Top Secret

  • 1.  resclass TSOAUTH auditing

    Posted Jan 02, 2017 04:59 AM

    I'm looking for a possibility to detect which userid effectively references class TSOAUTH permissions. I suppose that z/OS checks these permissions with LOG(NONE), so they don't appear in the ATF data. Beyond this, I suppose and fear that the resclass is not checked when the resource is effectively referenced ... (but probably only at logon time)

     

    Especially I'd be interested in TSOAUTH(TESTAUTH)

     

    Thanks for any hint, idea and suggestion! (... also for where to find docs ...)

     

    ------------------------------------------------------------------------------------------------------------------------------------------------------

     

    intermediately and afterwards edited table as a summary, contributions to complete the table very much appreciated ... 

     

    Resource            Auditing effective references
    TSOAUTH(ACCT)
    TSOAUTH(CONSOLE)
    TSOAUTH(JCL)
    TSOAUTH(MOUNT)
    TSOAUTH(OPER)
    TSOAUTH(PARMLIB)    TSS PER(xxxxxxxx) TSOAUTH(PARMLIB) ACTION(AUDIT)
    TSOAUTH(RECOVER)
    TSOAUTH(TESTAUTH)   TSS ADD(xxxxxxxx) PROGRAM(TESTAUTH)
                        TSS PER(ALL) PROGRAM(TESTAUTH)



  • 2.  Re: resclass TSOAUTH auditing
    Best Answer

    Posted Jan 03, 2017 02:18 AM

    Hello Josef,

     

    The TSOAUTH class is checked at logon time by TSO with LOG=NONE.

    You can set a sectrace against any ACID to log on to TSO; you should see the TSS-F for TSOAUTH class with LOG=NONE. Check L/xx80 on the TSS-F lines.

     

    Sincerely, Jacques.



  • 3.  Re: resclass TSOAUTH auditing

    Posted Jan 03, 2017 03:22 AM

    Hello Jacques, thank you for the details, I'll give them a try.

    Well, I'm interested in the effective references to those resources. When the resource is checked at logon time, it does not necessarily mean that the user really makes use of that permission. I would like to determine the effective references to those resources, especially TESTAUTH, so that the permissions can be reworked. Maybe there is a smart possibility for it...

    Regards, Josef   



  • 4.  Re: resclass TSOAUTH auditing

    Posted Jan 03, 2017 05:16 AM

    Hello Josef,

     

    There is no TSOAUTH(TESTAUTH) check with TSS.  TESTAUTH is checked with PROGRAM class when it is issued.

     

    Sincerely, Jacques.



  • 5.  Re: resclass TSOAUTH auditing

    Posted Jan 03, 2017 10:40 AM

    Many Thanks, Jacques,

     

    ... so it would come down to a

    TSS ADD(xxxxxxxx) PROGRAM(TESTAUTH)

    TSS PER(ALL) PROGRAM(TESTAUTH) ACTION(AUDIT)

     

    Do you or somebody in the community or at Computer Associates have ideas to detect the "effective reference" to the other TSOAUTH resources, namely

    TSOAUTH(ACCT)
    TSOAUTH(JCL) 
    TSOAUTH(MOUNT)
    TSOAUTH(OPER) 
    TSOAUTH(PARMLIB) 
    [TSOAUTH(TESTAUTH) --> PROGRAM(TESTAUTH) see above]
    TSOAUTH(CONSOLE)   

     

    Regards, Josef



  • 6.  Re: resclass TSOAUTH auditing

    Posted Jan 04, 2017 04:54 AM

    sorry, TSOAUTH(RECOVER) missed



  • 7.  Re: resclass TSOAUTH auditing

    Posted Jan 03, 2017 10:54 AM

    Hello Josef,

     

    To clarify the TSOAUTH with TSS:

    TSOAUTH(JCL)

    TSOAUTH(ACCT)

    TSOAUTH(MOUNT)

    TSOAUTH(OPER)

    TSOAUTH(RECOVER) are checked at logon time with LOG=NONE

     

    TSOAUTH(PARMLIB) is checked when the user enters this command as a TSO command or by other means.

    e.g. PARMLIB UPDATE(00)

     

    and, as already seen, TESTAUTH is checked via PROGRAM class with LOG=ASIS, so what you said should work to audit it.

     

    Sincerely, Jacques.



  • 8.  Re: resclass TSOAUTH auditing

    Posted Jan 04, 2017 07:14 AM

    Hello Josef,

     

    I have to add a comment about TESTAUTH. From what I was able to test and saw in sectrace, the TESTAUTH command, as I said, is checked with PROGRAM class. But under certain circumstances it can be checked with TSOAUTH(TESTAUTH), as described in IBM documentation. I didn't have a chance to see this check with the tests I made.

     

    Sincerely, Jacques.



  • 9.  Re: resclass TSOAUTH auditing

    Posted Jan 04, 2017 07:30 AM

    Hello Josef,

     

    My mistake! My TSO environment wasn't correct. Now I can see the TSOAUTH(TESTAUTH) check coming after the PROGRAM(TESTAUTH) check. This check is not done with LOG=NONE, so it should be auditable.

     

    Sincerely, Jacques.