Report All ACIDs With Top Secret Access To APF Authorized Libraries

Article ID: 210632

Products

Top Secret

Issue/Introduction

The following was requested during an IRS Audit:

H.14.15 AC-6. Least Privilege: Test ID #TS-26. To close this finding, please provide a system generated report showing who has UPDATE (read/write access) and ALLOCATE access to all APF list and linklist libraries (include name and job function) with the agency's CAP.

Besides doing a TSSAUDIT APF utility to list all DSNs in the APF/LNKLST, then doing a WHO HAS on each of the DSNs listed, then listing each Profile to display the ACIDS in the profile, and then listing each ACID individually, is there an easier method of doing this?

Environment

Release: 16.0

Component: CA Top Secret for z/OS

Resolution

Instead of running TSSAUDIT APF, the D PROG,APF command can be issued from the console to display the APF authorized libraries. If a profile is permitted to a dataset, the WHOHAS command has no option that displays the ACIDs within that profile or the NAME associated with each ACID.

TSS LIST(profile) DATA(ACIDS) can be used to see the profile and just the attached ACIDs.

TSS LIST(acid) DATA(NAMES) can be used to get the ACID and just the NAME associated with the ACID.
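
Once the listings above have been collected, the join the auditor asks for (library, access, user ACID, NAME, and the profile the access comes through) can be scripted. The following is an added example, not part of the original article or the product; it assumes the command output has already been transcribed into the simple Python structures shown, and every dataset, profile and ACID name in it is constructed.

```python
# Added example: joins already-collected Top Secret listings into one report.
# All data is constructed; the input layout is an assumption, not TSS output.
from collections import namedtuple

Row = namedtuple("Row", "library access acid name via")

# Access levels named in the audit request; adjust to the levels in your WHOHAS output.
AUDITED_ACCESS = frozenset({"UPDATE", "ALLOCATE"})

def build_report(apf_libraries, permits, profile_members, acid_names,
                 audited=AUDITED_ACCESS):
    """Expand every audited permit on an APF/linklist library down to user ACIDs.

    apf_libraries   : dataset names (from D PROG,APF)
    permits         : (library queried, acid, access) (from TSS WHOHAS per library)
    profile_members : {profile: [user ACIDs]} (from TSS LIST(profile) DATA(ACIDS))
    acid_names      : {acid: NAME} (from TSS LIST(acid) DATA(NAMES))
    """
    libraries = set(apf_libraries)
    rows = set()
    for dataset, acid, access in permits:
        if dataset not in libraries or access.upper() not in audited:
            continue
        if acid in profile_members:
            # Permit is to a profile: report each attached user, noting the profile.
            holders = [(user, acid) for user in profile_members[acid]]
        else:
            holders = [(acid, "DIRECT")]
        for user, via in holders:
            # A missing NAME stays visible in the report instead of being dropped.
            rows.add(Row(dataset, access.upper(), user,
                         acid_names.get(user, "<NAME NOT LISTED>"), via))
    return sorted(rows)

# Constructed sample input (hypothetical dataset, profile and ACID names).
APF = ["SYS1.LINKLIB", "VENDOR.LOADLIB"]
PERMITS = [
    ("SYS1.LINKLIB", "SYSPROF", "UPDATE"),
    ("SYS1.LINKLIB", "AUDITOR1", "READ"),
    ("VENDOR.LOADLIB", "USER03", "ALLOCATE"),
    ("PAYROLL.DATA", "USER03", "UPDATE"),
]
MEMBERS = {"SYSPROF": ["USER01", "USER02"]}
NAMES = {"USER01": "A SMITH", "USER02": "B JONES", "USER03": "C LEE"}

if __name__ == "__main__":
    for r in build_report(APF, PERMITS, MEMBERS, NAMES):
        print(f"{r.library:<16}{r.access:<10}{r.acid:<9}{r.name:<12}{r.via}")
```

Rows marked DIRECT come from a permit to the ACID itself; any other value in the last column is the profile through which the user inherits the access.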

If the Compliance Information Analysis (CIA) feature is set up and running, the CIARPT03 report (List Roles and Users By Resource) can be used to answer the following questions:
- What users and profiles have access to the resource through special attributes?
- What users and profiles have access to the resource through ownership, either of the best fit resource entity or of a different masked resource entity?
- What users and profiles have access to the resource through PERMITs, either through the best fit resource entity or through a different masked resource entity?
- For profiles that have access to the resource, who are the users that have access because they are connected to a profile?