Top Secret

  • 1.  FSACCESS Control Option

    Posted Oct 20, 2016 04:49 AM

    Hi all,

     

    I need detailed explanation for FSACCESS. What records will be written and what records will not be written if we swtich from control option "FSACCESS(ENABLE)" to "FSACCESS(DISABLE) ? 

    We don't have any FSACCESS resources protected. I need details about,which records are written what type of SAF calls are done and effects on performance.

     

    Thank you, 

     

    Erdem.



  • 2.  Re: FSACCESS Control Option

    Posted Oct 20, 2016 05:21 AM

    Hello Erdem,

     

    The following link points to the IBM documentation about FSACCESS class.

     

    https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxb200/fsastepp.htm

     

    From this description and the way it works, it's the way TSS acts.

     

    And from that link to can go to other documentation which I hope sheds some lights on FSACCESS..

     

    Sincerely, Jacques. 



  • 3.  Re: FSACCESS Control Option

    Posted Oct 20, 2016 07:06 AM

    Hi Jacques_Hulak

     

    Is there any list of PTFs/documentations related with fsaccess and its performance issues, so that we can check in our environment, if we have them?

     

    Thank you,

     

    Erdem.



  • 4.  Re: FSACCESS Control Option

    Posted Oct 20, 2016 07:51 AM

    Hello Erdem,

     

    Here it is a list of PTFs related to FSACCESS or so for TSS r15.0. There is no additional PTF for TSS r16.0

     

    RO76973

    RO68148

    RO45811

    RO45458

    RO53985

    RO40271

    RO38634

    and all necessary prerequisites.

     

    For TSS r15.0 the CA Top secret Control Options Guide contains information about FSACCESS settings.

    For TSS r16.0 go to docops.ca.com site.

     

    Sincerely, Jacques.



  • 5.  Re: FSACCESS Control Option

    Broadcom Employee
    Posted Oct 20, 2016 10:22 AM

    Hi Erdem,

     

    If you're looking for the Top Secret-specific content surrounding FSACCESS, you'll find some information as follows:

    -Kris



  • 6.  Re: FSACCESS Control Option

    Posted Oct 20, 2016 10:29 AM

    Thank you all for your quick responses and answers.

     

    All I want to know is:

     

    I will set FSACCESS control option to DISABLE. What type of data / checks will we lose after disabling fsaccess checks?

     

    We have SMF logging and SMF231 records are collected.

     

    Regards,

    Erdem.



  • 7.  Re: FSACCESS Control Option

    Posted Oct 20, 2016 10:40 AM

    Hello Erdem,

     

    FSACCESS being disable you will "lose" the security check for the FSACCESS resource class to verify user authority to access the file system objects on z/OS UNIX zFS.

     

    But, disabling that security checks can help to reduce overhead.

    And, in any case the access to any unix file is controlled by the UID/GID and security bits.

     

    Sincerely, Jacques.

     



  • 8.  Re: FSACCESS Control Option

    Posted Oct 24, 2016 04:53 AM

    Salut Jacques, hello Erdem,

     

    just for a proper comprehension of the question and the answers ...

     

    Is it correct, that when reclass FSACCESS is defined with NODEFPROT and there are no ownerships for this reclass, some uss-cpu-cycles (overhead) can be saved by setting control option FSACCESS to disabled, without any loss of security-related functionality/checks?

     

    Thanks,

    Josef     



  • 9.  Re: FSACCESS Control Option
    Best Answer

    Posted Oct 24, 2016 05:03 AM

    Hello Josef,

     

    That's what FSACCESS TSS control option is all about. When FSACCESS is DISABLE cpu-cycles is saved.

    DEFPROT/NODEFPROT comes into play when FSACCESS is ENABLE. With DEFPROT set any acid in FAIL mode has to be explicitly permitted to access to FSACCESS resources. This is valid whatever the resource class is.

    Except DATASET which are protected by default.

     

    Sincerely, Jacques.