Restrict to READ ACCESS Temporarily For All Users

Article ID: 35809

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

 

Issue

We have a need to temporarily restrict users to READ only access to DATACOM resources to which they normally have UPDATE access.

They have thousands of users, and the users do not all share a common PROFILE.

What is the easiest administrative option they have to do this quickly?

 

Environment: 

- z/OS

 

Resolution

 

Create a PROFILE that temporarily restricts access to the DATACOM resources to READ only, and use a user-written program to generate the TSS commands that add the PROFILE as the first PROFILE for all your users and later remove it.

 

1. Your site must be using the CA Top Secret control option AUTH(OVERRIDE,ALLOVER). Use the TSS MODIFY STATUS command to determine the AUTH control option setting.

2. Create a PROFILE with the PERMITs that restrict access to those DATACOM resources to READ only.

3. After creating the PROFILE, you will need to add the PROFILE to each of your users as the first PROFILE in the list with the following command:

TSS ADD(USERA) PROFILE(PROFA) FIRST

USERA is a user ACID. PROFA is the PROFILE you created that restricts access to the DATACOM resources to READ.

 

The user program will generate the following pair of commands for each of your users:

TSS ADD(xxxxxxx) PROFILE(PROFA) FIRST

TSS REMOVE(xxxxxxxx) PROFILE(PROFA)

The process would go something like the following:

1. Run a TSSCMNDB batch job to list out your acids with the following commands:

TSS LIST(ACIDS) DATA(NAMES) TYPE(USER)
TSS LIST(ACIDS) DATA(NAMES) TYPE(SCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(LSCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(DCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(VCA)
TSS LIST(ACIDS) DATA(NAMES) TYPE(ZCA)

CA Top Secret has many types of ACIDs, such as PROFILE ACIDs, DEPT ACIDs, ZONE ACIDs, DIVISION ACIDs and special ACIDs.

The above commands list only the regular user and administrator type ACIDs.

 

2. Take the output generated by the TSSCMNDB job and convert it to a text file so it can be used as input to a program written in a programming language running on a different platform.

 

3. Your program will create a:

TSS ADD(xxxxxxx) PROFILE(PROFA) FIRST

to add the PROFILE and:

TSS REMOVE(xxxxxxxx) PROFILE(PROFA)

to remove the PROFILE for each user in the text file.

 

4. Then, you will have to transfer that text file back to the mainframe, wrap TSSCMNDB JCL around it and submit it.
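
One way to write the user program from steps 2 and 3, as an added example that is not part of the original article or CA's own code. The `ACCESSORID = name` line layout, the name-validation pattern, the sample listing and the `exclude` parameter are assumptions; adjust them to your own converted TSSCMNDB output.

```python
import re

# Assumed line layout of the converted TSS LIST(ACIDS) DATA(NAMES) output;
# adjust the pattern to match your own listing.
ACID_LINE = re.compile(r"ACCESSORID\s*=\s*(\S+)")
# Assumed conservative name check: 1-8 alphanumeric or national characters.
VALID_NAME = re.compile(r"[A-Z0-9@#$]{1,8}")

# Constructed sample listing (not real output).
SAMPLE_LISTING = """\
(constructed job header line)
ACCESSORID = USERA     NAME       = ALICE EXAMPLE
ACCESSORID = USERB     NAME       = BOB EXAMPLE
ACCESSORID = ADMIN01   NAME       = SECURITY ADMIN
ACCESSORID = USERA     NAME       = ALICE EXAMPLE
ACCESSORID = BAD)NAME  NAME       = MALFORMED ENTRY
"""

def parse_acids(listing, exclude=()):
    """Return (acids, rejected): unique valid ACIDs in listing order, plus
    names that failed validation and need a manual look."""
    skip = {name.upper() for name in exclude}
    seen, acids, rejected = set(), [], []
    for line in listing.splitlines():
        match = ACID_LINE.search(line)
        if not match:
            continue  # header, message or blank line
        acid = match.group(1).upper()
        if not VALID_NAME.fullmatch(acid):
            rejected.append(acid)  # never turn unvalidated text into a command
        elif acid not in skip and acid not in seen:
            seen.add(acid)
            acids.append(acid)
    return acids, rejected

def build_commands(acids, profile):
    """Return the ADD ... FIRST list and the matching REMOVE list."""
    if not VALID_NAME.fullmatch(profile):
        raise ValueError(f"unexpected PROFILE name: {profile!r}")
    adds = [f"TSS ADD({a}) PROFILE({profile}) FIRST" for a in acids]
    removes = [f"TSS REMOVE({a}) PROFILE({profile})" for a in acids]
    return adds, removes

if __name__ == "__main__":
    # exclude is a hypothetical hook for ACIDs that must keep UPDATE access.
    acids, rejected = parse_acids(SAMPLE_LISTING, exclude=("ADMIN01",))
    adds, removes = build_commands(acids, "PROFA")
    print("\n".join(adds), "\n".join(removes), sep="\n\n")
    print("rejected, review by hand:", rejected)
```

Keeping the ADD and REMOVE lists separate lets the restriction and its later rollback be submitted as two distinct TSSCMNDB jobs built from the same ACID list.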

 

Additional Information:  

Please refer to the CA Top Secret documentation for more details about the TSS ADD, TSS REMOVE, PROFILE and FIRST keywords.

 

Communities, external references, etc.

CA Top Secret documentation is located at https://docops.ca.com//pages/viewpage.action?pageId=288998254

 

 

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: