Restrict SCA From Resetting MSCA Password?

Article ID: 53397

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services Datacom/AD CA ecoMeter Server Component FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA On Demand Portal CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Question:

Is it possible to restrict an SCA with ACID(MAINTAIN) or MISC8(PWMAINT) from resetting the password for the MSCA ACID?

Answer:

Prior to CA Top Secret R15, any SCA with ACID(MAINTAIN) or MISC8(PWMAINT) could reset the MSCA password. There was no way to limit this.

In CA Top Secret R15 and above, to set a new password for the MSCA (using ADDTO or REPLACE), an SCA must have UPDATE access to the entity TSSCMD.USER.cmd.MSCAPW in the CASECAUT resource class, where cmd is the command being issued. This authority is required even if the administrator already has ACID(MAINTAIN) or MISC8(PWMAINT) authority. To grant this access:

TSS ADD(dept) CASECAUT(TSSCMD.USER.cmd.MSCAPW)   if not already owned

TSS PERMIT(scaacid) CASECAUT(TSSCMD.USER.cmd.MSCAPW) ACCESS(UPDATE)

where 'cmd' is the command being issued (ADDTO or REPLACE).

Additional Information:

Please see the CA Top Secret R15 Command Functions and User Guides for more information on the CASECAUT resource class.

Environment

Release: TOPSEC00200-15-Top Secret-Security