Setting up Resource Definitions and Ownership › Resource Ownership › Masking

Masking

Masking is used to group sets of resources whose names share similar characteristics. Masking is not restricted to prefixes. Similar characters can occur in the beginning, middle, or end of the resource name, with characters in between. Special characters are specified to represent variations between resource names.

A masked resource name is treated by CA Top Secret like a generic prefix. Any data set that begins with a pattern indicated by a mask is considered a match for it by the security validation algorithm, and the associated access authorizations are honored.

To determine if a resource supports masking

1. Enter the command:

   TSS LIST(RDT)
   

2. Check the RDT for the MASK or NOMASK attribute.

Floating Pattern Masks

A floating pattern mask uses the hyphen (-) to represent a variable number of characters (including no characters). Resource names containing hyphens cannot be owned. They must match the ownership of resources defined by other characters and masks.

The hyphen:

• Cannot be used in the same resource name with other masking characters
• Can only be used in the interior of a resource name
• Can only occur at position three or later

The following resource masks are invalid:

A floating character mask can represent resource names with multiple qualifiers or indexes (cross-node resource names). These examples show how the hyphen mask can be used to cross partial and complete nodes of resource qualification:

The explicit periods on either side of the mask in the second example prevent the collapse of the hyphen into a null-string, and prevents the inclusion of more than one initial qualifier.

Variable Character Substitution

Variable character substitution uses the asterisk (*) to represent a zero to eight character qualifier, optionally followed by a period(.). Resource masks containing asterisks can be owned.

If the first character of a mask is fixed, the second character cannot be an asterisk (for example, X*M100 is invalid, but ** is valid).

The following rules apply to masking:

• For resource classes that support masking, an ADD command must specify a minimum of two characters
• An ADD command that contains a masking character must start with a masking character
• A resource name that starts with a non-masking character cannot contain a masking character in the second position

The ownership of the masked resource consisting of multiple asterisks does not supply default protection to all resource names in the class. Protection is supplied by replacing the RDT entry for the resource class with ATTR(DEFPROT). For information, see the chapter “Maintaining Special Security Records”.

Ownership of resources is a pseudo ownership. This enables the administrator to permit global access to resources owned through other ownerships. Minimize the length of “total wild‑card” permissions so that the security algorithm will rank such maskings by “number of characters matched” as low as possible. For instance:

TSS PERMIT(user) DSN(%.)
                 ACC(ALL)

TSS PERMIT(user) DSN(*****)
                 ACC(READ)

The first permission ranks the data sets beginning with the user’s ACID as a higher match for the second permission (five characters) than the first (two characters)

Only READ access would be granted to such a data set.

Example: character substitution ranking

In this example, CA Top Secret ranks the first permission as taking precedence:

TSS PERMIT(user) DSN(%.) ACC(ALL)

TSS PERMIT(user) DSN(**) ACC(READ)

Examples: variable character substitution

Consider the following examples:

In the first mask, the asterisk matches the 4-character string .PAY with exact matches on the fixed characters in the mask. The non-matching suffix D.DATA does not match the mask’s fixed characters “M.DATA”.

In the second mask, the initial asterisk matches zero characters at the start of “LAB”. There are too many (10 + period) characters in “NEW.JERSEY.LAB” to be represented by a single asterisk.

Index Substitution

The index mask is an extension of the variable mask. You can specify where index levels appear in a resource name. Index substitution masking uses (*.) to tell CA Top Secret to ignore an index (node) level. The masking characters:

• Can be strung together to represent multiple index levels, for example, (*.*.)
• At the beginning of the resource name represent a one to eight character index

Each asterisk appearing within the name can represent from zero to eight characters.

Examples: index substitution

This example specifies that .BALL must be prefixed by one to eight characters:

*.BALL

Matches:

BASKET.BALL

Does not match:

BALL.GAME

This example specifies that two indexes must appear between CICS. and .F:

CICS.*.*.F

Matches:

CICS.RUM.TSS.FIL

Does not match:

CICS.FEATURES

This example specifies a zero to eight character mask between SAL and BKUP:

SAL.*.BKUP

Matches:

SAL.PAY.BKUP.ABC
SAL.XMPT.BKUP
SAL.US.REC.BKUP     

Does not match:

SAL.BKUP
SAL.BKUP.PAY
SAL.BKUPLIB.A.BKUP

Fixed Position Substitution

Fixed position masking uses the plus character (+) to represent single positions within a resource name.

Examples: fixed position substitution

This example uses a single (+):

A123+.TSO

Matches:

A1234.TSO

Does not match:

A123.TSO

This examples uses multiple (+)s:

SAL+++.BKUP

Matches:

SALPAY.BKUP
SALREC.BKUP  

Does not match:

SALRECV.BKUP
SALRE.BKUP

ACID Substitution

ACID substitution uses the percentage character (%) to represent all or part of the ACID. This gives users access to any data set whose prefix matches their ACID.

Example: ACID substitution

This example gives USER01 authorization to access data sets such as ACCT.USER01.LOAD and ACCT.USER01.LOAD.ABD, but not ACCT.USER02.LOAD:

TSS PERMIT(USER01) DSNAME(ACCT.%.LOAD)

Entire ACID Substitution

This process authorizes full access to resources prefixed by their ACIDs for all TSO users at an installation:

• Assign the MSCA ownership of the % character (ownership of % does not allow the MSCA access to a particular resource unless explicitly permitted). For example:

  TSS ADDTO(MSCA acid) DSNAME(%.)
  

• PERMIT all TSO users all access to any resource prefixed by their ACID. For example:

  TSS PERMIT(ALL) DSNAME(%.) 
                  FACILITY(TSO)
                  ACCESS(ALL)
  

Partial ACID Substitution

To specify a portion of the user ID to be used as a mask use the % character with values identifying the start and length of the user ID.

Example: partial ACID substitution

This example permits TUSER01 access to data set USER01:

TSS PERMIT(TUSER01) DSNAME(%26%)

Mask Combinations

Variable character, fixed position, index, and ACID substitution can be combined in any form. They cannot be combined with a floating mask.

Examples: combine masks

This example shows how masking characteristics can be combined:

MAR++.*.SUM

Matches:

MAR86.A.SUM
MAR85.PERS.SUMM
MAR++.*.SUM
MAR86.WELFARE.SUMMER

Does not match:

MARCH.SUM
MAR86.PERS.WELFARE.SUMM

To permit data sets masked with asterisks, plus signs, or percent signs in the initial position(s) of the data set, the MSCA must first be assigned ownership of the special prefix characters or their combinations:

TSS ADDTO(msca acid) DSNAME(++*.)

Then allow USER01 access to any data set with at least a two character prefix (and at least two qualifier levels).

TSS PERMIT(USER01) DSNAME(++*.)

The security validation algorithm only considers permissions that begin with one of the above special characters if it has not already encountered a data set match.

The *ALL* Resource Name

An administrator can PERMIT a user access to all protected resources within a class using a single command. For prefixed resources masking characters serve this function. For general resources, the special resource name *ALL* is used.

An administrator can PERMIT access to all owned resources within a NOMASK resource class by using the special resource name:

*ALL*

For resource classes with the MASK attribute, a similar PERMIT can be managed with the resource name:

*****

A permission using *ALL* only grants access to protected resources. Using ADD is a formality and has no effect on resources not already protected. PERMIT allows the administrator to allow access to all owned resources of a RESCLASS.

When DEFPROT is applied all resources are implicitly protected without the necessity of formal ownership. To grant access under DEFPROT the administrator must still own and permit the resources (which may include *ALL*).

Example: using *ALL*

This example gives USERA permission to all CICS transactions by assigning ownership of the special resource name *ALL* to the MSCA then issuing the PERMIT for USERA:

TSS ADDTO(MSCA) OTRAN(*ALL*)

TSS PERMIT(USERA) OTRAN(*ALL*)
                  FACILITY(CICSPROD)

This PERMIT allows USERA to access all transactions without having specific permissions for each one.

The ADDTO command does not protect all transactions; it only allows permission of the special name.