CA Top Secret Requirements

CA Top Secret controls access to both disk and tape data sets. Security administrators (SCA, VCA, or DCA) grant access privileges by specifying the appropriate data set access capabilities in the accessor IDs (ACIDs) of the user, department, or division. Alternatively, data set access authorities can be granted to a specific user or set of users using the cross‑system authorization that TSS PERMIT provides. Each data set access falls into one of the following access categories:

Read access

Required to open a data set for input. You must have read access authority to look at information in a data set. CA Auditor users must have read access authority for all CA Auditor data sets, all system data sets identified in the table in the Access Control Software Considerations section, and all other data sets that CA Auditor analyzes or processes.

Installers must have read access authority to all data sets on the distribution tape. The data set names of the tape files have the format AUD.EXAMINE.dsname.

Update access

Required to open a data set for output. You must have update access authority to add or update the information in a data set. All CA Auditor users must have update access authority for the user profile database, prefix.EXAMINE.DBASE1 (prefix.CAIDBS1 for SMP/E installations). No other CA Auditor data sets are updated. CA Auditor never modifies z/OS system data sets.

All access

Required to initially allocate, rename, or scratch a disk‑resident data set. You must have all access authority to create, rename, or delete a data set. CA Auditor users do not need all access authority for any CA Auditor or system data sets.

Installers must have all access authority for all CA Auditor data sets so the installation program can dynamically allocate the CA Auditor data sets on the selected disk volume.

Users do not create, rename, or scratch data sets using CA Auditor. They do not need all access authority.

Fetch access

Required to open a program library to load and execute a program. The security administrator can provide this type of protection for the CA Auditor program library, prefix.EXAMINE.LOAD (prefix.CAJ0LOAD for SMP/E installations).
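The access levels above can be checked as a least-privilege rule set. The following is an added example, not part of the CA Auditor documentation: it compares a list of data set grants with the levels this page states for users and installers. The `AUDIT1` qualifier, the ACIDs, the `HELP` data set, the input tuple format, and the `RANK` ordering are assumptions made for the example.

```python
# Added example: least-privilege check of data set grants against this page.
PREFIX = "AUDIT1"  # constructed stand-in for the page's "prefix" qualifier
SCOPE = f"{PREFIX}.EXAMINE."
DBASE = SCOPE + "DBASE1"   # user profile database named on the page
LOADLIB = SCOPE + "LOAD"   # program library named on the page

# Acceptable access per role and data set, taken from the page's text.
# "*" covers every other CA Auditor data set under SCOPE.
REQUIRED = {
    "user": {DBASE: {"UPDATE"}, LOADLIB: {"FETCH", "READ"}, "*": {"READ"}},
    "installer": {"*": {"ALL"}},
}

# Assumption: a simple low-to-high ordering used only to label a mismatch;
# it is not CA Top Secret's own access model.
RANK = {"FETCH": 1, "READ": 2, "UPDATE": 3, "ALL": 4}


def audit(grants):
    """Return (acid, dsname, granted, kind) for each grant that deviates."""
    findings = []
    for acid, role, dsname, access in grants:
        if not dsname.startswith(SCOPE):
            continue  # system data sets are outside this example
        allowed = REQUIRED[role].get(dsname, REQUIRED[role]["*"])
        if access in allowed:
            continue
        top = max(RANK[a] for a in allowed)
        kind = "excess" if RANK[access] > top else "shortfall"
        findings.append((acid, dsname, access, kind))
    return findings


# Constructed sample grants; ACIDs, roles and the HELP data set are hypothetical.
SAMPLE = [
    ("AUDUSR1", "user", DBASE, "UPDATE"),
    ("AUDUSR1", "user", LOADLIB, "FETCH"),
    ("AUDUSR2", "user", DBASE, "ALL"),
    ("AUDUSR2", "user", SCOPE + "HELP", "UPDATE"),
    ("AUDUSR3", "user", DBASE, "READ"),
    ("AUDINST", "installer", DBASE, "UPDATE"),
    ("AUDINST", "installer", LOADLIB, "ALL"),
    ("AUDUSR1", "user", "SYS1.PARMLIB", "READ"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
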

The security administrator uses these access requirements to make the relevant CA Auditor and z/OS system data sets available to CA Auditor users as follows: