching a token were checked with UPDATE access, CSF-CKDS-DEFAULT will also be checked with UPDATE access).