Access checking
Strobe has an access filter you can enable that interfaces with RACF, CA Top Secret, or CA ACF2 to validate the issuer’s authority to perform certain functions. The access filter works in conjunction with one of these security products and, optionally, a user exit routine to determine the types of measurement requests that Strobe accepts.
By default, the Strobe access filter is disabled. To enable the access filter, see FILTER=DISABLE.
When the access filter is disabled, no attempt is made to find a security package and check the access privileges for the TSO user ID issuing the Strobe command. When the access filter is enabled through the PARMLIB, Strobe checks the TSO user ID of the user issuing the command. This check determines whether the user has the authority to:
- Measure or monitor the requested job
- Issue Strobe administrator commands
- Start the Strobe session manager as a batch job.
If Strobe determines that any of the following is true for the TSO user ID, the access filter allows the command to be executed without checking the privileges defined through the security package:
- Strobe previously determined the TSO user ID has administrator authority.
- The user’s TSO ID matches the string of characters beginning the job name to be measured. For example, if your TSO ID is USER001, you can measure a job named USER001T.
- For commands such as LIST and CHGGRP, the TSO ID of the user issuing the command is the same TSO ID that issued the original ADD or ADDGROUP command.
If Strobe finds the TSO ID does not meet any of these conditions, it calls the security package at your site. To validate ADD or ADDGROUP commands, Strobe calls security from the measured address space (as opposed to the session manager or session requester address space), just before the measurement is to be initialized. To validate other types of requests such as LIST or CHGGRP, Strobe calls security from the TSO session or job that issues the command.
When a resource is not defined to the security product, the filter behaves as follows:
- Permits access when the security product is RACF or CA Top Secret
- Denies access when the security product is CA ACF2. For more information, refer to the CA ACF2 Administrator Guide.
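The decision order described above can be modeled in a few lines to see which requests never reach the security package and which pass only because a resource is undefined. This is an added example, not Strobe code: the `Request` fields, the `profiles` lookup, the resource key and the sample requests are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

FAIL_OPEN = {"RACF", "TOPSECRET"}   # undefined resource: access permitted
FAIL_CLOSED = {"ACF2"}              # undefined resource: access denied

@dataclass
class Request:
    tso_id: str
    command: str                # e.g. "ADD", "LIST", "CHGGRP"
    job_name: str = ""
    original_issuer: str = ""   # TSO ID that issued the original ADD/ADDGROUP

def decide(req, *, filter_enabled, product, known_admins, profiles):
    """Return (allowed, reason). profiles maps (tso_id, resource) -> bool;
    a missing key models a resource not defined to the security product.
    The resource key used here is an assumption, not Strobe's naming."""
    if not filter_enabled:
        return True, "filter disabled: no check made"
    # Bypass conditions: the security package is not consulted for these.
    if req.tso_id in known_admins:
        return True, "bypass: administrator authority already determined"
    # Prefix comparison, as the page states the rule (USER001 -> USER001T).
    if req.job_name and req.job_name.startswith(req.tso_id):
        return True, "bypass: job name begins with TSO ID"
    # The page says "such as LIST and CHGGRP"; only those two are modeled.
    if req.command in ("LIST", "CHGGRP") and req.original_issuer == req.tso_id:
        return True, "bypass: issuer of original ADD/ADDGROUP"
    # Otherwise the site's security package decides.
    key = (req.tso_id, req.job_name or req.command)
    if key in profiles:
        return profiles[key], "security package: defined resource"
    if product in FAIL_OPEN:
        return True, "security package: undefined resource, permitted"
    if product in FAIL_CLOSED:
        return False, "security package: undefined resource, denied"
    raise ValueError(f"unknown security product: {product}")

def allowed_only_by_default(requests, **ctx):
    """Requests that pass solely because the resource is undefined."""
    return [r for r in requests
            if decide(r, **ctx)[1].endswith("undefined resource, permitted")]

# Constructed sample requests, not taken from any real system.
SAMPLE = [
    Request("USER001", "ADD", "USER001T"),
    Request("USER001", "ADD", "PAYROLL1"),
    Request("USER002", "LIST", original_issuer="USER002"),
    Request("USER002", "CHGGRP", original_issuer="USER001"),
]
```

Running the same request list with `product="RACF"` and then `product="ACF2"` shows which requests depend on the undefined-resource default rather than on an explicit definition.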
This section discusses the following tasks:
The following roles are required for these tasks:
- The Strobe administrator
- The z/OS security administrator.