Controlling Access to specific CSF Line Commands
Article ID: 257294
Updated On:
Products
Issue/Introduction
We are looking for a solution where an operator completed the application mistakenly and caused impact in cycles.
Need to restrict access on force completing an application for particular users. We are looking for a possibility on application force completion alone and not with Job force completion
Environment
All Release ESP Workload Automation
Cause
Operator completed an application mistakenly and caused impact in cycles.
Resolution
Control Access to Specific CSF Line Commands
Security Profiles: CSF.CHECK.CMDS, CSF.LC
If you want to limit access to specific CSF line commands, use the CSF.CHECK.CMDS profile in combination with the CSF.LC.cmd profile.
The CSF.CHECK.CMDS profile specifies the users for which CSF line command checking is done. The CSF.LC.cmd profile specifies the users that have access to the CSF line command specified by cmd.
If you do not set up a profile for a specific line command, then all users are authorized to issue that CSF line command.
Even if you can access a CSF line command, you still need access to the event group, application, or job the command is issued against.
CSF line commands generate an underlying ESP command. The CSF.LC profile protects only the CSF command, not the underlying command.
To turn on CSF line command security checking:
Create a security profile named prefix.CSF.CHECK.CMDS.
Grant UACC(READ).
To restrict access to specific CSF line commands.
Confirm that CSF line command security checking is turned on with the prefix.CSF.CHECK.CMDS profile.
Create a security profile named prefix.CSF.LC.CA
Grant UACC(NONE) access to the users you do not want using CSF line command CA.
EXAMPLE:
You do not want Frank to be able to complete applications using CSF line command CA. Assume that Frank has access to the job and the CSF.CHECK.CMDS profile. Frank should have UACC(NONE) access to the ESP.CSF.LC.CA profile
Additional Information
Feedback
