CA Top Secret employs the following optional system entry restrictions:
CA Top Secret protects access to system facilities—such as VM, CICS, TSO, and BATCH—by requiring that the user be authorized to use the facility. Only the MSCA can access any facility by default. All other users must be explicitly authorized to use one or more facilities through a TSS CREATE or ADDTO function. You can also prevent an ACID from performing multiple simultaneous signons.
CA Top Secret can control system entry by restricting access to terminals, readers, and CPUs. You can define the following device types to CA Top Secret and restrict entry through them:
The specific resource class name—such as VMRDR, TERMINAL or CPU—is the keyword that determines access authorizations and restrictions. The actual resource can be indicated by its full identifier or by a Generic Prefix. For example, in the “Introduction” chapter, you learned that adding TERM(PD01,PD02) to the TSS PERMIT or TSS ADD statement restricts an ACID to using only those terminals whose prefix is PD01 or PD02.
A batch job must be associated with an ACID so that CA Top Secret can determine which facilities and resources it can access and how they can be accessed. To CA Top Secret, a batch job's ACID is simply another ACID with an associated Security Record and a set of specific access authorizations. All the system entry restriction options can be specified for a User ACID, including facility, source of origin, and CPU restrictions.
For jobs submitted through the following entities:
CA Top Secret provides an additional layer of security control beyond the basic batch job validation. The focus of this security layer is whether the submitter has the authority to submit the job. That is, CA Top Secret checks whether the ACID of the submitter is authorized to submit using the ACID associated with this job. If the submitter is not authorized, the job is flushed at submission time, before the job is initiated. For more information on the VM Batch environment, see your CA Jobwatch documentation.
By default, defined users are only allowed to submit jobs for execution under their own ACID. Explicit authority is required to allow a user to execute jobs using other ACIDs.
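The following model, added here as an illustration and not CA Top Secret's own code, exercises the entry decisions described above: default-deny facility access with the MSCA as the only implicit exception, terminal/reader/CPU restrictions matched by full identifier or Generic Prefix, the single-signon option, and the submitter check that flushes a job when the submitting ACID is not authorized for the job's ACID. All ACID names, facility names and device identifiers in it are constructed sample values, and the attribute names are the model's own, not TSS keywords.

```python
"""Illustrative model of CA Top Secret system entry checks (added example)."""
from dataclasses import dataclass, field

MSCA = "MSCA"  # master security ACID: may use any facility without an explicit grant


@dataclass
class Acid:
    name: str
    # facilities granted to this ACID (the text: via TSS CREATE or ADDTO)
    facilities: set = field(default_factory=set)
    # resource class -> entries, each a full identifier or a Generic Prefix
    # (the text's example: TERM(PD01,PD02) restricts entry to PD01*/PD02* terminals)
    restrictions: dict = field(default_factory=dict)
    # other ACIDs this user is explicitly authorized to submit jobs under
    submit_for: set = field(default_factory=set)
    single_signon: bool = False   # option to forbid multiple simultaneous signons
    active_sessions: int = 0


def facility_allowed(acid, facility):
    """Only the MSCA may use any facility by default; everyone else needs a grant."""
    return acid.name == MSCA or facility in acid.facilities


def source_allowed(acid, resource_class, resource_id):
    """If the ACID carries restrictions for a class (TERMINAL, VMRDR, CPU), the
    entry point must match one of them; a full identifier is simply a prefix that
    covers the whole name, so one startswith() test handles both forms."""
    entries = acid.restrictions.get(resource_class)
    if not entries:
        return True  # no restriction recorded for this class: any source is fine
    return any(resource_id.startswith(entry) for entry in entries)


def signon(acid, facility, resource_class, resource_id):
    """Interactive signon. Returns (allowed, reason) and counts accepted sessions."""
    if not facility_allowed(acid, facility):
        return False, f"{acid.name} is not authorized for facility {facility}"
    if not source_allowed(acid, resource_class, resource_id):
        return False, f"{acid.name} may not enter from {resource_class} {resource_id}"
    if acid.single_signon and acid.active_sessions >= 1:
        return False, f"{acid.name} is already signed on"
    acid.active_sessions += 1
    return True, "signon accepted"


def submit_job(submitter, job_acid, reader=None, facility="BATCH"):
    """Batch submission. The submitter check runs first: by default a user may only
    submit under its own ACID, so an unauthorized job is flushed before it starts.
    The job's own ACID is then checked like any user ACID (facility, reader origin)."""
    if job_acid.name != submitter.name and job_acid.name not in submitter.submit_for:
        return False, "job flushed at submission: submitter not authorized for job ACID"
    if not facility_allowed(job_acid, facility):
        return False, f"job ACID {job_acid.name} is not authorized for {facility}"
    if reader is not None and not source_allowed(job_acid, "VMRDR", reader):
        return False, f"job ACID {job_acid.name} may not be submitted from reader {reader}"
    return True, "job accepted"


def demo():
    """Constructed sample: a TSO/CICS user restricted to PD01*/PD02* terminals who
    may submit jobs under PRODJOB, plus a production job ACID limited to one reader."""
    user = Acid("USER01", facilities={"TSO", "CICS"},
                restrictions={"TERMINAL": ["PD01", "PD02"]},
                submit_for={"PRODJOB"}, single_signon=True)
    prodjob = Acid("PRODJOB", facilities={"BATCH"},
                   restrictions={"VMRDR": ["RDR01"]})
    payroll = Acid("PAYROLL", facilities={"BATCH"})
    return {
        "tso_from_pd01": signon(user, "TSO", "TERMINAL", "PD01A7"),
        "tso_from_other": signon(user, "TSO", "TERMINAL", "XY0101"),
        "ims_denied": signon(user, "IMS", "TERMINAL", "PD01A7"),
        "second_signon": signon(user, "CICS", "TERMINAL", "PD02B1"),
        "msca_any_facility": facility_allowed(Acid(MSCA), "IMS"),
        "submit_prodjob": submit_job(user, prodjob, reader="RDR01A"),
        "submit_prodjob_bad_reader": submit_job(user, prodjob, reader="RDR99"),
        "submit_payroll": submit_job(user, payroll),
        "submit_own_no_batch": submit_job(user, user),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:28} -> {result}")
```

Note that the job under USER01's own ACID is refused not by the submitter check (which it passes) but by the facility check, since USER01 was never granted BATCH; the two layers described in the text are independent.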
The terminal locking option protects unattended terminals against unauthorized access. Terminal locking prevents use of the terminal until it is logged off or unlocked. Terminal locking can be triggered automatically by CA Top Secret or through a user-initiated command.
CA Top Secret automatically locks a terminal that has been inactive for a pre-established duration. Automatic locking thresholds can be established at both the user and facility level. Locking is available for most online facilities including VM, TSO, CICS, IMS, and CA Roscoe.
In VM, you can optionally set the facility to disconnect or log off the user instead of locking the terminal.
CA Top Secret provides several protection options designed to prevent operators or other personnel from executing sensitive started tasks or changing security control options without proper identification and password authentication. The options you choose to implement depend upon your particular environment and the degree of security exposure involved.
There is no need to secure all started tasks, and, by default, CA Top Secret allows STCs to bypass security. When deciding on your approach to STC security, consider the impact on your systems and operations staff. Among the options CA Top Secret provides to protect started tasks are:
CA Top Secret supports certain types of special authentication devices as supplements to standard security processing.
CA Top Secret supports the physical identification of users through Operator Identification Cards. You can use this feature to supplement password security. It is available for VM, TSO, and CICS through IBM 3270-compatible terminals.
CA Top Secret can support security devices that require user voice or image identification. Implementing this feature requires customization of CA Top Secret.
Copyright © 2014 CA Technologies.
All rights reserved.