Maintaining Special Security Records › RDT Record › Define a Resource to the RDT

Define a Resource to the RDT

To define a new resource class to the RDT, enter the command:

TSS ADDTO(RDT) RESCLASS(resource‑class‑name) 
               RESCODE(hex‑code) 
               MAXLEN(maxpermit)
               [ATTR(attribute‑list)] 
               [ACLST(access‑level‑list)]
               [DEFACC(default‑access‑level)]

RESCLASS

Defines a resource‑class‑name. You can only specify one resource‑class‑name per command. The name can contain letters, numbers, or national characters (@, #, $). The TSS command, logging, and the security interface honor this name. The beginning characters of a new RESCLASS name cannot match the beginning characters of an existing RESCLASS name. For example, VOLUME is an existing predefined RESCLASS name; therefore, it is not possible to create a new RESCLASS name called VOL.

Range: Up to eight characters

Tip: To avoid any possibility of a user‑defined resource conflicting with any future CA Top Secret predefined resource class, it is recommended that the user‑defined resource class have a national character (@,#,$) or number (0‑9) in one of the first four characters of the name.

RESCODE

(Optional) Used internally by CA Top Secret to abbreviate the resource class in the user’s security record and audit information.

If you enter a RESCODE, select from the following hexadecimal values:

• 001 to 03F (RIE)
• 101 to 13F (PIE)

If not specified, RESCODE defaults to the first available unused user‑definable value, RIE or PIE.

To define a RIE or PIE resource specifically because of its MAXOWN value, you must specify an appropriate RESCODE value.

MAXLEN

Defines the maximum length name in a PERMIT command allowed for this RESCLASS; sets the attribute MAXPERMIT displayed by the LIST(RDT) command; inconsistent with ATTR(SHORT)/(LONG) .

Optional parameters that can be used when defining a resource to the RDT Record or when modifying an existing resource are.

Range: 1 to 255

ATTR

Defines one or more of the following operands:

• EXIT—Calls the installation exit for this resource class.
• NOEXIT—Deactivates the installation exit.
• DEFPROT—Protects this resource class by default.
• NODEFPROT—Deactivates default protection.
• GENERIC—Supports generic prefixing for this resource class.
• NONGENERIC—Deactivates generic prefixing and treats the resource names as fully qualified names.
• PRIVPGM—Supports privileged program for this resource class.
• NOPRIVPGM—Deactivates privileged program support.
• LIBRARY—PIE only. Supports LIBRARY with PRIVPGM for this resource class.
• NOLIB—PIE only. Deactivates support for a library with privileged program.
• LONG—Equivalent to MAXLEN(44): indicates that the maximum length resource name for PERMIT with this RESCLASS is 44.
• SHORT—(default) Equivalent to MAXLEN(8): indicates that the maximum length resource name for PERMIT with this RESCLASS is 8.
• MERGE—Overrides the AUTH control option and uses the MERGE algorithm to determine the processing record for security validation of this RESCLASS. For a description of the algorithm, see the chapter “The Resource Access Security Validation Algorithm.”
• NOMERGE—Removes the MERGE attribute from the resource.
• ALLMERGE—Overrides the AUTH control option and uses the MERGE algorithm to determine the processing record for security validation of this RESCLASS. For a description of the algorithm, see the chapter “The Resource Access Security Validation Algorithm.”
• NOALLMERGE—Removes the ALLMERGE attribute from the resource.
• VMUSER—Supports VMUSER for this resource class.
• NOVMUSER—Deactivates VMUSER support.
• MASK—RIE only. Supports masking for this resource class.
• NOMASK—RIE only. Deactivates masking for this resource class.

For PRIVPGM, LIBRARY, and VMUSER the security driver must also support these features. For a user‑defined resource, the software that generates the security calls must supply additional parameters in order to satisfy PRIVPGM, LIBRARY, and VMUSER restrictions.

ACLST

Adds up to 20 access levels for this resource class. If not specified, the resource class does not support access level checking. It is recommended that ALL, CONTROL, UPDATE, and READ be defined.

If the predefined access levels are used, you can simply specify the access level list shown below.

ACLST(READ,WRITE)

However, if you want your own unique access levels, you must specify the hexadecimal values associated with each access level as illustrated in the following example.

ACLST(XYZ=0600,ABC=0005)

You can also mix defined access levels with your own unique access levels shown below.

ACLST(XYZ=0600,READ)

The access level list is supported both by the TSS command during administration and access validation, and for logging and reporting. CA Top Secret predefined access levels are listed below with their hexadecimal values:

ALL=FFFF               MWRITE=2400
AUTOLOG=4000           MULTI=0400
BLP=8000               NOCREATE=0100
BROWSE=0200            NONE=0000
COLLECT=0002           NONSHR=2000
CONTROL=0400           PURGE=0100
CREATE=1000            READ=4000
DELETE=1000            REPL=0800
FEOV=0200              SCRTCH=0800
FETCH=8000             SHR=4000
FIND=1000              SUROGATE=2000
GRPLOGON=1000          UPDATE=8000
LOGON=8000             WRITE=2000
MREAD=4400

To remove an access level list, see Changing Values in the RDT.

DEFACC

Sets the default access level CA Top Secret assigns on a TSS PERMIT. If not specified, the default access is NONE. The predefined CA Top Secret access levels with their respective hexadecimal values are listed above.

The access level specified by DEFACC must match the applicable access levels indicated by the ACLST entries for that resource. If they do not match; if no ACLST was specified, you will receive a TSS0282E error message.

When creating a user‑defined resource class, remember the following rule: If the access level is not one that is known to CA Top Secret, you must specify the hexadecimal value in the DEFACC as well as the ACLST field shown below.

TSS ADDTO(RDT) RESCLASS($NEWRES) 
               RESCODE(04)
               ACLST(ALLOW=4000)  
               DEFACC(ALLOW=4000)

Examples: define resources to the RDT

This example adds a new resource class to the RDT Record with READ and WRITE access levels:

TSS ADDTO(RDT) RESCLASS($PAY)
               RESCODE(12)  
               ACLST(WRITE,READ)

This example gives administrative authority for ownership and grants users access to a new resource class $PAY:

TSS ADMIN(ADM01) $PAY(OWN,XAUTH)
                 ACCESS(READ,WRITE)

This example adds this new resource class name $PAY to a department that is within your scope:

TSS ADDTO(DEPT01) $PAY(401K)

401K is a resource name that is now accessed by the resource class $PAY.

This example permits this resource to USER01 with READ access:

TSS PERMIT(USER01) $PAY(401K)  
                   ACCESS(READ)