Implementing External Security with CA Top Secret › Create Access Permissions with CA Top Secret

Create Access Permissions with CA Top Secret

Connecting or permitting site-defined user names authorizes them to the groups or profiles that either you or DEFSAF defined. Execute the REXX DEFSAF utility to define the resource names and groups. Execute DEFSAF again to add user names to those groups.

Use CA Top Secret to create access permissions. You can perform these steps in any order.

Note: The DEFSAF commands provided in the following steps default the BATCH option to YES. The YES value generates member PERTSS in opqhlq.OPSx.DEFSAF. Send this member to your security administrator to run the CA Top Secret commands in the member from an authorized user ID. If you specify BATCH(N) on DEFSAF, the commands are issued directly. In this mode, the running user ID requires the CA Top Secret authorities to execute successfully.

Follow these steps:

1. Execute the following command to provide the OPSUSER with READ access to all CA OPS/MVS protected resources:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI ALL ACT(PERMIT) SAFRO(OPSUSER)
   

   or

   !OX 'opshql.REXX(DEFSAF)' ALL ACT(PERMIT) SAFRO(OPSUSER)
   

2. Execute the following command to provide the OPSOPER with UPDATE access to all CA OPS/MVS protected resources:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI OPSAOF ACT(PERMIT) SAFRW(OPSOPER)
   

   or

   !OX 'opshlq.CCLXEXEC(DEFSAF)' OPSAOF ACT(PERMIT) SAFRW(OPSOPER)
   

3. Execute the following command to provide OPSSQL1 with READ access to all SQL commands:

   ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
   !OI OPSSQL ACT(PERMIT) SAFRO(OPSSQL1)
   

   or

   !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRO(OPSSQL1)
   

   Note: The BATCH(Y) option generates the member in opqhlq.OPSx.DEFSAF named PERTSS. Send this member to your security administrator to run the CA Top Secret commands in the member from an authorized user ID. If the user ID where you run the DEFSAF command has sufficient authority, specify BATCH(N) and then issue the commands directly from DEFSAF.

4. Execute OPSSQL1 either with or without GROUPS as follows:
   • Execute OPSSQL1 with GROUPS(Y) and with UPDATE access to all aspects of SQL commands:

     ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
     

     !OI OPSSQL ACT(PERMIT) SAFRW(OPSSQL1) GROUPS(Y)
     

     or

     !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRW(OPSSQL1) GROUPS(Y)
     

   • Execute OPSSQL1 with GROUPS(N) to permit the same access without using groups:

     TSO OX 'opshlq.CCLXEXEC(DEFSAF)' OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

     ISPF EDIT on member DEFSAF in opshlq.CCLXEXEC
     !OI OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

     or

     !OX ‘opshlq.CCLXEXEC(DEFSAF)’ OPSSQL ACT(PERMIT) SAFRO(OPSSQL1) GROUPS(N)
     

5. If you did not use DEFSAF, provide OPSSQL1 with READ access to all SQL commands by issuing the following sample CA Top Secret PERMIT command:

   TSS PERMIT(OPSSQL1) FAC(OP$MVS.SQL.) ACCESS(READ)
   

You have created your access permissions with CA Top Secret.