Define TSS Facilities in the TSS Security File

Idea created by jbaker314 on Jun 18, 2014
    Delivered
    Score: 10

    I would like to recommend that CA Top Secret Security for z/OS be enhanced by providing the capability to define TSS facilities in the TSS security file, rather than in the TSS parameter file.

     

    I propose that a command of the form "TSS CREATE(facility-accessor-id) TYPE(FACILITY) NAME(facility-name)" be supported.

     

    TSS facility definitions would not be defined within a department, division, or zone, but rather within a special accessor ID, which for the purpose of this enhancement request, I will designate as "*FAC*".

     

    Existing attributes of the form [NO]xxxxxxxx would be handled by adding the attribute ("xxxxxxxx") to the facility accessor ID.  If the attribute is not present, it will be treated as equivalent to "NOxxxxxxxx".

     

    I suggest that the bypass and protect lists could be managed by permitting the resource to the facility accessor ID with an access level of "BYPASS" or "PROTECT".

     

    These access levels would be added to all resource classes whose members can appear in the corresponding bypass or protect list.  These access levels would not be usable on a permit to an accessor ID of any type other than FACILITY.  Likewise, access levels other than BYPASS and PROTECT would not be usable on a permit to an accessor ID of type FACILITY.

     

    I would recommend that a new CASECAUT privilege, TSSCMD.ADMIN.FACILITY, be defined and that a permit with an access level of USE would permit an administrative accessor ID to issue a TSS LIST command for an accessor ID of type FACILITY, while a permit with an access level of PRIVILEG would permit an administrative accessor ID to CREATE, DELETE, and revise an accessor ID of type FACILITY.

     

    I am not proposing any capability to have a different set of facilities defined for each system in a complex of systems sharing a common security file.

     

    In this proposal, all sharing systems would have the same facility definitions.

     

    However, if the user community feels that such a capability is warranted, I would support an extension of this proposal to incorporate such functionality.

     

    This proposal would greatly simplify the definition and maintenance of TSS facility definitions.