CPSMOBJ, CPSMXMP, and GCMPMOBJ resource class questions.
According the the Implementation:CICS Guide, the CPSMOBJ, CPSMXMP, and GCMPMOBJ resource class IDs should be defined using a command of the following form -
TSS ADDTO(RDT) RESCLASS9resource-class-ID-8) rescode(resource-code-3) ACLST(ALL,UPDATE,CONTROL,READ,NONE) DEFACC(READ)
However, this generates an RDT entry as follows -
RESOURCE CLASS = CPSMOBJ
RESOURCE CODE = X'032'
ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(008),ACCESS
ACCESS = ALL(FFFF),UPDATE(8000),READ(4000),CONTROL(0400)
ACCESS = NONE(0000)
DEFACC = READ
However, according to IBM Publication SA23-2288-02 z/OS Security Server RACF Macros and Interfaces, the maximum length should be forty-four (44) for resource class IDs CPSMOBJ and CPSMXMP, and two hundred and forty-six (246) for resource class ID GCPSMOBJ.
In addition, the specification of ACLST(...,UPDATE,...) generates a bitmask for access level ID UPDATE of "8000". I believe that the command should specify "UPDATE=6000".
In addition, all three (3) resource class IDs should have associated POSIT(nnnn) settings.
I also question the lack of ATTR(MASK) for these resource class IDs.
Documentation will be corrected to increase the MAXPERMIT to 44.
ACLST should be 8000 for UPDATE and not 6000.
The MASK/NOMASK setting is based on IBM's requirements and not CA Top Secret's.
At this time we do not know of any need for the POSIT number on those resource classes. If needed in the future we would need to add it. No need to update the doc for POSIT. As for the maxlen, we should add maxlen parm for the three classes:
CPSMOBJ maxlen = 44
CPSMXMP maxlen = 44
GCPSMOBJ maxlen = 57
As for the resource access levels, we are using the standard IBM access levels for these classes.