Ed Jaffe recommended against creating a SAF class. I'll respectfully suggest that it's not that hard.
First, if you do, IBM told us, "Start the class name with a dollar sign - we'll never use those". Of course you could collide with another vendor, but that's unlikely. We've had customers doing so for 13 years or so. Besides some folks who didn't understand how to use their own ESM, we've had no problems. ACF2 and TSS were easy, too.

Now, I admit that our usage is pretty simple: we have named data protection entities called Cryptids, and you can use them to protect (encrypt/tokenize/hash) or access (decrypt/detokenize) data. So if you have a Cryptid named BANANA, a user needs READ or greater authority to PROTECT.BANANA or ACCESS.BANANA, as appropriate to use BANANA to protect or access.

For something like EJES, with possibly dozens of subtleties, it would surely be harder. The complexity of SAF related to certificates comes to mind, though I suspect some of that is due to some historical mistakes. Still, once you've defined a scheme, it's just PERMITs, right?
