Top Secret

  • 1.  ACCES(ALTER) instead of ACCES(ALL)

    Posted Oct 20, 2017 02:41 PM

    Hi, Top Secret warriors,

    My client wants to use ACCES(ALTER) instead of ACCES(ALL) when giving access to datasets.

     

    He is getting this error:

    CA TOP SECRET VERSION 16.0     SECURITY ACTIVITY/INCIDENTS REPORT #
    ACCESSOR JOBNAME  FFM VC PROGRAM  R-ACCESS A-ACCESS SRC/DRC
    myacid  myjob 13F 01 myprog   ALTER    RS       *08*-66    
    So, my client wants to establish rules like TSS PER(myacid)DSN(mydataset)ACCES(READ,SCRATCH,ALTER)
    My client does not want to use rules like TSS PER(myacid)DSN(mydataset)ACCESS(ALL)
    Can I include this ALTER into the resource class DATASET (Inside the RDT)?
    How to do that?
    Would this measure really improve the security?
    Thanks,
    Paulo
     


  • 2.  Re: ACCES(ALTER) instead of ACCES(ALL)
    Best Answer

    Broadcom Employee
    Posted Oct 23, 2017 10:26 AM

    Hi Paulo,

     

    For DATASETs, the TSS equivalent of ALTER access is CONTROL, SCRATCH, and CREATE. So if you do not want to give ALL access and you want to include READ (from the permit in your example), the permit should be:

     

    TSS PER(myacid) DSN(mydataset) ACCES(READ,CONTROL,SCRATCH,CREATE)

     

    The difference between the above permit and a permit with ACCESS(ALL) is that ACCESS(ALL) includes the following access levels that ACCES(READ,CONTROL,SCRATCH,CREATE) does not:

     

    FETCH, UPDATE, WRITE(2000), CREATE(1000), INQUIRE, and SET

     

    Best regards,

    Bob Boerum



  • 3.  Re: ACCES(ALTER) instead of ACCES(ALL)

    Posted Oct 27, 2017 11:27 AM

    Thank you very much, Mr. Boerum.
    The client has just tested and approved your solution. The vulnerability has been mitigated.

    Great job!

    Yours,

    Paulo