To obtain the security features in the following sections, you must ensure that the transaction CEMT has the PCT/RDO parameter RESSEC=NO. It is not necessary to separately secure the CEMT transaction through LCF or OTRAN resource checks. Instead, CEMT is secured in CA Top Secret mainly through a special SPI (Set, Perform, Inquire) resource class. Individual SPI resources are constructed from CEMT “keywords” to control the “action” in a CEMT command.
The table, SPI Access Levels for CEMT, shows the CA Top Secret ACCESS level required to execute “action” verbs in the CEMT syntax shown below.
CEMT action.keyword [(resource‑name)] [keyword‑operand value]
The table, SPI Resource Keywords, shows the correspondence between CEMT keywords and CA Top Secret SPI resource names. Because some actions in CEMT generate displays of individual resources, and allow the alteration of those resources displayed on the screen, CA Top Secret performs individual resource checks for certain resources, which are summarized in the table, CEMT Secondary Resource Checks.
The following table lists valid SPI access levels for CEMT commands:
| CEMT Action | SPI Access Level |
|---|---|
| INQUIRE | INQUIRE |
| PERFORM | PERFORM |
| SET | SET |
| DISCARD | DISCARD |
CEMT commands have keywords relating to a specific set of actions. The next section describes how CA Top Secret secures each keyword and its associated action.
The following table lists the CEMT command keywords and their associated SPI resource names:
| Command Keyword | SPI Keyword |
|---|---|
| 'Blanks' (default) | SPI(SYSTEM) |
| ATOMSERVICE | SPI(ATOMSERV) |
| AUTINSTMODEL | SPI(AUTINSTM) |
| AUTOINSTALL | SPI(AUTOINST) |
| AUXTRACE | SPI(TRACEDES) |
| BEAN | SPI(BEAN) |
| BRFACILITY | SPI(BRFACILI) |
| BUNDLE | SPI(BUNDLE) |
| CAPTURESPEC | SPEC(CAPTURES) |
| CFDTPOOL | SPI(CFDTPOOL) |
| CLASSCACHE | SPI(CLASSCAC) |
| CONNECTION | SPI(CONNECTI) |
| CORBASERVER | SPI(CORBASER) |
| DB2CONN | SPI(DB2CONN) |
| DB2ENTRY | SPI(DB2ENTRY) |
| DB2TRAN | SPI(DB2TRAN) |
| DELETSHIPPED | SPI(DELETSHI) |
| DELTSHIPPED | SPI(DELTSHIP) |
| DISPATCHER | SPI(DISPATCH) |
| DJAR | SPI(DJAR) |
| DLIDATABASE | SPI(DLIDATAB) |
| DOCTEMPLATE | SPI(DOCTEMPL) |
| DSA | SPI(SYSTEM) |
| DSNAME | SPI(DSNAME) |
| DUMP | SPI(DUMP) |
| DUMPDS | SPI(DUMPDS) |
| EPADAPTER | SPI(EPADAPTE) |
| ENQ | SPI(UOWENQ) |
| ENQMODEL | SPI(ENQMODEL) |
| EVENTBINDING | SPI(EVENTBIN) |
| EVENTPROCESS | SPI(EVENTPRO) |
| EXCI | SPI(EXCI) |
| FECONNECTION | SPI(FEPIRESO) |
| FENODE | SPI(FEPIRESO) |
| FEPOOL | SPI(FEPIRESO) |
| FEPROPSET | SPI(FEPIRESO) |
| FETARGET | SPI(FEPIRESO) |
| FILE | SPI(FILE) |
| GTFTRACE | SPI(TRACEDES) |
| HOST | SPI(HOST) |
| INTTRACE | SPI(TRACEDES) |
| IPCONN | SPI(IPCONN) |
| IRBATCH | SPI(IRBATCH) |
| IRC | SPI(IRC) |
| JMODEL | SPI(JMODEL) |
| JOURNALNAME/JOURNALNUM | SPI(JOURNAL) |
| JVM | SPI(JVM) |
| JVMPOOL | SPI(JVMPOOL) |
| JVMSERVER | SPI(JVMSERVE) |
| LIBRARY | SPI(LIBRARY) |
| LINE | SPI(LINE) |
| LSRPOOL | SPI(LSRPOOL) |
| MAPSET | SPI(MAPSET) |
| MODENAME | SPI(MODENAME) |
| MONITOR | SPI(MONITOR) |
| MQCONN | SPI(MQCONN) |
| MQINI | SPI(MQINI) |
| NETNAME | SPI(TERMINAL) |
| PARTNER | SPI(PARTNER) |
| PARTITIONSET | SPI(PARTITIO) |
| PIPELINE | SPI(PIPELINE) |
| PITRACE | SPI(PITRACE) |
| PROCESSTYPE | SPI(PROCESST) |
| PROFILE | SPI(PROFILE) |
| PROGRAM | SPI(PROGRAM) |
| REQUESTMODEL | SPI(REQUESTM) |
| RRMS | SPI(RRMS) |
| SESSIONS | SPI(SESSIONS) |
| STATISTICS | SPI(STATISTI) |
| STORAGE | SPI(STORAGE) |
| STREAMNAME | SPI(STREAMNA) |
| SUBPOOL | SPI(SUBPOOL) |
| SYSDUMPCODE | SPI(SYSDUMPC) |
| SYSTEM | SPI(SYSTEM) |
| TASK | SPI(TASK) |
| TCLASS | SPI(TCLASS) |
| TCPIP | SPI(TCPIP) |
| TCPIPSERVICE | SPI(TCPIPSER) |
| TDQUEUE | SPI(TDQUEUE) |
| TEMPSTORAGE | SPI(TEMPSTOR) |
| TERMINAL | SPI(TERMINAL) |
| TRANSACTION | SPI(TRANSACT) |
| TRDUMPCODE | SPI(TRANDUMP) |
| TSPOOL | SPI(TSPOOL) |
| TSQNAME | SPI(TSQNAME) |
| TSQUEUE | SPI(TSQUEUE) |
| TYPETERM | SPI(TYPETERM) |
| UOW | SPI(UOW) |
| UOWDSNFAIL | SPI(UOWDSNFA) |
| UOWENQ | SPI(UOWENQ) |
| UOWLINK | SPI(UOWLINK) |
| URIMAP | SPI(URIMAP) |
| VOLUME | SPI(VOLUME) |
| VTAM | SPI(VTAM) |
| WEB | SPI(WEB) |
| WEBSERVICE | SPI(WEBSERVI) |
| WORKREQUEST | SPI(WORKREQU) |
| XMLTRANSFORM | SPI(XMLTRANS) |
Examples: Securing CICS
In this example, the user only has permission to execute the CEMT INQUIRE SYSTEM or CEMT INQUIRE commands, since SYSTEM is the default if no function is specified:
TSS ADDTO(deptacid) SPI(SYSTEM)
TSS PERMIT(acidname) SPI(SYSTEM) ACCESS(INQUIRE)
In this example, the user only has permission to execute CEMT INQUIRE DUMP commands:
TSS ADDTO(deptacid) SPI(DUMPDS)
TSS PERMIT(acidname) SPI(DUMPDS) ACCESS(INQUIRE)
In this example, the user only has permission to execute CEMT INQUIRE AUTOINSTALL commands:
TSS ADDTO(deptacid) SPI(AUTOINST)
TSS PERMIT(acidname) SPI(AUTOINST) ACCESS(INQUIRE)
Note: Although authorization to SPI resources can be specified for up to 44 characters, ownership of the resource is limited to eight characters.
In this example, the user only has permission to execute CEMT SET VTAM OPEN commands:
TSS ADDTO(deptacid) SPI(VTAM)
TSS PERMIT(acidname) SPI(VTAM) ACCESS(SET)
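Because several CEMT keywords share one SPI resource name, a single PERMIT can authorize more commands than the keyword it was written for. The following audit helper is an added example, not CA Top Secret code: it resolves a CEMT command to the SPI check described above and expands each permit to the keywords it covers. It assumes full-form action verbs, a comma-separated ACCESS list, and that each access level is granted independently (the page states no hierarchy); the ACIDs and permits are constructed.

```python
import re

# Subset of this page's SPI Resource Keywords table; "" is the blank keyword.
KEYWORD_TO_SPI = {
    "": "SYSTEM", "DSA": "SYSTEM", "SYSTEM": "SYSTEM",
    "AUXTRACE": "TRACEDES", "GTFTRACE": "TRACEDES", "INTTRACE": "TRACEDES",
    "NETNAME": "TERMINAL", "TERMINAL": "TERMINAL",
    "ENQ": "UOWENQ", "UOWENQ": "UOWENQ",
    "AUTOINSTALL": "AUTOINST", "DUMPDS": "DUMPDS", "VTAM": "VTAM",
}
ACTIONS = {"INQUIRE", "PERFORM", "SET", "DISCARD"}
# Assumption: ACCESS may carry a comma-separated list of levels.
PERMIT_RE = re.compile(
    r"TSS\s+PERMIT\((\w+)\)\s+SPI\((\w+)\)\s+ACCESS\(([\w,]+)\)", re.I)

# Constructed permits; OPER01 and NETOP1 are hypothetical ACIDs.
SAMPLE = """
TSS PERMIT(OPER01) SPI(SYSTEM) ACCESS(INQUIRE)
TSS PERMIT(OPER01) SPI(TRACEDES) ACCESS(INQUIRE,SET)
TSS PERMIT(NETOP1) SPI(VTAM) ACCESS(SET)
"""

def required_check(command):
    """Return (spi_resource, access_level) needed for a CEMT command."""
    # Drop "(resource-name)" so only action, keyword and operands remain.
    words = re.sub(r"\(.*?\)", " ", command.upper()).split()
    if len(words) < 2 or words[0] != "CEMT" or words[1] not in ACTIONS:
        raise ValueError(f"not a full-form CEMT command: {command!r}")
    keyword = words[2] if len(words) > 2 else ""  # blank defaults to SYSTEM
    if keyword not in KEYWORD_TO_SPI:
        raise ValueError(f"keyword not in the embedded subset: {keyword}")
    return KEYWORD_TO_SPI[keyword], words[1]

def parse_permits(text):
    """Map ACID -> set of (spi_resource, access_level) from TSS PERMIT lines."""
    grants = {}
    for acid, res, levels in PERMIT_RE.findall(text):
        for level in levels.upper().split(","):
            grants.setdefault(acid.upper(), set()).add((res.upper(), level))
    return grants

def is_allowed(grants, acid, command):
    # Assumption: levels are independent, so SET does not imply INQUIRE.
    return required_check(command) in grants.get(acid.upper(), set())

def commands_covered(grants, acid):
    """Expand each grant to every 'action keyword' pair it authorizes."""
    return sorted(f"{lvl} {kw}".strip()
                  for res, lvl in grants.get(acid.upper(), set())
                  for kw, spi in KEYWORD_TO_SPI.items() if spi == res)
```

For OPER01, `commands_covered` shows that the single TRACEDES permit reaches AUXTRACE, GTFTRACE and INTTRACE for both INQUIRE and SET, which is the kind of overlap to look for when reviewing permits for least privilege.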
Copyright © 2014 CA Technologies. All rights reserved.