What are the Top Secret Admin controls for MFA that could be used to restrict which Top Secret administrators can administer the new Top Secret MFA segment?
To administer MFA, the SCA-type ACID must have both:
Permission to CASECAUT(TSSCMD.ADMIN.CARSA) ACCESS(UPDATE)
This APAR enhances security control for all MFA factor administration:
To administer multi-factor authentication factors to users, an SCA administrator must now have ACID(MAINTAIN) and UPDATE access to entity TSSCMD.ADMIN.factor in the CASECAUT resource class, where factor represents the appropriate authentication type (CARSA, IBMRSA, or CAPAM).
Any SCA that administers the factors now requires ACID(MAINTAIN), and the CASECAUT permission.
TSS PERMIT(scaadm1) CASECAUT(TSSCMD.ADMIN.CARSA) ACCESS(UPDATE)