CASECAUT and SCOPE

Article ID: 17670
Products

CA Cleanup CA Datacom CA DATACOM - AD CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

A type USER ACID was permitted to CASECAUT(TSSCMD.USER.REPLACE.PASSWORD), but when this ACID tried to replace another ACID's password, the following error was received:

	TSS0352E ACID NOT OWNED WITHIN SCOPE

Environment

Release: TOPSEC00200-15-Top Secret-Security
Top Secret r16.0

Resolution

Even when using the new class CASECAUT, the administrative rights gained are limited by the scope of the ACID.

That is, an ACID of type USER has scope only over itself. If the ACID were a DCA, it would have scope over all ACIDs within the department the DCA belongs to.

The CA Top Secret User Guide states:

The CASECAUT resource class enables users with no administrative authorities to change certain passwords and issue digital certificate keyring and token commands for users WITHIN THEIR SCOPE.

In order to have no scope limitations, the ACID needs to be an SCA.
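The following TSS command sequence is an added illustration of the behaviour described above; it is not from the article or from the CA Top Secret documentation. The ACID names (HELPDSK1, USER0042, PWDADM01) and the department ACID (DEPTHELP) are made-up placeholders, and the command keywords are written from the standard TSS command syntax as an assumption about the exact form your release accepts.

```text
* 1. Grant a type USER ACID the CASECAUT resource for password replacement.
*    Assumed placeholder ACID: HELPDSK1
TSS PERMIT(HELPDSK1) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(READ)

* 2. HELPDSK1 (type USER) tries to replace another ACID's password.
*    The PERMIT is in place, but a type USER ACID has scope only over itself,
*    so the command fails with the error shown in the article:
TSS REPLACE(USER0042) PASSWORD(NEWPW1)
TSS0352E ACID NOT OWNED WITHIN SCOPE

* 3. Remediation: give the administering ACID a scope that covers the target.
*    Here a DCA is created in the department that owns USER0042
*    (placeholder department ACID DEPTHELP), and the same CASECAUT permit
*    is applied to it. A DCA's scope is every ACID within its department.
TSS CREATE(PWDADM01) TYPE(DCA) NAME('PASSWORD ADMIN') DEPARTMENT(DEPTHELP) PASSWORD(INITPW)
TSS PERMIT(PWDADM01) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(READ)

* 4. Confirm which department owns the target before expecting the command to work.
TSS LIST(USER0042) DATA(BASIC)

* 5. Signed on as PWDADM01, the replace now succeeds because USER0042 is
*    within the DCA's department scope. Only an SCA has no scope limit.
TSS REPLACE(USER0042) PASSWORD(NEWPW1)
```

The point to verify in practice is the target ACID's owning department (step 4) against the administering ACID's type and department: a CASECAUT permit never widens scope, it only relaxes the administrative-authority requirement inside the scope the ACID already has.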