An automated process controlled by OPS/MVS issues the Top Secret command F TSS,STATS on an hourly basis. This process receives the error message:
TSS7251E Access Denied to CASECAUT <TSSCMD.ADMIN.MODIFY>
for the command. The TSSUTIL EVENT(VIOL) report shows:
DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VC PROGRAM R-ACCESS A-ACCESS SRC/DRC SEC JOBID
-------- -------- ----- -------- -------- -------- ---- -- -------- -------- -------- ------- --- -------
06/29/20 08:00:06 ssss *MISSING jjjjjjjj STC FAIL TSSOPCOM USE NONE *08*-88 iiiiiiii
RESOURCE TYPE & NAME : CASECAUT TSSCMD.ADMIN.MODIFY
JOBID iiiiiiii is the Top Secret started task.
Release : 16.0
Component : CA Top Secret for z/OS
The user that is assigned to the OPSMAIN started task does not have the CASECAUT authority to issue the TSS MODIFY command. You will need to grant USE authority as follows:
TSS PER(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(USE)
This will allow the user to issue TSS MODIFY commands that only list data (including STATS). It will not allow any MODIFY command that could change control option data. The 3 things needed are:
1. Assign the OPS/MVS started task to an acid in the Top Secret STC table. (This will prevent the ACCESSOR in the TSSUTIL report from being *MISSING or *BYPASS, neither of which can be the 'acid' in a TSS PERMIT command.)
2. Ensure the assigned ACID has the permission to execute TSS MODIFY commands that list data only (the TSS PERMIT command above).
3. After Top Secret initializes (message TSS9000I is displayed on console), issue the OPS/MVS command 'MODIFY OPSx,RESTART(SECURITY)'. This forces OPS/MVS to update its user token data with the newly assigned STC ACID. This token is what is supplied on all future console commands issued in this manner.
According to the OPS/MVS documentation, there is an AOF sample message rule TSS9000I to assist in automating the command response highlighted in step 3. Once the TSS MODIFY command is running successfully again, you may want to implement this.
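To tell which of steps 1 and 2 is still outstanding, the TSSUTIL EVENT(VIOL) output can be triaged offline. The following is an added example, not code from the original article or from Broadcom; the sample report is constructed (SYSA, OPSMAIN, OPSACID and STC00001 are placeholders), and it assumes the first seven report columns are always populated and whitespace separated, as in the line shown above.

```python
import re

# Constructed sample in the layout shown above; all names are placeholders.
SAMPLE_REPORT = """\
06/29/20 08:00:06 SYSA *MISSING OPSMAIN STC FAIL TSSOPCOM USE NONE *08*-88 STC00001
   RESOURCE TYPE & NAME : CASECAUT TSSCMD.ADMIN.MODIFY
06/29/20 09:00:06 SYSA OPSACID OPSMAIN STC FAIL TSSOPCOM USE NONE *08*-88 STC00001
   RESOURCE TYPE & NAME : CASECAUT TSSCMD.ADMIN.MODIFY
"""

# Assumption: DATE..MODE are never blank; later columns (VC, SEC) can be, so they are ignored.
EVENT = re.compile(r"^(\d\d/\d\d/\d\d)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
RESOURCE = re.compile(r"RESOURCE TYPE & NAME\s*:\s*(\S+)\s+(\S+)")
KEYS = ("date", "time", "sysid", "accessor", "jobname", "facility", "mode")
UNASSIGNED = {"*MISSING", "*BYPASS"}  # cannot be the acid in a TSS PERMIT
PAGE_RESOURCE = ("CASECAUT", "TSSCMD.ADMIN.MODIFY")  # the only resource this article covers

def parse_violations(report):
    """Pair each violation line with the RESOURCE line that follows it."""
    events, current = [], None
    for line in report.splitlines():
        m = EVENT.match(line.strip())
        if m:
            current = dict(zip(KEYS, m.groups()))
            events.append(current)
            continue
        r = RESOURCE.search(line)
        if r and current is not None:
            current["rtype"], current["rname"] = r.groups()
    return events

def advise(event):
    """Return the next step from the article for one parsed violation."""
    if (event.get("rtype"), event.get("rname")) != PAGE_RESOURCE:
        return "out of scope: not the CASECAUT TSSCMD.ADMIN.MODIFY violation"
    if event["accessor"] in UNASSIGNED:
        # Step 1 is missing: no PERMIT can be written against this accessor.
        return (f"{event['jobname']}: accessor is {event['accessor']}; "
                "assign the started task to an acid in the STC table first")
    # Step 2: the started task has an acid but lacks list-only MODIFY authority.
    return f"TSS PER({event['accessor']}) {event['rtype']}({event['rname']}) ACCESS(USE)"

if __name__ == "__main__":
    for ev in parse_violations(SAMPLE_REPORT):
        print(ev["date"], ev["time"], "->", advise(ev))
```

Review any generated PERMIT before issuing it; the script only proposes the list-only authority the article describes.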