Use generic prefixing to reduce the task of assigning ownership for each resource, masking, and profile ACID.
Resources can be defined to CA Top Secret by their full name or through a generic prefix. A generic prefix is a high‑order sub-string of the full resource name. If your site has implemented and enforced sound resource naming conventions, you can use generic prefixing extensively to specify resources. Generic prefixing allows a group of resources with similar names in the same resource class to be defined to CA Top Secret simultaneously.
Generic prefixing can be used with any resource class. CA Top Secret allows identical generic prefixes if they are used with different resource types. For example, PROGRAM(PAYROLL) and APPLICATION(PAYROLL) do not conflict.
The minimum generic prefix length is one character, except for data sets and volumes, where it is two characters. The maximum length is eight characters, except for data sets, where it is 26.
Example: generic prefixing
In this example, the IEHPROGM, IEHINIT, and IEHLIST programs in the PROGRAM resource class are grouped under the generic prefix IEH.
Instead of entering:
TSS ADDTO(SYSDEPT) PROGRAM(IEHPROGM)
TSS ADDTO(SYSDEPT) PROGRAM(IEHINIT)
TSS ADDTO(SYSDEPT) PROGRAM(IEHLIST)
Enter:
TSS ADDTO(SYSDEPT) PROGRAM(IEH)
You can then permit access to all of the resources starting with IEH by entering:
TSS PERMIT(USER02) PROGRAM(IEH)
USER02 is now permitted to access programs IEHPROGM, IEHINIT, IEHLIST.
Examples: specify a generic prefix
This example assigns ownership of any program that begins with the prefix IEH to the ACID DEPT01.
TSS ADDTO(DEPT01) PROGRAM(IEH)
This example prefixes all data sets used by the Publications Department to TECHPUBS.
TSS ADDTO(PUBDEPT) DSNAME(TECHPUBS)
This example permits a user to access any data set prefixed by TECHPUBS:
TSS PERMIT(USER01) DSNAME(TECHPUBS) ACCESS(ALL)
This method eliminates the need for separate PERMIT commands to access the data sets 'TECHPUBS.PROD.SCEDS' and 'TECHPUBS.GRAPHICS.SCEDS'.
For further refinement, a prefix can span several data set name index levels. For example, to reduce the number of data sets a user can access, instead of specifying DSNAME(TECHPUBS), specify DSNAME(TECHPUBS.PR).
Undercutting is establishing ownership with a generic prefix generically higher (more inclusive) than an existing prefix. For example, the prefix IMS is more inclusive than the prefix IMSTEST. If the undercut is valid, CA Top Secret automatically transfers ownership of the specified resources to the new owner.
When using undercutting:
Undercutting restrictions do not apply when the subsequent prefix is used to specify resource authorization rather than resource ownership.
Example: undercutting
This example shows two valid entries:
TSS ADDTO(DEPT01) DSNAME(IMS)
TSS PERMIT(USER02) DSNAME(IMSTEST)
The following attributes control whether a resource class supports generic prefixing:
GENERIC: Activates prefixing.
NONGENERIC: Deactivates prefixing and treats a general resource as a fully qualified name. The NONGENERIC attribute supports long and short resource classes.
Note: For a list of resources that cannot be used with the NONGENERIC attribute, see the “Prefixed Resources” appendix.
The NONGENERIC attribute applies to the following resources by default:
Important! These attributes affect only permissions. The attributes do not affect the way resource ownership is designated or how the CICS Bypass List is processed.
To change the GENERIC attribute, you must use the TSS REPLACE(RDT) command.
To add the NONGENERIC attribute to a resource class, enter the following command:
TSS REPLACE(RDT) RESCLASS(class) ATTR(NONGENERIC)
Example: Override the GENERIC Attribute
In this example, the TSOPROC resource class in the RDT has the GENERIC attribute. This example permits access only to a single TSOPROC named PROC397:
TSS ADD(DEPT01) TSOPROC(PROC397)
TSS PERMIT(USER01) TSOPROC('PROC397 ')
The non-generic TSOPROC resource is enclosed in apostrophes with a trailing space. Resources that are permitted as non-generic must be revoked the same way:
TSS REV(USER01) TSOPROC('PROC397 ')
Example: Override the NONGENERIC Attribute
In this example, the PROGRAM resource class in the RDT has the NONGENERIC attribute. To permit programs IEHPROGM, IEHINIT, and IEHLIST to one ACID, enter the following commands:
TSS ADDTO(USER01) PROGRAM(IEH)
TSS PERMIT(USER01) PROGRAM(IEH(G))
The G indicates that IEH is a generic prefix and not a fully qualified resource name.
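The following added example (not CA Top Secret code or part of the original documentation) is a simplified Python model of the rules on this page, useful for reviewing how much a PERMIT actually grants: it resolves each permit as generic or fully qualified from the class attribute and the two override forms, then lists the resources it covers. The RDT settings, the inventory (including PROC3971), the VOLUME keyword and all function names are assumptions constructed for illustration.

```python
import re

# Generic prefix length limits (min, max) as stated on this page.
# DSNAME and VOLUME are assumed keywords for data sets and volumes.
LIMITS = {"DSNAME": (2, 26), "VOLUME": (2, 8)}
PERMIT_RE = re.compile(
    r"TSS\s+PERMIT\((\w+)\)\s+(\w+)\(('[^']* '|[\w.]+(?:\(G\))?)\)")

def parse_permit(line, rdt_generic):
    """Return (acid, resclass, name, is_generic) for one TSS PERMIT line."""
    m = PERMIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised PERMIT: {line!r}")
    acid, resclass, spec = m.groups()
    if spec.startswith("'"):      # 'NAME ' form overrides a GENERIC class
        return acid, resclass, spec[1:-2], False
    if spec.endswith("(G)"):      # NAME(G) form overrides a NONGENERIC class
        return acid, resclass, spec[:-3], True
    return acid, resclass, spec, rdt_generic[resclass]

def length_ok(resclass, name):
    lo, hi = LIMITS.get(resclass, (1, 8))
    return lo <= len(name) <= hi

def covered(line, rdt_generic, inventory):
    """List the inventory resources that one PERMIT line grants access to."""
    _, resclass, name, generic = parse_permit(line, rdt_generic)
    if generic and not length_ok(resclass, name):
        raise ValueError(f"prefix length out of range: {name!r}")
    return [r for r in inventory[resclass]
            if (r.startswith(name) if generic else r == name)]

# Constructed sample data: class attributes (True = GENERIC) and resource names.
RDT = {"DSNAME": True, "TSOPROC": True, "PROGRAM": False}
INVENTORY = {
    "DSNAME": ["TECHPUBS.PROD.SCEDS", "TECHPUBS.GRAPHICS.SCEDS"],
    "TSOPROC": ["PROC397", "PROC3971"],
    "PROGRAM": ["IEHPROGM", "IEHINIT", "IEHLIST"],
}
PERMITS = [
    "TSS PERMIT(USER01) DSNAME(TECHPUBS) ACCESS(ALL)",
    "TSS PERMIT(USER01) DSNAME(TECHPUBS.PR)",
    "TSS PERMIT(USER01) TSOPROC(PROC397)",
    "TSS PERMIT(USER01) TSOPROC('PROC397 ')",
    "TSS PERMIT(USER01) PROGRAM(IEH(G))",
    "TSS PERMIT(USER01) PROGRAM(IEH)",
]

if __name__ == "__main__":
    for line in PERMITS:
        print(f"{line:48} -> {covered(line, RDT, INVENTORY)}")
```

In this model the unquoted TSOPROC(PROC397) permit also covers PROC3971 because the class is GENERIC, while PROGRAM(IEH) without (G) covers nothing because the class is NONGENERIC and no program is named exactly IEH.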
When you change the resource class between GENERIC and NONGENERIC, the previous security permissions are retained for all existing definitions. Previous permissions list differently to reflect that they contain the GENERIC or NONGENERIC attribute.
To change existing permits to the new GENERIC/NONGENERIC organization:
To remove the GENERIC attribute from an RDT RESCLASS, the RDT NONGENERIC attribute must replace the current GENERIC attribute.
After altering the RDT, existing permissions retain the GENERIC/NONGENERIC attribute under which they were initially permitted. To change existing permits to the new GENERIC/NONGENERIC organization:
To remove the GENERIC attribute, enter the command:
TSS REPLACE(RDT) RESCLASS(TSOPROC) ATTR(NONGENERIC)
To remove the NONGENERIC attribute, use the REPLACE(RDT) command function.
If you replace the GENERIC/NONGENERIC attribute for RESCLASS, existing permissions retain the GENERIC/NONGENERIC attribute. Only future permissions are affected by the RDT update.
Example: remove the NONGENERIC attribute
This example removes the NONGENERIC attribute by replacing it with the GENERIC attribute.
TSS REPLACE(RDT) RESCLASS(PROGRAM) ATTR(GENERIC)
Copyright © 2014 CA Technologies.
All rights reserved.