Question:
Is it possible to restrict an SCA with ACID(MAINTAIN) or MISC8(PWMAINT) from resetting the password for the MSCA ACID?
Answer:
Prior to CA Top Secret R15, any SCA with ACID(MAINTAIN) or MISC8(PWMAINT) could reset the MSCA password. There was no way to limit this.
In CA Top Secret R15 and above, to set a new password for the MSCA (using ADDTO or REPLACE), an SCA must have UPDATE access to entity TSSCMD.USER.cmd.MSCAPW in the CASECAUT resource class, where cmd is the command being issued. This authority is required even if the administrator already has ACID(MAINTAIN) or MISC8(PWMAINT) authority. To grant this access:
TSS ADD(dept) CASECAUT(TSSCMD.USER.cmd.MSCAPW)     (if not already owned)
TSS PERMIT(scaacid) CASECAUT(TSSCMD.USER.cmd.MSCAPW) ACCESS(UPDATE)
where 'cmd' is the command being issued (ADDTO or REPLACE).
Additional Information:
Please see the CA Top Secret R15 Command Functions and User Guides for more information on the CASECAUT resource class.