How To Audit ALT-ACID Resource Class?


Article ID: 51197


Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Question:

 

How can the ALT-ACID resource class, which is used for acid cross-authorization, be audited?

TSS ADD(AUDIT) ALT-ACID(acid) is accepted, but nothing is audited.

 

Answer:

 

Here is the way to audit cross-authorization:

  1. Set the LOG(ACCESS) control option on the submitting facility.

  2. Set the AUDIT attribute on the submitting facility.

  3. Set the AUDIT attribute on the submitting user.
    e.g. TSS ADD(acid) AUDIT

  4. Specify ACTION(AUDIT) on the permit granting access.
    e.g. TSS PER(ACID1) ACID(ACID2) ACTION(AUDIT)

  5. Set NORESCHK on the submitting user.
    e.g. TSS ADD(acid) NORESCHK

There are no other ways to create audit records for cross authorization checks.

In particular, there is no way (and never has been any way) to use the AUDIT record to audit these checks.

The resource class ALT-ACID simply exists to support resource checking for acid cross authorization.

Since ALT-ACID is in the RDT, issuing a PERMIT in the class or adding it to the AUDIT record is accepted as valid syntax.

The entry in the RDT allows the resource class to be used in a RACROUTE call, but such a call is treated as a request to check the acid cross-authorization, not as a resource check in the ALT-ACID resource class.

 

Additional Information: 

 

For CA Top Secret r15.0, refer to the CA Top Secret for z/OS User Guide, chapter 13, "Maintaining Special Records", section "RDT record".

 

For CA Top Secret r16.0, go to the docops.ca.com site and sign on. Choose your product, CA Top Secret for z/OS - 16.0, click the "Using" link, then the "Maintaining Special Security Records" link, then "Maintain the RDT Record" for more information about the CA Top Secret RDT.

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: