
Restricted Administrative Authorities

The CASECAUT resource class enables users with no administrative authorities to change certain password-related fields and issue digital certificate, keyring, and token commands for users within their scope.

CASECAUT authorities supplement existing administrative authorities, with the following qualifications:

RACROUTE authorization checks in the CASECAUT class are issued in addition to (not instead of) the existing ADMIN authority checks. The CASECAUT RACROUTE access check is issued only when the existing ADMIN authority check fails. The NORESCHK attribute is not honored for the CASECAUT resource class.

Required CASECAUT Authorizations for Changing Password Fields

If given proper access to the TSSCMD.USER.cmd.field entity in the CASECAUT resource class, users with no administrative authorities can change certain password-related fields for users within their scope. An administrator grants access to this entity with a PERMIT command.

The following table shows the authorizations that are needed to change password-related fields.

Note: An access level of UPDATE is required. Always replace cmd with the full command name or with * (to apply to all commands).

Field Name        CASECAUT Entity Name                 Applicable Commands for cmd Qualifier
ASUSPEND          TSSCMD.USER.cmd.ASUSPEND             REMOVE
KERBVIO           TSSCMD.USER.cmd.KERBVIO              REMOVE
NOPW              TSSCMD.USER.cmd.NOPW                 CREATE, ADDTO, or REMOVE
NOPWCHG           TSSCMD.USER.cmd.NOPWCHG              CREATE, ADDTO, or REMOVE
PASSWORD          TSSCMD.USER.cmd.PASSWORD             CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.NO           CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.EXP          CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.INT          CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.ZEROINT      CREATE, ADDTO, or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.HISTBYP      ADDTO or REPLACE
PASSWORD(newpw)   TSSCMD.USER.cmd.PWADMIN.TS           ADDTO or REPLACE
PHRASE            TSSCMD.USER.cmd.PHRASE               CREATE, ADDTO, or REPLACE
PSUSPEND          TSSCMD.USER.cmd.PSUSPEND             ADDTO or REMOVE
SUSPEND           TSSCMD.USER.cmd.SUSPEND              CREATE, ADDTO, or REMOVE
VSUSPEND          TSSCMD.USER.cmd.VSUSPEND             ADDTO or REMOVE
XSUSPEND          TSSCMD.USER.cmd.XSUSPEND             ADDTO or REMOVE

Example: Allow a User to Change the PASSWORD field for Any User within Scope

This example allows user DCA01 to change the PASSWORD field for any user within scope:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(UPDATE)

Example: Allow a User to Change All Password-Related Fields for Any User within Scope

This example allows user DCA01 to change all password-related fields for any user within scope:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.USER.REPLACE.*) ACCESS(UPDATE)

Example: Allow a User to Set the PASSWORD Field to NOPW for Any User within Scope

This example allows user DCA01 to set the PASSWORD field to NOPW for any user within scope:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.USER.REPLACE.NOPW) ACCESS(UPDATE)

Example: Allow an SCA User to Change the PASSWORD Field for the MSCA

This example allows SCA user SCA01 to change the PASSWORD field for the MSCA:

TSS PERMIT(SCA01) CASECAUT(TSSCMD.USER.REPLACE.MSCAPW) ACCESS(UPDATE)

Required CASECAUT Authorizations for Issuing Digital Certificate and Keyring Commands

If given proper access to the TSSCMD.CERTUSER.function entity in the CASECAUT resource class, users with no administrative authorities can issue certain digital certificate, keyring, and token commands for users within their scope. An administrator grants access to this entity with a PERMIT command.

The following table shows the authorizations that are needed to issue digital certificate and keyring-related commands.

Note: An access level of UPDATE is required. If the command applies to a CERTAUTH ACID, replace the second qualifier, CERTUSER, with CERTAUTH. If the command applies to a CERTSITE ACID, replace CERTUSER with CERTSITE.

Command     CASECAUT Entity Name
ADD         TSSCMD.CERTUSER.ADDTO
CHKCERT     TSSCMD.CERTUSER.CHKCERT
EXPORT      TSSCMD.CERTUSER.EXPORT
GENCERT     TSSCMD.CERTUSER.GENCERT
GENREQ      TSSCMD.CERTUSER.GENREQ
P11TOKEN    TSSCMD.DIGTCRT.P11TOKEN.tokencmd
REKEY       TSSCMD.CERTUSER.REKEY
REMOVE      TSSCMD.CERTUSER.REMOVE
ROLLOVER    TSSCMD.CERTUSER.ROLLOVER

Example: Allow a User to Add a Digital Certificate to Any User within Scope

This example allows user DCA01 to add a digital certificate to any user within scope:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.CERTUSER.ADDTO) ACCESS(UPDATE)

Example: Allow a User to Add a Digital Certificate to the CERTSITE ACID

This example allows user DCA01 to add a digital certificate to the CERTSITE ACID:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.CERTSITE.ADDTO) ACCESS(UPDATE)

Example: Allow a User to Generate a Digital Certificate for Any User within Scope

This example allows user DCA01 to generate a digital certificate for any user within scope:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.CERTUSER.GENCERT) ACCESS(UPDATE)

Example: Allow a User to Add a P11TOKEN

This example allows user DCA01 to add a P11TOKEN:

TSS PERMIT(DCA01) CASECAUT(TSSCMD.DIGTCERT.P11TOKEN.ADDTO) ACCESS(UPDATE)
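The two tables above (password-related fields and certificate/keyring commands) and the PERMIT examples can be turned into a small least-privilege check. The following is an added example, not code from the CA Top Secret documentation or product: it derives the CASECAUT entity a scoped user needs for a given command and field or ACID type, then checks constructed sample PERMIT grants against it. The '*' masking rule for qualifiers, the ordering of TSS access levels, and the sample grants are assumptions made for the example.

```python
# Added example (not from the CA Top Secret documentation): derive the CASECAUT entity
# a scoped user needs, then check it against PERMIT grants, honoring the '*' cmd qualifier.

# Password-related field -> applicable commands (first table above).
PASSWORD_FIELDS = {
    "ASUSPEND": {"REMOVE"}, "KERBVIO": {"REMOVE"},
    "NOPW": {"CREATE", "ADDTO", "REMOVE"}, "NOPWCHG": {"CREATE", "ADDTO", "REMOVE"},
    "PASSWORD": {"CREATE", "ADDTO", "REPLACE"}, "PHRASE": {"CREATE", "ADDTO", "REPLACE"},
    "PSUSPEND": {"ADDTO", "REMOVE"}, "SUSPEND": {"CREATE", "ADDTO", "REMOVE"},
    "VSUSPEND": {"ADDTO", "REMOVE"}, "XSUSPEND": {"ADDTO", "REMOVE"},
}
# Certificate/keyring command -> third qualifier (second table above; P11TOKEN omitted).
CERT_COMMANDS = {"ADD": "ADDTO", "CHKCERT": "CHKCERT", "EXPORT": "EXPORT",
                 "GENCERT": "GENCERT", "GENREQ": "GENREQ", "REKEY": "REKEY",
                 "REMOVE": "REMOVE", "ROLLOVER": "ROLLOVER"}
# Assumption: TSS access levels rank so that any level at or above UPDATE satisfies UPDATE.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALL": 4}

def password_entity(cmd, field):
    """Entity needed to change `field` with TSS command `cmd`; None if not applicable."""
    return f"TSSCMD.USER.{cmd}.{field}" if cmd in PASSWORD_FIELDS.get(field, ()) else None

def cert_entity(cmd, acid_type="CERTUSER"):
    """Entity for a certificate command; second qualifier is CERTUSER, CERTAUTH or CERTSITE."""
    if acid_type not in ("CERTUSER", "CERTAUTH", "CERTSITE") or cmd not in CERT_COMMANDS:
        return None
    return f"TSSCMD.{acid_type}.{CERT_COMMANDS[cmd]}"

def matches(pattern, entity):
    """Qualifier-by-qualifier match. Assumed masking rule: '*' matches one whole
    qualifier, and a trailing '*' also covers any further qualifiers (e.g. PWADMIN.NO)."""
    pq, eq = pattern.split("."), entity.split(".")
    if len(pq) > len(eq) or (len(pq) < len(eq) and pq[-1] != "*"):
        return False
    return all(p in ("*", e) for p, e in zip(pq, eq))

def is_permitted(entity, grants):
    """grants: (entity_pattern, access) pairs as issued with TSS PERMIT; UPDATE is required."""
    return any(matches(pat, entity) and ACCESS_RANK.get(acc, 0) >= ACCESS_RANK["UPDATE"]
               for pat, acc in grants)

def overly_broad(grants):
    """Least-privilege review: grants that mask the command or the field/function qualifier."""
    return [pat for pat, _ in grants if "*" in pat.split(".")[2:]]

# Constructed sample grants, modelled on the PERMIT examples on this page.
SAMPLE_GRANTS = [("TSSCMD.USER.REPLACE.PASSWORD", "UPDATE"), ("TSSCMD.USER.REPLACE.*", "UPDATE"),
                 ("TSSCMD.CERTSITE.ADDTO", "UPDATE"), ("TSSCMD.USER.REMOVE.SUSPEND", "READ")]
```

Running overly_broad over a real extract of PERMIT grants is the review step a defender wants: a '*' in the command or field position grants every password-related change at once, so it should be a deliberate decision rather than an accident.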