To implement SAF security checking with TopSecret, perform the following steps:
- Contact your TopSecret administrator to add a new SAF class.
The SAF class defines the functions that are to be protected. The default class name is DLP#. However, if you want to change the class name, you can edit member DLPYSAF of the DLPSAMP library (as documented in the member). Run job DLP#SAF1 from the DLPCNTL library to update the DLPU007 module in the load module library. The class name supplied in member DLPYSAF of the DLPSAMP library will be the class name that is used for SAF security checking.
- Define the class in the TopSecret Resource Definition Table (RDT). Issue the following TSS command:
TSS ADD(RDT) RESCLASS(DLP#) RESCODE(hex_code) MAXLEN(100) [ACLST(access_level_list)] [DEFACC(default_access_level)]
Your TopSecret administrator should be able to determine the RESCODE, ACLST, and DEFACC.
- Determine which functions within the product you want to restrict.
For example, to restrict access to the Convert-History-to-Stage1-Macros Utility, issue the following TSS command:
TSS ADD(DLP#) RESCLASS(DLP.*.CONVERT.HISTORY.STAGE1) DEFACC(ALL)
To protect a specific function, you must define the associated resource name within the product class. A user must have at least READ access to a resource to have access to the function. If the user who is requesting the function does not have READ access to the resource, the request will be rejected.
Any function that is not protected (the associated resource name is not defined within the product class) can be accessed by any user requesting the function. If a user has UPDATE access, READ access is also assumed.
- Issue the following TSS commands to define the ACTIVATE resource within the class, where deptims is the owner of the resources (for example, a department or a user):
TSS ADD(deptims) DLP#(ACTIVATE)
TSS PERMIT(ALL) DLP#(ACTIVATE) ACC(READ)
You must define the ACTIVATE resource before you can activate the SAF security interface. This feature allows you to quickly activate and deactivate the interface. Users must have READ access to the ACTIVATE resource to access the product ISPF interface or batch functions. You should not define the ACTIVATE resource until you have defined all other resources.
- Log on to the ISPF interface and issue the SAF command. The panel will display whether SAF is active.
- Press F1. The following information displays:
SAF security is enabled for product, class class_name.
Ensure that class_name matches the SAF class that you defined.
- To restrict individual users, issue the following TSS command:
TSS PERMIT(userid) RESCLASS(DLP.*.CONVERT.HISTORY.STAGE1) ACCESS(NONE)
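The access rules these steps describe, as an added Python model (not Top Secret code or the product's own) that lets you check which functions are exposed before activating the interface: it assumes a permit naming a specific user overrides the ALL record, matches resource names exactly, and constructs the userid USER01 and an extra PERMIT(ALL) on the CONVERT resource for illustration.

```python
from dataclasses import dataclass, field

# Access levels in increasing order; UPDATE implies READ, as the text states.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALL": 3}

@dataclass
class SafClass:
    """Model (not Top Secret code) of one SAF resource class such as DLP#."""
    name: str
    resources: set = field(default_factory=set)  # names ADDed to the class
    permits: dict = field(default_factory=dict)  # (acid, resource) -> access

    def add(self, resource):  # mirrors TSS ADD(owner) DLP#(resource)
        self.resources.add(resource)

    def permit(self, acid, resource, access):  # mirrors TSS PERMIT(acid) DLP#(resource) ACC(access)
        self.permits[(acid, resource)] = access

    def effective_access(self, user, resource):
        # Assumption: a permit naming the user wins over the ALL record; this is what
        # lets ACCESS(NONE) restrict one user after PERMIT(ALL) ... ACC(READ).
        # Names are matched exactly; Top Secret masking characters are not modelled.
        if (user, resource) in self.permits:
            return self.permits[(user, resource)]
        return self.permits.get(("ALL", resource), "NONE")

    def allows(self, user, resource):
        """READ on ACTIVATE gates the interface; unprotected is open; else need READ."""
        need_read = ACCESS_RANK["READ"]
        if "ACTIVATE" in self.resources and \
                ACCESS_RANK[self.effective_access(user, "ACTIVATE")] < need_read:
            return False
        if resource not in self.resources:
            return True
        return ACCESS_RANK[self.effective_access(user, resource)] >= need_read

    def unprotected(self, functions):
        """Audit helper: known product functions with no resource definition."""
        return sorted(f for f in functions if f not in self.resources)

def example_class():
    """The DLP# setup from the steps above; USER01 and the PERMIT(ALL) on the
    CONVERT resource are constructed for the example."""
    c = SafClass("DLP#")
    c.add("DLP.*.CONVERT.HISTORY.STAGE1")
    c.permit("ALL", "DLP.*.CONVERT.HISTORY.STAGE1", "READ")
    c.permit("USER01", "DLP.*.CONVERT.HISTORY.STAGE1", "NONE")
    c.add("ACTIVATE")  # defined last, as the text advises
    c.permit("ALL", "ACTIVATE", "READ")
    return c
```

Feed unprotected() the full list of product functions you know of; anything it returns is reachable by every user who holds READ on ACTIVATE.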