Determine If SDSF Is Setup To Use SAF With Top Secret

book

Article ID: 185335

calendar_today

Updated On:

Products

CA Top Secret

Issue/Introduction

Is there a way to determine if SDSF is set up to use SAF with Top Secret, including how the GRPINDEX in SDSF is being setup for each TSOID?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Issue TSS WHOOWNS SDSF(*) to see what resources are owned in the SDSF resource class. SDSF uses SAF to make its initial call for external security. If external security ignores the call (ie return code of 04 meaning the resource is not defined), then SDSF internal security is used utilizing the ISFPARMS dataset.

From the IBM z/OSMF SDSF Settings Help documentation at the following link:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zosmfsdsf.settings.help.doc/izusfhpSDSFSettings.html

**
GRPINDEX - Index of your group in the SDSF PARMLIB member ISFPRMxx or in the SDSF customization module ISFPARMS. For example, an index number of 3 indicates that you were assigned to the group defined by the third GROUP statement in ISFPRMxx.
**

In RACF, to authorize membership in a group in ISFPARMS, the following commands are used:

 RDEFINE SDSF GROUP.group-name.server-name  UACC(NONE) 
 PERMIT GROUP.group-name.server-name CLASS(SDSF) ID(userid or  groupid) 
 ACCESS(READ)

The Top Secret equivalent commands are:

TSS  ADD(dept)  SDSF(GROUP.)
TSS PER(acid) SDSF(GROUP.group-name.server-name) ACCESS(READ)

Where 
‘dept’ is the deparment acid you want to own the resource.
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access.

If a name is not assigned to a group, SDSF generates one in the format: ISF plus the index value of the group, in the format ISFnnnnn.

The ISFPARMS and statements shipped with SDSF use the following group names:
ISFSPROG for group 1 resource: GROUP.ISFSPROG.SDSF
ISFOPER for group 2 resource: GROUP.ISFOPER.SDSF
ISFUSER for group 3 resource: GROUP.ISFUSER.SDSF