TSS7250E 136 Or TSS7220E 101 With Permitted Resource In Top Secret


Article ID: 5323


Updated On:

Products

Top Secret

Issue/Introduction

A user that has a permit for a resource receives:

TSS7250E 136 J=jobname A=acid TYPE=type RESOURCE=resource

or 

TSS7220E 101 J=jobname A=acid VOL= ACC=acc DSN=data.set.name

when trying to access that resource or dataset. The message indicates no permit was found for the resource and access is denied.

When running the Top Secret simulator (TSSSIM), the permit is found and the output shows that the user is allowed access.


Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

Check the facility to see if the NORES or RES facility control option is set. If NORES is set, this needs to be changed to RES so rules for prefixed (maskable) resources get loaded into the security record for the user. To check this, issue:

TSS MODIFY FAC(fac)

where 'fac' is the facility associated with the region/jobname. Look for the following line:

TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFCMD

To change the facility to RES, issue:

TSS MODIFY FAC(fac=RES)

The region must be recycled in order to pick up this change.

The TSS MODIFY command is only valid until the next recycle of Top Secret. To make the change permanent, add the corresponding FAC statement to the Top Secret parameter file:

FAC(fac=RES)

Additional Information

RES provides for the interpretation and recognition of maskable resources within the facility.  Some examples of maskable resource classes are: DATASET, JESSPOOL, DB2DBASE and DB2COLL.  Without RES on the facility, security checks against these resource classes will fail. To see if a resource is maskable or not, issue:

TSS LIST(RDT) RESCLASS(class) 

where 'class' is the resource class (e.g., DATASET).

NORES on a FACILITY means permits for maskable resources will not be loaded into the user's security record when the user signs on. This means that the user is not authorized even though the user has a PERMIT for the maskable resource because the permission was never loaded in storage.

NORES was used in the past to conserve storage. RES means that all permissions are loaded into storage. Since the user record is now loaded in 31-bit high private, there are no longer storage concerns when specifying RES on a facility.

TSSSIM finds the correct permit because it is not actually logging into the facility and creating a security record as defined by the facility RES/NORES Control Option.
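The check from the Resolution can be run across a log extract. The script below is an added example, not Broadcom's code: it picks out the two denial messages quoted above, looks up each job's facility, and flags denials raised under a facility whose captured TSS9552I line contains NORES. The job names, ACIDs, resources and the job-to-facility map are constructed, and the map is assumed to be supplied by the operator.

```python
import re

# Denial messages in the two layouts quoted in the article.
DENIAL = re.compile(r"TSS(?:7250E 136|7220E 101) J=(?P<job>\S+) A=(?P<acid>\S+)"
                    r".*?(?:RESOURCE|DSN)=(?P<res>\S+)")
ATTRS = re.compile(r"TSS9552I ATTRIBUTES=(\S+)")
RESCLASS = re.compile(r"TYPE=(\S+)")
# Maskable classes the article names as examples; the list is not exhaustive.
KNOWN_MASKABLE = {"DATASET", "JESSPOOL", "DB2DBASE", "DB2COLL"}

# Constructed sample data: jobs, ACIDs, resources and the map are invented.
SAMPLE_LOG = [
    "TSS7250E 136 J=CICSPRD1 A=USER01 TYPE=DB2DBASE RESOURCE=DSNDB04",
    "TSS7220E 101 J=CICSPRD1 A=USER02 VOL= ACC=READ DSN=PROD.PAYROLL.DATA",
    "TSS7220E 101 J=BATCHJ01 A=USER03 VOL= ACC=UPDATE DSN=TEST.WORK.FILE",
]
JOB_TO_FAC = {"CICSPRD1": "CICSPROD", "BATCHJ01": "BATCH"}
FAC_DISPLAYS = {
    "CICSPROD": "TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,NORES,WARNPW,NOTSOC,LCFCMD",
    "BATCH": "TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD",
}

def facility_attributes(display_text):
    """Merge attributes from every TSS9552I line (assumes there may be several)."""
    attrs = set()
    for m in ATTRS.finditer(display_text):
        attrs.update(a for a in m.group(1).split(",") if a)
    return attrs

def triage(log_lines, job_to_fac, fac_displays):
    """Denials raised under a NORES facility; maskable=None means check the RDT."""
    findings = []
    for line in log_lines:
        m = DENIAL.search(line)
        fac = job_to_fac.get(m["job"]) if m else None
        if fac not in fac_displays:
            continue  # not a denial, or facility unknown / not captured
        if "NORES" not in facility_attributes(fac_displays[fac]):
            continue  # exact token match; this facility is not NORES
        t = RESCLASS.search(line)
        rclass = t.group(1) if t else "DATASET"  # TSS7220E carries a DSN
        findings.append({
            "job": m["job"], "acid": m["acid"], "class": rclass,
            "resource": m["res"], "facility": fac,
            "maskable": True if rclass in KNOWN_MASKABLE else None,
            "modify": f"TSS MODIFY FAC({fac}=RES)",
            "parmfile": f"FAC({fac}=RES)",
        })
    return findings
```

A finding is a lead, not proof: confirm the class with TSS LIST(RDT) RESCLASS(class) before changing the facility, and remember that the region must be recycled after the MODIFY.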