Any owned program is protected. Undefined programs are not protected unless the DEFPROT attribute is added to the PROG resource class in the RDT. TSO commands are protected with the PROG keyword if the command is defined in terms of the program it causes to be executed.
Programs must be owned before being authorized.
Example: protect programs
This example protects the program IEHINITT by assigning ownership of it to DEPT01:
TSS ADDTO(DEPT01) PROGRAM(IEHINITT)
CA Top Secret will not remove ownership unless all permissions are revoked.
To remove ownership of a program, revoke every outstanding permission first and then remove the ownership:
TSS REVOKE(USER01) PROGRAM(IEHINITT)
TSS REMOVE(DEPT01P) PROGRAM(IEHINITT)
Default protection gives security protection to programs not defined to CA Top Secret. A security violation occurs if a request is made to access an unowned program.
To give default protection to programs, attach the DEFPROT attribute to the PROGRAM resource class.
Example: assign default protection
This example assigns default protection:
TSS REPLACE(RDT) RESCLASS(PROGRAM)
ATTR(DEFPROT)
Program ownership can be designated with generic prefixes. Any program beginning with a prefix is protected and must be permitted to other ACIDs. A generic prefix must be from one to eight characters in length.
Example: generic prefixing
This example assigns ownership of all sensitive IBM utilities to the Systems Department:
TSS ADDTO(SYSDEPT) PROGRAM(IEH)
Use the TSS PERMIT command function to allow designated users to access the indicated programs in an unlimited or a restricted manner.
Examples: authorize access
This example allows USER01 to use the IEHINITT utility from 7:00 a.m. to noon:
TSS PERMIT(USER01) PROGRAM(IEHINITT)
TIMES(07,12)
This example gives everyone the ability to use IEHINITT in the morning:
TSS PERMIT(ALL) PROGRAM(IEHINITT)
TIMES(07,12)
Program pathing: users who access a resource through a privileged program must first be given authorization to that program through a TSS PERMIT PROG entry before the PRIVPGM attribute can be used. For example:
TSS PERMIT(USER01) PROGRAM(APUPDATE)
Program pathing is then implemented with the PRIVPGM parameter.
Example: assign a program path
This example authorizes USER01 to read data sets whose highest level qualifiers are SALPAY.MASTER, but only through program APUPDATE when running in the Batch facility:
TSS PERMIT(USER01) DSNAME(SALPAY.MASTER)
PRIVPGM(APUPDATE)
FACILITY(BATCH)
To allow users access to all programs, assign ownership of the resource identifier *ALL* to the MSCA, then permit users to the same identifier.
Example: access all programs
This example allows USER01 to use any protected program:
TSS ADDTO(MSCA) PROGRAM(*ALL*)
TSS PERMIT(USER01) PROGRAM(*ALL*)
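The rules above (ownership, generic prefixes, DEFPROT, TIMES windows, *ALL*, and PRIVPGM program pathing) can be modelled as a small access-decision routine. The following is an added illustration written for this page, not CA code, and it assumes that ownership and permits match on a name prefix and that TIMES(s,e) covers hours s <= hour < e.

```python
# Simplified model of the program-protection rules above (added illustration,
# not CA code). Assumes prefix matching for ownership and permits, and that
# TIMES(s,e) allows hours s <= hour < e.
class ProgramPolicy:
    def __init__(self, defprot=False):
        self.defprot = defprot       # DEFPROT attribute on the PROGRAM class
        self.owners = {}             # program prefix (or *ALL*) -> owning ACID
        self.permits = []            # (acid or 'ALL', program prefix or *ALL*, times)
        self.paths = []              # (acid, dsn prefix, privpgm, facility)

    def addto(self, acid, program):
        """TSS ADDTO(acid) PROGRAM(program): a generic prefix is 1-8 characters."""
        if program != "*ALL*" and not 1 <= len(program) <= 8:
            raise ValueError("generic prefix must be 1-8 characters")
        self.owners[program] = acid

    def permit(self, acid, program, times=None):
        """TSS PERMIT(acid) PROGRAM(program) [TIMES(start,end)]; acid 'ALL' = everyone."""
        self.permits.append((acid, program, times))

    def permit_dsn(self, acid, dsn, privpgm, facility):
        """TSS PERMIT(acid) DSNAME(dsn) PRIVPGM(privpgm) FACILITY(facility)."""
        self.paths.append((acid, dsn, privpgm, facility))

    def is_protected(self, program):
        """Owned (directly, by prefix, or via *ALL*), or undefined with DEFPROT set."""
        owned = any(p == "*ALL*" or program.startswith(p) for p in self.owners)
        return owned or self.defprot

    def can_run(self, acid, program, hour):
        """Return True if acid may execute program at the given hour (0-23)."""
        if not self.is_protected(program):
            return True                           # unowned and no DEFPROT: unchecked
        for p_acid, p_prog, times in self.permits:
            if p_acid not in (acid, "ALL"):
                continue
            if p_prog != "*ALL*" and not program.startswith(p_prog):
                continue
            if times and not times[0] <= hour < times[1]:
                continue
            return True
        return False                              # no matching permit: violation

    def can_read_dsn(self, acid, dsn, program, facility, hour):
        """Program pathing: the PRIVPGM permit applies only if the program itself may run."""
        if not self.can_run(acid, program, hour):
            return False
        return any(a == acid and dsn.startswith(d) and program == pgm and facility == fac
                   for a, d, pgm, fac in self.paths)
```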
Copyright © 2014 CA Technologies.
All rights reserved.