TSS7251E Access Denied to CASECAUT <TSSCMD.ADMIN.MODIFY> With F TSS,STATS From OPS/MVS

book

Article ID: 227078

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

There is an automatic process controlled by OPS/MVS that, on an hourly basis, executes the Top Secret command: F TSS,STATS. This process receives error message:

TSS7251E Access Denied to CASECAUT <TSSCMD.ADMIN.MODIFY>

for the command. The TSSUTIL EVENT(VIOL) shows that:

  DATE      TIME    SYSID ACCESSOR  JOBNAME   FACILITY  MODE  VC  PROGRAM   R-ACCESS A-ACCESS  SRC/DRC  SEC  JOBID  
--------      --------        -----      --------          --------          --------       ----          --     --------           --------         --------           -------           ---      -------
06/29/20  08:00:06  ssss  *MISSING      jjjjjjjj              STC          FAIL           TSSOPCOM  USE             NONE          *08*-88                iiiiiiii
                    RESOURCE  TYPE & NAME :   CASECAUT  TSSCMD.ADMIN.MODIFY                                         


JOBID iiiiiiii is the Top Secret started task.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The user that is assigned to the OPSMAIN started task does not have the CASECAUT authority to issue the TSS MODIFY command. You will need to grant USE authority as follows:

TSS PER(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(USE)

This will allow the user to issue TSS MODIFY commands that only list data (including STATS). It will not allow any MODIFY command that could change control option data. The 3 things needed are:

1.  Assign the OPS/MVS started task to an acid in the Top Secret STC table. (This will prevent the ACCESSOR in the TSSUTIL report from being *MISSING or *BYPASS, neither of which can be the 'acid' in a TSS PERMIT command.

2.  Insure the assigned ACID has the permission to execute TSS MODIFY commands that list data only (the TSS PERMIT command above).

3.  After Top Secret initializes (message TSS9000I is displayed on console), issue the OPS/MVS command 'MODIFY OPSx,RESTART(SECURITY)'. This forces OPS/MVS to update its user token data with the newly assigned STC ACID. This token is what is supplied on all future console commands issued in this manner.  

According to the OPS/MVS documentation, there is an AOF sample message rule TSS9000I to assist in automating the command response highlighted in step 3. Once the TSS MODIFY command is running successfully again, you may want to implement this.