

Access Restriction with the ACTION Keyword

Not all resource classes can be restricted by access level or path. CA Top Secret provides another layer of security using the ACTION keyword. The operand specified with the ACTION keyword tells CA Top Secret how to respond to an access request.

ACTION operands include:

ADMIN

Allows a security administrator to administer resources that are not owned within his scope of authority. If an access level is not specified, CA Top Secret permits the default access level for that resource class.

AUDIT

Creates an audit trail when the resource is accessed, regardless of the mode or logging options of the user.

DENY

Denies the ACID access to the specified resource. The mode that applies to the user is still honored.

ACTION(DENY) does not apply to resources where access levels are specified; instead, use ACCESS(NONE).

EXIT

Invokes the CA Top Secret Installation Exit for all accesses to the specified resource granted by this permission.

FAIL

Treats any access attempt as if the user were in FAIL mode. In other words, CA Top Secret fails any unauthorized access attempt regardless of the security mode the facility or user is in.

NODSN

Tells CA Top Secret to only check volume authorizations for access requests to data sets on this particular volume.

NOTIFY

Issues a TSS7299W message to the security console on any access to the specified resource granted by this permission.

PASSWORD

Adds additional password protection before granting access to a data set. Specifically, returns control to z/OS program checking for all DASD data sets after CA Top Secret verification has authorized access to this data set.

Note: Any data set checks that occur as a result of allocating an SMS-managed data set are not prompted for a data set password.

REVERIFY

For OTRAN resources, initiates password reverification.

VMPRIV

Grants the accessor the privileged form of CP commands and DIAGNOSE instructions.

Example: restrict access

This example tells CA Top Secret to notify the security console when USER03 accesses the PD000001 terminal:

TSS PERMIT(USER03) TERMINAL(PD000001)
                   ACTION(NOTIFY)
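
The following is an added example, not part of the CA Top Secret documentation: a small Python check that reviews TSS PERMIT commands against the operand descriptions above before they are issued. The function names, the sample commands other than the page's own, the comma-separated ACTION list, and the reading of "access levels are specified" as "the command carries an ACCESS keyword" are assumptions made for illustration.

```python
import re

# ACTION operands listed on this page.
KNOWN_ACTIONS = {"ADMIN", "AUDIT", "DENY", "EXIT", "FAIL", "NODSN",
                 "NOTIFY", "PASSWORD", "REVERIFY", "VMPRIV"}
KEYWORD = re.compile(r"([A-Z][A-Z0-9]*)\(([^()]*)\)")

# The page's example, followed by constructed commands that break its rules.
PAGE_EXAMPLE = """TSS PERMIT(USER03) TERMINAL(PD000001)
                   ACTION(NOTIFY)"""
DENY_WITH_ACCESS = "TSS PERMIT(USER03) DSNAME(PAYROLL.DATA) ACCESS(READ) ACTION(DENY)"
REVERIFY_NOT_OTRAN = "TSS PERMIT(USER03) TERMINAL(PD000001) ACTION(REVERIFY)"
MISTYPED = "TSS PERMIT(USER03) TERMINAL(PD000001) ACTION(NOTIFY,AUDT)"

def parse_permit(text):
    """Return (acid, {keyword: operands}) for one TSS PERMIT command.
    Continuation lines are joined by collapsing whitespace."""
    flat = " ".join(text.upper().split())
    if not flat.startswith("TSS PERMIT("):
        raise ValueError("not a TSS PERMIT command")
    pairs = KEYWORD.findall(flat[4:])       # skip the leading "TSS "
    return pairs[0][1], dict(pairs[1:])     # first pair is PERMIT(acid)

def lint_permit(text):
    """Return a list of findings; an empty list means no rule was broken."""
    _acid, kw = parse_permit(text)
    # Assumption: several actions may be given as a comma-separated list.
    actions = [a.strip() for a in kw.get("ACTION", "").split(",") if a.strip()]
    findings = [f"unknown ACTION operand {a}"
                for a in actions if a not in KNOWN_ACTIONS]
    # Page rule: where access levels are specified, use ACCESS(NONE), not DENY.
    if "DENY" in actions and "ACCESS" in kw:
        findings.append("ACTION(DENY) with ACCESS: use ACCESS(NONE) instead")
    # Page rule: REVERIFY is described for OTRAN resources only.
    if "REVERIFY" in actions and "OTRAN" not in kw:
        findings.append("ACTION(REVERIFY) applies to OTRAN resources")
    return findings

if __name__ == "__main__":
    for cmd in (PAGE_EXAMPLE, DENY_WITH_ACCESS, REVERIFY_NOT_OTRAN, MISTYPED):
        acid, _ = parse_permit(cmd)
        print(acid, lint_permit(cmd) or "ok")
```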