Ownable Resource Security › The Resource Descriptor Table (RDT) Record › Implementing the RDT › Command Syntax

Command Syntax

The following TSS command functions that relate to the RDT are shown below.

To define a new resource class to the RDT, enter:

TSS ADDTO(RDT) RESCLASS(resource class name) RESCODE(hex code)
    [ATTR(attribute list)] [ACLST(access level list)]
    [DEFACC(default access level)]

To change the values of previously-defined resource classes, enter:

TSS REPLACE(RDT) RESCLASS(resource class name)
    [ATTR(attribute list)] [ACLST(access level list)]
    [DEFACC(default access level)]

To remove a previously-defined resource class definition, enter:

TSS REMOVE(RDT)  RESCLASS(resource class name)

To list resource classes, enter:

TSS LIST(RDT) [RESCLASS(resource class name(s)]

The two keywords RESCLASS and RESCODE are required when adding a resource to the RDT Record. Only RESCLASS is required for modifying, listing and removing a particular resource class name.

RESCLASS

Is the eight-character resource class name. The TSS command, logging, and the security interface honor this name.

RESCODE

Is the two-digit hexadecimal code which is used internally by CA Top Secret to identify the resources of this particular class. This identifier is used in trace as well as logging information. When adding a resource class to the RDT Record, you can use any hexadecimal code between 001 - 03F and 101 - 13F which is reserved for dynamically-defined RESCODEs.

Optional keywords that can be used when dynamically defining a resource to the RDT Record or when modifying an existing resource class follow.

ATTR

Contains one or more of the following operands:

• EXIT—Calls the installation exit for this resource class
• NOEXIT—Deactivates the installation exit call
• DEFPROT—Protects this resource class by default
• NODEFPROT—Deactivates default protection
• PRIVPGM—Supports PRIVPGM for this resource class
• NOPRIVPGM—Deactivates PRIVPGM support
• GENERIC—Supports generic prefixing for this resource class
• NONGENERIC—Deactivates generic prefixing and treats the resource names as fully qualified names
• LIB—Supports LIB with PRIVPGM for this resource class
• NOLIB—Deactivates support for LIB with PRIVPGM
• LONG—Supports 44 character entities for this resource class
• SHORT—Deactivates 44 character support
• MERGE—Uuses AUTH(MERG) for access checking of this resource class
• NOMERGE—Deactivates AUTH(MERG) option for access checking
• ALLMERGE—Uses AUTH(ALLMERGE) for access checking of this resource class
• NOALLMERGE—Deactivates AUTH(ALLMERGE) option for access checking
• VMUSER—Supports VMUSER for this resource class
• NOVMUSER—Deactivates VMUSER support

Note: For PRIVPGM, LIB and VMUSER the security driver must also support these features. For all pre-defined CA Top Secret resource classes (such as DATASET and VOLUME), only the DEFPROT, EXIT, and MERGE attributes may be altered through the TSS REPLACE(RDT) command function.

Consider the following examples. An administrator wants to add PRODUCTA to the RDT Record, and give it default protection. He enters:

TSS ADDTO(RDT) RESCLASS(PRODUCTA) RESCODE(10) ATTR(DEFPROT)

If an administrator wishes to remove an attribute that he has assigned to a specific resource class, he simply uses the TSS REPL(RDT) command function and prefixes the attribute with NO. For example:

TSS REPLACE(RDT)  RESCLASS(PRODUCTA)  ATTR(NODEFPROT)

In this example, the resource class PRODUCTA no longer has default protection.

To remove the LONG attribute which is already attached to a specific resource class, specify ATTR(SHORT). This is the only exception that does not use the prefix NO when when attempting to remove an already defined attribute.

You can remove the LONG attribute only with dynamically defined resources, but not pre-defined resources. To list data concerning how PRODUCTA will be processed, the administrator enters:

TSS LIST(RDT) RESCLASS(PRODUCTA)

If an administrator wants to remove PRODUCTA from the RDT, he enters:

TSS REMOVE(RDT) RESCLASS(PRODUCTA)

Note: Removing a resource class from the RDT requires that all owned resources belonging to that particular resource class were previously removed.

ACLST

Lists up to 20 access levels for this resource class. If not specified, then the resource class does not support access level checking. It is recommended that ALL, CONTROL, UPDATE, and READ are defined. If the CA Top Secret defined access levels are used, the administrator can simply specify a list.

For example:

ACLST(READ,WRITE)

However, if he wants his own unique access levels, he must specify the hexadecimal values associated with each access level.

For example:

ACLST(ABC=0500,XYZ=0600,...)

The administrator can also mix defined with his own unique access levels.

For example:

ACLST(READ,XYZ=0600)

The access level list is supported both by the TSS command during administration, access validation, and for logging and reporting.

CA Top Secret pre-defined access levels follow and are given in hexadecimal values:

• NONE(0000)
• SET(0040)
• INQUIRE(0080)
• NOCREATE(0100)
• PURGE(0100)
• FEOV(0200)
• BROWSE(0200)
• CONTROL(0400)
• MULTI(0400)
• SCRTCH(0800)
• REPL(0800)
• CREATE(1000)
• DELETE(1000)
• GRPLOGON(1000)
• FIND(1000)
• SUROGATE(2000)
• WRITE(2000)
• MWRITE(2400)
• READ(4000)
• AUTOLOG(4000)
• MREAD(4400)
• FETCH(8000)
• UPDATE(8000)
• BLP(8000)
• ALL(FFFF)
• LOGON(8000)

Note: ALL and NONE cannot be coded.

If an administrator wishes to remove an access level list, he simply enters:

TSS REPLACE(RDT) RESCLASS(PRODUCTA) ATTR(NOACCESS)

DEFACC

Sets the default allowed access for this resource. If not specified, the default access is NONE.