Previous Topic: Character TranslationsNext Topic: Steps for Converting CA View 2.0 CA Top Secret Permissions

SecurityExternal SecurityImplementing External Security for CA Top Secret

Implementing External Security for CA Top Secret

Note: For more information about the commands listed in this section, see the CA Top Secret Command Functions Guide. The sample jobs can be found in CVDEOPTN member SARTSS.

Follow these steps:

  1. Add the CA View resource types (classes) to the Resource Descriptor Table, for example: 
    

    //EXAMPLE JOB ACCOUNT,PROGRAMMER
//RDT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS ADDTO(RDT) RESCLASS(CHA1VIEW) RESCODE(20) +
ATTR(LONG,MASK) DEFACC(NONE) +
ACLST(ALL,CONTROL,UPDATE,READ,NONE) + 
/*

    Note: CA Top Secret does not normally resolve authority in hierarchies. This depends on how a resource class is defined to the Resource Descriptor Table (RDT). The RDT documentation sample given for CA View resource class CHA1VIEW shown in the previous example does not allow hierarchical access.

    For hierarchical checking, access level masks in the RDT ACLST should be specified in descending hexadecimal order and defined so that CONTROL access includes UPDATE and READ access and UPDATE access includes READ access.

    For example, based on the following ACLST definition:

    ACLST(ALL(FFFF),CONTROL(6400),UPDATE=(6000),READ=(0400),NONE(0000))

    The bit pattern for CONTROL access (6400 = 011001..) includes the bits set for UPDATE (011...) which in turn includes the bit set for READ (01...) access.

    Note: To support security checking on fully qualified resource names - including characters from the expanded special character set, the CA View resource class has to be defined with the NOMASK and NONGENERIC attributes as follows:

    //EXAMPLE JOB ACCOUNT,PROGRAMMER
//RDT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS ADDTO(RDT) RESCLASS(CHA1VIEW) RESCODE(20) +
ATTR(LONG,NOMASK,NONGENERIC) DEFACC(NONE) +
ACLST(ALL,CONTROL,UPDATE,READ,NONE)  
/*

    Altering the CA View resource class to NOMASK from MASK makes existing resources un-administrable. Before making such a change, we recommend that all existing permissions and ownerships be revoked and removed, then re-administered after the attribute change.

  2. Create a department to own the resources, for example: 
    //EXAMPLE JOB ACCOUNT,PROGRAMMER
//DEPT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS CREATE(VIEWDEPT) TYPE(DEPT) NAME('VIEW DEPARTMENT')
/*
//EXAMPLE JOB ACCOUNT,PROGRAMMER
//OWNER EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS ADDTO(VIEWDEPT) CHA1VIEW(VIEW.)
TSS ADDTO(VIEWDEPT) CHA1VIEW(DBAS.)
/*
  3. Make a profile and permit resource access to it, for example: 
    //EXAMPLE JOB ACCOUNT,PROGRAMMER
//PROFILE EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS CREATE(VIEWPROF) TYPE(PROFILE) NAME('VIEW') DEPT(VIEWDEPT)
/*
//EXAMPLE JOB ACCOUNT,PROGRAMMER
//PERMIT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS PERMIT(VIEWPROF) CHA1VIEW(VIEW.) ACCESS(ALL) ACTION(FAIL)
TSS PERMIT(VIEWPROF) CHA1VIEW(DBAS.) ACCESS(ALL) ACTION(FAIL)
/*
  4. Add the profile to a user, for example: 
    //EXAMPLE JOB ACCOUNT,PROGRAMMER
//ADDTO EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
TSS ADDTO(userid) PROFILE(VIEWPROF)
/*