Article ID: 185335
Issue/Introduction
Is there a way to determine whether SDSF is set up to use SAF with Top Secret, including how the GRPINDEX in SDSF is being set up for each TSOID?
Environment
Release : 16.0
Component : CA Top Secret for z/OS
Resolution
Issue TSS WHOOWNS SDSF(*) to see which resources are owned in the SDSF resource class. SDSF makes its initial security call through SAF to external security. If external security ignores the call (i.e., a return code of 04, meaning the resource is not defined), SDSF internal security is used, which relies on the ISFPARMS dataset.
From the IBM z/OSMF SDSF Settings Help documentation at the following link:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zosmfsdsf.settings.help.doc/izusfhpSDSFSettings.html
GRPINDEX - Index of your group in the SDSF PARMLIB member ISFPRMxx or in the SDSF customization module ISFPARMS. For example, an index number of 3 indicates that you were assigned to the group defined by the third GROUP statement in ISFPRMxx.
In RACF, to authorize membership in a group in ISFPARMS, the following commands are used:
RDEFINE SDSF GROUP.group-name.server-name UACC(NONE)
PERMIT GROUP.group-name.server-name CLASS(SDSF) ID(userid or groupid) ACCESS(READ)
The Top Secret equivalent commands are:
TSS ADD(dept) SDSF(GROUP.)
TSS PER(acid) SDSF(GROUP.group-name.server-name) ACCESS(READ)
Where:
‘dept’ is the department acid you want to own the resource.
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access.
If a name is not assigned to a group, SDSF generates one: ISF plus the index value of the group, in the format ISFnnnnn.
The ISFPARMS and statements shipped with SDSF use the following group names:
ISFSPROG for group 1 resource: GROUP.ISFSPROG.SDSF
ISFOPER for group 2 resource: GROUP.ISFOPER.SDSF
ISFUSER for group 3 resource: GROUP.ISFUSER.SDSF
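The group-index-to-resource mapping described above can be derived mechanically when reviewing which GROUP. resources need a PERMIT. The following is an added example, not code from Broadcom or IBM: it reads GROUP statements from an ISFPRMxx member and builds the Top Secret commands shown in this article. Assumptions: the sample member text is constructed, statements continue with a trailing comma, nnnnn is the group index zero-padded to five digits, and the dept and acid names are hypothetical.

```python
import re

# Constructed sample ISFPRMxx fragment (not taken from a real system).
SAMPLE_ISFPRM = """\
GROUP NAME(ISFSPROG),          /* group 1 */
  TSOAUTH(JCL,OPER,ACCT)
GROUP NAME(ISFOPER),           /* group 2 */
  TSOAUTH(JCL,OPER)
GROUP TSOAUTH(JCL)             /* group 3, no NAME given */
"""

def group_names(isfprm_text):
    """Return [(index, name)] for each GROUP statement, in file order."""
    # Drop /* ... */ comments, then join lines continued by a trailing comma.
    text = re.sub(r"/\*.*?\*/", "", isfprm_text, flags=re.S)
    statements, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        current += line
        if not line.endswith(","):
            statements.append(current)
            current = ""
    if current:
        statements.append(current)
    names, index = [], 0
    for stmt in statements:
        if not re.match(r"GROUP\b", stmt, flags=re.I):
            continue  # some other ISFPRMxx statement
        index += 1    # GRPINDEX is the ordinal of the GROUP statement
        m = re.search(r"\bNAME\(\s*([^)\s]+)\s*\)", stmt, flags=re.I)
        # Assumption: a generated name is ISF + index padded to 5 digits.
        names.append((index, m.group(1).upper() if m else "ISF%05d" % index))
    return names

def tss_commands(isfprm_text, server, dept, acid_by_group):
    """Build the article's TSS commands for every GROUP statement found."""
    cmds = ["TSS ADD(%s) SDSF(GROUP.)" % dept]
    for index, name in group_names(isfprm_text):
        resource = "GROUP.%s.%s" % (name, server)
        acid = acid_by_group.get(name)
        if acid is None:
            # Flag groups nobody is permitted to, rather than guessing an acid.
            cmds.append("* no acid mapped for %s (group %d)" % (resource, index))
        else:
            cmds.append("TSS PER(%s) SDSF(%s) ACCESS(READ)" % (acid, resource))
    return cmds
```

Groups flagged as unmapped are the ones to compare against the TSS WHOOWNS SDSF(*) output before deciding whether SDSF will fall back to ISFPARMS for them.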