The Spool Display and Search Facility (SDSF) interfaces with the z/OS spool to analyze and control the operation of a z/OS JES2 based system. SDSF provides:
If the system is in FAIL mode and the CA Top Secret address space is down, access to resources is denied.
To allow access to the SDSF resource, enter the commands:
TSS ADDTO(deptacid) SDSF(ISFCMD.,ISFATTR.,ISFINIT.)
TSS PERMIT(ALL) SDSF(ISFCMD.,ISFATTR.,ISFINIT.)
ACCESS(ALL)
ACTION(PASSWORD)
SDSF SAF-based security uses the SDSF resource to determine whether a user can view JES2 objects: JOBS, SYSIN, SYSOUT, and output GROUPS. Use the REVOKE and PERMIT commands on these resources. The PERMIT function must contain ACTION(PASSWORD).
For example:
TSS REVOKE(ALL) JESJOBS(SUBMIT.,CANCEL.)
TSS REVOKE(ALL) JESSPOOL(nodename)
TSS REVOKE(ALL) OPERCMDS(MVS.,JES2.,JES3.)
TSS REVOKE(ALL) SDSF(ISFCMD.,ISFATTR.,ISFINIT.)
TSS PERMIT(ALL) JESJOBS(SUBMIT.,CANCEL.)
ACCESS(ALL)
ACTION(PASSWORD)
TSS PERMIT(ALL) JESSPOOL(nodename)
ACCESS(ALL)
ACTION(PASSWORD)
TSS PERMIT(ALL) OPERCMDS(MVS.,JES2.,JES3.)
ACCESS(ALL)
ACTION(PASSWORD)
TSS PERMIT(ALL) SDSF(ISFCMD.,ISFATTR.,ISFINIT.)
ACCESS(ALL)
ACTION(PASSWORD)
The PERMIT forces a return code of 4, which is returned to SDSF when access to SYSOUT is checked, making SDSF honor ISFPARMS or the SDSF user exit. This enforces SDSF security checking.
You can use CA Top Secret to protect SDSF objects through the SAF interface. You can protect the following SDSF objects:
The SDSF resource class protects SDSF commands, panels, fields that can be overtyped, and action characters.
To protect commands, enter the command:
TSS ADDTO(deptacid) SDSF(ISFOPER.SYSTEM)
To limit the SDSF panel options that an ACID can use, assign ownership of them with the ADDTO function and the SDSF keyword.
This example protects the options and SDSF panel:
Use these ADDTO functions to protect the options on the panel:
For LOG: TSS ADDTO(deptacid) SDSF(ISFCMD.ODSP.SYSLOG.JES2)
For DA: TSS ADDTO(deptacid) SDSF(ISFCMD.DSP.ACTIVE.JES2)
For I: TSS ADDTO(deptacid) SDSF(ISFCMD.DSP.INPUT.JES2)
For O: TSS ADDTO(deptacid) SDSF(ISFCMD.DSP.OUTPUT.JES2)
For H: TSS ADDTO(deptacid) SDSF(ISFCMD.DSP.HELD.JES2)
For ST: TSS ADDTO(deptacid) SDSF(ISFCMD.DSP.STATUS.JES2)
For PR: TSS ADDTO(deptacid) SDSF(ISFCMD.ODSP.PRINTER.JES2)
For INIT: TSS ADDTO(deptacid) SDSF(ISFCMD.ODSP.INITIATOR.JES2)
Once the options are owned, use PERMIT to authorize their use.
The JESJOBS resource class secures the submission and cancellation of jobs.
Examples: protect JESJOBS
This example controls job submission:
TSS ADDTO(acid) JESJOBS(SUBMIT.nodename.jobname.userid)
This example controls job cancellation:
TSS ADDTO(acid) JESJOBS(CANCEL.nodename.userid.jobname)
The JESSPOOL resource class secures JES objects.
You can also specify one of the following access levels for JESSPOOL:
To specify this resource class, enter the command:
TSS ADDTO(acid) JESSPOOL(localnodeid.userid.jobname.jobid.dsnumber.name)
localnodeid: The name of the node where the object resides.
userid: The userid associated with the object.
jobname: The name field of the JOB command function.
dsnumber: The JES-assigned spool data set number.
name: The name from the DSN= parameter.
Use JES tokens in addition to the SDSF resource to secure spool data sets.
Example: secure JES objects
This example secures output belonging to USER01 that USER02 needs to view:
TSS ADDTO(deptacid) JESSPOOL(nodename.USER01)
TSS PERMIT(USER02) JESSPOOL(nodename.USER01.jobid)
The OPERCMDS resource class protects JES and operator commands.
To protect JES and operator commands, enter the commands:
For $C: TSS ADDTO(acid) OPERCMDS(jesx.CANCEL)
For $P: TSS ADDTO(acid) OPERCMDS(jesx.STOP)
For $D: TSS ADDTO(acid) OPERCMDS(jesx.DISPLAY)
For $T: TSS ADDTO(acid) OPERCMDS(jesx.MODIFY)
For S: TSS ADDTO(acid) OPERCMDS(MVS.START)
For D: TSS ADDTO(acid) OPERCMDS(MVS.DISPLAY)
The WRITER resource class protects output devices.
Examples: protect devices
This example protects local devices:
TSS ADDTO(acid) WRITER(jesname.LOCAL.devicename)
This example protects RJE devices:
TSS ADDTO(acid) WRITER(jesname.RJE.devicename)
This example protects NJE nodes:
TSS ADDTO(acid) WRITER(jesname.NJE.nodename)
To implement resource classes that protect SDSF resources, use the following process:
Masking can be used to group SDSF objects whose names share similar characteristics. These shared patterns can then be used as the operands in TSS ADDTO and PERMIT command functions.
Masking is not available for the WRITER resource class.
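The JESSPOOL example above (USER02 viewing USER01's output) and the masking rule here can be checked against a small model of resource-name matching. This is an added example, not CA code: it assumes TSS matches a PERMIT or ADDTO operand as a character prefix of the resource name and treats "*" as a masking character; the node, user and job names are constructed.

```python
import re

# Qualifiers of a JESSPOOL resource name, in the order given on this page.
FIELDS = ("localnodeid", "userid", "jobname", "jobid", "dsnumber", "name")

def parse_jesspool(resource: str) -> dict:
    """Split a JESSPOOL resource name into its named qualifiers."""
    parts = resource.split(".")
    if not 1 <= len(parts) <= len(FIELDS):
        raise ValueError(f"bad JESSPOOL resource name: {resource!r}")
    return dict(zip(FIELDS, parts))

def matches(pattern: str, resource: str) -> bool:
    """Assumed TSS semantics: the pattern is a character prefix of the
    resource name and '*' masks any run of characters. A prefix without a
    trailing dot also covers longer names (NODE1.USER01 covers NODE1.USER011);
    ending a qualifier with a dot, as the page's ISFCMD. examples do, keeps
    the match on whole qualifiers."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.match(regex, resource) is not None   # anchored at start only

def can_access(acid: str, resource: str, owned: list, permits: dict,
               default_protect: bool = False) -> bool:
    """Decide whether an ACID may reach a spool object.
    owned:   prefixes given ownership with TSS ADDTO(...) JESSPOOL(...)
    permits: {acid: [prefixes from TSS PERMIT(acid) JESSPOOL(...)]}
    default_protect: treat unowned names as protected (the page describes
    this default for $SDSF in FAIL mode); otherwise unowned names are open."""
    protected = default_protect or any(matches(o, resource) for o in owned)
    if not protected:
        return True
    return any(matches(p, resource) for p in permits.get(acid, []))

# Constructed sample mirroring the page's example: USER01's output is owned
# by the department, and USER02 is permitted only the PAYROLL job's output
# (third qualifier, per the resource-name format above).
OWNED = ["NODE1.USER01."]
PERMITS = {"USER02": ["NODE1.USER01.PAYROLL."]}

def demo() -> dict:
    payroll = "NODE1.USER01.PAYROLL.JOB00123.D0000002.JESMSGLG"
    backup = "NODE1.USER01.BACKUP.JOB00200.D0000002.JESMSGLG"
    return {
        "user02_payroll": can_access("USER02", payroll, OWNED, PERMITS),
        "user02_backup": can_access("USER02", backup, OWNED, PERMITS),
        "user03_payroll": can_access("USER03", payroll, OWNED, PERMITS),
        "masked_permit_hits_backup": matches("NODE1.USER01.PAY*", backup),
    }

if __name__ == "__main__":
    print(demo())
```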
To protect SDSF resources, define $SDSF to the RDT as a new resource. For example:
TSS ADDTO(RDT) RESCLASS($SDSF)
RESCODE(XX)
ACLST(VIEW(0800),CANCEL(0400),REQUEUE(0200),PRTCTL(8000))
Use $SDSF only if you are using the CA Top Secret exit.
These levels allow the user to perform SDSF functions and are required to define the $SDSF resource:
VIEW: Displays the output from hold or output queues.
CANCEL: Stops jobs currently running or building output, and scratches any input/output jobs waiting in the queue.
REQUEUE: Modifies output classes and destinations.
PRTCTL: Controls all action characters and operator commands that can be entered through $SDSF and are not covered by the above access levels.
Assign ownership of the $SDSF resource (usually to a department or division ACID).
For example:
TSS ADDTO(PRODDEPT) $SDSF(acid)
Here acid is the ACID in the USER= parameter on the job card, the started task ACID, or the TSO userid.
Authorize permissions with TSS PERMIT.
For example:
TSS PERMIT(acid) $SDSF(acid)
ACCESS(access level)
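The ACLST operand above assigns a bit to each $SDSF access level, and a PERMIT's ACCESS(level) list grants those bits. The following added example (not CA code) parses that operand, verifies that the four levels occupy distinct bits, and models the permit check as a bit test; the request-to-level mapping follows the level descriptions on this page and the bit-test semantics are an assumption.

```python
import re

def parse_aclst(aclst: str) -> dict:
    """Parse the ACLST operand, e.g. 'VIEW(0800),CANCEL(0400)', into
    {level name: bit mask}. Values are hexadecimal, as in the RDT entry."""
    levels = {}
    for name, hexval in re.findall(r"([A-Z0-9]+)\(([0-9A-Fa-f]+)\)", aclst):
        levels[name] = int(hexval, 16)
    if not levels:
        raise ValueError(f"no access levels found in {aclst!r}")
    return levels

def bits_are_distinct(levels: dict) -> bool:
    """Sanity check for the RDT definition: each level must use its own
    bits, otherwise one PERMIT would silently grant another level too."""
    seen = 0
    for mask in levels.values():
        if mask & seen:
            return False
        seen |= mask
    return True

# The $SDSF levels exactly as defined on this page.
SDSF_LEVELS = parse_aclst("VIEW(0800),CANCEL(0400),REQUEUE(0200),PRTCTL(8000)")

# Which level each kind of SDSF request needs, per the level descriptions.
REQUIRED = {
    "display output": "VIEW",
    "cancel job": "CANCEL",
    "change output class": "REQUEUE",
    "operator command": "PRTCTL",
}

def permitted_mask(access: list, levels: dict = SDSF_LEVELS) -> int:
    """OR together the bits named in ACCESS(level,...) on a TSS PERMIT."""
    mask = 0
    for name in access:
        mask |= levels[name]          # KeyError if the level is not in the RDT
    return mask

def allowed(request: str, access: list, levels: dict = SDSF_LEVELS) -> bool:
    """Assumed check: a request is granted only if the permitted mask
    contains every bit of the level that request requires."""
    need = levels[REQUIRED[request]]
    return permitted_mask(access, levels) & need == need

if __name__ == "__main__":
    for req in REQUIRED:
        print(f"{req:20s} with ACCESS(VIEW): {allowed(req, ['VIEW'])}")
```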
In FAIL mode, once the $SDSF resource is defined to the CA Top Secret RDT, it is protected by default and its use must be authorized with a PERMIT function.
In WARN and IMPLEMENT modes, protection is not automatic.
To protect the $SDSF resource in those modes, attach the DEFPROT attribute:
TSS REPLACE(RDT) RESCLASS($SDSF)
ATTR(DEFPROT)
Copyright © 2014 CA Technologies.
All rights reserved.