

Access Restriction by Access Level

Use the ACCESS keyword to control the types and level of access to many resource classes such as:

Common access levels are:

Ownership automatically confers total access to the resource to the owner unless Record Level Protection (RLP) is implemented.

Example: restrict access by access level

This example authorizes USER01 to update all data sets with AP as their highest‑level qualifier:

TSS PERMIT(USER01) DSNAME(AP.)
                   ACCESS(UPDATE)

Additional Access Levels

For resources such as CICS and IMS databases, CA Top Secret recognizes access level keywords that correspond to the actual system terminology (such as BROWSE, REPLACE, PURGE, and FEOV):

CONTROL

For VSAM data sets, CONTROL allows control‑interval processing.

For VOLUME resources, when CONTROL and CREATE are both present, the combination allows the creation of data sets regardless of the applicable data set authorizations.

FETCH

Enables access to a program library (load library) for the purposes of executing programs.

The FETCH‑only access level option enables the owner of a program library to allow others access to it for the execution of programs while preventing any other type of access. Thus, FETCH‑only protection prevents the authorized user from reading the data set or copying a program for his own use (and, perhaps, modifying it to bypass special checking). Programs from FETCH‑protected libraries can only be executed, called from TSO, or invoked through other standard system invocations. All FETCH requests in z/OS are translated as READ requests.

BLP

Allows a user to access a tape, bypassing the information kept in the label of that physical tape. BLP access is generally granted together with READ or UPDATE so that you are able to bypass label checking as well as read or write records to the tape.

To see the access levels of a resource, list the RDT entry for the resource.

Access Control at the Record and Field Level

Use the RLP to control which records within a data set and which fields within a record a user has access to.

To implement RLP:

Unique Access Levels for Dynamically Defined Resources

CA Top Secret‑defined default values for access levels are not the same as those passed by the ATTR= keyword of RACHECK.

The following table shows the ATTR= values for RACHECK or FRACHECK and their associated values for the TSS command:

(F)RACHECK ATTR=   Hex Value   CA Top Secret Default Access Level Name   Hex Value
ALTER              80          ALL                                       FFFF
CONTROL            08          CONTROL                                   0400
UPDATE             04          UPDATE                                    8000
READ               02          READ                                      4000

Using the default values shown above, CONTROL access does not include UPDATE or READ, because the default masks (0400, 8000, and 4000) have no bits in common. To make the RACHECK value function hierarchically (so that CONTROL also includes UPDATE and READ, and UPDATE includes READ), the following values must be explicitly defined in the resource class in the RDT; each higher value contains the bits of every value below it (C400 = 8000 + 4000 + 0400, C000 = 8000 + 4000):

Access Level   Hex Value
ALTER          FFFF
CONTROL        C400
UPDATE         C000
READ           4000

Example: implementing access levels

This example implements the access levels in the preceding table:

TSS ADDTO(RDT) RESCLASS(SAMPLE)
               RESCODE(07)
               ACLST(ALTER(FFFF),CONTROL(C400),UPDATE(C000),READ(4000))

Access Level Placement

When assigning multiple levels, place the higher access levels first because of the way CA Top Secret displays them. For example:

ACLST (ALL,CONTROL,UPDATE,READ)

Combining User Defined and Standard Levels

You can combine user-defined and standard access levels in one ACLST.

Examples: combine access levels

This example combines user‑defined and standard access levels:

ACLST (ALTER(FFFF),ALL,CONTROL,EDIT(8000),UPDATE,
       VIEW(4000),READ,MOVE(0004))

This example assigns unique access levels in which the list is non-exclusive: the DEFINE access level allows all access levels that follow it (EDIT, VIEW, and MOVE), while MOVE does not imply DEFINE, VIEW, or EDIT.

TSS ADDTO(RDT) RESCLASS(MENU)
               RESCODE(05)
               ACLST(DEFINE(FFFF),EDIT(8000),VIEW(4000),MOVE(0400))
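The following Python model is added here as an example; it is not part of CA Top Secret or of this documentation. It parses ACLST operands like the ones on this page (the SAMPLE class with default values, the SAMPLE class with the explicitly hierarchical C400/C000/4000 values, and the MENU class above) and reports which levels a grant of each level implies and where a list that looks ranked is not actually hierarchical. The hex masks are the page's own; the one assumption the model makes is the comparison rule, namely that a held level satisfies a requested level when its mask contains every bit of the requested level's mask (bitwise superset), which is the reading under which the hierarchical values behave as the page describes. The function names (parse_aclst, covers, implied_levels, hierarchy_gaps) are this example's own.

```python
import re

# Product default masks for the standard names, from the first table on
# this page (a name listed in ACLST without a value takes its default).
DEFAULT_LEVELS = {"ALL": 0xFFFF, "CONTROL": 0x0400, "UPDATE": 0x8000, "READ": 0x4000}

_ENTRY = re.compile(r"^([A-Z][A-Z0-9]*)(?:\(([0-9A-Fa-f]{1,4})\))?$")


def parse_aclst(operand: str) -> dict[str, int]:
    """Parse an operand such as
    'ACLST(ALTER(FFFF),CONTROL(C400),UPDATE(C000),READ(4000))'
    into {name: mask}. Entries may span lines, as in the examples on this page."""
    m = re.fullmatch(r"\s*ACLST\s*\((.*)\)\s*", operand, re.S)
    if not m:
        raise ValueError("expected ACLST( ... )")
    levels: dict[str, int] = {}
    for item in m.group(1).split(","):
        e = _ENTRY.match(item.strip())
        if not e:
            raise ValueError(f"bad ACLST entry: {item.strip()!r}")
        name, hexval = e.groups()
        if hexval is not None:
            levels[name] = int(hexval, 16)
        elif name in DEFAULT_LEVELS:
            levels[name] = DEFAULT_LEVELS[name]
        else:
            raise ValueError(f"{name} has no value and no default known here")
    return levels


def covers(levels: dict[str, int], held: str, requested: str) -> bool:
    """Assumed comparison rule (not quoted from the product documentation):
    the held level's mask must contain every bit of the requested mask."""
    want = levels[requested]
    return levels[held] & want == want


def implied_levels(levels: dict[str, int], held: str) -> list[str]:
    """Other levels in the list that a grant of `held` also satisfies."""
    return sorted(n for n in levels if n != held and covers(levels, held, n))


def hierarchy_gaps(levels: dict[str, int], order: list[str]) -> list[tuple[str, str]]:
    """Given the intended ranking (highest first, the order the page says to
    use in ACLST), return (higher, lower) pairs where the higher level does
    NOT imply the lower one: grants an administrator might expect to be
    hierarchical but that are not under the masks as defined."""
    return [(hi, lo) for i, hi in enumerate(order)
            for lo in order[i + 1:] if not covers(levels, hi, lo)]


# ACLST operands from this page. SAMPLE_DEFAULT is reconstructed from the
# first table (names only, so the product defaults apply); the other two
# are the examples quoted above.
SAMPLE_DEFAULT = "ACLST(ALL,CONTROL,UPDATE,READ)"
SAMPLE_HIERARCHICAL = "ACLST(ALTER(FFFF),CONTROL(C400),UPDATE(C000),READ(4000))"
MENU = "ACLST(DEFINE(FFFF),EDIT(8000),VIEW(4000),MOVE(0400))"


def report(operand: str, order: list[str]) -> None:
    """Print each level's mask, what it implies, and any non-hierarchical pairs."""
    levels = parse_aclst(operand)
    print(operand)
    for name in order:
        print(f"  {name:<8} {levels[name]:04X}  implies {implied_levels(levels, name) or '-'}")
    for hi, lo in hierarchy_gaps(levels, order):
        print(f"  gap: {hi} does not include {lo}")


if __name__ == "__main__":
    report(SAMPLE_DEFAULT, ["ALL", "CONTROL", "UPDATE", "READ"])
    report(SAMPLE_HIERARCHICAL, ["ALTER", "CONTROL", "UPDATE", "READ"])
    report(MENU, ["DEFINE", "EDIT", "VIEW", "MOVE"])
```

Running the script shows the three behaviours the page describes: with the default masks CONTROL implies neither UPDATE nor READ, with the C400/C000/4000 masks the SAMPLE list has no gaps, and in the MENU list only DEFINE implies the levels below it. The same parser accepts the combined list in the previous example, where EDIT and UPDATE share the mask 8000 and VIEW and READ share 4000, so each member of such a pair satisfies a request for the other.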

This example assigns unique access levels to a main menu in an installation-written menu definition facility, where you want to define new resource classes and access levels that are meaningful to your site.

The following table maps the site-written access levels to the equivalent access levels passed by the ATTR= keyword of RACHECK.

Site Written Access Levels   ATTR=
VIEW                         READ
EDIT                         UPDATE
DEFINE CREATE/DELETE         ALL or ALTER
MOVE                         CONTROL