By default, users defined to the TSO facility will have access to all TSO commands and programs until restrictions are placed on an individual or group of users.
CA Top Secret provides three methods for protecting TSO commands or command subsets:
Certain TSO commands remain unconditionally accessible to all ACIDs. Restrictions cannot be placed on the TSO commands listed below:
The TSO CALL command cannot be restricted. To protect a program that is CALLed, place the name of the program in the LCF list.
All TSO commands can be restricted through the FACILITY control option operand XDEF. If your installation specifies FACILITY(TSO=XDEF), all TSO commands must be defined to a user or profile through an LCF CMD list before they can be used.
By default, TSO commands are authorized to all users via the FACILITY control option operand NOXDEF. If your installation prefers to restrict TSO commands, you must change the FACILITY(TSO=NOXDEF) parameter to FACILITY(TSO=XDEF).
The Limited Command Facility (LCF) consists of the CA Top Secret keywords:
COMMAND: An inclusive LCF list (the ACID may use only the listed commands).
XCOMMAND: An exclusive LCF list (the ACID may use any command except those listed).
Due to the CA Top Secret algorithm for settling command authorization discrepancies, you should select either COMMAND or XCOMMAND to restrict TSO commands. Otherwise, if an ACID's Security Record lists both a COMMAND and an XCOMMAND restriction for the same TSO command, COMMAND overrides XCOMMAND. In that situation, CA Top Secret ignores the XCOMMAND restriction and allows access.
LCF is also the vehicle for replacing the command limiting functions of the PCF program product. Use either inclusive (the COMMAND keyword) or exclusive (XCOMMAND keyword) command lists to limit usage.
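The following is an added example, not CA Top Secret code: a small Python model of the LCF decision rules described above (unrestrictable commands such as CALL, inclusive COMMAND lists, exclusive XCOMMAND lists, the COMMAND-overrides-XCOMMAND rule, and the XDEF/NOXDEF default), plus an audit check that flags ACID records listing the same command in both keywords. The sample ACID records and the exact interpretation of inclusive and exclusive lists are assumptions drawn from the text.

```python
# Added example: a model of the LCF rules described on this page.
# Not CA Top Secret code; list semantics and sample records are assumptions.
from dataclasses import dataclass, field

# Commands the page states cannot be restricted (only CALL is named here;
# add the others from the installation's unrestrictable list).
UNRESTRICTABLE = {"CALL"}


@dataclass
class AcidRecord:
    """Constructed stand-in for the LCF part of an ACID's Security Record."""
    name: str
    command: set = field(default_factory=set)   # inclusive list (COMMAND)
    xcommand: set = field(default_factory=set)  # exclusive list (XCOMMAND)


def lcf_allows(rec: AcidRecord, tso_cmd: str, xdef: bool) -> bool:
    """Return True if the ACID may issue tso_cmd under the modelled rules."""
    cmd = tso_cmd.upper()
    if cmd in UNRESTRICTABLE:
        return True                     # e.g. CALL: protect the program instead
    if cmd in rec.command:
        return True                     # COMMAND wins even if also in XCOMMAND
    if xdef:
        return False                    # XDEF: only explicitly listed commands
    if rec.command:
        return False                    # inclusive list present, not listed: deny
    return cmd not in rec.xcommand      # NOXDEF: allowed unless excluded


def conflicting_entries(rec: AcidRecord) -> set:
    """Commands present in both COMMAND and XCOMMAND. The XCOMMAND entry is
    silently ignored and access is granted, so an auditor should flag these."""
    return rec.command & rec.xcommand


# Constructed sample records (hypothetical ACIDs and commands).
DEV = AcidRecord("DEV01", command={"LISTCAT", "SUBMIT"})
OPS = AcidRecord("OPS01", xcommand={"SUBMIT"})
MIXED = AcidRecord("MIX01", command={"SUBMIT"}, xcommand={"SUBMIT"})

if __name__ == "__main__":
    for rec in (DEV, OPS, MIXED):
        print(rec.name, "SUBMIT allowed:", lcf_allows(rec, "SUBMIT", xdef=False),
              "conflicts:", conflicting_entries(rec))
```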
TSO commands execute specific programs. Instead of maintaining LCF lists (which protect the TSO commands), you can protect the programs that the commands execute. An advantage of using program protection for IBM programs is the assurance that an ACID cannot gain access to a TSO command through an LCF list restriction discrepancy.
Ownership provides protection: adding a program to an ACID makes that ACID its owner. Programs must be owned at a divisional or departmental level. As a result, users must be authorized before they can access the program.
To protect a program, enter:
TSS tssfunc(acid) PROGRAM(ppp,ppp,...,ppp)
where:
tssfunc: A TSS function, for example ADD or CREATE.
acid: A particular ACID.
ppp: A program name or prefix.
Example: protecting a program
In this example all programs prefixed by IEH are protected:
TSS ADDTO(CORPDV) PROGRAM(IEH)
TSO users do not automatically have access to data sets starting with their TSO userid (ACID). Two common methods used to allow access are:
Method 1, for an individual ACID:
TSS ADDTO(acid) DSNAME(acid.) ACCESS(ALL)
Method 2, for all TSO users at once:
TSS PERMIT(ALL) DSNAME(%.) ACCESS(ALL) FACILITY(TSO)
The prefix "%." is a masking character that allows the use of data sets beginning with the requesting user's own ACID. Note that, if masking characters are used, the prefix (%.) must be owned by the MSCA ACID before any PERMITs can be issued.
Copyright © 2013 CA Technologies.
All rights reserved.