Information

Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Infrastructure 7.1.

Default security class definitions


This topic shows the class definitions for class FACILITY and $BBM that are distributed with MainView windows mode products.

These two classes are a small sampling of the default class definitions. To see a list of all the default class definitions, display the SECDEF view.

Partial default BBMTSP00 class definition member

FILEDATE                     /*  Most recent update to this member    */
    UPDUSERID = userID       /*  UserID this table updated by         */
    UPDSYSTEM = version      /*  System this table updated on         */
    UPDDATE = date           /*  Date when this table updated         */
    UPDTIME = time           /*  Time when this table updated         */
;
CLASS('$BBM')
    DESCRIPTION = 'BBI-3 Default Resource Class            '
    ACTIVE = YES
    NEXT = 'FACILITY'
    UPDUSERID = JXM1
    UPDSYSTEM = R320
    UPDDATE = 10JAN2012
    UPDTIME = 15:52
;
CLASS('FACILITY')            /*  External Resource CLASS Name         */
    DESCRIPTION = 'IBM or Vendor Defined Miscellaneous Uses'/*        */
    ACTIVE = YES             /*  Resource Class active or not         */
    MAXLEN = 39              /*  Maximum length of entity name        */
    LOGFAIL = ALLOW          /*  Log Resource Access Failure          */
    LOGAUTH = ALLOW          /*  Log Resource Access Success          */
    INTENT = ( )             /*  Access intent transformations        */
    RESLIST = NO             /*  Build LIST and use FASTAUTH          */
    PREFIX = ''              /*  Resource Entity Name Prefix          */
    SUFFIX = ''              /*  Resource Entity Name Suffix          */
    TSSCLASS = UNCHANGED     /*  Top Secret Internal CLASS Name       */
    TSSAUTH = YES            /*  Substitute AUTH for FASTAUTH         */
    TSSFAUTH = NO            /*  Substitute FASTAUTH for AUTH         */
    TSSLIST = OK             /*  Response to LIST build request       */
    TSSDEFPROT = NO          /*  Bypass ownership checking            */
    TSSRESMASK = NO          /*  Extended resource access mask        */
    TSSCLSMASK = NO          /*  Extended class access mask           */
    TSSPRIVPGM = NO          /*  Privileged program name req'd        */
    ACF2RULE = FAC           /*  Generalized Resource Rule Type       */
    ACF2RESDIR = NO          /*  Resource Directory Build req'd       */
    ACF2AUTH = NO            /*  Substitute AUTH for FASTAUTH         */
    ACF2LIST = PERFORM       /*  Response to LIST build request       */
    UPDUSERID = JXM1         /*  UserID this entry updated by         */
    UPDSYSTEM = R320         /*  System this entry updated on         */
    UPDDATE = 27JAN1995      /*  Date when this entry updated         */
    UPDTIME = 14:26          /*  Time when this entry updated         */

The following table describes each parameter and the values that can be defined.

Default class definitions

Parameter / Description

CLASS('intclass')

Specifies the internal class name whose attributes are to be defined

The 'intclass' value is a one- to eight-character class name referenced by a resource manager.

Note

Internal class names are fixed and cannot be altered. All possible internal class names to be referenced by the component are already defined in CLASS statements in the distributed member BBMTSP.

DESCRIPTION='description'

Specifies a user-readable description of the class

The parameter value is a string of up to 40 characters that must be delimited with enclosing apostrophes.

NEXT='nxticlas'

Specifies the one- to eight-character class name of the next CLASS statement that contains class name and access attribute transformation specifications

These specifications also are applied to resource access authorization requests by resource managers using this class name.

Note

The NEXT value must be different than the internal security class that is named in the CLASS parameter.

For more information about the NEXT parameter, see Additional-information-for-the-NEXT-parameter.

ACTIVE=YES|NO

Specifies whether the class is active

The following values can be specified:

  • YES - the class is active, and resource access attribute and entity name transformation (including the NEXT= parameter) processing continues normally
  • NO - the class is considered inactive

    Any resource access authorization request that uses this class name (or any request that reaches here through a previous specification of the NEXT= parameter) is not passed to the ESM, but instead causes the security interface to respond to the resource manager with return code 04, which indicates that the resource is undefined (or unprotected).

MAXLEN=length

Specifies the maximum length of the resource entity name that is supported by the ESM

The following length values can be specified:

  • CDT - maximum length is determined by the RACF class descriptor table entry for this class name
  • STD - maximum length is that implied by CA-Top Secret RDT entry attribute STD (nominally, 8)
  • LONG - maximum length is that implied by CA-Top Secret RDT entry attribute LONG (nominally, 44)
  • integer - maximum length is the integer value specified.

LOGFAIL=option

Specifies whether, in the case of resource access authorization failure, logging by the ESM is to be allowed

The following option values can be specified:

  • ALLOW - if specified in the resource profile, logging of access authorization failures is to be permitted
  • NEVER - if resource access authorization fails, it is not to be logged by the ESM

LOGAUTH=option

Specifies whether, in the case of resource access authorization success, logging by the ESM is to be allowed

The following option values can be specified:

  • ALLOW - if specified in the resource profile, logging of a successful access authorization is to be permitted
  • NEVER - if resource access authorization is permitted, it is not to be logged by the ESM

INTENT=(list)

Specifies a list of access intent transformations (which may be null), separated by commas, to be performed on the resource access authorization

See Transformation-list-values-for-the-INTENT-parameter for information about acceptable list values.

RESLIST=option

Specifies whether resource access authorizations for all requests for this class are to be handled through FASTAUTH

The following option values can be specified:

  • YES - if a resource manager requests authorization for a resource in this class without a prior request to build a resource list, a resource list is built and FASTAUTH is used to search the list to authorize all user access thereafter

    You should not specify RESLIST=YES for any class that you intend to or might expect to change while the CAS is still running, because there is no way to refresh the resource list once it has been built by this method.

    MainView does not normally cause a resource list to be built and searched through FASTAUTH for any of the standard classes, so you will not normally need to specify this parameter.

  • NO - if a resource manager requests authorization for a resource in this class without a prior request to build a resource list, the request will be passed to the ESM in the normal manner (REQUEST=AUTH) without first building a resource list

    Specifying RESLIST=NO does not prevent the resource manager from explicitly requesting that a resource list be constructed and subsequently searched through FASTAUTH. However, for classes that normally are not so treated, doing so prevents one from being built automatically by the security interface.

Note

Normally, it is not necessary for you to specify RESLIST=YES, because the resource managers already properly process the standard classes in the manner required for expected full function. The RESLIST=YES parameter should be used only under special circumstances and then only at the direction of BMC Software Customer Support.

The RESLIST=YES parameter is intended for use with CA-Top Secret, with classes that require special authorization attributes (such as privileged program name and extended resource or class attribute masks) that are available only when the FASTAUTH interface is used.

This parameter also is intended for use with CA-ACF2 under certain circumstances when a global resource directory has not been constructed to process generalized resource rules with masking characters in the rule keys.

PREFIX='prefix'

Specifies that the entity name is to be prefixed with the string value specified, which must be enclosed in apostrophes

If no prefix is to be applied, specify a null string as the value for the prefix (two consecutive apostrophes).

The prefix is applied even if the NEXT parameter is specified: the new resource entity name, with the specified prefix added, is passed to the next resource name/attribute transformation phase, which may apply further transformations of its own. Therefore, all of the PREFIX values along the chain are cumulative.

The maximum length of the prefix is subject only to the maximum length of the entity name as supported by the ESM. Normally, however, you should not use a prefix string with a length greater than nine characters (one data set name index level, plus a period delimiter).

For example, to cause all entity names to be checked against ordinary CA-ACF2 data set access rules with an initial rule key of $BBM, specify the following statements in member BBMTSP00:

CLASS('$BBM')         /* Default Resource Class           */
  PREFIX='$'          /* Put '$' at the beginning         */
  NEXT='DATASET'      /* of entity name and jump to entry */
  ;                   /* for class 'DATASET' to finish.   */

SUFFIX='suffix'

Specifies that the entity name is to be suffixed with the string value specified, which must be enclosed in apostrophes

If no suffix is to be applied, specify a null string as the value for the suffix (two consecutive apostrophes).

The suffix is applied even if the NEXT parameter is specified: the new resource entity name, with the specified suffix added, is passed to the next resource name/attribute transformation phase, which may apply further transformations of its own. Therefore, all of the SUFFIX values along the chain are cumulative.

The maximum length of the suffix is subject only to the maximum length of the entity name as supported by the ESM. Normally, however, you should not use a suffix string with a length greater than nine characters (one data set name index level, plus a period delimiter).

For example, to cause all entity names to use generic RACF data set profiles that follow a convention that has been established for use with other products and that requires some additional suffix on the profile to trigger the generic profile, specify the following commands in member BBMTSP00:

CLASS('$BBM')         /* Default Resource Class           */
  SUFFIX='.BBM'       /* Add '.BBM' to the end of the     */
  NEXT='DATASET'      /* entity name and jump to entry    */
  ;                   /* for class 'DATASET' to finish.   */
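The following is an added example (Python, not code from the BMC documentation or the product) that models the entity-name transformation described under NEXT, ACTIVE, MAXLEN, PREFIX and SUFFIX above: it parses CLASS statements written in BBMTSP00 style, then walks a request down the NEXT chain so that the cumulative prefix and suffix, the return code 04 answered for an inactive class, and the MAXLEN check can be observed. The sample member, its DATASET, LEGACY and OLDCLASS entries, and the entity names are constructed; the real security interface is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of BBMTSP00 (not BMC's distributed member).
# DATASET, LEGACY and OLDCLASS are assumed entries that exercise the chain.
SAMPLE_MEMBER = """
CLASS('$BBM')              /* Default Resource Class                */
    ACTIVE = YES
    PREFIX = '$'           /* Put '$' at the beginning of the name  */
    NEXT = 'DATASET'       /* and jump to the entry for 'DATASET'   */
;
CLASS('DATASET')
    MAXLEN = LONG          /* nominally 44 */
    SUFFIX = '.BBM'
;
CLASS('LEGACY')
    NEXT = 'OLDCLASS'
;
CLASS('OLDCLASS')
    ACTIVE = NO
;
"""
NOMINAL_MAXLEN = {"STD": 8, "LONG": 44}  # nominal values from the MAXLEN text

@dataclass
class ClassDef:
    name: str
    active: bool = True
    maxlen: int = 0        # 0 means "no length known", so no check is made
    prefix: str = ""
    suffix: str = ""
    next: str = ""

def parse_member(text):
    """Strip /* */ comments, then parse each CLASS statement up to its ';'."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    defs = {}
    for stmt in text.split(";"):
        m = re.search(r"CLASS\('([^']{1,8})'\)", stmt)
        if not m:
            continue
        cd = ClassDef(name=m.group(1))
        for key, raw in re.findall(r"(\w+)\s*=\s*('[^']*'|\S+)", stmt):
            val = raw.strip("'")
            if key == "ACTIVE":
                cd.active = val.upper() == "YES"
            elif key == "MAXLEN":  # CDT would need the RACF descriptor table
                cd.maxlen = NOMINAL_MAXLEN.get(val.upper(), int(val) if val.isdigit() else 0)
            elif key in ("PREFIX", "SUFFIX", "NEXT"):
                setattr(cd, key.lower(), val)
        defs[cd.name] = cd
    return defs

def resolve(defs, class_name, entity):
    """Walk the NEXT chain: PREFIX/SUFFIX accumulate at every step; an ACTIVE=NO
    class anywhere in the chain answers return code 04 without reaching the ESM;
    otherwise the final class and transformed entity name are what is passed on."""
    visited, current = set(), class_name
    while True:
        if current in visited:  # NEXT must differ from the CLASS it is in
            raise ValueError(f"NEXT chain loops back to {current}")
        visited.add(current)
        cd = defs.get(current)
        if cd is None:
            raise KeyError(f"no CLASS statement defines {current}")
        if not cd.active:
            return {"rc": 4, "class": current, "entity": entity}
        entity = cd.prefix + entity + cd.suffix
        if not cd.next:
            break
        current = cd.next
    if cd.maxlen and len(entity) > cd.maxlen:
        raise ValueError(f"{entity!r} exceeds MAXLEN={cd.maxlen} for {current}")
    return {"rc": 0, "class": current, "entity": entity}
```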

TSSCLASS=tss-class

Specifies the internal class name used when CA-Top Secret is the ESM

The following values can be specified:

  • tss-class - one- to eight-character (internal) class name, which must be enclosed in apostrophes, to be passed to TSS for resource authorizations for this (external) class name
  • UNCHANGED - specifies that no class name transformation is to be performed, and the internal class name as currently specified is to be passed to TSS as the external class name

    Note

    In the SECDEFD view, UNCHANGED is denoted by blanks, or a blank Class Name field in the TSS section of the dialog.

  • DISALLOW - specifies that this (internal or external) class name is disallowed in a TSS environment, and such requests, if inadvertently made, will be rejected

CA-Top Secret requires that the security interface pass the internal TSS class name (rather than the external class name that is used with the TSS command interface) for certain resource access authorizations. All such classes that are normally referenced by any resource manager are already properly defined according to TSS requirements in member BBMTSP.

Certain internal class names are supported by TSS for the REQUEST=AUTH or FASTAUTH interfaces for special, very privileged functions that manipulate resources, return information about them, or alter TSS system operation. These classes should never appear in a normal RACROUTE resource access authorization SAF parameter list. To ensure that you do not inadvertently select one of these special, restricted names for a class, member BBMTSP already includes CLASS statements that specify the restricted class names with the specified TSSCLASS=DISALLOW attribute. Normally, you will not have to specify this parameter on any CLASS statement that you add to BBMTSP00, unless you want to disallow specifically any access to what would otherwise be a valid internal or external class name.

TSSAUTH=option

Specifies whether a standard AUTH request is to be substituted for a FASTAUTH request when CA-Top Secret is the ESM

The following values can be specified:

  • YES - if TSS is your ESM, a RACROUTE REQUEST=AUTH is to be performed instead for this class under all circumstances, even when the resource manager requests that a resource list be built and requests resource access authorization through RACROUTE REQUEST=FASTAUTH
  • NO - AUTH is not substituted for FASTAUTH in a TSS environment (intended mainly for use in diagnostic scenarios)

TSSFAUTH=option

Specifies whether a special FASTAUTH request is to be substituted for a standard AUTH request when CA-Top Secret is the ESM

The following values can be specified:

  • YES - if TSS is the ESM, a RACROUTE REQUEST=FASTAUTH is to be performed instead for this class under all circumstances, even when the resource manager has not requested that a resource list be built and does not request resource access authorization through RACROUTE REQUEST=FASTAUTH
  • NO - FASTAUTH is not substituted for AUTH in a TSS environment

TSSFAUTH=YES is normally used, together with TSSCLASS='tssclass', to force certain classes to be authorized through FASTAUTH. This situation occurs because of special TSS requirements forced onto the security interface to support all TSS PERMIT command language parameters (such as PRIVPGM) that are not supported through AUTH.

TSSLIST=response

Specifies the response by the security interface to a request by a resource manager (when running in a CA-Top Secret environment) to build a resource list

A resource list is built in anticipation of subsequent FASTAUTH resource access authorization requests. The following values can be specified:

  • OK - resource list build request is ignored, and a successful return code that indicates that profiles actually exist in the specified class is returned to the resource manager

    TSS does not support RACROUTE REQUEST=LIST. If one is executed, no action is taken and a successful return code is always returned to the caller.

  • PERFORM - resource list build request is to be acted upon normally, as if TSS actually supported the RACROUTE REQUEST=LIST call, and the return code actually returned by TSS is processed as it would be for RACF
  • NOPROFILES - resource list build request is ignored, and a successful return code that indicates that no profiles exist in the class is returned to the resource manager
  • ALREADY - resource list build request is ignored, and a warning return code that indicates that a resource list for the class has already been built is returned to the resource manager
  • BADCLASS - resource list build request is ignored, and an error return code that indicates that the class is invalid is returned to the resource manager

TSSDEFPROT=option

Specifies whether resource ownership checking is to be assumed (by way of bypassing checking) in a CA-Top Secret environment

The following values can be specified:

  • YES - resource ownership checking is to be bypassed
  • NO - resource ownership checking is to be performed

TSSDEFPROT=YES should be specified only for those internal TSS classes that support it and for which you want resource ownership checking to be bypassed. For more information about bypassing ownership checking, refer to the appropriate CA-Top Secret documentation.

TSSRESMASK=option

Specifies whether the resource entity name requires an extended resource access mask in the first character that follows the entity name (at offset +8 for MAXLEN=STD; at offset +44 for MAXLEN=LONG) in a CA-Top Secret environment

The following values can be specified:

  • YES - extended resource access mask is required
  • NO - extended resource access mask is not required

For more information about bypassing ownership checking, refer to the appropriate CA-Top Secret documentation.

TSSCLSMASK=option

Specifies whether the class name requires an extended class access mask in the first character that follows the class name (at offset +8 for all classes) in a CA-Top Secret environment

The following values can be specified:

  • YES - extended class access mask is required
  • NO - extended class access mask is not required

DATASETX is an example of an internal/external TSS class name that requires the extended class access mask value. For more information on bypassing ownership checking, refer to the appropriate CA-Top Secret documentation.

TSSPRIVPGM=option

Specifies whether the resource entity name requires a privileged program name in the second through ninth characters that follow the entity name (at offset +9 for MAXLEN=STD; at offset +45 for MAXLEN=LONG) in a CA-Top Secret environment

The following values can be specified:

  • YES - privileged program name is required
  • NO - privileged program name is not required

For more information on bypassing ownership checking, refer to the appropriate CA-Top Secret documentation.

ACF2RULE=typ

For CA-ACF2 environments, specifies the underlying three-character generalized resource rule type that corresponds to the SAF class in question, as mapped by the SAFMAPS GSO record

The following values can be specified:

  • NONE - specifies that this class name does not map to a CA-ACF2 generalized resource rule type

    Generally, all class names map to a generalized resource rule type, except DATASET. Classes not used (or not relevant) in the CA-ACF2 environment may be specified to have the ACF2RULE=NONE attribute.

  • typ - is the three-character CA-ACF2 generalized resource rule type

    Most CA-ACF2 rule types can be specified without the enclosing apostrophes.

  • 'typ' - is the three-character CA-ACF2 generalized resource rule type, enclosed in apostrophes

    You must use this form of specification if the three-character rule type, without apostrophes, happens to match a reserved keyword that is used in the specification of parameters in these members.

The security interface can usually determine, from internal CA-ACF2 control blocks, which CA-ACF2 generalized resource rule type, if any, a SAF class has been mapped to (through the SAFMAPS or CLASMAP GSO records). If the security interface cannot determine which rule type is being used, this specification will be used instead. If a mismatch is detected, a warning message is issued to alert you, so that it can be corrected.

Note

You should ensure that the values used for all class names in member BBMTSP are correct, and, if not, specify them again in member BBMTSP00. In many cases, the resource rule types will be different because of customization decisions made by your enterprise.

ACF2RESDIR=option

For CA-ACF2 environments, specifies whether a CA-ACF2 resource rule directory is required to be built for the underlying generalized resource rule type to process resource access authorization requests properly

The following values can be specified:

  • YES - a CA-ACF2 resource directory is required
  • NO - a CA-ACF2 resource directory is not required

A CA-ACF2 resource rule directory will be required when all of the following are true:

  • CA-ACF2 masking characters are used in the resource rule keys.
  • The class is one that is not normally accessed through resource managers and the security interface using the SAF RACROUTE REQUEST=FASTAUTH interface. (For classes that are accessed in that manner, the resource list build request that is made will result in the construction of a resource directory in the appropriate address space. No further installation action will be required to process those classes properly.)
  • A resource directory for the underlying generalized resource rule type has not been made globally resident through the INFODIR or RESDIR GSO record.

If you have specified that a resource directory for the underlying generalized resource rule type be made globally resident through INFODIR, it is not necessary to request that one be built in each using address space.

Here is an example of how to specify to CA-ACF2 that rules of type FAC are to be made globally resident. From the TSO READY prompt, type the following commands:

ACF
SET Control(GSO) SYSID(sysid)
CHANGE INFODIR ADD TYPES(R-RFAC)
END

Normally, you will not have to specify ACF2RESDIR=YES for any classes accessed through the standard definitions included in the distributed BBMTSP member. This may no longer be the case, however, if you have customized these specifications by using overrides in member BBMTSP00.

ACF2AUTH=option

Specifies whether a standard AUTH request is to be substituted for a FASTAUTH request when CA-ACF2 is the ESM

The following values can be specified:

  • YES - if CA-ACF2 is the ESM, a RACROUTE REQUEST=AUTH is to be performed instead for this class under all circumstances, even when the resource manager requests that a resource list be built and requests resource access authorization through RACROUTE REQUEST=FASTAUTH
  • NO - AUTH is not substituted for FASTAUTH in a CA-ACF2 environment

This parameter is intended mainly for use in diagnostic scenarios.

ACF2LIST=response

Specifies the response by the security interface to a request by a resource manager (when running in a CA-ACF2 environment) to build a resource list

A resource list is built in anticipation of subsequent FASTAUTH resource access authorization requests.

The following values can be specified:

  • OK - resource list build request is ignored, and a successful return code that indicates that profiles actually exist in the specified class is returned to the resource manager

    This value should not be specified unless it will always be the case that a globally resident directory will be created.

    Note

    CA-ACF2 does support RACROUTE REQUEST=LIST in a certain manner, for classes normally accessed through RACROUTE REQUEST=FASTAUTH.

  • PERFORM - resource list build request is to be acted upon normally, and the return code actually returned by CA-ACF2 is to be processed as it would be for RACF
  • NOPROFILES - resource list build request is ignored, and a successful return code that indicates that no profiles exist in the class is returned to the resource manager
  • ALREADY - resource list build request is ignored, and a warning return code that indicates that a resource list for the class has already been built is returned to the resource manager
  • BADCLASS - resource list build request is ignored, and an error return code that indicates that the class is invalid is returned to the resource manager

UPDUSERID=userid

Specifies, for audit purposes, the UserID (USERID, ACID, LOGONID) of the user who last updated this CLASS statement

You should update this parameter to provide change tracking information.

UPDSYSTEM=sysid

Specifies, for audit purposes, the SMF system ID of the system image where this CLASS statement was last updated

You should update this parameter to provide change tracking information.

UPDDATE=ddmmmyyyy

Specifies, for audit purposes, the date (in Gregorian ddmmmyyyy notation) when this CLASS statement was last updated

You should update this parameter to provide change tracking information.

UPDTIME=hh:mm

Specifies, for audit purposes, the time (in 24-hour clock hh:mm notation) when this CLASS statement was last updated

You should update this parameter to provide change tracking information.

 


MainView Infrastructure 6.3