Defining CA top secret access rules


The following procedure defines access rules for CA Top Secret. Use the values listed under TSS ADD and TSS PERMIT Keywords in the ADD and PERMIT commands. Issue the commands from the command line during a TSO session.

1. Define a resource class in the resource definition table (RDT). The RESCODE is in hexadecimal notation. With Release 17.02 and later, Strobe supports a user-defined resource class. See SECURITY_CLASS= for more information.

TSS ADD(RDT) RESCLASS(STROBE) RESCODE(xx) ATT(DEFPROT,LONG)

2. Specify the types of access allowed, on the same TSS ADD(RDT) command.

ACLST(NONE,READ,UPDATE)

3. Assign ownership of the Strobe profile. The high-level qualifier $STROBE must match the value of the PROFILE keyword in your Strobe PARMLIB.

TSS ADD(ownerid) STROBE($STROBE.)

4. Specify user access to target jobs of the identified types on the identified systems. Repeat for each user, department or division that needs access.

TSS PERMIT(userid|department|division) STROBE($STROBE.sysname.jobtype.jobname) ACCESS(READ)

5. Specify user access to MANAGER and ADMIN profiles; repeat for each user who requires access to Strobe administrative functions.

TSS PERMIT(userid) STROBE($STROBE.authtype) ACCESS(READ)

TSS ADD and TSS PERMIT Keywords

Keyword    Function

sysname    The MVS system name, as specified in the IEASYSxx member of SYS1.PARMLIB.

jobtype    The type of target address space: JOB (batch job), STC (started task), TSU (TSO user ID), APPC (advanced program-to-program communication), or OMVS (OpenEdition).

jobname    The job name, or set of job names with a common prefix, of the targets to which CA Top Secret allows access. Identify a set of names by writing an asterisk (*) after the common prefix. For example:
             • MEASURE1 specifies access only to the job name MEASURE1.
             • M* specifies access to all jobs whose job names begin with M.

userid     The user ID of the submitter of the request.

grp        The group (a department or division ACID) to which the submitter's user ID is defined.

authtype   The Strobe authorization type (ADMIN or MANAGER) for access to management functions.

Task 3.6.1: Initialize the CA Top Secret Examples

The CA Top Secret examples assume that the following command has been issued to define a resource class with the hex identifier 4A:

TSS ADD(RDT) RESCLASS(STROBE) RESCODE(4A) ATT(DEFPROT,LONG) ACLST(NONE,READ,UPDATE)

Example 1: Access to a Specific System

The following command gives users belonging to the department (or division) STROBERS READ access to all address spaces running on system SYSA:

TSS PERMIT(STROBERS) STROBE($STROBE.SYSA.) ACCESS(READ)

Example 2: Access to a Set of Jobs

The following commands give the user IDs WOLFE and DAVIS READ access to all batch jobs on system SYSB whose job names begin with RED:

TSS PERMIT(WOLFE) STROBE($STROBE.SYSB.JOB.RED*) ACCESS(READ)
TSS PERMIT(DAVIS) STROBE($STROBE.SYSB.JOB.RED*) ACCESS(READ)

Example 3: Privileged Access to Session Manager

The following commands authorize the user ID TIBBETTS to start Strobe from a batch job (MANAGER) and the user ID JCDALY to maintain Strobe (ADMIN):

TSS PERMIT(TIBBETTS) STROBE($STROBE.MANAGER) ACCESS(READ)
TSS PERMIT(JCDALY) STROBE($STROBE.ADMIN) ACCESS(READ)
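The resource-name hierarchy from steps 1 to 5 and Examples 1 to 3 above, as an added example that is not part of this page and is not Compuware or CA Top Secret code: a small Python model that builds $STROBE resource names, renders the TSS PERMIT commands, and reports which permit (if any) grants a request, so a proposed rule set can be reviewed before it is typed into TSO. The permit list, the user-to-department memberships, the NONE < READ < UPDATE ordering and the prefix/trailing-asterisk matching rule are all constructed assumptions taken from the page's examples, not Top Secret's real evaluation logic.

```python
"""Constructed model of the Strobe resource names protected by the CA Top Secret
STROBE resource class. Example code only: it does not call Top Secret and is not
Compuware/Broadcom code. It reproduces the prefix and trailing-asterisk matching
the page describes so a set of PERMITs can be reviewed before it is issued."""

from dataclasses import dataclass

PROFILE_HLQ = "$STROBE"  # high-level qualifier; must equal PROFILE= in the Strobe PARMLIB
JOB_TYPES = ("JOB", "STC", "TSU", "APPC", "OMVS")
# Assumed ordering of the ACLST access levels: NONE < READ < UPDATE
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2}


def resource_name(sysname: str, jobtype: str, jobname: str) -> str:
    """Build $STROBE.sysname.jobtype.jobname for one target address space."""
    jobtype = jobtype.upper()
    if jobtype not in JOB_TYPES:
        raise ValueError(f"jobtype must be one of {JOB_TYPES}, got {jobtype!r}")
    return f"{PROFILE_HLQ}.{sysname.upper()}.{jobtype}.{jobname.upper()}"


@dataclass(frozen=True)
class Permit:
    acid: str       # user ID, department or division the permit is issued to
    resource: str   # permitted resource name or prefix, e.g. $STROBE.SYSB.JOB.RED*
    access: str = "READ"

    def command(self) -> str:
        """The TSS PERMIT command that creates this permit."""
        return f"TSS PERMIT({self.acid}) STROBE({self.resource}) ACCESS({self.access})"

    def covers(self, name: str) -> bool:
        # Matching rule assumed from the page's examples: a trailing '*' is a
        # wildcard, and a name without one is still treated as a prefix, so
        # $STROBE.SYSA. covers every address space on SYSA.
        return name.upper().startswith(self.resource.rstrip("*").upper())


def granting_permit(permits, acids, name, access="READ"):
    """Return the first permit giving `access` (or higher) on `name` to any ACID
    in `acids` (the user ID plus its department/division), or None."""
    needed = ACCESS_RANK[access.upper()]
    for p in permits:
        if p.acid in acids and ACCESS_RANK[p.access.upper()] >= needed and p.covers(name):
            return p
    return None


def tss_commands(permits):
    """Render the PERMIT commands in the order they would be typed in TSO."""
    return [p.command() for p in permits]


# Constructed data: the permits from Examples 1 to 3 on this page.
PERMITS = [
    Permit("STROBERS", f"{PROFILE_HLQ}.SYSA."),          # all address spaces on SYSA
    Permit("WOLFE", f"{PROFILE_HLQ}.SYSB.JOB.RED*"),
    Permit("DAVIS", f"{PROFILE_HLQ}.SYSB.JOB.RED*"),
    Permit("TIBBETTS", f"{PROFILE_HLQ}.MANAGER"),
    Permit("JCDALY", f"{PROFILE_HLQ}.ADMIN"),
]

# Constructed ACID membership: each user ID plus the department it belongs to
# (WOLFE is assumed to be in STROBERS; the others are not).
ACIDS = {
    "WOLFE": {"WOLFE", "STROBERS"},
    "DAVIS": {"DAVIS"},
    "TIBBETTS": {"TIBBETTS"},
    "JCDALY": {"JCDALY"},
}


def can_measure(user: str, sysname: str, jobtype: str, jobname: str) -> bool:
    """Can `user` measure the given target address space?"""
    name = resource_name(sysname, jobtype, jobname)
    return granting_permit(PERMITS, ACIDS[user], name) is not None


def can_use(user: str, authtype: str) -> bool:
    """Can `user` reach the ADMIN or MANAGER functions?"""
    name = f"{PROFILE_HLQ}.{authtype.upper()}"
    return granting_permit(PERMITS, ACIDS[user], name) is not None


if __name__ == "__main__":
    for cmd in tss_commands(PERMITS):
        print(cmd)
    print(can_measure("WOLFE", "SYSA", "STC", "CICSPROD"))   # True, via STROBERS
    print(can_measure("DAVIS", "SYSB", "STC", "REDSTC"))     # False: jobtype is STC, not JOB
    print(can_use("TIBBETTS", "ADMIN"))                      # False: TIBBETTS has MANAGER only
```

Under the prefix matching the page describes, a permit on `$STROBE.` alone would cover `$STROBE.ADMIN` and `$STROBE.MANAGER` as well as every target on every system, so keep data-access permits qualified down to at least the system name and grant the ADMIN and MANAGER names separately, as Example 3 does.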

Next, skip ahead to Implementing-security-in-a-multisystem-environment.