Installation defined resources do not usually trigger the z/OS Standard Security Interface to issue a security call. Typical installation‑defined resources include:
A resource can be ownable or unownable. If:
Installation defined resources must be owned before being authorized. Use a TSS CREATE/ADDTO statement to establish ownership then use a TSS PERMIT statement to specify authorizations.
FIELDs are not automatically protected by CA Top Secret after they are owned. An application program must perform the security check by calling CA Top Secret using FRACHECK or the application high‑level language interface.
Example: assign ownership to a resource
This example assigns ownership of an ABSTRACT, FIELD, and UR2 resource:
TSS ADDTO(CORPORAT) ABSTRACT(AC1)
TSS ADDTO(DEPTC) FIELD(A100,A200,A300)
TSS ADDTO(CORPORAT) UR2(ACCT7889,ACCT4567)
The reserved parameters in the RDT used to see installation‑defined resources are:
Used with additional site‑written code to extend security to other “system” type resources, such as job execution classes.
Used to define database fields and to validate access to these fields by user program or transactions.
Used to designate owned, non‑system, site‑defined resources, such as particular account codes. They are implemented and function in the same manner as ABSTRACT and FIELD.
Used to designate unowned types of resources.
Ownership for any installation‑defined resource can be designated using generic prefixes. Once a prefix is owned, any installation‑defined resource beginning with that prefix is protected and must be permitted to other ACIDs.
Example: assign ownership with generic prefixing
This example gives ownership of fields beginning with the prefix A100 to the ACID DEPTC:
TSS ADDTO(DEPTC) FIELD(A100)
Use the TSS PERMIT command function to allow designated users to access the indicated installation‑defined resources in an unlimited or a restricted manner.
Example: authorize access
This example authorizes access.
TSS ADDTO(TECHPROF) ABSTRACT(AC1)
DAYS(FRIDAY)
TSS PERMIT(PRFCLRK) FIELD(A1006,A3002)
TIMES(08,17)
DAYS(WEEKENDS)
PRIVPGM(ISPTASK1)
ACCESS(UPDATE)
TSS PERMIT(CLKPROF)) UR2(ACCT7889,ACCT4567)
ACCESS(ALL)
Access levels can only be specified for FIELD, UR1, and UR2.
Access levels are assigned using the ACCESS parameter. Access levels are defined but must be checked by the exit or application program. This parameter restricts how FIELDs, UR1, and UR2 resources are accessed. The access levels that can be specified are:
Resource can be accessed in any way.
Resource can be updated; READ and WRITE access are implied.
(Default). Resource can be read.
Data can only be written into the resource.
Resource cannot be used in any way.
Example: assign access levels
This example authorizes any user in the CLKPROF profile to update the UR2 resources ACCT7889 and ACCT4567.
TSS PERMIT(CLKPROF) UR2(ACCT7889,ACCT4567)
ACCESS(UPDATE)
If you are using program pathing and a user accesses a resource through an owned privileged program, grant access to the owned program.
Examples: assign a program path
This example permits the program IMSPZAP.
TSS PERMIT(PRFCLRK) PROGRAM(IMSPZAP)
This example allows any user attached to the PRFCLRK profile to update the specified fields from 8:00 a.m. until 5:59 p.m. on Monday through Friday, but only through the program ISPTASK1.
TSS PERMIT(PRFCLRK) FIELD(A1006,A3002)
TIMES(08,17)
DAYS(WEEKENDS)
PRIVPGM(IMSPZAP)
ACCESS(UPDATE)
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|