CASECAUT Permission Versus DATA() Admin Authorities when running a TSSCFILE.

Article ID: 48539


Updated On:

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

Description:

How can you explain that an SCA without any admin authorities would be allowed to run a TSSCFILE?
Can you explain the TSSCFILE return codes?

Solution:

General discussion:

The CASECAUT(TSSUTILITY.TSSCFILE) ACCESS(USE) permission replaces the need for the user to have the ACID(REPORT) and RESOURCE(REPORT) admin authorities in order to run TSSCFILE.

If neither these authorities nor the equivalent CASECAUT permission is present, the error message is:

TSS8017E INSUFFICIENT REPORT AUTHORITY

However, while that permission is enough to run TSSCFILE, the user also needs sufficient authority to issue the commands that TSSCFILE runs.

As these are normally LIST(ACIDS) commands, that essentially means having one or more DATA(...) authorities. It is not necessary to have DATA(ALL), as the LIST command will return whatever fields the user actually has the authority to list, but at least one DATA authority must be present. CASECAUT cannot substitute for DATA authorities.

Be aware that if a user with less scope than an SCA and with less DATA authority than DATA(ALL) issues the command, the results returned will only be for the users within his scope and will only be the fields he has authority for. There will be no indication that the results are less than what was requested.

In other words, there are 2 checks here for administrative authority. TSSCFILE checks for the authority to run TSSCFILE, and this is the authority that can be replaced by the CASECAUT permission. Each command issued is then passed to the TSS address space, where it is processed just as it would be if the user issued the command directly (rather than through TSSCFILE). For a user with no administrative authority, all of the commands will fail. The check for the DATA authorities available to the user is the one that can't be replaced by a CASECAUT permission.

Since there is no way to substitute for DATA authorities using CASECAUT and the error message issued indicates the user has enough authority to run TSSCFILE but not enough to issue the LIST command, this is working as designed.

RO50700 discussion:

Prior to that maintenance, the return code of the commands issued from TSSCFILE had no effect on the return code for TSSCFILE. So if a user didn't have enough authority to run TSSCFILE, the program would end with RC=8. If the user did have enough authority to run TSSCFILE but no additional authority, each command would fail but TSSCFILE would end with RC=0. Technically, the SCA with no authority can run TSSCFILE but can't actually get any output from the LIST commands.

After RO50700, all the commands failing results in TSSCFILE also getting a non-zero return code. While there actually isn't any difference in the output produced, it is now clear that the CASECAUT permission did not allow TSSCFILE to produce the desired output.

Keep in mind that if the user has something like DATA(BASIC) rather than DATA(ALL), TSSCFILE will end in RC=0 even after RO50700, but the TSSCFILE output will not have the same information that would be present if the user had DATA(ALL). RC=0 in that case means that the LIST command successfully listed all of the data that the user has enough authority to see.
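The two checks and the return-code behaviour described above can be turned into a preflight test that flags extracts likely to be silently incomplete. This is an added example, not Broadcom code: the ACID profile dict layout, the function names and the sample values are hypothetical, and it assumes a DATA keyword on a LIST card needs the DATA admin authority of the same name.

```python
import re

def requested_data(card):
    """DATA(...) keywords on one TSS LIST control card, e.g. {'BASIC', 'PROFILES'}."""
    m = re.search(r"\bDATA\(([^)]*)\)", card.upper())
    return {k.strip() for k in m.group(1).split(",") if k.strip()} if m else set()

def preflight(acid, cards, post_ro50700=True):
    """Predict the TSSCFILE outcome for an ACID profile (hypothetical dict layout)."""
    # Check 1 (made by TSSCFILE): ACID(REPORT) and RESOURCE(REPORT), or the
    # CASECAUT(TSSUTILITY.TSSCFILE) ACCESS(USE) permission in their place.
    report = ("REPORT" in acid.get("acid_auth", ())
              and "REPORT" in acid.get("resource_auth", ()))
    if not (report or acid.get("casecaut_tsscfile_use", False)):
        return {"rc": "8", "note": "TSS8017E INSUFFICIENT REPORT AUTHORITY", "gaps": {}}
    # Check 2 (made per command in the TSS address space): DATA authorities.
    # CASECAUT cannot stand in for these.
    held = {d.upper() for d in acid.get("data_auth", ())}
    if not held:
        # Before RO50700 the failing commands did not affect the job's RC.
        rc = "non-zero" if post_ro50700 else "0"
        return {"rc": rc, "note": "every LIST command fails; no output", "gaps": {}}
    gaps = {}
    if "ALL" not in held:
        for card in cards:
            # Assumption: keyword names match DATA authority names one-to-one.
            missing = requested_data(card) - held
            if missing:
                gaps[card] = sorted(missing)
    # A non-SCA ACID also gets only the ACIDs in its scope, with no indication.
    complete = not gaps and acid.get("is_sca", False)
    note = "complete" if complete else "RC=0 but output may be partial"
    return {"rc": "0", "note": note, "gaps": gaps}

# Constructed sample input: one control card and three ACID profiles.
CARDS = ["TSS LIST(ACIDS) DATA(ALL)"]
PROFILES = {
    "NOAUTH": {"is_sca": True},
    "RUNONLY": {"is_sca": True, "casecaut_tsscfile_use": True},
    "AUDITOR": {"casecaut_tsscfile_use": True, "data_auth": ["BASIC"]},
}

if __name__ == "__main__":
    for name, profile in PROFILES.items():
        print(name, preflight(profile, CARDS))
```
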

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: