Zone, division, department, profile, and user ACIDs can own resources. Only users and profiles can be granted access to resources.
For simpler and effective security administration, resources should typically:
Note: Allow users to own all files matching their unique high‑level qualifier.
By default, ownership of a resource automatically gives full (ALL) access of that resource to the owner. An exception is when a masked resource is owned at a user level. In this situation, the owner does not have access to the resource and cannot be permitted access to it. All masked resources should be owned at a department, or higher, level.
If ownership is granted to a user ACID, that user automatically has complete access to the resources.
Ownership of a resource by a department ACID:
If a department has ownership of many resources permitted many times (over 500), create several dummy departments and split up the ownership. This improves processing efficiency by balancing distribution on the security file.
Example: ACID resource ownership
In this example, USER01 has ownership of the PAYROLL.UPDTE data set and ALL access to the PAYROLL.UPDTE data set.
TSS ADDTO(USER01) DSNAME(PAYROLL.UPDTE)
This access cannot be overridden with the commands:
TSS PERMIT ..... ACTION(DENY)
TSS PERMIT ..... ACCESS(NONE)
Ownership by a profile implies total access to the resource for every user attached to that profile. It is recommended that profiles never own anything.
Example: department ownership
This example designates the Financial Department (FINDEPT) as the owner of the INVEST.RES data set. If USER02 belongs to that department he would still have to be authorized (via the TSS PERMIT command ) to access the INVEST.RES data set. Therefore, USER02 can be given UPDATE access or even be restricted to READ only access to this data set. The same concept applies to resource ownership by Division and Zone ACIDs.
TSS ADDTO(FINDEPT) DSNAME(INVEST.RES)
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|