Converting SDSF ISFPARMS security to Top Secret: hints and tips to ease migration.
Release : 16.0
Recommendations to help ease the migration:
After running the IBM conversion utility (documented in the z/OS IBM SDSF Conversion Guide) to convert ISFPARMS to RACF commands, the resulting RACF commands still need to be converted to TSS commands.
1. RDEFINE commands need to be converted to TSS ADD commands that own the SDSF resources at the highest level possible:
RDEFINE SDSF GROUP.ABCD UACC(NONE)
RDEFINE SDSF GROUP.EFGH UACC(NONE)
RDEFINE SDSF GROUP.IJKL UACC(NONE)
RDEFINE SDSF ISF.ABCD UACC(NONE)
RDEFINE SDSF ISF.EFGH UACC(NONE)
RDEFINE SDSF ISF.IJKL UACC(NONE)
can be converted into two TSS commands:
TSS ADD(owningacid) SDSF(GROUP.)
TSS ADD(owningacid) SDSF(ISF.)
This will define all SDSF resources that start with the strings 'GROUP.' and 'ISF.' as protected in Top Secret.
If you receive the error message:
TSS0351E SPECIFY "UNDERCUT" TO TRANSFER OWN
for the TSS ADD command, please see knowledge document TSS0351E SPECIFY "UNDERCUT" TO TRANSFER OWNERSHIP for details on resolving the error message.
2. Use generic prefixing when appropriate for PERMIT commands:
PERMIT GROUP.ABCD CLASS(SDSF) ACCESS(READ)
PERMIT GROUP.EFGH CLASS(SDSF) ACCESS(READ)
PERMIT GROUP.IJKL CLASS(SDSF) ACCESS(READ)
PERMIT ISF.ABCD CLASS(SDSF) ACCESS(READ)
PERMIT ISF.EFGH CLASS(SDSF) ACCESS(READ)
PERMIT ISF.IJKL CLASS(SDSF) ACCESS(READ)
can be converted into two TSS commands:
TSS PERMIT(acid) SDSF(GROUP.) ACCESS(READ)
TSS PERMIT(acid) SDSF(ISF.) ACCESS(READ)
which will give the user access to all SDSF resources that start with 'GROUP.' or 'ISF.'.
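As an added example (not part of this document or of the IBM conversion utility), the following Python script applies the prefixing of steps 1 and 2 to RACF RDEFINE/PERMIT output. The owner and acid names are placeholders, and it collapses PERMITs to a prefix only when every resource under that prefix is granted the same access level, so the generic never widens access.

```python
"""Collapse RACF SDSF RDEFINE/PERMIT commands into prefixed TSS commands."""
import re
from collections import defaultdict

RDEFINE_RE = re.compile(r"^RDEFINE\s+SDSF\s+(\S+)\s+UACC\(NONE\)\s*$", re.I)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\(SDSF\)(?:\s+ID\((\S+)\))?\s+ACCESS\((\S+)\)\s*$",
    re.I)


def prefix_of(resource):
    """Highest-level generic prefix: text up to and including the first '.'.
    A resource with no '.' cannot be prefixed and is returned unchanged."""
    head, dot, _ = resource.partition(".")
    return head + dot if dot else resource


def convert(racf_lines, owner="owningacid", default_acid="acid"):
    """Return TSS commands for a list of RACF RDEFINE/PERMIT lines.

    RDEFINEs sharing a prefix become one TSS ADD of the prefix.  PERMITs
    sharing (acid, prefix) become one TSS PERMIT of the prefix only when
    every member grants the same access level; mixed levels are emitted
    one per resource, because a generic prefix would widen access.
    'owningacid' and 'acid' are placeholders, as in the document above."""
    adds = {}                    # prefix -> None (keeps insertion order)
    permits = defaultdict(list)  # (acid, prefix) -> [(resource, access)]
    for line in racf_lines:
        m = RDEFINE_RE.match(line.strip())
        if m:
            adds[prefix_of(m.group(1).upper())] = None
            continue
        m = PERMIT_RE.match(line.strip())
        if m:
            res = m.group(1).upper()
            acid = m.group(2) or default_acid
            permits[(acid, prefix_of(res))].append((res, m.group(3).upper()))
    out = [f"TSS ADD({owner}) SDSF({p})" for p in adds]
    for (acid, pfx), members in permits.items():
        levels = {a for _, a in members}
        if len(levels) == 1:
            out.append(f"TSS PERMIT({acid}) SDSF({pfx}) ACCESS({levels.pop()})")
        else:
            out.extend(f"TSS PERMIT({acid}) SDSF({r}) ACCESS({a})" for r, a in members)
    return out


if __name__ == "__main__":
    # Constructed sample: the six RDEFINEs and six PERMITs shown above.
    sample = [f"RDEFINE SDSF {p}.{s} UACC(NONE)" for p in ("GROUP", "ISF") for s in ("ABCD", "EFGH", "IJKL")]
    sample += [f"PERMIT {p}.{s} CLASS(SDSF) ACCESS(READ)" for p in ("GROUP", "ISF") for s in ("ABCD", "EFGH", "IJKL")]
    print("\n".join(convert(sample)))
```

Review the output against your site's policy (step 6) before running it; anything emitted per-resource is a prefix that could not be collapsed safely.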
3. Use the existing PROFILEs for regular TSO users, systems programmers/administrators, auditors and operators to PERMIT the various SDSF resources appropriately. This saves you from creating new PROFILEs, PERMITing them to the SDSF resources and assigning them to the acids.
4. The "z/OS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) ADDENDUM Version 6, Release 52 27 January 2022 Developed by DISA for the DoD", starting on page 135, makes recommendations on which type of user should be authorized to the various SDSF resources. Try to map its "User Groups" to existing PROFILEs on your system. For "User Groups" that don't map to an existing PROFILE, create a new PROFILE and add the resources recommended by the STIG:
TSS CREATE(USRGRPA) TYPE(PROFILE) NAME('USER GROUP A') DEPT(department)
TSS PERMIT(USRGRPA) SDSF(resource) ACCESS(level) for each of the resources recommended by the STIG.
Then add to the appropriate users:
TSS ADD(USEREA) PROFILE(USRGRPA)
5. Please refer to the z/OS IBM SDSF Conversion Guide for more details and information about the IBM ISFPARMs to RACF conversion utility and the various SDSF resources.
6. Converted commands should be reviewed to confirm that they meet your site's security policies.
7. The ISFPARMs Conversion Utility will not convert the GROUPs. The GROUPs will need to be manually added to TSS:
TSS ADD(owningacid) SDSF(GROUP)
TSS PER(user_acid or profile_acid) SDSF(GROUP) ACC(ALL)
otherwise, the following error message will be received at sign on to SDSF:
ISF024I USER TSHXC NOT AUTHORIZED TO SDSF, NO GROUP ASSIGNMENT
Please see SDSF External Security with Top Secret for z/OS 2.5 Knowledge Document for additional information.