

Securing TSO

CA Top Secret provides comprehensive security capabilities without modifying TSO.

Signon Security and Authorization Restrictions

To sign on to TSO, a user’s ACID must be authorized to access the TSO facility.

To grant access authorization, you can:

When signing on to TSO, a user must have a CA Top Secret ACID and may have a TSO UADS userid defined using the TSO ACCOUNT command. The TSO UADS userid is not required. When either is used, the ACID is limited to seven characters and must match the TSO UADS userid.

Users with access to TSO are permitted to all TSO commands by default.

To grant access authorization, enter the command:

TSS ADDTO(acid) FACILITY(TSO)

Terminal Security

Unattended terminals are protected against unauthorized access with automatic terminal locking. A cumulative security violation threshold can also be established that automatically forces terminal locking when it is exceeded.

Locking is enforced whenever a command (not a subcommand) is about to be executed. If the time since the last command execution exceeds the LTIME threshold for the user or the LOCKTIME of the facility, the terminal locks.

Program Security

The TSSTRACK utility allows security administrators to monitor security‑related events for one or more systems in real time. This utility can also be executed under CICS. For information on TSSTRACK, see the Report and Tracking Guide.

Command Security

TSO commands execute specific programs which need to be protected by CA Top Secret. To ensure that an ACID does not gain access to a TSO command, assign ownership of the program to another ACID. Users who want access to the program must be authorized with TSS PERMIT.

Security Administration

Changes to the security database made through a TSS command are immediately recognized by all facilities. A user’s TSO access could be administered during a CICS terminal session. Changes made to an ACID’s security record while the ACID is signed on do not immediately take effect. The ACID must sign off and then sign back on, or the security record must be refreshed with TSS REFRESH.

Data Set Access Validation

TSO users do not automatically have access to data sets starting with their ACID. The security administrator must establish ownership by adding the data set prefix to an ACID and then permitting it to the user. This is facilitated by using masking.

If your installation uses a non-standard procedure, CA Top Secret sign on processing operates correctly if the CICS DFHSNP sign on program is invoked by the procedure.
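
The own-then-permit sequence described under Command Security and Data Set Access Validation, together with the refresh step from Security Administration, as an added example that is not part of the original CA documentation. The ACIDs SECDEPT and USER01 and the program name PAYCMD are hypothetical; the /* */ lines are annotations written as they could appear in a CLIST.

```text
/* Hypothetical names: SECDEPT = owning ACID, USER01 = TSO user,    */
/* PAYCMD = program executed by the TSO command being protected.    */

/* 1. Let the user sign on to TSO (command from this page).         */
TSS ADDTO(USER01) FACILITY(TSO)

/* 2. Command security: give ownership of the program to another    */
/*    ACID, then authorize only the users who need it.              */
TSS ADDTO(SECDEPT) PROGRAM(PAYCMD)
TSS PERMIT(USER01) PROGRAM(PAYCMD)

/* 3. Data set access: access to USER01.* is not automatic.         */
/*    Establish ownership of the prefix, then permit it.            */
TSS ADDTO(SECDEPT) DSNAME(USER01.)
TSS PERMIT(USER01) DSNAME(USER01.) ACCESS(ALL)

/* 4. If USER01 is signed on, the changes to the security record    */
/*    are not seen until the next signon or a refresh.              */
TSS REFRESH(USER01)

/* 5. Verify who owns the program and who can reach the prefix.     */
TSS WHOOWNS PROGRAM(PAYCMD)
TSS WHOHAS DSNAME(USER01.)
```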