View - Not Honoring External Security calls
Article ID: 221592
Updated On:
Products
Issue/Introduction
We have noticed that our original security settings from View r11 don't seem to be working at the moment for preventing printing of reports (line commands "P" and "J").
Looks like we get a write call:
OSGTEST FUNC=CPLFCHG ACCESS=WRITE CLASS=CHA1VIEW ENTITY=SAR.REPT.OSSVOO5O-R02
However, the user should only have READ.
TSS DEF:
XA CHA1VIEW= SAR.REPT.OSSVOO5O OWNER(9VIEWDEP)
ACCESS = UPDATE
XA CHA1VIEW= SAR.REPT.OSSVOO5O-R02 OWNER(9VIEWDEP)
ACCESS = READ
ATTRIB = MASK
XA CHA1VIEW= SAR.REPT.OSSVOO5O-R03 OWNER(9VIEWDEP)
ACCESS = NONE
ATTRIB = MASK
The NONE access does seem to work for R03 but the Test user can still print R01 and R02.
Please can you advise?
Environment
Release : 14.0
Component : CA View
Resolution
Here is what was found by Top Secret support:
. The "-", in the CHA1VIEW permits, is used by Top Secret as a floating mask, which represents a variable number of characters (including no characters).
. From testing done with different masking characters, if the "-" is changed to "+", the client will get the desired result.
Note: The "+" masking character represents a single position in the resource name.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Though the "-" is a literal within the Report ID, Top Secret interprets it as a masking character.
Here is a rule sample:
TSS REV(TEST1) CHA1VIEW(SAR.REPT.REPORT-R03)
TSS PER(TEST1) CHA1VIEW(SAR.REPT.REPORT+R03) ACCESS(NONE)
The reason that R03 is blocked with "–" or "+" is that the access level permitted is NONE.
When multiple matching permits are found with the same length resource name, a permit with ACCESS(NONE) will override the other access level(s) and deny access.
Feedback
