ADDTO Function—Add Resource Ownership and Attributes

Command Functions › ADDTO Function—Add Resource Ownership and Attributes

ADDTO Function—Add Resource Ownership and Attributes

Valid on z/OS, z/VSE, and z/VM.

Use the ADDTO command function to perform the following activities:

Assign resource ownership or special attributes to a defined ACID.
Define started tasks to CA Top Secret.
Add to the Audit Record a resource that CA Top Secret will audit.
Authorize an ACID to use specific facilities.
Connect profiles to users.
Grant access to non‑ownable installation‑defined resources.
Prohibit an ACID from using a specific set of commands or transactions (or confine an ACID to a specific set of commands or transactions).
Add new resource classes to the Resource Descriptor Table (RDT).
Add new fields to the Field Descriptor Table (FDT).
Assign PassTickets, Node, NETUAF and volume records to the Node Descriptor Table (NDT).
Identify which LUs can participate in APPC conversations by adding them to the APPCLU Record.

Issuing the ADDTO command function to suspend a signed-on ACID or add a profile to a signed-on ACID automatically triggers a type 71 RACF Event Notifications (ENF) signal, which provides notification about the change to the ACID's security record. Applications that receive the signal can take action (for example, immediately refresh the ACID's security record in a CICS remote region).

Administrators must have:

Appropriate RESOURCE(OWN) authority to add ownership of resources from ACIDs within their scope
MISC1, MISC2, or MISC9 authority to assign many of the security attributes to ACIDs within their scope

ACID authorities determine the levels at which administrators can manage ACIDs within their scope.

This command function has the following format:

TSS ADDTO(acid) keyword[(operand)]

acid: Specifies the ACID to which the resource or attribute is assigned.
keyword: Specifies a keyword that indicates the type of resource or attribute being assigned.
operand: Specifies the specific prefix, name, or value of resource or attribute being assigned. An operand might be required, depending on the specific keyword.

More information:

ADDTO Applicable Keywords

Resource Ownership

Resource ownership means that the user, profile, or control ACID has an access level of ALL. To avoid granting unlimited access to individual users or profiles:

Use the ADDTO command function to assign resource ownership to department or division ACIDs
Use the PERMIT command function to authorize full or restricted resource access for other ACIDs (non‑owners)

If the resource is:

New (undefined), the ADDTO command function defines the resource by assigning ownership to the ACID specified in the command function
Owned by another ACID, the ADDTO command function transfers ownership to the ACID specified in the command function and permits the old owner full access to the resource

To permit access to all owned resources within a NOMASK resource class use the special resource name:

*ALL*

To permit resource classes with the MASK attribute use the resource name:

????

For classes with the MASK attribute:

The minimum length of a resource that can be owned is two characters
Ownership of a masking character cannot be defined unless the first character is a masking character

Examples: resource ownership

This example defines the resource by assigning ownership to the ACID:

TSS ADDTO(ACID1) DSNAME(USER)

This example transfers ownership of data set USER01 from ACID1 to ACID2:

TSS ADDTO(ACID2) DSNAME(USER01)
                 UNDERCUT

This example prevents automatic permission with the NOPERMIT keyword:

TSS ADDTO(ACID2) DSNAME(USER)
                 UNDERCUT
                 NOPERMIT

Assign Attributes

Adding an attribute to a user or profile ACID assigns special authorities or restrictions to that ACID.

Example: assigning an attribute

This example gives a user the ability to modify control options by adding the CONSOLE attribute:

TSS ADDTO(USER2) CONSOLE

ADDTO Applicable Keywords

This command function uses the keywords:

ACTION, ACTIVE, AFTER|BEFORE, ASSIZE, ASUSPEND, AUDIT, CALENDAR, CERTMAP, COMMAND, CONSOLE, CONVSEC, CNFAPP, CNFUVAR, CRITERIA, CRITMAP, DAYS, DAYS (For Calendars), DCDSN, DEFAULT, DEFNODES, DEFTKTLF, DFLTGRP, DIGICERT, DUFUPD, DUFXTR, EIMDOMAIN, EIMLOCREG, EIMOPTION, EIMPROF, EXPIRE, FACILITY, FIRST, FOR, GAP, GID, GROUP, HOME, ICSF, IDNFILTR, IESFL1, IESFL2, IESINIT, IESSYNM, IESTYPE, IESVCAT, IMSMSC, INSTDATA, INTERVAL, JOBNAME, KERBLINK, KERBNAME, KERBPASS, KERBUSER, KERBVIO, KEYRING, LABLCERT, LABLCMAP, LABLRING, LANGUAGE, LDAPDEST, LDS, LINKID, LINKNAME, LINUXNAM, LTIME, MASTFAC, MATCHLIM, MAXTKTLF, MCSALTG, MCSAUTH, MCSAUTO, MCSCMDS, MCSDOM, MCSKEY, MCSLEVL, MCSHC, MCSMFRM, MCSMGID, MCSMON, MCSROUT, MCSSTOR, MCSUD, MEMLIMIT, MINIKTLF, MMAPAREA, MODE, MRO, MULTIPW, NOADSP, NOATS, NODES, NODSNCHK, NOLCFCHK, NOPERMIT, NOPWCHG, NOREFRESH, NORESCHK, NOSUBCHK, NOSUSPEND, NOVMDCHK, NOVOLCHK, OECPUTM, OEFILEP, OIDCARD, OMVSPGM, OPCLASS, OPIDENT, OPPRTY, PASSWORD, PHYSKEY, PROCNAME, PROCUSER, PROFILE, PRXBINDDN, PRXBINDPW, PRXLDAPHST, PRXKRBREG, PRX509KRB, PSTKAPPL, PSUSPEND, REALMNAME, RESOWNER, RETAIN, RINGDATA, SCTYKEY, SDNFILTR, SESSKEY, SESSLOCK, SIGNMULTI, SHMEMMAX, SITRAN, SMSAPPL, SMSDATA, SMSMGMT, SMSSTOR, SNAME, SOURCE, START, STCACT, SUSPEND, SYSID, TARGET, THREADS, TIMEREC, TIME, TRACE, TRANSACTIONS, TRUST, TSOCOMMAND, TSODEFPRFG, TSODEST, TSOHCLASS, TSOJCLASS, TSOLACCT, TSOLPROC, TSOLSIZE, TSOMCLASS, TSOMPW, TSOMSIZE, TSOOPT, TSOSCLASS, TSOUDATA, TSOUNIT, TZONE, UID, UNAME, UNDERCUT, UNTIL, USAGE, USER, VSECATBT, VSEMCON, VSERDD, VSESYSAD, VSUSPEND, WAACCNT, WAADDR1, WAADDR2, WAADDR3, WAADDR4, WABLDG, WADEPT, WAIT, WAROOM, WANAME, XCOMMAND, XSUSPEND, and XTRANSACTIONS.