ACLST Keyword—Resource Access Level

Keywords › ACLST Keyword—Resource Access Level

ACLST Keyword—Resource Access Level

Valid on z/OS, z/VSE, and z/VM.

Use the ACLST keyword to define, change, or remove access levels for the resource in the RDT Record.

This keyword has the following format:

TSS ADDTO(RDT) RESCLASS(resource Type)
               RESCODE(hex code)
               [ACLST(access level list)]

The access level list can consist of any combination of any user or CA Top Secret defined access levels. The access level mask is not required when specifying a standard access level name defined by CA Top Secret. However, the mask must be specified in order to redefine the hex‑value of an CA Top Secret defined access level name to a non‑standard access‑level mask, or to define your own unique access level.

Common CA Top Secret defined access levels and their hexadecimal value are:

ALL=FFFF               MWRITE=2400
AUTOLOG=4000           MULTI=0400
BLP=8000               NOCREATE=0100
BROWSE=0200            NONE=0000
COLLECT=0002           NONSHR=2000
CONTROL=0400           PURGE=0100
CREATE=1000            READ=4000
DELETE=1000            REPL=0800
FEOV=0200              SCRTCH=0800
FETCH=8000             SHR=4000
FIND=1000              SUROGATE=2000
GRPLOGON=1000          UPDATE=8000
LOGON=8000             WRITE=2000
MREAD=4400

Notes:

Access levels within the ACLST should be unique and in descending hexadecimal order so that permits with multiple access levels display the highest possible access level. For example, if the list specifies READ,UPDATE=6000; the UPDATE implies READ and a permit is issued for UPDATE access. The TSS LIST command will show that the permit includes READ access and will display READ instead of UPDATE. The access level is displayed correctly if the ACLST is specified as UPDATE=6000,READ.
When adding a new resource class that contains a two byte RESCODE, or a one byte RESCODE with the ATTR(MASK) value set, a default ACLST is established if there is no ACLST keyword included in the definition. This ACLST will include two access levels, ALL(FFFF) and NONE(0000). Additionally, the default access level DEFACC is set to ALL(FFFF). These values can be modified with a TSS REPLACE command.
Assigning an access level of ALL=FFFF protects the ALL access level as well as all other access levels that are defined in the ACLST. Security calls issued for undefined access levels will yield unpredictable results.
All hexadecimal values must be unique. You cannot specify two different access levels with the same hexadecimal value.
The hexadecimal values should be structured so that each binary position in the ACLST represents an independent attribute. Binary positions should only be re‑used in the ACLST when one access‑level is intended to include another. For instance, with the DATASET resource shown below, note that UPDATE uses the same bits in the hex‑mask as were used by READ and WRITE, but that all other access levels in the list represent independent binary positions in the ACLST mask.
```
ACLST(ALL,FETCH=8000,UPDATE=6000,READ=4000,WRITE=2000,CREATE=1000,
SCRATCH=0800,CONTROL=0400,INQUIRE=0080,SET=0040,NONE)
```
Granting permission with UPDATE access automatically confers READ and WRITE because the corresponding hex‑values are additive, as shown next:
```
UPDATE = READ + WRITE
 6000 = 2000 + 4000
```
If you construct an access level CONFIRM which includes CREATE, SCRATCH, and CONTROL access, add the following to the current access list, between WRITE and CREATE, to preserve the descending order.
```
CONFIRM=1C00=1000+800+400
```
When using ACLST with a TSS REPLACE command, the entire access list is replaced by the values specified in the command.

This keyword is used with:

The commands ADDTO and REPLACE
The RDT ACID only
MISC1(RDT) authority

Examples: ACLST keyword

This example adds a new resource called #PRODUCT to the RDT Record with READ and WRITE access levels:

TSS ADDTO(RDT) RESCLASS(#PRODUCT)
               ACLST(READ,WRITE)

This example uses the REPLACE function to add new access levels to a resource class already defined in the RDT Record:

TSS REPLACE(RDT) RESCLASS(#PRODUCT)
                 ACLST(READ,WRITE)

For unique access levels, which are more applicable to the resource, specify the hexadecimal values associated with each access level:

ACLST(ANSWER=0400,CALL=0200)

This example combines predefined values with the unique access levels:

ACLST(READ,ANSWER=0400)

This example uses the REPLACE command function to remove an access level list:

TSS REPLACE(RDT) RESCLASS(#PRODUCT)
                 ATTR(NOACCESS)