PERMIT search algorithm questions in CA Top Secret

Article ID: 106832

Updated On:

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

PERMIT search algorithm questions in CA Top Secret

1.
PROFA is before PROFB on a user.
PROFA gives read access to HLQ "CMNPPO".
PROFB gives update access to dataset "CMNPPO.TESTSHR".
Selection ends at PROFA, denying update access to DSN CMNPPO.TESTSHR.TEST, correct?

2.
PROFA has the following permits:
XA DATASET = CMNPPO
ACCESS = READ
XA DATASET = CMNPPO.TESTSHR
ACCESS = UPDATE
If a user tries to edit dataset "CMNPPO.TESTSHR", will they be allowed?
If a user tries to edit dataset "CMNPPO.TESTSHR1", will they be allowed?

3.
If I have the following 5 permissions:
DATASET(PD) ACCESS(READ)
DATASET(PDI) ACCESS(READ)
DATASET(PDP) ACCESS(READ)
DATASET(PDPP) ACCESS(READ)
DATASET(PDR) ACCESS(READ)

The first one (PD) is all that is needed, correct?
The last 4 are redundant/would all fall under the first?

Environment

Release:
Component: TSSMVS

Resolution

1.
PROFA is before PROFB on a user. 
PROFA gives read access to HLQ "CMNPPO". 
PROFB gives update access to dataset "CMNPPO.TESTSHR". 
Selection ends at PROFA, denying update access to DSN CMNPPO.TESTSHR.TEST, correct? 
Answer: 
You are correct. 
Once TSS finds a match, it stops searching the rest of the PROFILEs. If PROFA is before PROFB and a matching PERMIT is found in PROFA, the search stops in PROFA and PROFB is not searched, even though PROFB contains a more specific PERMIT.


2. 
PROFA has the following permits: 
XA DATASET = CMNPPO 
ACCESS = READ 
XA DATASET = CMNPPO.TESTSHR 
ACCESS = UPDATE 
If a user tries to edit dataset "CMNPPO.TESTSHR", will they be allowed? 
If a user tries to edit dataset "CMNPPO.TESTSHR1", will they be allowed? 
Answer: 
Yes, UPDATE access will be given for both. CA Top Secret will choose the more specific PERMIT over a more generic PERMIT from within the same PROFILE.

3. 
If I have the following 5 permissions: 
DATASET(PD) ACCESS(READ) 
DATASET(PDI) ACCESS(READ) 
DATASET(PDP) ACCESS(READ) 
DATASET(PDPP) ACCESS(READ) 
DATASET(PDR) ACCESS(READ) 

The first one (PD) is all that is needed, correct? 
The last 4 are redundant/would all fall under the first? 

Answer: 
Yes, you are correct.
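
The three answers above can be reproduced with a small model of the search order. This is an added example, not CA Top Secret code or part of the original article. It assumes plain prefix matching on dataset names, that UPDATE implies READ, and no masking characters; all function names are hypothetical.

```python
# Simplified model of the PERMIT search described in the answers (added example).
# Assumptions: plain prefix matching on dataset names, UPDATE implies READ,
# no masking characters. Function names are hypothetical, not TSS APIs.
LEVEL = {"READ": 1, "UPDATE": 2}

def best_permit(permits, dsn):
    """Within one profile, the longest (most specific) matching prefix wins."""
    matches = [p for p in permits if dsn.startswith(p[0])]
    return max(matches, key=lambda p: len(p[0]), default=None)

def check_access(profiles, dsn, requested):
    """Walk profiles in attach order; stop at the first one with any match."""
    for name, permits in profiles:
        hit = best_permit(permits, dsn)
        if hit is not None:
            return LEVEL[hit[1]] >= LEVEL[requested], name, hit[0]
    return False, None, None  # no PERMIT matched; the model treats this as denied

def redundant_permits(permits):
    """Permits whose nearest broader prefix already grants the same access."""
    out = []
    for prefix, access in permits:
        others = [p for p in permits if p[0] != prefix]
        parent = best_permit(others, prefix)
        if parent is not None and parent[1] == access:
            out.append(prefix)
    return out

# Question 1: the generic PERMIT sits in the earlier profile.
Q1 = [("PROFA", [("CMNPPO", "READ")]),
      ("PROFB", [("CMNPPO.TESTSHR", "UPDATE")])]
# Question 2: both PERMITs are in the same profile.
Q2 = [("PROFA", [("CMNPPO", "READ"), ("CMNPPO.TESTSHR", "UPDATE")])]
# Question 3: five READ permits with overlapping prefixes.
Q3 = [("PD", "READ"), ("PDI", "READ"), ("PDP", "READ"),
      ("PDPP", "READ"), ("PDR", "READ")]

if __name__ == "__main__":
    print(check_access(Q1, "CMNPPO.TESTSHR.TEST", "UPDATE"))
    print(check_access(Q2, "CMNPPO.TESTSHR", "UPDATE"))
    print(check_access(Q2, "CMNPPO.TESTSHR1", "UPDATE"))
    print(redundant_permits(Q3))
```

Each result is a tuple of (allowed, profile where the search stopped, PERMIT prefix that decided the request), which makes it visible when a generic PERMIT in an earlier profile masks a more specific one in a later profile.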