CA Top Secret Admin controls for MFA/AAM (Multi Factor Administration)


Article ID: 16114


Updated On:

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction



What are the Top Secret Admin controls for MFA that could be used to restrict which Top Secret administrators can administer the new Top Secret MFA segment?

 

 

Environment

Release:
Component: TSSMVS

Resolution

With APAR RO98051:

To administer MFA, the SCA-type ACID must have both:

ACID(MAINTAIN)

Permission to CASECAUT(TSSCMD.ADMIN.CARSA) ACCESS(UPDATE)

This APAR enhances security control for all MFA factor administration:

ENHANCEMENT DESCRIPTION:                                              

To administer multi-factor authentication factors to users, an SCA administrator must now have ACID(MAINTAIN) and UPDATE access to entity TSSCMD.ADMIN.factor in the CASECAUT resource class, where factor represents the appropriate authentication type (CARSA, IBMRSA, or CAPAM).        

IMPACT:

Any SCA that administers the factors now requires both ACID(MAINTAIN) and the CASECAUT permission.

Example:

TSS PERMIT(scaadm1) CASECAUT(TSSCMD.ADMIN.CARSA) ACCESS(UPDATE)
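As an added example (not part of the article and not Broadcom code), the Python check below reads a TSS command script and reports, per factor, which ACIDs would hold both ACID(MAINTAIN) and the CASECAUT UPDATE permit, and which hold only the permit. It assumes one command per line, that every ACID named is already an SCA, that authority is granted with TSS ADMIN(acid) ACID(MAINTAIN), and that the script is the only source of authority; the sample script and its ACID names are constructed.

```python
import re
from collections import defaultdict

FACTORS = ("CARSA", "IBMRSA", "CAPAM")   # factor names listed in the article
PREFIX = "TSSCMD.ADMIN."                 # CASECAUT entity prefix from the article

# Constructed sample command script; the ACID names are illustrative only.
SAMPLE = """\
TSS ADMIN(scaadm1) ACID(MAINTAIN)
TSS PERMIT(scaadm1) CASECAUT(TSSCMD.ADMIN.CARSA)    ACCESS(UPDATE)
TSS ADMIN(scaadm2) ACID(CREATE)
TSS PERMIT(scaadm2) CASECAUT(TSSCMD.ADMIN.IBMRSA) ACCESS(UPDATE)
TSS ADMIN(scaadm3) ACID(CREATE,MAINTAIN)
TSS PERMIT(scaadm3) CASECAUT(TSSCMD.ADMIN.CAPAM) ACCESS(READ)
TSS PERMIT(scaadm3) CASECAUT(TSSCMD.ADMIN.CARSA) ACCESS(UPDATE)
"""

KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")   # matches KEYWORD(value) operands

def parse(script):
    """Return (ACIDs given ACID(MAINTAIN), {factor: ACIDs permitted UPDATE})."""
    maintain, permits = set(), defaultdict(set)
    for line in script.splitlines():
        words = line.split(None, 1)
        if len(words) < 2 or words[0].upper() != "TSS":
            continue                        # not a TSS command line
        kw = [(k.upper(), v.upper()) for k, v in KEYWORD.findall(words[1])]
        if not kw:
            continue
        (verb, acid), opts = kw[0], dict(kw[1:])
        values = lambda key: [v.strip() for v in opts.get(key, "").split(",")]
        if verb == "ADMIN" and "MAINTAIN" in values("ACID"):
            maintain.add(acid)
        elif verb == "PERMIT":
            entity = opts.get("CASECAUT", "")
            # Assumption: only an explicit UPDATE level is counted here.
            if (entity.startswith(PREFIX) and entity[len(PREFIX):] in FACTORS
                    and "UPDATE" in values("ACCESS")):
                permits[entity[len(PREFIX):]].add(acid)
    return maintain, permits

def mfa_admins(script):
    """Per factor: ACIDs meeting both requirements, and those with the permit only."""
    maintain, permits = parse(script)
    return {f: {"can_administer": sorted(permits[f] & maintain),
                "permit_without_maintain": sorted(permits[f] - maintain)}
            for f in FACTORS}

if __name__ == "__main__":
    for factor, result in mfa_admins(SAMPLE).items():
        print(factor, result)
```

An ACID listed under permit_without_maintain has the CASECAUT permit but would still be unable to administer that factor, which is the condition the IMPACT statement describes.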