Authorization
Note: Session and token objects require the same SAF authority.
| Action | Source object (Copy only) | Token / Object being created | PKCS #11 role Authority required |
|---|---|---|---|
| Create or recreate token | N/A | Token | SO (UPDATE) |
| Create object | N/A | Public object, except a CA certificate | USER (UPDATE) or SO (READ) |
| Create object | N/A | Private object, except a CA certificate | USER (UPDATE) or SO (CONTROL) |
| Create object | N/A | Public CA certificate object | USER (CONTROL) or SO (READ) |
| Create object | N/A | Private CA certificate object | USER (CONTROL) or SO (CONTROL) |
| Copy object | Public object, except a CA certificate | Public object, except a CA certificate | USER (UPDATE) or SO (READ) |
| Copy object | Public object or private object, except a CA certificate | Private object, except a CA certificate | USER (UPDATE) or SO (CONTROL) |
| Copy object | Private object, except a CA certificate | Public object, except a CA certificate | USER (UPDATE) |
| Copy object | Public object, where source or target or both are CA certificate objects | Public object, where source or target or both are CA certificate objects | USER (CONTROL) or SO (READ) |
| Copy object | Public object or private object, where source or target or both are CA certificate objects | Private object, where source or target or both are CA certificate objects | USER (CONTROL) or SO (CONTROL) or both USER (UPDATE) and SO (READ) |
| Copy object | Private object, where source or target or both are CA certificate objects | Public object, where source or target or both are CA certificate objects | USER (CONTROL) or both USER (UPDATE) and SO (READ) |
Note:
- Session and token objects require the same authority.
- See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for more information on the SO and User PKCS #11 roles and on how ICSF determines that a certificate is a CA certificate.