Protecting Resources › Record Level Protection (RLP)

Record Level Protection (RLP)

RLP gives you detailed control over which users have access to what data by defining the records to protect the SDT reserved ACID record and then permitting access with the TSS PERMIT command.

Before implementing RLP, ensure that the SDT is initialized with the SDTBLOCKS parameter of TSSMAINT.

Using RLP, you can give users access to:

• A set of records within a file
• A set of fields within a record

The SDT record elements used to implement RLP are:

RECORD

Defines the record using its FCT name, and specifies the record's layout (field name, data type, field positions, length). The field(s) defined are then referenced in the SELECT record.

SELECT

Defines the logic, using Boolean expressions, that specifies who gets access to a record based on the contents of one or more fields.

MASKREC

(Optional) Defines which fields within a record cannot be access.

RLP Implementation

To help implement RLP smoothly:

• Determine which of your applications would benefit from RLP.
• Gather information about the application FCT name, field names, positions, data types, length of field, and selection criteria).
• Become familiar with the application.
• Plan the details needed to implement RLP for this application. For example, you may decide on selection criteria that limit the user to viewing only the records within their departmental scope.
• Determine who is the administrator for implementing RLP and give them MISC3(SDT) authority.

The process to enter the definitions is:

• Define the RECORD definitions to the SDT with information such as:
  • The name of the record (FCT name)
  • The fields of the record
  • The format of the data in the fields
  • The sizes are the fields

  For example:

  TSS ADDTO(SDT) RECORD(pfile)
                 RECDATA(dept,char,10,4)
  

  If you are protecting multiple fields within one record, do a separate ADDTO for each field you want to protect. You can protect up to ten fields in one record.

• Define the SELECT expressions to the SDT used on the PERMIT command.
• Define the layout of the record:
  • The field of the record you want CA Top Secret to validate
  • The type of comparison made
  • The field being compared to

  For example:

  TSS ADDTO(SDT) SELECT(dp1000)
                 SELDATA('If dept GE “1000” AND dept LE “1099”)
  

• Define any MASK records to the SDT. MASK records are optional, and identify which fields within a record cannot be accessed. For example:

  TSS ADDTO(SDT) MASKREC(MDEPT)
                 MASKDATA(pay,char,30,4,$$$$)
  

• Listing the SDT records you just created to check your work. For example:

  TSS LIST(SDT) RECORD(ALL)
  

• Use TSS REPLACE(SDT) to correct any errors.
• Refresh the SDT in‑core tables using:

  TSS MODIFY(SDTTABLE)
  

Permit Access to the Defined Records

To permit access to the defined records:

• Revoke any existing PERMITs that a user may have for the FCTs.
• Re‑PERMIT the FCTs using the SELECT and/or MASKREC clauses

Example: permit access

This example permits access to the defined record:

TSS PERMIT(jane) FCT(pfile)
                 ACCESS(READ)
                 SELECT(dp1000)
                 MASKREC(mdept)

Enable RLP Protection

Enable RLP for the facility for the definitions and permissions to take effect.

Example: enable RLP protection

This example enables RLP in the CICS region:

TSS MODIFY FACILITY(cicsprod=RLP=YES)