UR1/UR2 Resource Class—Secure Resource Restrictions

Resources › UR1/UR2 Resource Class—Secure Resource Restrictions

UR1/UR2 Resource Class—Secure Resource Restrictions

Valid on z/OS, z/VSE, and z/VM.

Use UR1/UR2 to secure general installation‑defined resource restrictions as account codes.

When used with TSS ADDTO/REMOVE, this resource class has the following format:

TSS ADDTO(acid) UR1(oper,oper,...)|UR2(oper,oper,...)

Prefix length: One to eight characters
Capacity of list: One to five prefixes per TSS command

When used with TSS PERMIT/REVOKE, this resource class has the following format:

TSS PERMIT(acid) UR1(p‑fix)|UR2(p‑fix)
                 ACCESS(access levels)

Prefix length: One to forty‑four characters
Capacity of list: One to five prefixes per TSS command

This keyword is used with:

The commands CREATE, ADDTO, REMOVE, PERMIT, REVOKE, ADMIN, DEADMIN, WHOHAS, and WHOOWNS
The ACID types User, Profile, Department, Division, Zone, DCA, VCA, ZCA, LSCA, SCA, and MSCA when used with TSS ADD/REMOVE
The UR1/UR2 keywords are used with the ACID types: User, Profile, DCA, VCA, ZCA, LSCA, SCA, and MSCA when used with TSS PERMIT/REVOKE
UR1/UR2(OWN) authority to ADD or REMOVE UR1/UR2 resources from ACIDs
UR1/UR2(XAUTH) authority to permit or revoke access to UR1/UR2 resources

The administrator can:

Specify the access levels: ALL, NONE, READ, WRITE, and UPDATE. If access is not specified, CA Top Secret defaults to READ access.
Use any of the following methods to control access to user‑defined resources: Expiration, Facility, Program Pathing, Time/Day, and Actions.

Required Customization for the UR1 or UR2 Keyword

The UR1 or UR2 keyword requires prior customization of application programs or system exits to invoke the VM and z/OS security interface such that, it will call CA Top Secret to verify access to installation‑defined resources.

Ownership

Once the resource classes are defined, the administrator can use the UR1 keyword to assign ownership of up to five UR1 resource prefixes.

An installation‑defined resource type, such as account codes, is identified as being a class 1 (UR1) or a class 2 (UR2) user owned resource.

Examples: UR1/UR2 resource class

This example assigns ownership of an account number to Corporate:

TSS ADDTO(CORPORAT) UR1(ACCT788I)

The administrator may now PERMIT access to users or profiles that require access.

This example removes ownership:

TSS REMOVE(CORPORAT) UR1(ACCT788I)

This example permits a group of users all access to a set of account numbers:

TSS PERMIT(CLKPROF) UR2(ACCT7889,ACCT4567) ACCESS(ALL)

This example revokes access:

TSS REVOKE(CLKPROF) UR2(ACCT7889,ACCT4567)