

Perform a Simulated Resource Check

Simulated resource commands allow the administrator to choose the type (or class) of resource check. Resource checks for the specific resource are passed to CA Top Secret on behalf of the simulated ACID. Invoking simulation resource commands allows the administrator to test permissions on the security file without affecting the production environment.

Follow these steps:

  1. Log on to TSSSIM.
  2. (Optional) View the resource classes (and commands) that are available for simulation:

    The SPF environment includes predefined classes ($ prefix) and user-defined classes (@ prefix) in the list of available classes; however, the output for most other environments does not include user-defined classes.

    Note: If you have authority to list the contents of the RDT, you can issue the TSS LIST(RDT) command to see output that shows predefined and user-defined resource classes.

  3. (Optional) Access details for a resource class:

    The details include the qualifying parameters that are available for the resource class name.

  4. (Optional) Determine which access levels and maximum name length are permitted for a resource:
    1. Issue the following command:
      TSS LIST(RDT) RESCLASS(resource_class_name)
      
    2. Review the MAXPERMIT field (for maximum name length) and ACCESS field (for access level permissions).
  5. Perform a resource check through one of the following actions:

    Qualifying parameters are as follows.

    Note: To see the qualifying parameters that are applicable for a resource class, access the detailed help for the resource.

    ACCESS

    Specifies the name of the access level for the resource check.

    LIBRARY

    Specifies the library in which a privileged program must reside.

    NEWDSN

    Simulates a DADSM RENAME function for data sets.

    Important! To use this parameter, you must have SVC set to RENAME.

    Any rename involves authorization checks for the “old” data set ($DSN) and the “new” data set (NEWDSN). The old data set must have ACCESS(READ,SCRATCH); the new data set must have ACCESS(WRITE,CREATE).

    OWN

    Specifies that CA Top Secret should assume the resource is owned and not check the Global Resource Table to see if the resource entity (or prefix) is defined.

    Note: If the resource is not owned, access is denied (regardless of whether OWN is specified).

    Default: NOOWN

    PRIVPGM

    Specifies the program that is in control when the resource check occurs.

    SVC

    Specifies the SVC that is in control when the resource check occurs. Values are as follows:

    • ALLOCATE
    • CATALOG
    • CREATE
    • FEOV
    • OPEN
    • RENAME
    • SCRATCH

    Default: OPEN

    TRACE

    Enables the trace feature, which locates the exact permission that is causing the resource access or denial.

    Default: NOTRACE

    VOLUME

    Specifies the volume on which the data set resides.

    Note: A $DSN simulation with no VOLUME operand can produce unpredictable results.

    XACCESS

    Specifies a two-byte hexadecimal code equating to a specific access level or levels. This specification overrides the default access value that is used with the specified SVC name. Using XACCESS is convenient if you need to check a combination of access levels. For example, in an SPF environment, you cannot enter more than one access level with the ACCESS keyword.

Example: (Non-SPF Environment) Perform a Simulated Resource Check

This example shows how to perform a simulated resource check in a non-SPF environment:

After you log on to TSSSIM, enter HELP on the TSSSIM command line to produce a list of available commands, such as the commands shown in the following sample excerpt:

COMMAND   DESCRIPTION
--------- ------------------------------------
$ABS      RES CHECK - ABSTRACT RESOURCES
$ABSTRACT RES CHECK - ABSTRACT RESOURCES
$ACID     RES CHECK - ACID JOB SUBMISSION
$ALT-ACID RES CHECK - ACID JOB SUBMISSION
$APPCLU   RES CHECK - APPC LOGICAL UNITS
$APPCPORT RES CHECK - APPC PORT OF ENTRY
$APPCSI   RES CHECK - APPC SIDE INFORMATION

Enter HELP $DSN at the TSSSIM command line to produce the following detailed help for the $DSN resource class:

COMMAND NAME   =  $DSN
DESCRIPTION    =  RES CHECK - OS DATASETS
COMMAND CLASS  =  DATASET     (00C4)
RESCLASS-INDEX =  PIE,SIMULATIVE  (RV#=04)
ATTRIBUTES     =  LOGON-REQUIRED
PARAMETERS     =  ACCESS,NEWDSN
PARAMETERS     =  PRIVPGM,LIBRARY,SVC,TRACE,VOLUME,XACCESS

You can then perform a resource check on a data set named ACCTPAY.MASTER with UPDATE access:

$DSN('ACCTPAY.MASTER') VOLUME(ACCTP1) ACCESS(UPDATE)

Example: Use NEWDSN to Simulate a DADSM RENAME Function for a Data Set Name

This example uses NEWDSN to simulate a DADSM RENAME function for a z/OS data set name (with SVC set to RENAME):

$DSN('ACCTPAY.MASTER') NEWDSN('UPAY.MASTER') VOLUME(ACCTP1) SVC(RENAME) 

The rename involves authorization checks for the “old” data set ($DSN) and the “new” data set (NEWDSN). The ACCTPAY.MASTER data set has the required access level of ACCESS(READ,SCRATCH); the UPAY.MASTER data set has the required access level of ACCESS(WRITE,CREATE).

Note: For other $DSN accesses, the ACCESS level is specified without reference to a specific SVC.

Example: Use OWN to Issue a Security Check for an IUCV Communication Target

(Valid on z/VM only) This example checks on an IUCV connection to virtual machine APP17 and specifies the OWN parameter so that CA Top Secret assumes the resource is owned:

$IUCV(APP17) OWN

IUCV communication targets control the ability of users to issue an IUCV connection to the virtual machine designated by the resource name.

Example: Use PRIVPGM to Issue a Security Check for a CICS Destination Control Table (DCT)

This example issues a security check on DCT PRT6 through the privileged program ACDCT5 that resides in program library PRIVPROG.LIB:

$DCT(PRT6) PRIVPGM(ACDCT5) LIBRARY(PRIVPROG.LIB)

Example: Use TRACE to Perform a Security Check on an IMS Application

This example performs a security check on an IMS application named TEMPAY and activates the TRACE facility to locate the exact permission:

$APPL(TEMPAY) TRACE

Example: Use XACCESS to Issue a Security Check for an IMS Database Descriptor (DBD) Name

This example checks on an IMS DBD (TSTPDA) and issues an XACCESS of 88, which simulates access levels of UPDATE and DELETE:

$DBD(TSTPDA) XACCESS(88)
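
The parameter rules above (NEWDSN needs SVC set to RENAME, a $DSN simulation needs VOLUME, SVC takes one of seven values, HELP $DSN lists no OWN parameter) can be checked on a batch of simulation lines before they are entered in TSSSIM. The following Python sketch is an added example, not part of the product or of the original page; the function name check and the sample list are hypothetical, and it knows only the parameters this page describes.

```python
import re

# Parameter rules as stated on this page; anything else is reported, not guessed.
KNOWN_PARAMS = {"ACCESS", "LIBRARY", "NEWDSN", "OWN", "PRIVPGM",
                "SVC", "TRACE", "VOLUME", "XACCESS"}
SVC_VALUES = {"ALLOCATE", "CATALOG", "CREATE", "FEOV", "OPEN", "RENAME", "SCRATCH"}
DSN_PARAMS = KNOWN_PARAMS - {"OWN"}   # the PARAMETERS lines of HELP $DSN
TOKEN = re.compile(r"([$@]?[A-Z][A-Z0-9-]*)(?:\(([^()]*)\))?")

def check(line):
    """Return the list of problems in one resource-check line (empty = clean)."""
    words = line.split()
    head = TOKEN.fullmatch(words[0].upper()) if words else None
    if not head or head.group(1)[0] not in "$@" or not head.group(2):
        return ["line must start with $CLASS(resource) or @CLASS(resource)"]
    resclass, params, problems = head.group(1), {}, []
    for word in words[1:]:
        m = TOKEN.fullmatch(word.upper())
        if not m or m.group(1) not in KNOWN_PARAMS:
            problems.append(f"parameter not described on this page: {word}")
            continue
        params[m.group(1)] = (m.group(2) or "").strip("'")
    if resclass == "$DSN":
        for name in sorted(set(params) - DSN_PARAMS):
            problems.append(f"{name} is not listed by HELP $DSN")
        if "VOLUME" not in params:
            problems.append("$DSN without VOLUME can produce unpredictable results")
    svc = params.get("SVC", "OPEN")          # Default: OPEN
    if svc not in SVC_VALUES:
        problems.append(f"SVC({svc}) is not one of the listed SVC values")
    if "NEWDSN" in params and svc != "RENAME":
        problems.append("NEWDSN requires SVC(RENAME)")
    if "XACCESS" in params and not re.fullmatch(r"[0-9A-F]+", params["XACCESS"]):
        problems.append("XACCESS must be a hexadecimal code")
    return problems

# The first two lines are examples from this page; the last two are constructed.
SAMPLES = [
    "$DSN('ACCTPAY.MASTER') NEWDSN('UPAY.MASTER') VOLUME(ACCTP1) SVC(RENAME)",
    "$DBD(TSTPDA) XACCESS(88)",
    "$DSN('ACCTPAY.MASTER') NEWDSN('UPAY.MASTER')",
    "$DSN('ACCTPAY.MASTER') VOLUME(ACCTP1) OWN",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check(line) or "OK")
```
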