In CA Top Secret Security for z/OS r15.0, is there a complete list of all the Resources that can be controlled with the CASECAUT Class?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is a complete list of the current CASECAUT Resource Classes, that are currently available. Additional Resource Names may be added to CASECAUT in the future.
NOTE: CASECAUT will not allow an SCA to create and give current MISC authorities to another SCA. It also will not allow the creation of an LSCA.
Commands
Scope of these are to allow Users with no administrative authorities to change certain password related fields for other Users within their Scope, provided they have the proper access to "TSSCMD.USER.cmd.fieldname" in the CASECAUT Resource Class. The following table indicates the authorisation required to change password related fields:
Field name CASECAUT entity name
---------- -------------------------
PASSWORD TSSCMD.USER.cmd.PASSWORD
PHRASE TSSCMD.USER.cmd.PHRASE
KERBVIO TSSCMD.USER.cmd.KERBVIO
SUSPEND TSSCMD.USER.cmd.SUSPEND
ASUSPEND TSSCMD.USER.cmd.ASUSPEND
PSUSPEND TSSCMD.USER.cmd.PSUSPEND
VSUSPEND TSSCMD.USER.cmd.VSUSPEND
XSUSPEND TSSCMD.USER.cmd.XSUSPEND
NOPWCHG TSSCMD.USER.cmd.NOPWCHG
NOPW TSSCMD.USER.cmd.NOPW
The third qualifier, 'cmd', may be specified as ADDTO/REPLACE/REMOVE, as long as it is supported in conjunction with the relevant field. For all commands listed in the above table, the required access level is UPDATE.
Certificates
Similarly, Users with no administrative authorities will be allowed to issue certain Digital Certificate KEYRING and Token commands against other Users in their Scope, provided they have proper access to entity "TSSCMD.CERTUSER.function" in the CASECAUT Resource Class.
The following table indicates the authorization required to issue DIGICERT and KEYRING related commands:
Command CASECAUT entity name
------- -----------------------------------
CHKCERT TSSCMD.CERTUSER.CHKCERT
EXPORT TSSCMD.CERTUSER.EXPORT
GENCERT TSSCMD.CERTUSER.GENCERT
GENREQ TSSCMD.CERTUSER.GENREQ
REKEY TSSCMD.CERTUSER.REKEY
ADD TSSCMD.CERTUSER.ADDTO
ROLLOVER TSSCMD.CERTUSER.ROLLOVER
REMOVE TSSCMD.CERTUSER.REMOVE
P11TOKEN TSSCMD.DIGTCERT.P11TOKEN.tokencmd
Utilities
For batch utilities like TSSXTEND and TSSFAR, this eliminates the need for an MSCA User to run them, and allows any User, provided access is granted to entity "TSSUTILITY.utilityname" in the CASECAUT Resource Class. For normal use the required access level is "USE", however for the ZAP function the required access level is "UPDATE".
For batch utilities like TSSCHART, TSSAUDIT and TSSCFILE, which normally can only run by a User with ACID(REPORT) and/or ACID(AUDIT) authorities, any User will be allowed to run them provided there is proper access to entity "TSSUTILITY.utilityname" in the CASECAUT Resource Class.
CASECAUT(TSSUTILITY.TSSXTEND
TSSFAR
TSSAUDIT
TSSCHART
TSSUTIL
TSSSIM
TSSCFILE
TSSTRACK
Console
In a z/OS environment, the TSS MODIFY STATUS command can be issued by any administrator type ACID or any User with USE access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.
USE access is granted through the following command:
TSS PERMIT(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(USE)
Note: USE is the default access level. To alter control options, administrators and Users must have one of the following authority levels:
(All other commands are considered alter commands and require PRIVILEG access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.)
* CONSOLE attribute authority
* PRIVILEG access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.
PRIVILEG access is granted through the following command:
TSS PERMIT(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(PRIVILEG)