Description:
CA ACF2 TSO command limiting allows a site to enhance security in the TSO environment by implementing TSO command restrictions for individual logonids or globally for a site. CA ACF2 logonid fields, C(GSO) TSO parameters and a command limiting module are used to implement CA ACF2 TSO command limiting. CA ACF2 commands can be used to determine if CA ACF2 command limiting is in effect.
Component: ACF2MS
The CA ACF2 TSO restricted commands list contains the commands that a user is authorized to use. A command list defines the available TSO commands for an individual user or for your entire site. Command limiting applies to TSO commands entered under READY mode or under ISPF.
CA ACF2 TSO command lists can be specified for individual logonids or globally.
To activate this feature for an individual, use the TSOCMDS field of the logonid record; to activate it for your entire site, use the CMDLIST field of the C(GSO) record named TSO. If you do not specify a system-wide default and leave the TSOCMDS field blank, TSO operates without CA-ACF2 command limiting.
To check whether CA ACF2 TSO command limiting is in use, do the following.
To list the logonids that have a TSOCMDS value:
ACF
SET TERSE
LIST LIKE(-) IF(TSOCMDS > ' ')
To display the global setting:
ACF
SHOW TSO
Look for "TSO CMD LIST= ", which specifies the command list module being used, or "NONE" if there is no global command list.
CA ACF2 first checks the logonid record for a TSO command list (TSOCMDS field). If no TSOCMDS is specified, CA ACF2 then checks the C(GSO) TSO record (CMDLIST parameter). If both the user's TSOCMDS field and the global C(GSO) TSO CMDLIST parameter are blank, users are not restricted or limited in their TSO commands.
In a LOGONID record the TSOCMDS and ALLCMDS parameters can be used with TSO command limiting:
TSOCMDS(module)
Specifies the name of a TSO command list module that contains the list of commands that this user is authorized to use. You cannot mask this field. Command limiting is effective for all logonids including privileged ones. It takes place in all modes with the exception of QUIET. (Eight characters)
ALLCMDS|NOALLCMDS
Indicates the ability to bypass the CA ACF2 restricted command lists by entering a special prefix character. The ALLCMDS works in conjunction with the C(GSO) TSO BYPASS character parameter.
In the C(GSO) TSO record there are the CMDLIST and BYPASS parameters:
CMDLIST(moduleid)
Specifies the default TSO command limiting list. If you specify a module, no users, even privileged logonids, can run without the command list present in a link list library. This field is optional and has no default. It is effective in all modes with the exception of QUIET.
BYPASS(#|character)
Defines the TSO command list bypass character. The default value is a pound sign (#).
The restricted commands list module is defined using the $TSOCST, $TSOCEND, and $TSOCMD macros, which can be found in the ACF2 CAI.CAIMAC library. The restricted commands lists are link-edited with the RENT attribute into a library in the system link list. The module name of the restricted command list can be specified in the logonid TSOCMDS field or the CA ACF2 GSO TSO CMDLIST parameter. A sample TSO command list can be found in the CAI.CAX1MAC0 member ACF$CMDS.
Sample JCL:
//ASM EXEC PGM=ASMA90,PARM='DECK',REGION=4096K
//SYSLIB DD DISP=SHR,DSN=SYS1.MODGEN
// DD DISP=SHR,DSN=SYS1.MACLIB
// DD DISP=SHR,DSN=SECMF.ACFR16.CAX1MAC0
//SYSUT1 DD UNIT=VIO,SPACE=(1700,(1200,300))
//SYSUT2 DD UNIT=VIO,SPACE=(1700,(1200,300))
//SYSUT3 DD UNIT=VIO,SPACE=(1700,(1200,300))
//SYSLIN DD DUMMY
//SYSPRINT DD SYSOUT=*
//SYSTERM DD SYSOUT=*
//SYSPUNCH DD DSN=&&TEMP,DISP=(,PASS),SPACE=(CYL,(1,1)),
// UNIT=SYSDA
//SYSIN DD DSN=your.ACFR16.CAX1MAC0(ACF$CMDS),DISP=SHR
/*
//S2 EXEC PGM=IEWL,PARM='NCAL,LET,MAP,LIST,XREF,RENT'
//SYSPRINT DD SYSOUT=*
//SYSPUNCH DD DISP=(OLD,PASS),DSN=&&TEMP
//SYSUT1 DD UNIT=DISK,SPACE=(CYL,10)
//SYSLMOD DD DSN=your.ACF2R16.LINKLST,DISP=SHR
//SYSIN DD DUMMY
//SYSLIN DD *
 INCLUDE SYSPUNCH
 NAME TSOCMDMO(R)
//
Notes:
- your.ACFR16.CAX1MAC0(ACF$CMDS): the library that contains your modified copy of the sample TSO command list member ACF$CMDS.
- your.ACF2R16.LINKLST: a LINKLIST library that your modified TSO command list module will be linked into.
- TSOCMDMO: the TSO command limiting module that is specified in a logonid TSOCMDS(module) field.
When new entries are added to a command list, the user must log off and log back on to the system to see the new table entries.
After new entries are added to the command list, an LLA refresh is required.
Sample ACF$CMDS member:
$CMDS    TITLE 'A C F 2 --> STANDARD TSO COMMAND LIST ***'
*
*
* LICENSE:
*
* THIS IS A PART OF THE ACF2 SYSTEM.
* Copyright (c) 2015 CA, INC. All rights reserved.
*
*
ACF$CMDS CSECT
         $TSOCST ,
         $TSOCMD ACF
         $TSOCMD ACFCOMP
         $TSOCMD ACFDEL
         $TSOCMD (ACFN,ACFNRULE)
         $TSOCMD ACFSUB
         $TSOCMD ACCOUNT
         $TSOCMD ALLOCATE
         $TSOCMD (ATTRIB,ATTR)
         $TSOCMD (ALTER,DEFINE,DEF,DELETE,DEL,EXPORT,IMPORT)
         $TSOCMD (PRINT,REPRO,VERIFY,VFY)
         $TSOCMD CNVTCAT
         $TSOCMD FMNMAIN
...
         $TSOCMD WHEN
         $TSOCMD ,
         $TSOCMD ,
         $TSOCEND ,
         END
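The lookup order (logonid TSOCMDS, then C(GSO) TSO CMDLIST), the ALLCMDS/BYPASS rule, and the $TSOCMD layout of the sample member, combined in an added audit example in Python; it is not CA code and not part of the original article. The dictionaries, logonid names, and member excerpt are constructed, and how logonid and GSO values get exported into them is an assumption.

```python
import re

# Constructed excerpt in the style of the ACF$CMDS member above.
SAMPLE_MEMBER = """\
ACF$CMDS CSECT
         $TSOCST ,
         $TSOCMD ACF
         $TSOCMD (ATTRIB,ATTR)
         $TSOCMD ,
         $TSOCEND ,
"""

def parse_cmdlist(source):
    """Return the command names coded on $TSOCMD statements."""
    names = []
    for line in source.splitlines():
        m = re.match(r"\s*\$TSOCMD\s+(\S+)", line)
        if not m or m.group(1) == ",":
            continue  # comment, other statement, or '$TSOCMD ,' (no name)
        # Each name inside a parenthesised group is reported separately.
        names += [n for n in m.group(1).strip("()").split(",") if n]
    return names

def effective_module(lid, gso):
    """Logonid TSOCMDS first, then GSO TSO CMDLIST, else None (unrestricted)."""
    return lid.get("TSOCMDS") or gso.get("CMDLIST") or None

def audit(logonids, gso, mode="ABORT"):
    """Flag logonids whose TSO commands are unrestricted or bypassable."""
    findings = []
    for name, lid in sorted(logonids.items()):
        module = effective_module(lid, gso)
        if mode == "QUIET":  # command limiting is not effective in QUIET mode
            findings.append((name, "not limited: QUIET mode"))
        elif module is None:
            findings.append((name, "not limited: no TSOCMDS, no GSO CMDLIST"))
        elif lid.get("ALLCMDS"):  # '#' is the documented BYPASS default
            findings.append((name, f"{module} bypassable with prefix {gso.get('BYPASS') or '#'}"))
    return findings

# Constructed values; only the field names come from the page.
GSO_TSO = {"CMDLIST": None, "BYPASS": "#"}
LOGONIDS = {
    "USER01": {"TSOCMDS": "TSOCMDMO", "ALLCMDS": False},
    "USER02": {"TSOCMDS": "TSOCMDMO", "ALLCMDS": True},
    "USER03": {"TSOCMDS": None, "ALLCMDS": False},
}

if __name__ == "__main__":
    print(parse_cmdlist(SAMPLE_MEMBER), audit(LOGONIDS, GSO_TSO))
```

Running `parse_cmdlist` over the old and new versions of a command list member and comparing the results shows exactly which commands a change adds or removes before the module is relinked.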
For details regarding the TSOCMDS and ALLCMDS fields, see the CA ACF2 Administrator Guide, Chapter 3: Maintaining Logonid Records, section "Logonid Record Fields".
For details regarding the GSO TSO CMDLIST and BYPASS parameters, see the CA ACF2 Administrator Guide, Chapter 14: Maintaining Global System Options Records, section "Time-Sharing Options and Defaults (TSO)".
For details on creating TSO command lists, see the CA ACF2 System Programmer Guide, section "eTrust CA-ACF2 TSO Facilities", sub-section "Restricting TSO Commands".