

Define Command-level Security Using CA Top Secret

To implement command‑level security:

  1. Create a facility entry for OMEGAMON with the following facility options: MULTIUSER, PGM=KOB.
  2. Add the OMEGAMON facility to users, as shown below.
    TSS ADDTO(acid) FACILITY(OMEGAMON)
    

    acid is the user's ACID.

  3. Define a resource class to the RDT for Omegamon as shown below.
    TSS ADDTO(RDT) RESCLASS(KOMCANDL) RESCODE(nn)
    

    nn is any hexadecimal code between 01 and 3F that is not currently being used for another user‑defined resource.

    Note: The resource class name does not have to be KOMCANDL. However, the name you choose must be used consistently as the resource class in the commands for steps 4 through 7, which follow.

  4. Give ownership of the resource class using INITIAL as a prefix.
    TSS ADDTO(acid) KOMCANDL(INITIAL)
    

    acid is the department ACID.

    Omegamon issues resource checks using four different levels of authority: INITIAL0, INITIAL1, INITIAL2, and INITIAL3. These levels are associated with Omegamon commands in the Command Table (see Step 8).

  5. PERMIT an Omegamon command level to users as shown below.
    TSS PERMIT(acid) KOMCANDL(INITIAL0)    For issuing level 0 commands
    TSS PERMIT(acid) KOMCANDL(INITIAL1)    For issuing level 1 commands
    TSS PERMIT(acid) KOMCANDL(INITIAL2)    For issuing level 2 commands
    TSS PERMIT(acid) KOMCANDL(INITIAL3)    For issuing level 3 commands
    TSS PERMIT(acid) KOMCANDL('INITIAL ')  To change security levels
    
    acid is the user's ACID.

    The first four authorizations lock the user into one command level and disable the /PWD command (even if the user knows the password). The last PERMIT allows a user to change security levels with the /PWD command when the password is known; the trailing blank inside the quotes is required.

    The commands a user can issue are those defined, through an Omegamon table, as belonging to that user's command level. Immediately after the RACINIT, a RACHECK is issued to assign the user a command level; Omegamon validates this assignment internally.

  6. Set up rules for each command to be protected by CA Top Secret:
    TSS ADDTO(dept) KOMCANDL(PEEK)
    TSS PERMIT(acid) KOMCANDL(PEEK)
    

    Each command you protect requires that EXTERNAL=YES be specified in the Omegamon Security Table (see Step 8).

    Note: If you are securing a command that begins with a slash (/) or a period (.), you must change the command to begin with a dollar sign ($) instead of a slash (/) and an at sign (@) instead of a period (.).

  7. Change the Omegamon RACF exit source as described below.
  8. Set up the Omegamon Security Table by modifying the control statements in member KOMSUPDI in hlq.ROMDATA as follows:

    Note: The LEVEL associated with the COMMAND control statement corresponds to the suffix associated with the INITIAL resource PERMITted to users.

    The default for EXTERNAL is NO.
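The following script is an added example, not part of the CA Top Secret or OMEGAMON documentation: it generates the TSS command sequence for steps 2 through 6 from a declarative description of users and commands, while enforcing the constraints the steps state (RESCODE within 01-3F and unused, one INITIAL level per user or the quoted 'INITIAL ' resource for level changing, and the $/@ naming rule for commands starting with / or .). All ACIDs, the RESCODE, and the command name '/SAMPLE' are constructed values; the OMEGAMON facility entry from step 1 is assumed to exist already.

```python
import re

# Added example (not from the CA Top Secret or OMEGAMON documentation): builds the
# TSS command sequence for steps 2 through 6; the step 1 facility is assumed to exist.
LEVELS = {0, 1, 2, 3}
CHANGE_LEVELS = "PWD"  # user may switch levels with /PWD instead of being locked to one

def validate_rescode(rescode: str, in_use: set[str]) -> str:
    """RESCODE must be hexadecimal 01-3F and not already used by another resource class."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}", rescode):
        raise ValueError(f"RESCODE {rescode!r} must be two hexadecimal digits")
    value = int(rescode, 16)
    if not 0x01 <= value <= 0x3F:
        raise ValueError(f"RESCODE {rescode!r} is outside 01-3F")
    if value in {int(code, 16) for code in in_use}:
        raise ValueError(f"RESCODE {rescode!r} is already assigned in the RDT")
    return f"{value:02X}"

def resource_name(command: str) -> str:
    """A command beginning with '/' or '.' is secured as '$...' or '@...' (step 6 note)."""
    return {"/": "$", ".": "@"}.get(command[0], command[0]) + command[1:]

def build_tss_commands(resclass, rescode, in_use, dept, users, commands):
    """users: {acid: 0..3 or CHANGE_LEVELS}; commands: {command: [acid, ...]}."""
    out = [f"TSS ADDTO(RDT) RESCLASS({resclass}) RESCODE({validate_rescode(rescode, in_use)})",
           f"TSS ADDTO({dept}) {resclass}(INITIAL)"]  # department owns the class (step 4)
    for acid, level in users.items():
        out.append(f"TSS ADDTO({acid}) FACILITY(OMEGAMON)")
        if level == CHANGE_LEVELS:
            out.append(f"TSS PERMIT({acid}) {resclass}('INITIAL ')")  # trailing blank required
        elif level in LEVELS:
            out.append(f"TSS PERMIT({acid}) {resclass}(INITIAL{level})")  # locked to one level
        else:
            raise ValueError(f"{acid}: level must be 0-3 or {CHANGE_LEVELS!r}")
    for command, acids in commands.items():
        unknown = set(acids) - set(users)
        if unknown:
            raise ValueError(f"{command}: ACIDs {sorted(unknown)} have no command level")
        name = resource_name(command)
        out.append(f"TSS ADDTO({dept}) {resclass}({name})")
        out.extend(f"TSS PERMIT({acid}) {resclass}({name})" for acid in acids)
    return out

if __name__ == "__main__":
    # Constructed sample input; '/SAMPLE' is a made-up command name that shows the $ rule.
    for line in build_tss_commands("KOMCANDL", "2a", {"01", "1F"}, "DEPT01",
                                   {"OPER1": 0, "OPER2": 2, "ADMIN1": "PWD"},
                                   {"PEEK": ["OPER2", "ADMIN1"], "/SAMPLE": ["ADMIN1"]}):
        print(line)
```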