Give Top Secret Admin Authorities Temporarily To ACIDs And Audit Them?

Article ID: 239672

Products

Top Secret

Issue/Introduction

Is there a way to grant temporary administrator authorities/functions to additional ACIDs and have everything done by those ACIDs tracked?

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

The FOR/UNTIL keywords are not valid with the TSS ADMIN command, so admin authorities can't be given for x days or until a specific date. However, you could create a specific ACID with the necessary Top Secret administrative authorities and cross-authorize the other ACIDs to that ACID. The other ACIDs could then submit batch jobs that issue the Top Secret commands, specifying USER=adminacid on the jobcard, and that ACID could be suspended after a certain period. For example, the MSCA (master ACID) can create a type SCA ACID with the necessary administrative authorities and set the ACID to expire in a week (7 days).

TSS CREATE(ADMACID) TYPE(SCA) NAME('Temp Admin Acid') PASS(xxxxx)
TSS ADD(ADMACID) FOR(7)
TSS ADD(ADMACID) AUDIT
TSS ADD(ADMACID) FAC(BATCH)
TSS ADMIN(ADMACID) admin authorities

ADMACID will need any other accesses required to execute a batch job.

Then permit this ACID to the other ACIDs that need it.
TSS PER(acid1) ACID(ADMACID) 
TSS PER(acid2) ACID(ADMACID) 
TSS PER(acid3) ACID(ADMACID) 

Make sure Top Secret r16 PTF RO95026 is applied, and set the LOG control option to log TSS commands to SMF and/or the audit file (ATF).

LOG(CMDS) for SMF
LOG(CMDA) for the ATF
LOG(CMDS,CMDA) for both SMF and ATF

Run TSSUTIL with REPORT CLASS(O) ACID(ADMACID) to get the commands issued by ACID ADMACID.

If you need separate auditing for acid1, acid2, etc., you can create a different SCA ACID for each, with the AUDIT attribute and FOR(xx) or UNTIL(...) so that the ACID will expire.
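
A batch job of the kind described above, as acid1 might submit it once the TSS PER(acid1) ACID(ADMACID) permit is in place. This is an added example, not part of the original article. The job name, accounting field, job classes and the sample TSS LIST command are assumptions to replace with site values and with the administrative command actually required.

```jcl
//TMPADMIN JOB (ACCT),'TEMP TSS ADMIN',CLASS=A,MSGCLASS=X,
//         USER=ADMACID
//*
//* Submitted by acid1. No PASSWORD= is coded on the jobcard:
//* the cross-authorization TSS PER(acid1) ACID(ADMACID) is what
//* allows acid1 to run work under ADMACID.
//* ADMACID needs FAC(BATCH) for this job to start.
//*
//* Because ADMACID has the AUDIT attribute and LOG(CMDS) and/or
//* LOG(CMDA) is set, the TSS command below is recorded and shows
//* up in TSSUTIL REPORT CLASS(O) ACID(ADMACID).
//*
//* Once FOR(7) has expired, the job fails at sign-on for ADMACID,
//* which ends the temporary administration window.
//*
//TSSCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  TSS LIST(acid1) DATA(BASIC)
/*
```

Keep the job output: SYSTSPRT holds the command responses, and the job log shows which user submitted the job, which is what ties a command logged under ADMACID back to acid1, acid2 or acid3 when they share the one admin ACID.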