The types or levels of access to some pre-defined RDT resources (minidisks, CP commands, DCSSs, OS/DOS data sets, and user-defined resources) can be closely controlled with CA Top Secret. The mechanism for controlling these resources is the ACCESS keyword of TSS PERMIT. For example, the following authorizes USER01 to read--but only read--all minidisks with MAINT as their highest-level qualifier.
TSS PERMIT(USER01) VMMD(MAINT) ACCESS(READ)
Note that, because the default access level is READ, the following has the same effect. (In other words, the access level can be omitted if the default access level is acceptable.)
TSS PER(USER01) VMMD(MAINT)
To control access to resources dynamically added to CA Top Secret’s RDT Record, use ACLST (the list of access levels that can be specified for the resource) and DEFACC (the default access level for the resource). For instance, the following tells CA Top Secret that the user-defined resource can be accessed at the WRITE, READ, or MULTI level.
TSS ADDTO(RDT) RESCLASS(user-defined resource) RESCODE(rescode) ACLST(WRITE,READ,MULTI)
When no default access is specified, the access level for the newly defined resource is NONE.
To assign a default access level (other than NONE) to a resource, use the DEFACC keyword. For example, the following makes READ the default access level for the user-defined resource.
TSS ADDTO(RDT) RESCLASS(resclass) RESCODE(rescode) DEFACC(READ)
Later, the administrator can use TSS REPLACE to change the default level.
The following table shows the access levels that apply to minidisks.

| Level | Link access for minidisks |
|---|---|
| READ | R,RR |
| WRITE | W |
| UPDATE | R,W,RR,WR |
| MULTI | M |
| MREAD | R,RR,M,MR |
| MWRITE | W,M,MW |
| SREAD | SR |
| SWRITE | SW |
| SMULTI | SM |
| EREAD | ER |
| EWRITE | EW |
| ALL | ANY link |
| NONE | NO link |
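The two mechanisms described above (ACLST/DEFACC on an RDT entry deciding which ACCESS values a PERMIT may carry and what an omitted ACCESS defaults to, and a minidisk ACCESS level deciding which CP LINK modes succeed) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not CA Top Secret's own logic or any CA API. It assumes minidisks are named `OWNER.VADDR` and that `VMMD(OWNER)` matches only on that highest-level qualifier (the product's prefix matching is more general), treats NONE as overriding any other PERMIT on the same resource (as the data set table states for NONE), and uses constructed sample RESCLASS, RESCODE and ACID values.

```python
"""Toy model of CA Top Secret access-level resolution.

Added illustration, not CA Top Secret's own code. It covers two things the
text describes: how ACLST/DEFACC on an RDT entry constrain and default the
ACCESS of a PERMIT, and how a minidisk ACCESS level maps onto the CP LINK
modes listed in the table. Assumptions: minidisks are named OWNER.VADDR and a
PERMIT VMMD(OWNER) matches on that highest-level qualifier only; NONE is
treated as overriding any other PERMIT for the same resource.
"""
import re
from dataclasses import dataclass

# Link modes each minidisk ACCESS level permits, copied from the table above.
MINIDISK_LINK_MODES = {
    "READ": {"R", "RR"},
    "WRITE": {"W"},
    "UPDATE": {"R", "W", "RR", "WR"},
    "MULTI": {"M"},
    "MREAD": {"R", "RR", "M", "MR"},
    "MWRITE": {"W", "M", "MW"},
    "SREAD": {"SR"}, "SWRITE": {"SW"}, "SMULTI": {"SM"},
    "EREAD": {"ER"}, "EWRITE": {"EW"},
}


@dataclass(frozen=True)
class Permit:
    acid: str
    resclass: str
    resource: str
    access: str


def keywords(cmd):
    """Map every KEYWORD(value) in a TSS command to {KEYWORD: value}."""
    return dict(re.findall(r"([A-Z]+)\(([^)]*)\)", cmd.upper()))


def build_rdt(commands):
    """Model the RDT. VMMD is pre-defined (default access READ); other
    classes come from TSS ADDTO(RDT) and default to NONE when DEFACC is absent."""
    rdt = {"VMMD": {"ACLST": set(MINIDISK_LINK_MODES) | {"ALL", "NONE"},
                    "DEFACC": "READ"}}
    for cmd in commands:
        kw = keywords(cmd)
        if kw.get("ADDTO") == "RDT":
            aclst = set(kw["ACLST"].split(",")) if "ACLST" in kw else set()
            rdt[kw["RESCLASS"]] = {"ACLST": aclst, "DEFACC": kw.get("DEFACC", "NONE")}
    return rdt


def parse_permit(cmd, rdt):
    """Turn a TSS PERMIT/PER into a Permit. A missing ACCESS takes the class's
    DEFACC; an ACCESS outside the class's ACLST is rejected (NONE is always allowed)."""
    kw = keywords(cmd)
    acid = kw.get("PERMIT") or kw.get("PER")
    resclass = next(k for k in kw if k in rdt)
    entry = rdt[resclass]
    access = kw.get("ACCESS", entry["DEFACC"])
    if access != "NONE" and access not in entry["ACLST"]:
        raise ValueError(f"ACCESS({access}) is not in ACLST for {resclass}: "
                         f"{sorted(entry['ACLST'])}")
    return Permit(acid, resclass, kw[resclass], access)


def permit_is_valid(cmd, rdt):
    """True if the PERMIT would be accepted under this RDT model."""
    try:
        parse_permit(cmd, rdt)
        return True
    except (ValueError, StopIteration, KeyError):
        return False


def link_allowed(permits, acid, minidisk, mode):
    """Decide whether ACID may LINK to minidisk 'OWNER.VADDR' in the given mode."""
    owner = minidisk.split(".")[0]
    matching = [p for p in permits
                if p.acid == acid and p.resclass == "VMMD" and p.resource == owner]
    if any(p.access == "NONE" for p in matching):
        return False                      # NONE = NO link
    return any(p.access == "ALL" or mode in MINIDISK_LINK_MODES.get(p.access, set())
               for p in matching)


# Constructed sample definitions and permits (RESCODE values are placeholders).
RDT_COMMANDS = [
    "TSS ADDTO(RDT) RESCLASS(APPDATA) RESCODE(01) ACLST(WRITE,READ,MULTI)",
    "TSS ADDTO(RDT) RESCLASS(APPCONF) RESCODE(02) ACLST(WRITE,READ) DEFACC(READ)",
]
PERMIT_COMMANDS = [
    "TSS PERMIT(USER01) VMMD(MAINT) ACCESS(READ)",
    "TSS PER(USER02) VMMD(MAINT)",                  # ACCESS omitted -> READ
    "TSS PERMIT(USER03) VMMD(MAINT) ACCESS(UPDATE)",
    "TSS PERMIT(USER04) VMMD(MAINT) ACCESS(NONE)",
]


def demo():
    """Build the sample RDT and parse the sample PERMITs against it."""
    rdt = build_rdt(RDT_COMMANDS)
    permits = [parse_permit(c, rdt) for c in PERMIT_COMMANDS]
    return rdt, permits


if __name__ == "__main__":
    rdt, permits = demo()
    for acid, mode in [("USER01", "RR"), ("USER01", "W"), ("USER02", "R"),
                       ("USER03", "WR"), ("USER04", "R")]:
        print(acid, "LINK MAINT.190", mode, "->",
              link_allowed(permits, acid, "MAINT.190", mode))
```

Running the script shows USER01 (READ) succeeding with an RR link but refused a W link, USER02 getting READ without naming it, USER03 (UPDATE) allowed WR, and USER04 (NONE) refused everything; a PERMIT on APPDATA with ACCESS(UPDATE) is rejected because UPDATE is not in that class's ACLST, while omitting ACCESS on APPDATA yields NONE and on APPCONF yields READ.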
The following table shows the access levels that can be specified for DCSSs.

| Level | Meaning for DCSSs |
|---|---|
| SHR | Shared copy of DCSS may be loaded |
| NOSHR | A non-shared copy of DCSS may be loaded |
| FIND | Entry point of DCSS may be located |
| PURGE | DCSS may be purged |
| ALL | ALL access |
| NONE | NO access |
The following table shows the access levels that can be specified for OS/DOS data sets and DASD volumes.

| Level | Meaning for Data Sets | Meaning for Volumes |
|---|---|---|
| READ | Data set can be read (open for input) | All OS/DOS data sets on the volume can be read |
| WRITE | Data set can be open for write | All OS/DOS data sets on the volume can be written to |
| UPDATE | Data set can be open for simultaneous read and write | All OS/DOS data sets on this volume can be updated |
| ALL | Data set can be accessed in any manner | All OS/DOS data sets can be accessed in any manner |
| NONE | Data set cannot be used in any manner (overrides any explicit authorization) | Volume and OS/DOS data sets cannot be accessed |
Note: VSAM clusters are not individually protected at the CP start I/O level. However, the use of VSAM is protected. A user must be PERMITted to the VSAM file extents on a given volume.

Example: To access the VSAM extents on VOLSER(DASD01), the ACID needs the following PERMIT in its Security Record:

TSS PERMIT(USER01) DSN(SYSVSAM.VDASD01)
The following table shows the access levels that can be specified for VMMACH.

| Level | Meaning for Virtual Machine |
|---|---|
| LOGON | ACID may log on to the virtual machine with the ACID= keyword of the CP LOGON command |
| AUTOLOG | ACID may autolog this virtual machine without a password |
| GRPLOGON | ACID may log on to the virtual machine with the GRPUSER= option of the CP LOGON command |
| SUROGATE | ACID may issue SUROGATE SET/RESET against the virtual machine |
| APPC | ACID can log on through an APPC connection |
| ALL | ACID can use all of the above functions against the machine |
| NONE | ACID can use none of the above functions against the machine |
Copyright © 2014 CA Technologies.
All rights reserved.