View - Not Honoring External Security calls

book

Article ID: 221592

calendar_today

Updated On:

Products

CA View

Issue/Introduction

We have noticed that our original security settings from View r11 don't seem to be working at the moment for preventing printing of reports (line commands "P" and "J").

Looks like we get a write call:

 OSGTEST  FUNC=CPLFCHG ACCESS=WRITE CLASS=CHA1VIEW ENTITY=SAR.REPT.OSSVOO5O-R02   

However, the user should only have READ.

TSS DEF:
XA CHA1VIEW= SAR.REPT.OSSVOO5O                             OWNER(9VIEWDEP) 
   ACCESS  = UPDATE                                                        
XA CHA1VIEW= SAR.REPT.OSSVOO5O-R02                         OWNER(9VIEWDEP) 
   ACCESS  = READ                                                          
   ATTRIB  = MASK                                                          
XA CHA1VIEW= SAR.REPT.OSSVOO5O-R03                         OWNER(9VIEWDEP) 
   ACCESS  = NONE                                                          
   ATTRIB  = MASK                                                          

The NONE access does seem to work for R03 but the Test user can still print R01 and R02.

Please can you advise?

Environment

Release : 14.0

Component : CA View

Resolution

Here is what was found by Top Secret support:

 . The "-", in the CHA1VIEW permits, is used by Top Secret as a floating mask, which represents a variable number of characters (including no characters). 

 . From testing done with different masking characters, if the "-" is changed to "+", the client will get the desired result. 

   Note: The "+" masking character represents a single position in the resource name.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Though the "-" is a literal within the Report ID, Top Secret interprets it as a masking character.

Here is a rule sample:

 TSS REV(TEST1) CHA1VIEW(SAR.REPT.REPORT-R03)
 TSS PER(TEST1) CHA1VIEW(SAR.REPT.REPORT+R03) ACCESS(NONE)

The reason that R03 is blocked with "–" or "+" is that the access level permitted is NONE.

When multiple matching permits are found with the same length resource name, a permit with ACCESS(NONE) will override the other access level(s) and deny access.