In addition to the different layers of security that have already been discussed, CA Top Secret also provides a layer of OS/390/APPC security that is specifically designed to limit individual user access to APPC communication paths and TPs. This allows the administrator to:
APPC runs the TP under the security environment built from the security information associated with the ACID provided on the inbound request. This means that the TP will only have access to those data sets and other resources that the user would normally have access to in a batch or TSO address space initiated on the target system.
When a TP on one LU allocates a conversation request with a TP on another LU, two questions are asked by the target LU. They are:
Access to the target LU can be restricted by identifying the application name of the target LU. This is done through the APPLICATION resource. For example, if you want to restrict SMITH01 so that he can only target LU02 from his local port of LU01, you would issue:
TSS PERMIT(SMITH01) APPLICATION(LU02)
Where the APPLICATION resource class designates which users can issue a request to a particular LU, the APPCPORT resource class restricts which LU that request can be issued from. For example, if you wanted to restrict JONES01 so that he could only allocate a conversation request from LU01, you would issue:
TSS PERMIT(JONES01) APPCPORT(LU01)
The remote LUs that LU01 can establish a session with are still restricted according to the definitions listed in the APPCLU record.
Authorization to execute a particular TP is provided by the APPCTP resource class. To secure a TP you must first secure the TP profile that defines it. Once the TP profile is secured, users must be granted READ access to run the TP. For example, the following command allows USER01 to run the TPA transaction program:
TSS PERMIT(USER01) APPCTP(PAYROLL.SYS1.TPA) ACCESS(READ)
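The three checks described above (APPCPORT for the originating LU, APPLICATION for the target LU, APPCTP for the TP) can be modelled as a small audit script that reports which permits a conversation request is missing. This is an added example, not CA Top Secret code or output. It parses PERMIT commands in the form shown on this page and assumes a simplified model: all three resource classes are protected, names match exactly, only direct permits to the ACID count, and READ must be stated explicitly. The function names and the extra USER01 permits are constructed for illustration.

```python
import re

# Constructed sample: the PERMIT commands shown on this page, plus two
# constructed permits so that USER01 holds all three resource classes.
PERMITS = """\
TSS PERMIT(SMITH01) APPLICATION(LU02)
TSS PERMIT(JONES01) APPCPORT(LU01)
TSS PERMIT(USER01) APPCTP(PAYROLL.SYS1.TPA) ACCESS(READ)
TSS PERMIT(USER01) APPLICATION(LU02)
TSS PERMIT(USER01) APPCPORT(LU01)
"""

CLASSES = ("APPLICATION", "APPCPORT", "APPCTP")
_OPERAND = re.compile(r"([A-Z]+)\(([^)]*)\)")

def parse_permits(text):
    """Return {(acid, resource_class, resource_name): access}."""
    table = {}
    for line in text.splitlines():
        ops = dict(_OPERAND.findall(line.upper()))
        acid = ops.get("PERMIT")
        if not acid:
            continue
        for cls in CLASSES:
            if cls in ops:
                table[(acid, cls, ops[cls])] = ops.get("ACCESS", "")
    return table

def missing_permits(table, acid, origin_lu, target_lu, tp):
    """List the resource classes that would block this conversation request.

    Simplified model (assumption): every resource is protected, only exact
    names match, and only direct PERMITs to the ACID are considered.
    """
    missing = []
    if (acid, "APPCPORT", origin_lu) not in table:
        missing.append("APPCPORT")      # may the request come from this LU?
    if (acid, "APPLICATION", target_lu) not in table:
        missing.append("APPLICATION")   # may the user target this LU?
    if table.get((acid, "APPCTP", tp)) != "READ":
        missing.append("APPCTP")        # explicit READ is needed to run the TP
    return missing
```

An empty list means the request passes all three checks in this model; any class named in the result is a permit to review before the user can run the TP over that path.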
Copyright © 2013 CA Technologies.
All rights reserved.