The CA Top Secret administrative hierarchy has seven levels. The first six levels represent ACIDs whose primary function is to control security administration.
Note: All control ACIDs, including the MSCA, go through CA Top Secret password checking, even in DORMANT mode.
The MSCA is referred to as the Master Central Security Administrator. There can be only a single MSCA.
The MSCA's ACID is pre-defined; it exists as soon as the Security File is created through TSSMAINT. The MSCA's ACID cannot be deleted, although it can be renamed.
An MSCA has unlimited scope. Only an MSCA has implicit unlimited administrative authority. Only the MSCA can create SCAs.
The MSCA can log on or initiate with only password checking in force; no expiration, facility, source, or terminal checking is performed by CA Top Secret.
The SCA is referred to as the Central Security Administrator. An SCA is not associated with any specific zone, division, or department but has unlimited scope. Most sites define only a few SCAs. We recommend that you create one “secondary” central security administrator, as a backup to the MSCA. An SCA, with this authority, can do almost everything except define another SCA or change the administrative authority of an existing ACID.
An LSCA is not associated with any specific zone, division, or department. It has the same capabilities as an SCA but rules of scope checking apply.
Only a central security administrator can establish zonal administrators. Each ZCA is associated with a particular zone. A ZCA can perform administrative tasks for the divisions, departments, users, and profiles linked to this zone. A zone may have several ZCAs, or under a centralized administrative system, no ZCAs. In the latter case, a central security administrator must perform the administrative requirements for this zone.
A central security administrator can establish divisional administrators. Each VCA is associated with a particular division. A VCA can perform administrative tasks for the departments, users, and profiles linked to this division.
A division may have several VCAs, or under a centralized administrative system, no VCAs. In the latter case, a central security administrator or ZCA must perform the administrative requirements for this division.
Departmental administrators can be established by a central security administrator or a VCA for a department that is linked to that VCA's division. The responsibilities that can be performed by a DCA include administrative tasks for the users and profiles that belong to this department.
A department may have several DCAs or no DCAs. In the latter case, the administrative requirements for this department have to be performed by either a central security administrator or the appropriate ZCA or VCA.
Any administrator with ACID(CREATE) administrative authority can establish users. While you can assign a user most types of administrative authority, the user's scope is always limited to itself. In general, we advise you to allow a user minimal administrative authority, leaving administrative functions with control ACIDs.
While you can give users administrative authority (limited to themselves), their primary function is to perform work. Control ACIDs can perform work, but this function should be secondary.
Copyright © 2014 CA Technologies.
All rights reserved.