Database tables and columns for TSS


Security Policy Manager uses the SQLite database engine. During startup, and after significant events, the tables are built or updated. Most of the tables are created in storage for efficiency. The tables can be accessed with SQL queries. This topic describes the tables and fields that are available to SQL queries.

Most tables can be JOINed on a common field (for example, system or acid).

Table—cics

Field | Format | Description | Value
system | Text | System name |
jobname | Text | CICS region name |
type | Text | Entry type | CICS; (SPE2204) DSN
parm | Text | Parameter | CICS - cicsParameter; DSN - ddName (STEPLIB or DFH*)
value | Text | Parameter value | CICS - cicsParameterValue; DSN - dataSetName

Table—config

Field | Format | Description | Value
system | Text | LPAR name |
type | Text | Entry type | SYSTEM, PASSWORD, TSSPARM, TSSPARMC; (SPE2104) SMF, DISA; (SPE2110) USS; (SPE2201) CONSOLE, TSO, CNGRP
parm | Text | Parameter | Depends on type; see the parameter lists below
value | Text | Parameter value | Depends on type and parm; see the value lists below

TSSPARM entries are configuration entries from the TSSPARM file. TSSPARMC entries are the current live values of the TSSPARM settings (that is, they might have changed since Top Secret started).

Parameters (parm) by entry type:

  • DISA - CLASSIFIED
  • SMF - ACTIVE, INTVAL, JWT, MAXDORM, MEMBER, MEMLIMIT, SID, STATUS, STC, STCDETAIL, STCINTVAL, STCTYPES, SWT, SYNCVAL, SYS, SYSDETAIL, SYSINTVAL, SYSTYPES, TSO, TSODETAIL, TSOINTVAL, TSOTYPES, TWT
  • SYSTEM - ALLOWUSERKEYCSA, AUTHTSF, ESM, (SPE2110) IPLDATE, (SPE2110) IPLTIME
  • TSSPARM - ADSP, AUTH, AUTOERASE, BACKUP, CPF, CPFNODES, DATE, DEBUG, DL1B, DOWN, EXIT, FACILITY, HPBPW, INACTIVE, INSTDATA, IOTRACE, JES, JOBACID, LOG, MFA, MODE, MSUSPEND, NEWPW, PRODUCTS, PTHRESH, PWEXP, RECOVER, SECTRACE, SHRFILE, SUBACID, SWAP, TAPE, TEMPDS, TIMER, VTHRESH
  • TSSPARMC - Audit File, ADABAS, ADMINBY, ADSP, AES_ENCRYPTION, AESCACHE, AESENC, AUTH, AUTOERASE, BACKUP, CACHE, CANCEL, CATADELPROT, CHOWN_RESTRICTED, CMDNUM, CPF, CPFrecfl, CPFAUTOGID, CPFAUTOUID, CPFLISTMULT, CPFRCVUND, CPFTARGET, CPFWAIT, DATE, DB2FAC, DEBUG, DFLTRNGG, DFLTRNGU, DL1B, DOWN, DUFPGM, ETRLOG, ETROPTS, EXIT, EXPAND_COUNTER, EXPDAYS, FACMODE, FACSTOR, FSACCESS, GENNDT, GENSMSG, GOSETGID, GTRACE, HFSACL, HFSSEC, HPBPW, Id=PRIMARY, IMS, INACTIVE, INSTDATA, IOTRACE, JCT, JES, JESNODE, JOBACID, KERBLVL, Last changed, LARGE_VSAM_RECORD, LOG, LUUPDONCE, MATCHLIM, MAX_ACID_SIZE, MAXKEYSIZE, MFA, MFACCESS, MIRROR, MODE, MODLUSER, MSUSPEND, NEW_PASSWORD, NEWPHRASE, NEWPW, NJEUSR, NPPTHRESH, NPWRTHRESH, OMVSGRP, OMVSUSR, OPTIONALS, PDSPROT, PHRASEONLY, PPEXP, PPHIST, PRODUCTS, PROFINTERVAL, PROPXREP, PSWDPHRASE, PTHRESH, PTKRESCK, PWADMIN, PWEXP, PWHIST, PWVERIFY, PWVIEW, Recovery File, RCACHE, RDT2BYTE, Security File, SDNSIZE, SECCACHE, SECTRACE, SMFTYPE, STATUS, SUBACID, SWAP, SYSOUT, TAPE, TEMPDS, TEXTTSS, TIMELOCK, TIMER, TNG MONITOR, TSSCMDOPTION, UNIQUSER, UNIXOPTS, Vsam File, VSAM_DIGICERT, VSAMCAT, VTHRESH
  • USS - STARTUPPROC, STEPLIBLIST, SUPERUSER, TTYGROUP, USERIDALIAS
  • CONSOLE - MCS
  • TSO - UADS
  • CNGRP - GROUPNAME

Values (value) by entry type and parameter:

  • DISA - CLASSIFIED - YES | NO
  • SYSTEM - ESM - RACF | TSS | ACF2
  • CONSOLE - MCS - attributesOfMasterConsole
  • TSO - UADS - useridFromSYS1.UADS
  • CNGRP - GROUPNAME - member

Examples:

  • Type=DISA, parm=CLASSIFIED, value=YES | NO
    The value indicates whether this instance should be treated as a classified system. This field can be queried by a compliance query. Manually set these values in the configuration member, in the SPMParms block.
  • Type=SYSTEM, parm=ESM, value=RACF | TSS | ACF2
    The value indicates the external security manager. This field can be queried by a compliance query.
  • Type=SYSTEM, parm=IPLDATE, value=yyyy-mm-dd
    The value indicates the date of the last IPL.
  • Type=SYSTEM, parm=IPLTIME, value=hh:mm:ss
    The value indicates the time of the last IPL.
  • Type=CONSOLE, parm=MCS, value=attributesOfMasterConsole
    Value example: NAME(BMC23700) STATUS(ACT-BMC2) AUTH(MASTER) DEV(3700) LOGON(OPTIONAL) USERID(N/A) ROUT(ALL)

Table—console

(SPE2201)

Field | Format | Description | Value
name | Text | Console name |
stflg | Single hexadecimal digit | Status flag |
status | Text | Representation of stflg with Y for each set bit and N for each clear bit; for example, X'F0' is YYYYNNNN | See the status bit settings below
key | Text | User-assigned key |
sysnm | Text | System name |
rtflg | Single hexadecimal digit | Routing flag |
routing | Text | Representation of rtflg with Y for each set bit and N for each clear bit; for example, X'F0' is YYYYNNNN | See the routing bit settings below
domflg | Single hexadecimal digit | DOM settings |
dom | Text | Representation of domflg with Y for each set bit and N for each clear bit; for example, X'F0' is YYYYNNNN | See the DOM bit settings below
mlvlflg | Single hexadecimal digit | MLVL flags |
mlvl | Text | Representation of mlvlflg with Y for each set bit and N for each clear bit; for example, X'F0' is YYYYNNNN | See the MLVL bit settings below
authflg | Single hexadecimal digit | Console AUTH settings |
auth | Text | Representation of authflg with Y for each set bit and N for each clear bit; for example, X'F0' is YYYYNNNN | See the AUTH bit settings below
terminal | Text | Eight-character terminal name |
jobnm | Text | Eight-character job name |
rout | Text | Route codes for this console | All, None, or specific codes as a 16-character hexadecimal value

Status bit settings (stflg):

  • 80: active
  • 40: pending
  • 01: inactive

Routing bit settings (rtflg):

  • 40: hc
  • 20: auto
  • 10: monitor job names
  • 08: monitor status
  • 04: monitor sessions
  • 02: MSCOPE=ALL
  • 01: no MSCOPE data available

DOM bit settings (domflg):

  • 80: DOM=ALL
  • 40: DOM=NORMAL
  • 20: DOM=NONE

MLVL bit settings (mlvlflg):

  • 80: display WTORs
  • 40: display immediate action messages
  • 20: display critical eventual action messages
  • 10: display eventual action messages
  • 08: display informational messages
  • 04: display broadcast messages

AUTH bit settings (authflg):

  • 80: SYS authority
  • 40: IO authority
  • 20: CONS authority
  • 10: MASTER authority
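The flag bytes above are stored raw in stflg, rtflg, domflg, mlvlflg and authflg and only decoded in the companion text columns. The following is an added example, not part of this page or of Security Policy Manager, that reproduces the Y/N rendering (X'F0' gives YYYYNNNN), names the documented bits that are set, and runs a review over constructed console rows to list which consoles hold MASTER authority. It assumes one byte per flag, as the X'F0' example implies.

```python
# Bit meanings as documented for the console table (mask -> meaning).
STATUS_BITS = {0x80: "active", 0x40: "pending", 0x01: "inactive"}
ROUTING_BITS = {0x40: "hc", 0x20: "auto", 0x10: "monitor job names",
                0x08: "monitor status", 0x04: "monitor sessions",
                0x02: "MSCOPE=ALL", 0x01: "no MSCOPE data available"}
AUTH_BITS = {0x80: "SYS authority", 0x40: "IO authority",
             0x20: "CONS authority", 0x10: "MASTER authority"}


def yn_string(flag_hex):
    """Render a flag byte the way the status/routing/dom/mlvl/auth columns
    do: Y for a set bit, N for a clear bit, most significant bit first.
    X'F0' -> 'YYYYNNNN'. Assumes one byte (two hex digits) per flag."""
    value = int(flag_hex, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("flag must be a single byte: %r" % flag_hex)
    return "".join("Y" if value & (1 << bit) else "N" for bit in range(7, -1, -1))


def decode_bits(flag_hex, bit_table):
    """Return the documented meanings of the bits set in flag_hex, highest
    mask first. Bits the page does not document are ignored."""
    value = int(flag_hex, 16)
    return [name for mask, name in sorted(bit_table.items(), reverse=True)
            if value & mask]


# Constructed sample rows (name, stflg, authflg); not real console data.
SAMPLE_CONSOLES = [
    ("MSTR01", "80", "F0"),   # active, all four authorities
    ("OPS02", "40", "10"),    # pending, MASTER only
    ("BKUP03", "01", "20"),   # inactive, CONS only
]


def consoles_with_authority(rows=SAMPLE_CONSOLES, authority="MASTER authority"):
    """List consoles whose AUTH byte grants the given authority, paired with
    their decoded status, for review of privileged console definitions."""
    return [(name, decode_bits(stflg, STATUS_BITS))
            for name, stflg, authflg in rows
            if authority in decode_bits(authflg, AUTH_BITS)]
```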

Table—digtnmap

(SPE2204)

The DIGTNMAP table stores values from the DIGTNMAP class.

Field | Format | Description | Value
profile | Text | Profile name |
owner | Text | Profile owner |
user | Text | User ID or criteria-filter name |
status | Text | Status | T=Trust
label | Text | Certificate label |
idn | Text | Issuer's distinguished name |
sdn | Text | Subject's distinguished name |

Table—modules

(SPE2201)

The modules table stores all load module details from all APF libraries as long as the Security Policy Manager started task user ID has ESM access to open the APF data set and read the directory. An authorization check is performed before an attempt is made to read the directory.

Field | Format | Description | Value
System | Text | LPAR name where the APF library resides |
Dataset | Text | APF data set name |
Name | Text | APF module name |
Aliasof | Text | Root member if the directory entry is an alias |
Size | Text | Size of the load module |
Amode | Text | AMODE of the load module | 24, 31, 64, or ANY
Rmode | Text | RMODE of the load module | 24 or ANY
TTR | Text | Hex TTR address of the load module |
Rent | Text | RE-ENTRANT attribute | Y or N
Reus | Text | RE-USABLE attribute | Y or N
Refr | Text | REFRESHABLE attribute | Y or N
Ovly | Text | OVERLAY attribute | Y or N
Sctr | Text | SCATTER attribute | Y or N
AC | Text | Auth code | 00 or 01

Table—mqqmgr

The mqqmgr table stores all parameters related to all active queue managers running on the system.

Field | Format | Description | Value
system | Text | LPAR name where the MQ queue manager is active |
QMNAME | Text | Four-character MQ queue manager name |
parm | Text | Parameter |
value | Text | Parameter value |

Table—mqqueue

(SPE2204)

The mqqueue table stores all parameters related to a specific queue manager. The parameters are those displayed by the DISPLAY QUEUE(*) ALL command.

Field | Format | Description | Value
system | Text | LPAR name where the MQ queue manager is active |
QMNAME | Text | Four-character MQ queue manager name |
QUEUE | Text | Full name of the MQ queue |
parm | Text | Parameter |
value | Text | Parameter value |

Table—sens (sensitive data sets)

Field | Format | Description | Value
apf | Text | Is the data set APF authorized? | Y or blank
audit | Text | Profile audit settings | Success/Failures
cat | Text | Is the data set cataloged? | Y or blank
cdate | Text | Creation date | yyyy-mm-dd
dsn | Text | Sensitive data set name |
fqg | Text | Fully qualified generic data set? | Y or blank
idstar | Text | ID(*) access | N, R, U, C, A, E, T
level | Text | Profile level | 1-99
profile | Text | Protecting profile |
rdate | Text | Last reference date | yyyy-mm-dd
sms | Text | Is the data set SMS managed? | Y or blank
system | Text | LPAR name of the reporting system |
type | Text | Data set type | ACS, APF, CSF, DUMP, ESMC, HFS, IODF, IPL, JES2, LINK, LPA, MCAT, PAGE, PARM, RACF, SMF, SMS, TFS, UADS, UCAT, USER, VIO, ZDT, ZFS; (SPE2110) PSWD, REXX, VTAM
uacc | Text | Data set UACC | N, R, U, C, A, E, T
volser | Text | Data set volume |
warn | Text | WARN attribute? | Y or blank

For a description of each type of data set, see the Data set type descriptions table.

Data set type descriptions

Data set type | Description
ACS | DFSMS Automatic Class Selection (ACS) routines source library
APF | Authorized program facility (APF) authorized libraries
CSF | Cryptographic Key Data Set (CKDS)
DUMP | Dump data sets
ESMC | Potential external security manager (ESM) database copies
HFS | Hierarchical file system (HFS)
IODF | System input/output definition file (IODF) data set
IPL | IPLPARM, NUCLEUS and IMAGELIB data sets
JES2 | JES2 related data sets
LINK | LINKLIST data sets
LPA | Link pack area (LPA) data sets
MCAT | Master catalog
PAGE | PAGE data set
PARM | System PARMLIB data sets
PSWD | OS PASSWORD data set. Do not use this data set if an ESM is present and active on the system.
RACF | RACF database
REXX | System REXX data sets
SMF | System management facilities (SMF) data sets
SMS | DFSMS ACS and COMMDS data sets
TFS | USS temporary file system (TFS)
UADS | User attribute data set
UCAT | User catalog
USER | USER data set specified in the Security Policy Manager configuration
VIO | Virtual Input/Output (VIO) STGINDEX data set
VTAM | Virtual Telecommunications Access Method (VTAM) related data sets
ZDT | Data sets used for Security Policy Manager configuration
ZFS | z/OS file system
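The sens table is the natural input for a compliance query over sensitive data sets. The following is an added example, not part of this page or of Security Policy Manager: it loads constructed rows for a subset of the sens columns into an in-memory SQLite table and runs one query that reports data sets with no protecting profile, data sets in WARN mode, and APF-authorized data sets whose UACC or ID(*) access is write-capable. Treating U, C and A as write-capable access is an assumption of the example; the page lists the access letters without ranking them.

```python
import sqlite3

# Subset of the sens columns documented above; constructed sample rows, not
# data from any real system.
SENS_DDL = """CREATE TABLE sens (
    system TEXT, dsn TEXT, type TEXT, apf TEXT, profile TEXT,
    uacc TEXT, idstar TEXT, warn TEXT, volser TEXT)"""

SAMPLE_ROWS = [
    # system,  dsn,                 type,   apf, profile,       uacc, idstar, warn, volser
    ("LPAR1", "SYS1.LINKLIB",      "LINK", "Y", "SYS1.*",      "R",  "N",    "",   "SYSRES"),
    ("LPAR1", "SYS1.PARMLIB",      "PARM", "",  "SYS1.*",      "N",  "R",    "",   "SYSRES"),
    ("LPAR1", "USER.APF.LOAD",     "APF",  "Y", "USER.APF.*",  "R",  "N",    "Y",  "WORK01"),
    ("LPAR1", "PROD.APF.LOAD",     "APF",  "Y", "",            "",   "",     "",   "WORK02"),
    ("LPAR1", "TEST.APF.LOAD",     "APF",  "Y", "TEST.*",      "U",  "N",    "",   "WORK03"),
    ("LPAR1", "SYS1.RACF.BACKUP",  "ESMC", "",  "SYS1.RACF.*", "N",  "N",    "",   "SYSRES"),
]

# The first matching CASE branch wins, so an unprotected data set is reported
# as UNPROTECTED even when other conditions also hold. Treating U, C and A as
# write-capable access is an assumption; the page only lists the letters.
FINDINGS_SQL = """
SELECT system, dsn, type, finding FROM (
    SELECT system, dsn, type,
           CASE
             WHEN profile = '' THEN 'UNPROTECTED'
             WHEN warn = 'Y' THEN 'WARN-MODE'
             WHEN apf = 'Y' AND (uacc IN ('U','C','A') OR idstar IN ('U','C','A'))
               THEN 'PUBLIC-UPDATE-APF'
           END AS finding
    FROM sens)
WHERE finding IS NOT NULL
ORDER BY dsn"""


def sensitive_dataset_findings(rows=SAMPLE_ROWS):
    """Load rows into an in-memory sens table and return (system, dsn, type,
    finding) for every data set that fails one of the checks above."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(SENS_DDL)
        con.executemany("INSERT INTO sens VALUES (?,?,?,?,?,?,?,?,?)", rows)
        return con.execute(FINDINGS_SQL).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    for system, dsn, dstype, finding in sensitive_dataset_findings():
        print(f"{system} {dstype:5} {dsn:20} {finding}")
```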

Table—summary

(SPE2104)

Field | Format | Description | Value
System | Text | System the compliance check was run on |
Reference | Text | Reference as defined in the RULES(INDEX) data set |
Rule | Text | Rule name from the RULES(INDEX) data set |
ESM | Text | External security manager on the system | RACF, TSS, or ACF2
Category | Text | Defined in the RULES(INDEX) data set |
Priority | Text | Defined in the RULES(INDEX) data set |
Failures | Text | Number of failures discovered by the query |
Lastrun | Text | Date and time the query was last run | dd mm HH:MM:SS
Lastrun | Text | Date and time the query will next run | dd mm HH:MM:SS
Description | Text | Description from the RULES(INDEX) data set |

Table—tss

Field | Format | Description | Value
system | Text | System name |
date | Text | Date | yyyy-mm-dd
time | Text | Time | hh:mm
user | Text | User ACID |
portofentry | Text | Port of entry |
jobname | Text | Job name |
rc | Text | Return code |
ac | Text | Abend code |
type | Text | Command type |
flag1 | Text | ACEE flag1 |
flag2 | Text | ACEE flag2 |
flag3 | Text | ACEE flag3 |
command | Text | Command text |

Table—tss_acid

Field | Format | Description | Value
acid | Text | ACID name |
asuspend | Integer | User has ASUSPEND |
audit | Integer | User has AUDIT |
console | Integer | User has CONSOLE |
credate | Text | Creation date | yyyy-mm-dd
cretime | Text | Creation time | hh:mm
dept | Text | Department |
div | Text | Division |
dufupd | Integer | User has DUFUPD |
dufxtr | Integer | User has DUFXTR |
expires | Text | User has an expiration date |
gap | Integer | User is globally administered |
human | Text | User is human (not currently used) |
instdata | Text | User's INSTDATA |
language | Text | Language preference code |
lastcnt | Integer | Last use count |
lastcpu | Text | Last use CPU |
lastdate | Text | Last use date | yyyy-mm-dd
lastfac | Text | Last use facility |
lasttime | Text | Last use time | hh:mm
lds | Integer | User has LDS attribute |
lockfac | Text | Lock time facility |
locktime | Integer | Lock time minutes |
mastfac | Text | Master facility |
matchlim | Integer | Limit audit activity |
moddate | Text | Modified date | yyyy-mm-dd
mode | Text | Operating mode |
modtime | Text | Modified time | hh:mm
mro | Integer | User has MRO |
multipw | Integer | User has MULTIPW |
name | Text | User's name |
noadsp | Integer | User has NOADSP |
noats | Integer | User has NOATS |
nodsnchk | Integer | User has NODSNCHK |
nolcfchk | Integer | User has NOLCFCHK |
noomvsdf | Integer | User has NOOMVSDF |
nopwchg | Integer | User has NOPWCHG |
norefres | Integer | User has NOREFRES |
noreschk | Integer | User has NORESCHK |
nosubchk | Integer | User has NOSUBCHK |
nosuspen | Integer | User has NOSUSPEN |
novmdchk | Integer | User has NOVMDCHK |
novolchk | Integer | User has NOVOLCHK |
oidcard | Integer | User has OIDCARD |
parent | Text | Parent (not currently used) |
phraseexpirydate | Text | Passphrase expiry date |
phraseinterval | Text | Passphrase interval |
psuspend | Integer | User has PSUSPEND |
pswdphr | Integer | User has a password phrase |
pwexpirydate | Text | Password expiry date | yyyy-mm-dd
pwfacility | Text | Facility if user has MULTIPW |
pwinterval | Text | Password interval |
rstdacc | Integer | User has RSTDACC |
scope | Text | User's authority scope |
size | Integer | ACID size |
suspend | Integer | User is suspended |
suspended | Text | Date suspension ends |
timezone | Text | User's time zone |
trace | Integer | Diagnostic trace is active |
tsompw | Integer | User has multiple UADS passwords |
type | Text | ACID type |
vmsfsdir | Text | Currently unused |
vsuspend | Integer | User has VSUSPEND |
xsuspend | Integer | User has XSUSPEND |
zonename | Text | User's zone ACID |
zone | Text | User's zone name |

Table—tss_admin_auths

Field | Format | Description | Value
acid | Text | ACID |
authority | Text | Admin authority |
authority_type | Text | Admin authority type |

Table—tss_group_connects

Field | Format | Description | Value
acid | Text | ACID |
grp | Text | Group name |
until | Text | Expiry date | yyyy-mm-dd

Table—tss_profile_connects

Field | Format | Description | Value
acid | Text | ACID |
profile | Text | Profile name |
until | Text | Expiry date | yyyy-mm-dd

Table—tss_rdt

Field | Format | Description | Value
class | Text | Class name |
defacc | Text | Resource default access |
posit | Text | Posit value |

Table—tss_rdt_access

Field | Format | Description | Value
class | Text | Class name |
level | Text | Resource access level |
mask | Text | Resource access mask |

Table—tss_rdt_attribute

Field | Format | Description | Value
class | Text | Class name |
attribute | Text | RDT attribute |

Table—tss_started_tasks

Field | Format | Description | Value
stc | Text | Started task name |
stcacid | Text | Associated ACID |
stcact | Text | Operator accountability |


Table—tss_xa_access

Field | Format | Description | Value
acid | Text | ACID |
class | Text | Resource class |
resource | Text | Resource name |
owner | Text | Resource owner |
until | Text | Expiry date/time |
quoted | Integer | Resource has quotes |
facility | Text | Facility name |
access | Text | Access level |
action | Text | (SPE2201) Associated actions | Any of the following actions (as defined in CA Top Secret documentation): FAIL, DENY, AUDIT, NOTIFY, PASSWORD, NODSN, EXIT, REVERIFY, or VMPRIV
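As the introduction notes, the TSS tables join on a common field; acid links tss_acid to tss_xa_access, tss_admin_auths and the connect tables. The following is an added example, not part of this page or of Security Policy Manager, that joins tss_acid to tss_xa_access over constructed rows to list unsuspended ACIDs holding the NODSNCHK or NORESCHK bypass attribute together with how many explicit permits each one also has. The page gives the attribute columns as Integer without stating their values; the example assumes 1 when the attribute is set and 0 otherwise.

```python
import sqlite3

# Subset of the tss_acid and tss_xa_access columns documented above.
# Assumption: Integer attribute columns hold 1 when set, 0 otherwise.
DDL = """
CREATE TABLE tss_acid (acid TEXT, type TEXT, suspend INTEGER,
                       nodsnchk INTEGER, noreschk INTEGER, lastdate TEXT);
CREATE TABLE tss_xa_access (acid TEXT, class TEXT, resource TEXT,
                            access TEXT, until TEXT);
"""

# Constructed sample data, not from any real security file.
SAMPLE_ACIDS = [
    ("SYSPROG1", "USER", 0, 1, 0, "2024-03-01"),
    ("BATCH01",  "USER", 0, 0, 0, "2024-03-02"),
    ("OLDADM",   "USER", 1, 1, 1, "2022-01-15"),   # suspended: excluded below
    ("STCTSS",   "USER", 0, 0, 1, "2024-03-03"),
]
SAMPLE_PERMITS = [
    ("SYSPROG1", "DATASET",  "SYS1.", "ALL",  ""),
    ("SYSPROG1", "DATASET",  "PROD.", "READ", ""),
    ("BATCH01",  "DATASET",  "PROD.", "READ", ""),
    ("OLDADM",   "DATASET",  "SYS1.", "ALL",  ""),
    ("STCTSS",   "FACILITY", "TSO",   "",     ""),
]

# Join on the common acid column: unsuspended ACIDs carrying a bypass
# attribute, with the number of explicit permits each one also holds.
BYPASS_SQL = """
SELECT a.acid,
       TRIM(CASE WHEN a.nodsnchk = 1 THEN 'NODSNCHK ' ELSE '' END ||
            CASE WHEN a.noreschk = 1 THEN 'NORESCHK' ELSE '' END) AS bypass,
       COUNT(x.resource) AS permits
FROM tss_acid a
LEFT JOIN tss_xa_access x ON x.acid = a.acid
WHERE a.suspend = 0 AND (a.nodsnchk = 1 OR a.noreschk = 1)
GROUP BY a.acid
ORDER BY a.acid"""


def active_bypass_acids(acids=SAMPLE_ACIDS, permits=SAMPLE_PERMITS):
    """Return (acid, bypass attributes, permit count) for unsuspended ACIDs
    that hold NODSNCHK or NORESCHK, using an in-memory copy of the tables."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(DDL)
        con.executemany("INSERT INTO tss_acid VALUES (?,?,?,?,?,?)", acids)
        con.executemany("INSERT INTO tss_xa_access VALUES (?,?,?,?,?)", permits)
        return con.execute(BYPASS_SQL).fetchall()
    finally:
        con.close()
```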