Converting SDSF ISFPARMs security to using Top Secret hints and tips to ease migration.

Release : 16.0

Component :

Recommendations to help ease the migration:

After running the IBM conversion utility to convert ISFPARMS to RACF commands needs to be converted to TSS commands which is documented at z/OS IBM SDSF Conversion Guide.

1. RDEFINE commands need to be converted to TSS ADD commands to own SDSF resource at the highest level as possible:

Example:

RACF commands

RDEFINE SDSF GROUP.ABCD UACC(NONE)
RDEFINE SDSF GROUP.EFGH UACC(NONE)
RDEFINE SDSF GROUP.IJKL UACC(NONE)
...
RDEFINE SDSF ISF.ABCD UACC(NONE)
RDEFINE SDSF ISF.EFGH UACC(NONE)
RDEFINE SDSF ISF.IJKL UACC(NONE)
...

can be converted into two TSS commands:

TSS ADD(owningacid) SDSF(GROUP.)
TSS ADD(owningacid) SDSF(ISF.)

This will define all SDSF resources that start with string GROUP and ISF as protected in Top Secret.

If you receive error message:

TSS0351E SPECIFY "UNDERCUT" TO TRANSFER OWN

for the TSS ADD command, please see Article 130857 TSS0351E SPECIFY "UNDERCUT" TO TRANSFER OWNERSHIP  for details on resolving the error message.

2. Use generic prefixing when appropriate for PERMIT commands:

Example:

RACF commands:

PERMIT GROUP.ABCD CLASS(SDSF) ACCESS(READ)
PERMIT GROUP.EFGH CLASS(SDSF) ACCESS(READ)
PERMIT GROUP.IJKL CLASS(SDSF) ACCESS(READ)
...
PERMIT ISF.ABCD CLASS(SDSF) ACCESS(READ)
PERMIT ISF.EFGH CLASS(SDSF) ACCESS(READ)
PERMIT ISF.IJKL CLASS(SDSF) ACCESS(READ)
...

Can be converted into two TSS commands:

TSS PERMIT(acid) SDSF(GROUP.) ACCES(READ)
TSS PERMIT(acid) SDSF(ISF.) ACCES(READ)

which will give user access to all SDSF resources that start with 'GROUP.' and 'ISF.'. 

3. Use existing PROFILEs used for regular TSO users, systems programmers/administrators, auditors and operators to PERMIT the various SDSF resources appropriately. This will save you from creating new PROFILEs, PERMITing the PROFILEs appropriately to the SDSF resources and assigning the PROFILEs to the acids.

4, See "Table 11-26: SDSF SAF Resources" of the "z/OS SECURITY TECHNICAL IMPLEMENTATION GUIDE(STIG) ADDENDUM" makes recommendations on what type of user should be authorized to the various SDSF resources. Try to map the "User Groups" to existing PROFILEs on your system. For "User Groups" that dont map to an existing PROFILE, please create a new PROFILE and add the resources recommeneded by the article.

TSS CREATE(USRGRPA) TYPE(PROFILE) NAME('USER GROUP A') DEPT(department) 

TSS PERMIT(USRGRPA) to the various resources recommended by the article.

Then add to the appropriate users:

TSS ADD(USEREA) PROFILE(USRGRPA)

5. Please refer to the z/OS IBM SDSF Conversion Guide for more details and information about the IBM ISFPARMs to RACF conversion utility and the various SDSF resources.

6. Converted commands should be reviewed to confirm that they meet your site's security policies.

7. The ISFPARMs Conversion Utility will not convert the GROUPs. The GROUPs will need to be manually added to TSS:

TSS ADD(owningacid) SDSF(GROUP)
TSS PER(user_acid or profile_acid) SDSF(GROUP) ACC(ALL)

otherwise, the following error message will be received at sign on to SDSF:

ISF024I USER TSHXC NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT

For additional information, please see Article 135024 SDSF External Security with Top Secret for z/OS 2.5 Knowledge Document.