Valid on z/OS, z/VSE, and z/VM.
Use the ACTION keyword to assign actions:
When used with FACILITY, this keyword has the following format:
TSS ADDTO(acid) FACILITY(facility)
ACTION(AUDIT,NOTIFY,DENY)
AUDIT
CA Top Secret audits the ACID while it is logged on to the facility.
NOTIFY
CA Top Secret notifies the security console that the ACID is signing on to the facility.
DENY
CA Top Secret denies access to the facility even though it was specified in the ACID's PROFILE.
When used with a resource keyword, this keyword has the following format:
TSS PERMIT(acid) resource(prefix)
ACTION(FAIL,AUDIT,NOTIFY,DENY,VMPRIV,PASSWORD,
NODSNCHK,ADMIN,EXIT,REVERIFY)
TSS REVOKE(acid) resource(prefix)
ACTION(ADMIN)
FAIL
If this permission is used by CA Top Secret as the "best fit" for the resource, CA Top Secret processes the request as if the user were in FAIL mode: it fails any unauthorized access to the resource and, conversely, allows authorized access (superseding, for example, native password protection on data sets and minidisks).
Note: FAIL can be used with resources that have access levels, whereas DENY is used with resources that do not have access levels.
AUDIT
CA Top Secret audits the access.
NOTIFY
CA Top Secret notifies the security console of the resource access via message TSS7299I.
EXIT
If the PERMIT is granted, CA Top Secret issues the EXIT call to invoke the TSS Installation Exit. In z/OS this applies to data sets and volumes only; in z/VM it applies to all resources.
DENY
Valid for all resources that do not support access levels. ACTION(DENY) fails any attempted access to the resource defined in the PERMIT, which effectively provides ACCESS(NONE) to the resource. The ACID's mode is still honored.
VMPRIV
(VMPRIVILEGE) The privileged form of CP commands and DIAGNOSE instructions.
PASSWORD
For minidisks and data sets only. If the PERMIT is granted, CA Top Secret returns control to z/VM for password protection. This assumes that a link password exists for the minidisk.
Note: Data set checks that occur as a result of allocating an SMS-managed data set do not prompt for a data set password. This is a normal function of SMS.
NODSNCHK
For volumes only. Only volume checking is performed. All data set restriction is bypassed, and the minimum and maximum access levels to all data sets on the volume are controlled by the volume access granted with PERMIT.
ADMIN
Under normal circumstances, CA Top Secret allows an administrator to PERMIT and REVOKE only those resources that fall within his scope. The ACTION(ADMIN) keyword gives the security administrator the ability to allow ACIDs within his scope the authority to administer resources that are not within the permitted ACID's scope. If an access level is not specified, CA Top Secret permits the default access level for that resource class.
Note: ACTION(ADMIN) is not valid for Profile type ACIDs.
REVERIFY
Transactions that require additional security can be defined to require the signon password to be entered with each use. Use this to prevent sensitive transactions from being entered by an unauthorized individual at an unlocked terminal.
This keyword is used with the TSS ADDTO, TSS PERMIT, and TSS REVOKE commands shown above.
This example audits an ACID accessing CICSTEST:
TSS ADDTO(USER01) FACILITY(CICSTEST)
ACTION(AUDIT)
This example denies a user's attempts to logon to a facility:
TSS ADDTO(USER01) FACILITY(CICSPROD)
ACTION(DENY)
This example indicates that the user is allowed to sign on to CICS and everything the ACID does is audited:
TSS ADDTO(acid) FACILITY(CICS)
ACTION(AUDIT)
In this example, USER01 is in WARN mode and is not connected to PROF01, which allows access to MASTER.PAYROLL.FILE. Ordinarily, if USER01 attempted to access MASTER.PAYROLL.FILE, he would be warned. This example fails USER01 if he attempts to access MASTER.PAYROLL.FILE:
TSS PERMIT(USER01) DSNAME('MASTER.PAYROLL.FILE')
ACTION(FAIL)
ACCESS(NONE)
This example creates an audit record every time USER01 updates the PERS.PAY data set:
TSS PERMIT(USER01) DSNAME(PERS.PAY)
ACTION(AUDIT)
ACCESS(UPDATE)
This example issues message TSS7299I whenever USER01 accesses PERS.PAYROLL:
TSS PERMIT(USER01) DSNAME('PERS.PAYROLL')
ACCESS(R)
ACTION(NOTIFY)
In this example, USER01 is connected to a profile (PROF01) that allows him to access all terminals in the Accounting Department:
TSS PERMIT(PROF01) TERMINAL(K06L1234)
This example denies USER01 access to terminals K06L4567 and K06L1233:
TSS PERMIT(USER01) TERMINAL(K06L4567,K06L1233)
ACTION(DENY)
This example denies access and results in a failure in any mode:
TSS PERMIT(USER01) TERMINAL(K06L4567,K06L1233)
ACTION(FAIL,DENY)
This example allows USER05 to permit or revoke access to this resource for other users, although the resource itself is not owned within his scope:
TSS PERMIT(USER05) DSNAME(SYS1.)
ACTION(ADMIN)
This example removes from USER05 the authority to permit or revoke access to this resource, which is not owned within his scope:
TSS REVOKE(USER05) DSNAME(SYS1.)
ACTION(ADMIN)
Note: If the FACILITY keyword had been specified on the above command, the command would have been processed without an error; however, the FACILITY restriction would not be in effect.
In this example with OTRAN, password re-verification is indicated on the PERMIT by the ACTION(REVERIFY) parameter once the resource is owned:
TSS PERMIT(USER01) OTRAN(PROD)
ACTION(REVERIFY)
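The keyword descriptions above state several rules that are easy to get wrong in a hand-written command deck: ADDTO FACILITY accepts only AUDIT, NOTIFY and DENY; REVOKE is shown with ACTION(ADMIN) only; PASSWORD is for data sets and minidisks, NODSNCHK for volumes, EXIT for data sets and volumes on z/OS; DENY is for classes without access levels; ADMIN is not valid for Profile ACIDs. The following Python pre-flight checker is an added example, not CA code or CA-supplied tooling, that encodes those rules and runs them over a constructed deck built from the examples on this page plus four deliberately wrong commands. It assumes the deck layout used above (a line beginning with "TSS " starts a command, the lines after it are continuations), assumes VOLUME as the keyword name for the volume class, does not model the z/VM minidisk class, and takes the set of Profile-type ACIDs from the caller because that cannot be derived from the command text.

```python
import re

# ACTION values this page documents for each command form.
ADDTO_FACILITY_ACTIONS = {"AUDIT", "NOTIFY", "DENY"}
PERMIT_ACTIONS = {"FAIL", "AUDIT", "NOTIFY", "DENY", "VMPRIV", "PASSWORD",
                  "NODSNCHK", "ADMIN", "EXIT", "REVERIFY"}
REVOKE_ACTIONS = {"ADMIN"}
# Classes with access levels (DENY is documented for classes without them).
# DSNAME is from the page; VOLUME is the keyword name assumed for volumes.
ACCESS_LEVEL_CLASSES = {"DSNAME", "VOLUME"}
TRANSACTION_CLASSES = {"OTRAN"}  # the page's REVERIFY example uses OTRAN

# Constructed deck: the first five commands are the page's own examples,
# the last four each break one rule from the keyword descriptions.
SAMPLE_DECK = """
TSS ADDTO(USER01) FACILITY(CICSTEST)
ACTION(AUDIT)
TSS PERMIT(USER01) DSNAME('MASTER.PAYROLL.FILE')
ACTION(FAIL)
ACCESS(NONE)
TSS PERMIT(USER01)TERMINAL(K06L4567,K06L1233)
ACTION(FAIL,DENY)
TSS REVOKE(USER05) DSNAME(SYS1.)
ACTION(ADMIN)
TSS PERMIT(USER01) OTRAN(PROD)
ACTION(REVERIFY)
TSS ADDTO(USER01) FACILITY(CICSPROD)
ACTION(FAIL)
TSS PERMIT(USER01) TERMINAL(K06L9999)
ACTION(PASSWORD)
TSS PERMIT(USER01) DSNAME(PERS.PAY)
ACTION(DENY)
TSS PERMIT(PROF01) DSNAME(SYS1.)
ACTION(ADMIN)
"""


def parse_commands(text):
    """Group deck lines into commands: a line starting with 'TSS ' opens a
    command, following lines are continuations (assumed layout, as above)."""
    cmds, cur = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.upper().startswith("TSS "):
            if cur:
                cmds.append(" ".join(cur))
            cur = [line]
        elif cur:
            cur.append(line)
    if cur:
        cmds.append(" ".join(cur))
    return cmds


def keywords(cmd):
    """Return (verb, {KEYWORD: [values]}) for one command's KEYWORD(v1,v2) tokens."""
    verb = cmd.split()[1].split("(")[0].upper()
    kws = {}
    for m in re.finditer(r"([A-Z]+)\s*\(([^)]*)\)", cmd.upper()):
        vals = [v.strip() for v in m.group(2).split(",") if v.strip()]
        kws.setdefault(m.group(1), []).extend(vals)
    return verb, kws


def lint(cmd, profile_acids=frozenset()):
    """Return findings for one command (empty list = nothing to report).
    profile_acids: ACIDs the caller knows to be Profile type."""
    verb, kws = keywords(cmd)
    actions = set(kws.get("ACTION", []))
    if not actions:
        return []
    acid = kws.get(verb, [""])[0]
    classes = [k for k in kws if k not in (verb, "ACTION", "ACCESS")]
    rclass = classes[0] if classes else ""
    out = []
    if verb == "ADDTO" and "FACILITY" in kws:
        bad = sorted(actions - ADDTO_FACILITY_ACTIONS)
        if bad:
            out.append(f"ADDTO FACILITY takes only AUDIT/NOTIFY/DENY, found {bad}")
    elif verb == "REVOKE":
        bad = sorted(actions - REVOKE_ACTIONS)
        if bad:
            out.append(f"REVOKE is documented with ACTION(ADMIN) only, found {bad}")
    elif verb == "PERMIT":
        bad = sorted(actions - PERMIT_ACTIONS)
        if bad:
            out.append(f"unknown PERMIT ACTION value(s) {bad}")
        if "PASSWORD" in actions and rclass != "DSNAME":  # minidisk class not modelled
            out.append("PASSWORD applies to data sets and minidisks only")
        if "NODSNCHK" in actions and rclass != "VOLUME":
            out.append("NODSNCHK applies to volumes only")
        if "EXIT" in actions and rclass not in ACCESS_LEVEL_CLASSES:
            out.append("EXIT is honored only for data sets and volumes on z/OS")
        if "DENY" in actions and rclass in ACCESS_LEVEL_CLASSES:
            out.append(f"DENY is for classes without access levels; use ACCESS(NONE) or FAIL on {rclass}")
        if "REVERIFY" in actions and rclass not in TRANSACTION_CLASSES:
            out.append("REVERIFY is documented for transactions (OTRAN)")
        if "ADMIN" in actions and acid in profile_acids:
            out.append(f"ACTION(ADMIN) is not valid for Profile ACID {acid}")
    return out


def lint_deck(text, profile_acids=frozenset()):
    """Lint every command in a deck; returns [(command, findings), ...]."""
    return [(c, lint(c, profile_acids)) for c in parse_commands(text)]


if __name__ == "__main__":
    for cmd, findings in lint_deck(SAMPLE_DECK, profile_acids={"PROF01"}):
        print("WARN" if findings else "OK  ", cmd)
        for f in findings:
            print("      -", f)
```

Run as a script it prints OK for the five commands taken from this page and WARN for the four constructed ones (FAIL on ADDTO FACILITY, PASSWORD on a TERMINAL, DENY on a DSNAME, ADMIN granted to PROF01). The checks are deliberately limited to what the keyword descriptions state; anything the page leaves open (FAIL on a class without access levels, for instance, which the terminal example above uses) is not flagged.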
Copyright © 2009 CA Technologies.
All rights reserved.