1. How does the implementation process go?
When the HFSSEC option is turned on but there are no profiles/missing profiles in HFSSEC class, what happens to UNIX security during this transition period? Is there no protection of UNIX resources or quite opposite - all the directories are protected and inaccessible  without matching HFSSEC profile?
Is there any recommended migration path/procedure?

2. Does Cleanup track HFSSEC resources?

Release : 16.0

Component : CA Top Secret for z/OS

Before attempting to implement HFS security in TSS, please make sure TSS is configured correctly to support HFS security which is documented at the following:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/controlling-access-to-the-hierarchical-file-system/ca-saf-hfs-security.html

Questions:

1. How does the implementation process go? When the HFSSEC option is turned on but there are no profiles/missing profiles in HFSSEC class,

Answer:

USS native security will no longer be checked for directory access.

Access to the directories will be determined by TSS once HFSSEC is set to ON.

Directories are secured just like any other resource in TSS, which means the directory must be owned if you want it secured by TSS. Then, PERMITed to users that need access to the directory.

Unowned resources are not protected just like every other resource.

Just treat it like any other Top Secret protected resource.

2. What happens to UNIX security during this transition period?

Answer:

See answer to 4 below.

3. Is there no protection of UNIX resources or quite opposite - all the directories are protected and inaccessible  without matching HFSSEC profile?

Answer:

See answer to 4.

4. Is there any recommended migration path/procedure?

Answer:

Ownerships and PERMITs should be done ahead of time before HFSSEC is set to ON. 

So, once you set HFSSEC to ON, security definitions and authorization is already setup.

The directories will be defined to Top Secret and PERMITted to the appropriate users and PROFILES.

Own all the directories you want to secure just like any other resource via:

TSS ADD(ownginacid) HFSSEC(directory) 

Unowned directories will not be secured which means anyone will be able to access them just like any unowned resources in TSS.

Then TSS PERMIT the directory to users and PROFILEs that need access to it just like any other resource:

TSS PER(ownginacid) HFSSEC(directory) ACC(accesslevel)

Then when you are ready, turn HFSSEC(ON) which will deactivate USS native directory security and activate TSS USS directory security.

5. Does Cleanup track HFSSEC resources?

Answer:

Yes since there is a security check being issued when a HFSSEC resource is accessed.

Cleanup can only track resources if a security check is done when the resource is accessed.

To Cleanup, USS directories is just another TSS resource to keep track of.