RDT definition in Top Secret for resource class TSOAUTH

Article ID: 12611

Products: Top Secret, Top Secret - LDAP

Issue/Introduction

Per the IBM RACF documentation about TSOAUTH class:

You can use RACF® to protect certain TSO resources. These resources include TSO logon procedures, account numbers, and performance groups.

In addition, you can protect resources called TSO user authorities, whose settings determine whether a user can issue certain authorized TSO commands. Examples of TSO user authorities include ACCT, JCL, MOUNT, OPER, RECOVER, PARMLIB, TESTAUTH, and CONSOLE. For detailed information about the TSO resources you can protect with RACF, see z/OS TSO/E Customization.

If you are defining TSO segments in user profiles, you must protect these TSO resources, using the following general resource classes:
  • TSOPROC (for protecting TSO logon procedures)
  • ACCTNUM (for protecting TSO account numbers)
  • PERFGRP (for protecting TSO performance groups)
  • TSOAUTH (for protecting TSO user authorities)

The following access authorities apply to these resources:

NONE
    No access allowed.

READ
    For TSOPROC, ACCTNUM, and PERFGRP, allows users to specify the logon procedure, account number, or performance group when logging on.

    For TSOAUTH, gives the user the authority to issue the associated authorized TSO command.

    For PARMLIB, allows the user to issue the PARMLIB LIST command.

    For TESTAUTH, allows the user to invoke a program in authorized state.

UPDATE
    For PARMLIB, allows the user to issue the PARMLIB UPDATE command. For the other profiles, UPDATE is the same as READ.

CONTROL
    Same as READ.

ALTER
    Allows users to change the profile, if the profile is discrete.

*** End Of Excerpt ***

What is the correct RDT definition in Top Secret for resource class TSOAUTH?

Resolution

In the Top Secret Resource Descriptor Table (RDT), the TSOAUTH resource class shows:

ACCESSORID = *RDT*     NAME       = RESOURCE DEFINITIONS
     RESOURCE CLASS = TSOAUTH
      RESOURCE CODE = X'088'   POSIT =    124
                  ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(008),PRIVPGM

The class has no access list, and it has always been supplied that way, so there is no access-level granularity for TSOAUTH in Top Secret. The only difference is with UPDATE: for TSOAUTH(PARMLIB), it allows the user to issue the PARMLIB UPDATE command; for the other profiles, UPDATE is the same as READ. With Top Secret, you can both LIST and UPDATE the PARMLIB.

For a pre-defined resource class, only the attributes can be changed.
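
The following is an added example, not part of the original article and not vendor code: a Python parser for the RDT listing shown above that reports the point made in this section, that TSOAUTH carries no access levels. The function names are hypothetical, and the check for an `ACCESS` attribute or line on classes that do have an access list is an assumption, since the article shows no such listing.

```python
import re

# RDT listing copied from the article.
TSOAUTH_LISTING = """\
ACCESSORID = *RDT*     NAME       = RESOURCE DEFINITIONS
     RESOURCE CLASS = TSOAUTH
      RESOURCE CODE = X'088'   POSIT =    124
                  ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(008),PRIVPGM
"""

def parse_rdt_entry(listing):
    """Parse one RDT entry into its class, code, POSIT and attributes."""
    fields = {}
    for line in listing.splitlines():
        # Collapse "KEY   =   value" to "KEY=value"; pairs are then 2+ spaces apart.
        line = re.sub(r"\s*=\s*", "=", line.strip())
        for pair in re.split(r"\s{2,}", line):
            key, sep, value = pair.partition("=")
            if sep:
                fields.setdefault(key, []).append(value)
    flags, limits = set(), {}
    for attr in ",".join(fields.get("ATTRIBUTE", [])).split(","):
        m = re.fullmatch(r"(\w+)\((\d+)\)", attr)
        if m:
            limits[m.group(1)] = int(m.group(2))   # e.g. MAXOWN(08) -> 8
        elif attr:
            flags.add(attr)                        # e.g. NOMASK, PRIVPGM
    return {
        "class": fields["RESOURCE CLASS"][0],
        "code": int(fields["RESOURCE CODE"][0][2:-1], 16),  # X'088' -> 0x88
        "posit": int(fields["POSIT"][0]),
        "flags": flags,
        "limits": limits,
        # Assumption: a class with an access list shows ACCESS as an
        # attribute or as its own line; the article's listing has neither.
        "has_access_levels": "ACCESS" in flags or "ACCESS" in fields,
    }

def audit(entry):
    """Return review findings for an entry that lacks access levels."""
    if entry["has_access_levels"]:
        return []
    return [f"{entry['class']}: no access levels defined; a permit cannot "
            "separate READ from UPDATE (PARMLIB LIST vs PARMLIB UPDATE)"]

if __name__ == "__main__":
    for finding in audit(parse_rdt_entry(TSOAUTH_LISTING)):
        print(finding)
```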

Additional Information

See TSOAUTH Resource Class—Secure TSO User Attributes for more information on the Top Secret TSOAUTH resource class.