ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Change Specific SDSF Group Assignments From ISFPARMS To Top Secret

book

Article ID: 214222

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

Is it possible to move only 2 of the SDSF group assignments to Top Secret and leave the others in ISFPRMxx? What steps are needed to accomplish this?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

You may already have permits in the ALL record for the following:

SDSF(ISFCMD.) ACCESS(ALL) ACTION(PASSWORD,FAIL)
SDSF(ISFATTR.) ACCESS(ALL) ACTION(PASSWORD,FAIL)
SDSF(ISFINIT.) ACCESS(ALL) ACTION(PASSWORD,FAIL)

These were recommended in a PIB (GI18084) from Top Secret 4.4, but these are still valid.

ACTION(PASSWORD,FAIL) on a permit will force a return code of 4 to be returned to SDSF when checking for access to SYSOUT. This will make SDSF honor ISFPARMS or the SDSF user exit, effectively enforcing SDSF security checking as intended.

The first things to do are:

1) Determine what resource names you will be permitting.
2) List the ALL record to see if these permits are there. 

If the above permits are in the ALL record (with ACTION(PASSWORD,FAIL) ), then you can just permit the SDSF resources to the acids (or attached profiles) that are affiliated with the 2 SDSF groups. The other ACIDs will fall through to the permits in the ALL record with ACTION(PASSWORD,FAIL) and should revert to ISFPARMS.