What is the procedure to define a new SAF Profile, that controls Access to the SYSLOG? This resource is READ access to resource name 'nodeid.+MASTER+.SYSLOG.SYSTEM.sysid', in the JESSPOOL Class.

===============================================================================
TSS ADD(dept) JESSPOOL(nodeid.)
TSS PER(acid) JESSPOOL(nodeid.+BYPASS+.SYSLOG.SYSTEM.sysid) ACC(READ)

===============================================================================

The reason the second qualifier is BYPASS and not MASTER is as follows:

The second qualifier in a JESSPOOL Resource is the ACID that owns the SYSOUT data being protected. So, in Top Secret, it's normally an ACID Name.

Top Secret usually doesn't allow ACEEs to be created for Undefined Users ('+MASTER+' is undefined in RACF, but RACF does allow ACEEs to be created for Undefined Users).

In Top Secret, there is a specific exception for ACIDs starting with '+' in a handful of FACILITYs, but these are treated as 'Bypass Users', and use an ACID of *BYPASS* in the ACEE that is created.

When a JESSPOOL resource name is constructed, it uses the ACID from the ACEE (actually, from the TOKEN associated with the ACEE, but that ACID is a copy of the one in the ACEE).

So a *BYPASS* ACEE will result in a JESSPOOL resource owned by*BYPASS*.

You can use *BYPASS* in the PERMIT command, but Top Secret will interpret the "*" as masking characters. For that reason, it is probably better to use '+BYPASS+' in the PERMIT.

There are still masking characters, but there are fewer resource names that will match.