The Protect List is used to override generic resource prefixes defined in the Bypass List. If a resource is matched in both the Bypass List and the Protect List, the match in the Protect List controls processing, regardless of the length of the match.
The following CICS resources can be used with the BYPADD, BYPREM, PROTADD, and PROTREM suboptions.
Note: This list is intended for a limited number of resources and should not be used as an alternative for the ALL Record.
Examples: Bypass and Protect lists
This example avoids security checking for transactions beginning with XY:
TSS MODIFY FACILITY(CICSTEST=BYPADD(TRANID=XY))
You can still check for security on transaction XYZ by entering:
TSS MODIFY FACILITY(CICSTEST=PROTADD(TRANID=XYZ))
In this example, the PROTADD(TRANID=XYZ) command overrides the BYPADD(TRANID=XY) command.
Use the CEMT=action parameter to bypass security checking for an action on both the CEMT (Extended Master Terminal) command and the corresponding EXEC CICS “action” command.
Valid actions are:
TSS MODIFY FACILITY(cicsfac=BYPADD(CEMT=INQUIRE))
Note: To bypass SET, you also need to add INQUIRE to the Bypass List because CEMT SET redisplays the items altered in the CEMT SET.
If CEMT=SET is specified, SPOOLWRITE JOB SUBMIT security under CA Top Secret will not work.
To bypass all EXEC CICS INQUIRE commands, except SYSTEM, enter:
TSS MODIFY FACILITY(CICSTEST=BYPADD(SPI=INQUIRE))
To bypass EXEC CICS INQUIRE SYSTEM, also enter:
TSS MODIFY FACILITY(CICSTEST=BYPADD(CEMT=INQUIRE))
Note: The above command does not bypass the OTRAN or LCF security checks for transaction CEMT; only the SPI security check is bypassed.
To bypass transaction security, add an entry to the TRANID or TRAN parameter of the Bypass List. TRAN and TRANS are identical. The TRANID parameter contains transaction name entries that will bypass all security checking for the transaction. The default entries are:
TSS9550I FACILITY DISPLAY FOR CICSPROD
TSS9570I BYPASS TABLE DISPLAY FOR FACILITY CICSPROD
TSS9571I RESOURCE=LOCKTIME BYPASS NAMES: TSS
TSS9571I RESOURCE=TRANID BYPASS NAMES: CAQP CATA CATD CATP
TSS9572I CATR CAUT CCIN CCMF CDBD CDBN CDBO CDBT
TSS9572I CDTS CECS CEGN CEHP CEHS CESC CESF CESN
TSS9572I CFTS CGRP CITS CLQ2 CLR1 CLR2 CLS3 CLS4
TSS9572I CMPX CMTS CNPX COVR CPLT CPMI CQPI CQPO
TSS9572I CQRY CRDR CRMD CRSQ CRSR CRSY CRTE CRTR
TSS9572I CSAC CSCY CSFU CSGM CSGX CSHR CSIR CSJC
TSS9572I CSKP CSLG CSMI CSM1 CSM2 CSM3 CSM4 CSM5
TSS9572I CSNC CSNE CSPG CSPK CSRK CSPP CSPQ CSPS
TSS9572I CSRS CSSC CSSF CSSN CSSX CSSY CSTA CSTB
TSS9572I CSTE CSTP CSTT CSXM CSXX CSZI CVMI CVST
TSS9572I CWTR CXCU CXRE CXRT TS 8888 9999 ....
TSS9572I .... .... .... .... .... CFTL CFSL CKTI
TSS9572I CKAM CFCL CIOD CIOF CIOR CIRR CJTR CSHA
TSS9572I CSHQ CSOL CTSD CWBG CWXN CDBF CEX2 CFQR
TSS9572I CFQS CSFR CSQC CDBQ CRMF CLSG CFOR CJMJ
TSS9572I CLS1 CLS2 CPIH CPIL CPIQ CRTP CWXU CPIR
TSS9572I CPIS CISC CISD CISE CISR CISS CIST CJGC
TSS9572I CJPI CISB CEPD CEPM CISQ CISU CISX CIS4
TSS9572I CRLR CISM CEPF CPSS CJSR CESL CISP CIS1
TSS9572I CJSL CRST CPCT CFCR CJLR
TSS9571I RESOURCE=TRANID PROTECT NAMES: CEDF TSEU
TSS0300I MODIFY FUNCTION SUCCESSFUL
To specify multiple transactions (up to four) on one line for the bypass list, enter the following command:
F TSS,FACILITY(cicsfac=BYPADD(TRANID=(trn1,trn2,trn3,trn4)))
The difference between the Bypass List parameters TRAN and TRANID is that the entries for the TRAN list contain transaction names that will bypass resource OTRAN or LCF security checking only. Entries in the TRANID Bypass List contain transaction names that will bypass all types of security checking (OTRAN, LCF, FCT, or any type of resource check, including LOCKTIME, and job submit processing for transient data and spoolwrite).
Important! For CEDF processing, to ensure security checking of transactions and resources being emulated, never place CEDF in the TRANID Bypass List. Consider placing CEDF in the TRAN Bypass List instead.
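The Protect-over-Bypass rule and the CEDF warning above can be checked against a facility display. The following Python sketch is an added example, not CA Top Secret code: it parses TSS9571I/TSS9572I lines from a constructed sample and applies the precedence rule. The function names are hypothetical, and it assumes that list entries match as prefixes and that `....` marks an empty slot.

```python
import re

# Constructed sample in the TSS9571I/TSS9572I layout (not real output).
SAMPLE = """\
TSS9571I RESOURCE=LOCKTIME BYPASS NAMES: TSS
TSS9571I RESOURCE=TRANID BYPASS NAMES: CATA CEDF XY
TSS9572I TS 8888 9999 ....
TSS9571I RESOURCE=TRANID PROTECT NAMES: XYZ TSEU
TSS0300I MODIFY FUNCTION SUCCESSFUL
"""

HEADER = re.compile(r"TSS9571I RESOURCE=(\w+) (BYPASS|PROTECT) NAMES:(.*)")

def parse_display(text):
    """Return {(resource, 'BYPASS'|'PROTECT'): [names]} from display output."""
    lists, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))
            names = m.group(3)
        elif line.startswith("TSS9572I") and current:
            names = line[len("TSS9572I"):]  # continuation of the current list
        else:
            current = None
            continue
        # Assumption: "...." is an empty slot in the display, not an entry.
        lists.setdefault(current, []).extend(
            n for n in names.split() if set(n) != {"."})
    return lists

def is_bypassed(lists, resource, name):
    """A Protect match wins over any Bypass match, whatever the match length."""
    if any(name.startswith(p) for p in lists.get((resource, "PROTECT"), [])):
        return False
    return any(name.startswith(b) for b in lists.get((resource, "BYPASS"), []))

def audit(lists):
    """Flag the configuration the page warns against: CEDF bypassed by TRANID."""
    findings = []
    if is_bypassed(lists, "TRANID", "CEDF"):
        findings.append("CEDF is bypassed by the TRANID list; use TRAN instead")
    return findings

if __name__ == "__main__":
    parsed = parse_display(SAMPLE)
    for tran in ("XYAB", "XYZ1", "TSEU", "CEMT"):
        print(tran, "bypassed" if is_bypassed(parsed, "TRANID", tran) else "checked")
    print(audit(parsed))
```

In the constructed sample, XYAB is bypassed by the generic XY entry while XYZ1 is still checked because of the XYZ Protect entry, and the audit reports CEDF because it appears only in the TRANID Bypass List.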
If an EXEC CICS START TRANSACTION(tran) is issued from a transaction with RESSEC=YES in the PCT and you want to use the bypass list to avoid checks in the started transaction, you must add the started transaction to the PCT and TRANID bypass lists. The PCT bypass allows the start of the transaction, and the TRANID bypass allows access to any resource that the transaction might reference.
The TCT Bypass List contains terminal entries that will bypass CA Top Secret security checking where:
For example, to bypass security checking for terminal K06L3544, enter:
TSS MODIFY FACILITY(cicsfac=BYPADD(TCT=K06L3544))
This command allows any transaction to be run on this terminal without signon entry validation or any resource checking.
The LOCKTIME Bypass List contains terminal entries or transaction IDs that are not checked for lock time by CA Top Secret. When added to the Bypass List, these entries override the LOCKTIME control option settings for that terminal or transaction. You can bypass terminal lock time restrictions where:
For example, to bypass LOCKTIME security for terminal K06L3544, enter:
TSS MODIFY FACILITY(CICSTEST=BYPADD(LOCKTIME=K06L3544))
To bypass LOCKTIME security for transaction PUBL, enter:
TSS MODIFY FACILITY(CICSTEST=BYPADD(LOCKTIME=PUBL))
You can selectively bypass security checks for specific resources. The following Bypass Lists contain entries that are not checked by CA Top Secret:
Contains transient data entries.
Contains file control entries (DDNAMES) for data sets. The DSNCHECK= suboption must be set to YES.
Contains File Control Table entries (DDNAMES). The DSNCHECK= suboption must be set to NO.
Contains Journal Control Table entries (journal names).
Contains interval control started transaction identifiers.
Contains program entries.
Contains PSB entries.
Contains transaction identifiers.
Contains Temporary Storage entries (queue names).
Contains document template entries.
Copyright © 2014 CA Technologies.
All rights reserved.