Previous Topic: DEFPROT AttributeNext Topic: VM Protection Examples

Securing ResourcesResource Access ControlBypass Resource Checking

Bypass Resource Checking

Earlier in this chapter you learned that by using ACTION(NODSN), along with the TSS PERMIT command, you can specify that no data set checking will be performed for that particular volume. In some rare cases, however, you may want to extend that bypass privilege so that any time a particular ACID makes a certain type of access request, those requests will bypass security checks.

Note: We do not recommend this type of blank check security access for ordinary usage. Limit its use to setting up disaster recovery procedures.

You can do this by simply adding one or more bypass attributes to the ACID. This type of action is not recommended for most users. The following list of bypass options (also called no-check attributes) should be used with great care if at all. They are as follows:

NORESCHK

Allows the ACID to bypass all resource checking with the exception of data sets and volumes.

NOVOLCHK

Allows the ACID to bypass all volume checking.

Note: If data set access it being requested,CA Top Secret responds according to the data set authorizations. To allow an ACID unrestricted access to an entire volume, you must also add the NODSNCHK attribute.

NODSNCHK

Allows an ACID to bypass data set checking. Not to be confused with ACTION(NODSN) which only affects access requests for a particular volume.

NOLCFCHK

Allows an ACID to bypass LCF checking.

NOSUBCHK

Allows an ACID to bypass job submission security checking. This way an associated ACID can submit all jobs regardless of the (derived) ACID on the job card being submitted.

NOVMDCHK

Allows an ACID to bypass VM minidisk link checking.

Add these attributes to an ACID through the TSS ADD command, and rescind them through the TSS REMOVE command. For example, the following allows the SUPRACID to bypass all resource checking:

TSS ADD(SUPRACID) NORESCHK NOVOLCHK NODSNCHK NOVMDCHK

While the following example removes those privileges:

TSS REM(SUPRACID) NORESCHK NOVOLCHK NODSNCHK NOVMDCHK

To administer these no-check attributes, the Security Administrator must have the appropriate administrative authority.