
ACF2 command limiting, benefits, how is it setup and how to determine if active


Article ID: 54064


Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Description:

CA ACF2 TSO command limiting lets a site tighten security in the TSO environment by restricting the TSO commands available to individual logonids or to the whole site. It is implemented with CA ACF2 logonid fields, C(GSO) TSO record parameters and a command limiting module. CA ACF2 commands can be used to determine whether command limiting is in effect.

Environment

Release:
Component: ACF2MS

Resolution

A CA ACF2 TSO restricted command list contains the TSO commands that a user is authorized to use. A list can apply to an individual user or to your entire site. Command limiting applies to TSO commands entered in READY mode or under ISPF.

CA ACF2 TSO command lists can be specified for individual logonids or globally.

To activate command limiting for an individual, name the list module in the TSOCMDS field of the logonid record; to activate it for your entire site, name it in the CMDLIST field of the C(GSO) record named TSO. If you do not specify a system-wide default and leave the TSOCMDS field blank, TSO operates without CA ACF2 command limiting.

To check whether CA ACF2 TSO command limiting is in use:

  1. To check whether any logonid has a command list specified in its TSOCMDS field, enter ACF from TSO and then the following subcommands at the ACF prompt:
     ACF
     SET TERSE
     LIST LIKE(-) IF(TSOCMDS > ' ')
  2. To determine whether a global command list is specified in the CA ACF2 C(GSO) TSO record, enter:
     ACF
     SHOW TSO
     Look for "TSO CMD LIST=", which names the command list module in use, or shows "NONE" if there is no global command list.
     For example: "TSO CMD LIST=NONE" or "TSO CMD LIST=SYSTCMD"

CA ACF2 first checks the logonid record for a TSO command list (the TSOCMDS field); if TSOCMDS is blank, it checks the CMDLIST parameter of the C(GSO) TSO record. If both a user's TSOCMDS field and the global C(GSO) TSO CMDLIST are blank, that user's TSO commands are not restricted.
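The resolution order above, as an added example that is not part of this article and not CA ACF2 code: a Python script that takes captured output of SHOW TSO and of a TERSE LIST LIKE(-) and reports, for each logonid, which command list module is in force and whether ALLCMDS lets that user bypass it. The "TSO CMD LIST=" line is the format given in this article; the layout assumed for the LIST output (logonid in column 1, then the name, then fields as KEYWORD(value) or KEYWORD) and the sample logonids are constructed for the example.

```python
"""Report the effective TSO command list for each ACF2 logonid.

Added example, not code from the article or from CA ACF2.  It applies the
precedence described above: a TSOCMDS module on the logonid wins, otherwise
the GSO TSO CMDLIST module applies, otherwise the user is unrestricted.
The "TSO CMD LIST=" format is from the article; the LIST layout below is an
ASSUMPTION for this example and the logonids are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of SHOW TSO output, reduced to the line that matters.
SHOW_TSO_OUTPUT = "TSO CMD LIST=SYSTCMD\n"

# Constructed sample of SET TERSE / LIST LIKE(-) output.  ASSUMED layout:
# logonid in column 1, then the name, then fields as KEYWORD(value) or KEYWORD.
LIST_OUTPUT = """\
USER01   JANE DOE      TSOCMDS(TSOCMDMO) NOALLCMDS
USER02   JOHN ROE      TSOCMDS(TSOCMDMO) ALLCMDS
OPER01   NIGHT OPS     NOALLCMDS
SYSPROG1 SYS PROG      ALLCMDS
"""

GLOBAL_RE = re.compile(r"TSO CMD LIST=\s*(\S+)")              # format from the article
TSOCMDS_RE = re.compile(r"\bTSOCMDS\(([A-Z0-9@#$]{1,8})\)")   # eight-character module name
ALLCMDS_RE = re.compile(r"\bALLCMDS\b")                       # does not match NOALLCMDS


@dataclass(frozen=True)
class Logonid:
    name: str
    tsocmds: Optional[str]   # module from the TSOCMDS field, None when the field is blank
    allcmds: bool            # ALLCMDS privilege present


@dataclass(frozen=True)
class Finding:
    logonid: str
    module: Optional[str]    # command list in force, None means no limiting at all
    source: str              # "TSOCMDS", "GSO CMDLIST" or "NONE"
    can_bypass: bool         # ALLCMDS plus a list in force: the BYPASS prefix character works


def parse_global_cmdlist(show_tso_text: str) -> Optional[str]:
    """Module named on the 'TSO CMD LIST=' line of SHOW TSO, or None for NONE/absent."""
    m = GLOBAL_RE.search(show_tso_text)
    if m is None or m.group(1).upper() == "NONE":
        return None
    return m.group(1).upper()


def parse_logonids(list_text: str) -> List[Logonid]:
    """Parse the (assumed) TERSE listing: one logonid per line, logonid in column 1."""
    records = []
    for line in list_text.splitlines():
        if not line.strip() or line[0].isspace():
            continue                      # blank or continuation line
        m = TSOCMDS_RE.search(line)
        records.append(Logonid(name=line.split()[0],
                               tsocmds=m.group(1) if m else None,
                               allcmds=bool(ALLCMDS_RE.search(line))))
    return records


def resolve(lid: Logonid, global_module: Optional[str]) -> Finding:
    """Logonid TSOCMDS first, then GSO CMDLIST, else no command limiting."""
    if lid.tsocmds:
        module, source = lid.tsocmds, "TSOCMDS"
    elif global_module:
        module, source = global_module, "GSO CMDLIST"
    else:
        module, source = None, "NONE"
    # With no list in force there is nothing for ALLCMDS to bypass.
    return Finding(lid.name, module, source, lid.allcmds and module is not None)


def audit(show_tso_text: str, list_text: str) -> List[Finding]:
    """Effective command list, by logonid, from the two captured outputs."""
    global_module = parse_global_cmdlist(show_tso_text)
    return [resolve(lid, global_module) for lid in parse_logonids(list_text)]


def command_limiting_active(show_tso_text: str, list_text: str) -> bool:
    """True when at least one listed logonid is subject to a command list."""
    return any(f.module is not None for f in audit(show_tso_text, list_text))


if __name__ == "__main__":
    for f in audit(SHOW_TSO_OUTPUT, LIST_OUTPUT):
        state = f"{f.module} via {f.source}" if f.module else "UNRESTRICTED"
        note = "   ALLCMDS: can bypass with the GSO TSO BYPASS character" if f.can_bypass else ""
        print(f"{f.logonid:<8} {state}{note}")
```

Running it against a full LIST LIKE(-) rather than the IF(TSOCMDS > ' ') subset matters: logonids with a blank TSOCMDS only show up as unrestricted when the GSO CMDLIST is NONE, and ALLCMDS is only worth flagging on logonids that actually have a list in force.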

In a LOGONID record the TSOCMDS and ALLCMDS fields are used with TSO command limiting:

TSOCMDS(module)
Specifies the name of a TSO command list module containing the list of commands this user is authorized to use. You cannot mask this field. Command limiting is effective for all logonids, including privileged ones, and takes place in all modes except QUIET. (Eight characters)

ALLCMDS|NOALLCMDS
Indicates whether the user can bypass the CA ACF2 restricted command list by entering a special prefix character in front of the command. ALLCMDS works in conjunction with the BYPASS character parameter of the C(GSO) TSO record.

In the C(GSO) TSO record, the CMDLIST and BYPASS parameters are used:

CMDLIST(moduleid)
Specifies the default TSO command limiting list. If you specify a module, it must be present in a link list library; otherwise no user, not even a privileged logonid, can run. This field is optional and has no default. It is effective in all modes except QUIET.

BYPASS(#|character)
Defines the TSO command list bypass character. The default is the pound sign (#).

A restricted command list module is coded with the $TSOCST, $TSOCEND and $TSOCMD macros, which are found in the CA ACF2 CAI.CAIMAC library. The list is assembled and link-edited with the RENT attribute into a library in the system link list. The module name of the restricted command list is then specified in the logonid TSOCMDS field or in the CA ACF2 GSO TSO CMDLIST parameter. A sample TSO command list is in member ACF$CMDS of CAI.CAX1MAC0.

Sample JCL:

//* Step 1: assemble the command list source. PARM='DECK' punches the
//*         object deck to SYSPUNCH; SYSLIB must include the CA ACF2
//*         macro library holding $TSOCST, $TSOCMD and $TSOCEND.
//ASM     EXEC PGM=ASMA90,PARM='DECK',REGION=4096K
//SYSLIB   DD  DISP=SHR,DSN=SYS1.MODGEN
//         DD  DISP=SHR,DSN=SYS1.MACLIB
//         DD  DISP=SHR,DSN=your.ACFR16.CAX1MAC0
//SYSUT1   DD  UNIT=VIO,SPACE=(1700,(1200,300))
//SYSUT2   DD  UNIT=VIO,SPACE=(1700,(1200,300))
//SYSUT3   DD  UNIT=VIO,SPACE=(1700,(1200,300))
//SYSLIN   DD  DUMMY
//SYSPRINT DD  SYSOUT=*
//SYSTERM  DD  SYSOUT=*
//SYSPUNCH DD  DSN=&&TEMP,DISP=(,PASS),SPACE=(CYL,(1,1)),
//         UNIT=SYSDA
//SYSIN    DD  DSN=your.ACFR16.CAX1MAC0(ACF$CMDS),DISP=SHR
//* Step 2: link-edit the object deck, reentrant (RENT), into a link
//*         list library under the module name given on the NAME card.
//S2       EXEC PGM=IEWL,PARM='NCAL,LET,MAP,LIST,XREF,RENT'
//SYSPRINT DD  SYSOUT=*
//SYSPUNCH DD  DISP=(OLD,PASS),DSN=&&TEMP
//SYSUT1   DD  UNIT=DISK,SPACE=(CYL,10)
//SYSLMOD  DD  DSN=your.ACF2R16.LINKLST,DISP=SHR
//SYSIN    DD  DUMMY
//SYSLIN   DD  *
 INCLUDE SYSPUNCH
 NAME    TSOCMDMO(R)
/*
//

Notes:
- your.ACFR16.CAX1MAC0 is the CA ACF2 macro library used on SYSLIB (it must contain the $TSOCST, $TSOCMD and $TSOCEND macros) and, as member ACF$CMDS, holds your modified copy of the sample TSO command list; substitute your site's data set names.
- your.ACF2R16.LINKLST is the link list library into which the modified TSO command list module is link-edited.
- TSOCMDMO is the resulting TSO command limiting module; this is the name specified in a logonid TSOCMDS(module) field or in the GSO TSO CMDLIST parameter.

After adding new entries to a command list (and re-assembling and link-editing the module), a user must log off and log back on to see the new table entries. Because the module is loaded from the link list, a library managed by LLA also needs an LLA refresh (for example, F LLA,REFRESH) before the new copy is picked up.

Sample ACF$CMDS member:

$CMDS    TITLE  'A C F 2  --> STANDARD TSO COMMAND LIST ***'
*
*
*  LICENSE:
*
*     THIS IS A PART OF THE ACF2 SYSTEM.
*     Copyright (c) 2015 CA, INC. All rights reserved.
*
*
ACF$CMDS CSECT
         $TSOCST  ,
         $TSOCMD  ACF
         $TSOCMD  ACFCOMP
         $TSOCMD  ACFDEL
         $TSOCMD  (ACFN,ACFNRULE)
         $TSOCMD  ACFSUB
         $TSOCMD  ACCOUNT
         $TSOCMD  ALLOCATE
         $TSOCMD  (ATTRIB,ATTR)
         $TSOCMD  (ALTER,DEFINE,DEF,DELETE,DEL,EXPORT,IMPORT)
         $TSOCMD  (PRINT,REPRO,VERIFY,VFY)
         $TSOCMD  CNVTCAT
         $TSOCMD  FMNMAIN

         ...

         $TSOCMD  WHEN
         $TSOCMD  ,
         $TSOCMD  ,
         $TSOCEND ,
         END
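Generating and reviewing a command list member, as an added example that is not from this article and not CA ACF2 code: a Python script that writes a member in the $TSOCST / $TSOCMD / $TSOCEND layout of the sample above from a plain list of permitted commands (alias groups as tuples), and reads the permitted commands back out of an existing member so a list can be checked before it is assembled. The rules it enforces (upper case, one to eight characters, no duplicate names, each statement ending by column 71), the CSECT name TSOCMDMO and the command names in EXAMPLE_COMMANDS are this example's assumptions; assembler continuation lines are not handled.

```python
"""Build and read back a CA ACF2 TSO command list source member.

Added example, not code from the article or from CA ACF2.  It writes the
$TSOCST / $TSOCMD / $TSOCEND layout of the sample ACF$CMDS member shown
above, and parses such a member back into its command entries so an
existing list can be reviewed.  The validation rules and the command names
are this example's ASSUMPTIONS; continuation lines (column 72) are not handled.
"""
import re
from typing import List, Sequence, Tuple, Union

VALID_NAME = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")   # ASSUMED: 1-8 chars, upper case
LAST_COLUMN = 71                                         # assembler statement end column
CMD_STMT = re.compile(r"^\s+\$TSOCMD\s+(\S+)")           # a $TSOCMD statement and its operand

Entry = Union[str, Sequence[str]]   # "NAME" or ("NAME", "ALIAS", ...)


def _stmt(op: str, operand: str) -> str:
    """One statement laid out like the sample: operation at column 10, operand at 19."""
    line = f"{'':9}{op:<9}{operand}"
    if len(line) > LAST_COLUMN:
        raise ValueError(f"statement runs past column {LAST_COLUMN}: {line!r}")
    return line


def build_cmdlist(csect: str, commands: List[Entry]) -> str:
    """Source for a command list module; each entry is a name or (name, alias, ...)."""
    if not VALID_NAME.match(csect):
        raise ValueError(f"invalid CSECT name {csect!r}")
    seen = set()
    lines = [f"{csect:<8} CSECT", _stmt("$TSOCST", ",")]
    for entry in commands:
        names = (entry,) if isinstance(entry, str) else tuple(entry)
        for n in names:
            if not VALID_NAME.match(n):
                raise ValueError(f"invalid command name {n!r}")
            if n in seen:
                raise ValueError(f"duplicate command name {n!r}")
            seen.add(n)
        operand = names[0] if len(names) == 1 else "(" + ",".join(names) + ")"
        lines.append(_stmt("$TSOCMD", operand))
    lines.append(_stmt("$TSOCEND", ","))
    lines.append(f"{'':9}END")
    return "\n".join(lines) + "\n"


def parse_cmdlist(source: str) -> List[Tuple[str, ...]]:
    """Command entries of a member; null operands ($TSOCMD  ,) are skipped."""
    entries = []
    for line in source.splitlines():
        m = CMD_STMT.match(line)
        if m is None or m.group(1) == ",":
            continue
        entries.append(tuple(m.group(1).strip("()").split(",")))
    return entries


def permitted_names(source: str) -> List[str]:
    """Flat list of every command name and alias a member permits."""
    return [n for entry in parse_cmdlist(source) for n in entry]


# Constructed example list: a small set for a restricted TSO user (ASSUMED).
EXAMPLE_COMMANDS: List[Entry] = [
    "ACF",
    "ALLOCATE",
    ("ATTRIB", "ATTR"),
    ("DELETE", "DEL"),
    ("LISTCAT", "LISTC"),
]

if __name__ == "__main__":
    src = build_cmdlist("TSOCMDMO", EXAMPLE_COMMANDS)
    print(src, end="")
    print("permits:", " ".join(permitted_names(src)))
```

Run parse_cmdlist over the site's current member before and after a change and diff the two results: the point of a restricted list is the commands it leaves out, and an alias slipped into a parenthesised group is easy to miss when reading the assembler source by eye.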

Additional Information

For details on the TSOCMDS and ALLCMDS fields, see the CA ACF2 Administrator Guide, Chapter 3: Maintaining Logonid Records, section "Logonid Record Fields".

For details on the GSO TSO CMDLIST and BYPASS parameters, see the CA ACF2 Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Time-Sharing Options and Defaults (TSO)".

For details on creating TSO command lists, see the CA ACF2 System Programmer Guide, section "eTrust CA-ACF2 TSO Facilities", sub-section "Restricting TSO Commands".