Terminal Protection

The following terminal and reader device types can be defined to CA Top Secret:

You can:

Terminals must be owned before being authorized. To establish ownership, use a TSS CREATE or TSS ADDTO command with a TERMINAL entry, then use a TSS PERMIT command with a TERMINAL entry to specify authorizations.

Example: protect terminals

This example protects all terminals whose names begin with K18L by assigning ownership of them to DEPT01:

TSS ADDTO(DEPT01) TERMINAL(K18L)

Remove Ownership

CA Top Secret will not remove ownership unless all permissions are revoked.

To remove ownership of a terminal

  1. Revoke all permissions for the resource. For example:
    TSS REVOKE(USER01) TERMINAL(K18L1125)
    
  2. Remove the ownership of the terminal. For example:
    TSS REMOVE(DEPT01P) TERMINAL(K18L1125)
    

Generic Prefixing

Generic prefixing makes terminal definition easier. The prefix must be from one to eight characters in length.

Example: generic prefixing

This example assigns ownership of JES remote 19, reader 3 to the Accounting Department:

TSS ADDTO(ACTDEPT) TERMINAL(R19.RD3)
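
The following Python sketch is an added example, not part of the CA Top Secret documentation or product. It models the generic prefixing rule above to find terminals in an inventory that no owned prefix covers, and orders the commands from the Remove Ownership procedure so that every REVOKE precedes the REMOVE. The ownership map, permit list, inventory, USER02 and the function names are constructed for illustration, and treating a permit as "under" a prefix when its resource name begins with that prefix is an assumption of this model.

```python
# Constructed sample data, not taken from a real security file.
# Owner ACID -> terminal prefixes it owns (as in TSS ADDTO(owner) TERMINAL(prefix)).
OWNED = {"DEPT01": ["K18L"], "ACTDEPT": ["R19.RD3"], "CORP": ["TSON"]}
# (user ACID, terminal resource named in the TSS PERMIT).
PERMITS = [("USER01", "K18L1125"), ("USER02", "K18L")]
# Terminal names to audit.
INVENTORY = ["K18L1125", "K18L2001", "TSON0042", "R19.RD3", "GRAF02BA"]


def valid_prefix(prefix):
    """Page rule: a generic prefix is one to eight characters long."""
    return 1 <= len(prefix) <= 8


def owners_of(terminal, owned=OWNED):
    """Return every (owner, prefix) pair whose prefix the terminal name begins with."""
    return sorted(
        (acid, prefix)
        for acid, prefixes in owned.items()
        for prefix in prefixes
        if valid_prefix(prefix) and terminal.startswith(prefix)
    )


def unowned(inventory=INVENTORY, owned=OWNED):
    """Terminals covered by no owned prefix; they must be owned before any PERMIT."""
    return [t for t in inventory if not owners_of(t, owned)]


def removal_plan(owner, prefix, permits=PERMITS):
    """Order commands as the procedure requires: all REVOKEs first, then REMOVE."""
    plan = [
        f"TSS REVOKE({user}) TERMINAL({resource})"
        for user, resource in permits
        if resource.startswith(prefix)  # assumption: permit falls under this prefix
    ]
    plan.append(f"TSS REMOVE({owner}) TERMINAL({prefix})")
    return plan


if __name__ == "__main__":
    for name in INVENTORY:
        print(name, owners_of(name) or "NOT OWNED")
    print("\n".join(removal_plan("DEPT01", "K18L")))
```
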

Generic Prefixing for z/VM

Terminal definitions for z/VM are:

| Type | Prefix | Example |
|---|---|---|
| Locally attached | GRAF plus four‑character local address | TSS ADDTO(BUDDEPT) TERMINAL(GRAF02BA) |
| Remotely attached VM‑controlled network terminals | NETW plus four‑character resource id | TSS ADDTO(CORP) TERMINAL(NETW0301) |
| Logical devices | LDEV plus four‑character address of logical device which is arbitrarily defined. | TSS ADDTO(CORPNET) TERMINAL(LDEV1234) |
| VTAM/SNA | 8‑character LU name | TSS ADDTO(FINDEPT) TERMINAL(xxxxxxxx) |

The four‑character address for logical devices is arbitrarily assigned by CP when a product such as VM/PASSTHRU or CA‑VTERM requests such a device. LDEV is the only practical prefix when specifying a logical device with TSS ADDTO or PERMIT.

Generic Prefixing for z/OS

Terminal definitions for z/OS are:

| Type | Prefix | Example |
|---|---|---|
| JES Readers | Use names known to JES | TSS ADDTO(CORPNET) TERMINAL(INTRDR) |
| RJE | REMOTE # @ READER # (Rnn.RDnn) | TSS ADDTO(BUDDEPT) TERMINAL(R12.RD1) (assigns remote 12, reader 1 to the Budget Department) |
| NJE | Symbolic Name | TSS ADDTO(CORPNET) TERMINAL(PHILA) |
| NJE | Node # @ Remote # (Nnn.Rnn) | TSS ADDTO(CORPNET) TERMINAL(N2.R4) |
| Local | READER1 | TSS ADDTO(CORPNET) TERMINAL(READER1) |
| Terminals | Use the name known to TCAM or VTAM via TP monitor definitions. | To protect VTAM terminals (cluster name TSONxxx), enter: TSS ADDTO(CORP) TERMINAL(TSON) |

Access Authorization

Use the PERMIT command function to let designated users access the specified terminals in an unlimited or restricted manner.

Terminal security is bypassed when the NORESCHK attribute is specified.

Terminals cannot be restricted using access levels or the program pathing option.

Examples: authorize access

This example allows USER01 to access terminal K18L1125 from Monday through Friday.

TSS PERMIT(USER01) TERMINAL(K18L1125)
                   DAYS(WEEKDAYS)

This example allows a user to access all protected terminals by assigning ownership to the MSCA and using the *ALL* indicator:

TSS ADDTO(MSCA) TERMINAL(*ALL*)
TSS PERMIT(USER01) TERMINAL(*ALL*)