
Define a new SAF Profile.


Article ID: 21381


Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Issue:

What is the procedure to define a new SAF Profile that controls access to the SYSLOG?

The access being controlled is READ access to the resource 'nodeid.+MASTER+.SYSLOG.SYSTEM.sysid' in the JESSPOOL Class.

 

Resolution:

===============================================================================
TSS ADD(dept) JESSPOOL(nodeid.)
TSS PER(acid) JESSPOOL(nodeid.+BYPASS+.SYSLOG.SYSTEM.sysid) ACC(READ)
===============================================================================

The reason the second qualifier is BYPASS and not MASTER is as follows:

The second qualifier in a JESSPOOL Resource is the ACID that owns the SYSOUT data being protected. So, in CA Top Secret, it's normally an ACID Name.

CA Top Secret usually doesn't allow ACEEs to be created for Undefined Users ('+MASTER+' is undefined in RACF, but RACF does allow ACEEs to be created for Undefined Users).

We make a specific exception for ACIDs starting with '+' in a handful of FACILITYs, but we treat these as 'Bypass Users', and use an ACID of *BYPASS* in the ACEE that's created.

When a JESSPOOL Resource Name is constructed, it uses the ACID from the ACEE (actually, from the TOKEN associated with the ACEE, but that ACID is a copy of the one in the ACEE).

So a *BYPASS* ACEE will result in a JESSPOOL Resource owned by *BYPASS*.

You can use *BYPASS* in the PERMIT command, but CA Top Secret will interpret the asterisks as masking characters. For that reason, it's probably better to use '+BYPASS+' in the PERMIT.

'+BYPASS+' still contains masking characters, but fewer Resource Names will match it.
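The effect of the two masks on the owner qualifier can be compared with a small model. This is an added example, not CA Top Secret code: it assumes '*' matches any run of characters and '+' matches exactly one character, and NODE1, SYSA and the owner names are constructed placeholders.

```python
import re

# ASSUMPTION (not stated in the article): '*' matches any run of characters,
# including none, and '+' matches exactly one character. Confirm against the
# product documentation before relying on this model.
def mask_to_regex(mask):
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def matches(mask, resource):
    """True if the whole resource name is covered by the mask."""
    return mask_to_regex(mask).fullmatch(resource) is not None

def syslog_resource(nodeid, owner, sysid):
    # Layout taken from the article: nodeid.owner.SYSLOG.SYSTEM.sysid
    return f"{nodeid}.{owner}.SYSLOG.SYSTEM.{sysid}"

# Constructed sample owners (all 8 characters or fewer). Only the first is
# the ACID the article says is placed in the ACEE; the rest are hypothetical
# ACIDs that happen to contain the string BYPASS.
OWNERS = ["*BYPASS*", "XBYPASSY", "BYPASS", "BYPASS01", "MYBYPASS"]
SAMPLES = [syslog_resource("NODE1", o, "SYSA") for o in OWNERS]

def matched_by(owner_mask):
    """Sample resource names a PERMIT written with owner_mask would cover."""
    mask = syslog_resource("NODE1", owner_mask, "SYSA")
    return [r for r in SAMPLES if matches(mask, r)]

if __name__ == "__main__":
    for owner_mask in ("*BYPASS*", "+BYPASS+"):
        print(owner_mask, "covers", len(matched_by(owner_mask)), "of", len(SAMPLES))
        for name in matched_by(owner_mask):
            print("   ", name)
```

Under these assumptions the '+BYPASS+' permit still covers the *BYPASS* owner but no longer grants READ to SYSLOG-shaped spool names owned by ACIDs that merely begin or end with BYPASS.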

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: