CASECAUT - RESOURCE LIST in Top Secret.

Document created by Chris_Williams Employee on Nov 23, 2015

In CA Top Secret Security for z/OS r15.0, is there a complete list of all the Resources that can be controlled with the CASECAUT Class?

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Here is a complete list of the resources currently available in the CASECAUT Resource Class.  Additional Resource Names may be added to CASECAUT in the future.

 

NOTE: CASECAUT will not allow an SCA to create and give current MISC authorities to another SCA.  It also will not allow the creation of an LSCA.

 

 

Commands

These resources allow Users with no administrative authorities to change certain password-related fields for other Users within their Scope, provided they have the proper access to "TSSCMD.USER.cmd.fieldname" in the CASECAUT Resource Class.  The following table indicates the authorisation required to change password-related fields:

 

Field name     CASECAUT entity name
----------     -------------------------
PASSWORD       TSSCMD.USER.cmd.PASSWORD
PHRASE         TSSCMD.USER.cmd.PHRASE
KERBVIO        TSSCMD.USER.cmd.KERBVIO
SUSPEND        TSSCMD.USER.cmd.SUSPEND
ASUSPEND       TSSCMD.USER.cmd.ASUSPEND
PSUSPEND       TSSCMD.USER.cmd.PSUSPEND
VSUSPEND       TSSCMD.USER.cmd.VSUSPEND
XSUSPEND       TSSCMD.USER.cmd.XSUSPEND
NOPWCHG        TSSCMD.USER.cmd.NOPWCHG
NOPW           TSSCMD.USER.cmd.NOPW

 

The third qualifier, 'cmd', may be specified as ADDTO/REPLACE/REMOVE, as long as it is supported in conjunction with the relevant field. For all commands listed in the above table, the required access level is UPDATE.

 

 

Certificates

Similarly, Users with no administrative authorities will be allowed to issue certain Digital Certificate KEYRING and Token commands against other Users in their Scope, provided they have proper access to entity "TSSCMD.CERTUSER.function" in the CASECAUT Resource Class.

 

The following table indicates the authorization required to issue DIGICERT and KEYRING related commands:

 

Command     CASECAUT entity name
-------     -----------------------------------
CHKCERT     TSSCMD.CERTUSER.CHKCERT
EXPORT      TSSCMD.CERTUSER.EXPORT
GENCERT     TSSCMD.CERTUSER.GENCERT
GENREQ      TSSCMD.CERTUSER.GENREQ
REKEY       TSSCMD.CERTUSER.REKEY
ADD         TSSCMD.CERTUSER.ADDTO
ROLLOVER    TSSCMD.CERTUSER.ROLLOVER
REMOVE      TSSCMD.CERTUSER.REMOVE
P11TOKEN    TSSCMD.DIGTCERT.P11TOKEN.tokencmd

 

 

Utilities

For batch utilities like TSSXTEND and TSSFAR, CASECAUT eliminates the need for an MSCA User to run them and allows any User to do so, provided access is granted to entity "TSSUTILITY.utilityname" in the CASECAUT Resource Class.  For normal use the required access level is "USE"; for the ZAP function, however, the required access level is "UPDATE".

 

For batch utilities like TSSCHART, TSSAUDIT and TSSCFILE, which normally can only be run by a User with ACID(REPORT) and/or ACID(AUDIT) authorities, any User will be allowed to run them provided there is proper access to entity "TSSUTILITY.utilityname" in the CASECAUT Resource Class.

 

CASECAUT(TSSUTILITY.TSSXTEND
                    TSSFAR
                    TSSAUDIT
                    TSSCHART
                    TSSUTIL
                    TSSSIM
                    TSSCFILE
                    TSSTRACK

 

 

Console

In a z/OS environment, the TSS MODIFY STATUS command can be issued by any administrator type ACID or any User with USE access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.

 

USE access is granted through the following command:

TSS PERMIT(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(USE)

Note: USE is the default access level.

(All other commands are considered alter commands and require PRIVILEG access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.)

To alter control options, administrators and Users must have one of the following authority levels:

* CONSOLE attribute authority

* PRIVILEG access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.

 

PRIVILEG access is granted through the following command:

TSS PERMIT(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(PRIVILEG)
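
The entity names and access levels listed above can be used to review existing CASECAUT permits. The following Python is an added example, not code from this document or from CA: it reads TSS PERMIT commands, reports what each one delegates according to the tables above, and flags entities or access levels that this page does not list. It assumes the permits are available as command text in the form shown above, uses constructed sample lines with hypothetical ACIDs, and applies the USE default from the Console note to any permit with no ACCESS keyword.

```python
import re

# Entity names transcribed from the tables on this page.
USER_CMDS = {"ADDTO", "REPLACE", "REMOVE"}
USER_FIELDS = {"PASSWORD", "PHRASE", "KERBVIO", "SUSPEND", "ASUSPEND",
               "PSUSPEND", "VSUSPEND", "XSUSPEND", "NOPWCHG", "NOPW"}
CERT_FUNCS = set("CHKCERT EXPORT GENCERT GENREQ REKEY ADDTO ROLLOVER REMOVE".split())
UTILITIES = set("TSSXTEND TSSFAR TSSAUDIT TSSCHART TSSUTIL TSSSIM TSSCFILE TSSTRACK".split())
PERMIT_RE = re.compile(
    r"TSS\s+PERMIT\((\w+)\)\s+CASECAUT\(([\w.]+)\)(?:\s+ACCESS\((\w+)\))?", re.I)
ODD_LEVEL = "REVIEW: access level differs from the one the page lists"

def describe(entity, access):
    """Return what a CASECAUT permit delegates, per the page's tables."""
    q = entity.split(".")
    if q[:2] == ["TSSCMD", "USER"] and len(q) == 4:
        if q[2] in USER_CMDS and q[3] in USER_FIELDS:
            return f"{q[2]} {q[3]} on users in scope" if access == "UPDATE" else ODD_LEVEL
    elif q[:2] == ["TSSCMD", "CERTUSER"] and len(q) == 3 and q[2] in CERT_FUNCS:
        return f"certificate/keyring {q[2]} on users in scope"  # page states no level
    elif q[:3] == ["TSSCMD", "DIGTCERT", "P11TOKEN"] and len(q) == 4:
        return f"P11TOKEN {q[3]}"  # tokencmd values are not listed on the page
    elif q[0] == "TSSUTILITY" and len(q) == 2 and q[1] in UTILITIES:
        return {"USE": f"run {q[1]}",
                "UPDATE": f"run {q[1]} at the level the page requires for ZAP"}.get(access, ODD_LEVEL)
    elif entity == "TSSCMD.ADMIN.MODIFY":
        return {"USE": "MODIFY STATUS only",
                "PRIVILEG": "MODIFY alter commands"}.get(access, ODD_LEVEL)
    return "REVIEW: entity not in the page's list"

def audit(lines):
    """Return (acid, entity, access, finding) per PERMIT line; no ACCESS means USE."""
    rows = []
    for m in filter(None, map(PERMIT_RE.search, lines)):
        entity, access = m.group(2).upper(), (m.group(3) or "USE").upper()
        rows.append((m.group(1), entity, access, describe(entity, access)))
    return rows

# Constructed sample input; the ACIDs are hypothetical.
SAMPLE = [
    "TSS PERMIT(HELPDSK1) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(UPDATE)",
    "TSS PERMIT(HELPDSK2) CASECAUT(TSSCMD.USER.REPLACE.PASSWORD) ACCESS(READ)",
    "TSS PERMIT(OPER01) CASECAUT(TSSCMD.ADMIN.MODIFY)",
    "TSS PERMIT(OPER02) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(PRIVILEG)",
    "TSS PERMIT(BATCH01) CASECAUT(TSSUTILITY.TSSFAR) ACCESS(UPDATE)",
    "TSS PERMIT(USER99) CASECAUT(TSSCMD.USER.REPLACE.PASWORD) ACCESS(UPDATE)",
]
for row in audit(SAMPLE):
    print("%-9s %-29s %-9s %s" % row)
```

Lines marked REVIEW are the ones to check by hand: a misspelled entity such as the last sample grants nothing this page describes, and PRIVILEG on TSSCMD.ADMIN.MODIFY or UPDATE on a TSSUTILITY entity gives a non-administrator the higher of the two levels documented above.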
