Top Secret

  • 1.  tss list profiles ?

    Posted Nov 17, 2017 01:30 PM

    Is there a way to list Top Secret profiles that are either empty (no rules) or have no connected acids?



  • 2.  Re: tss list profiles ?

    Posted Nov 17, 2017 04:24 PM

    If there is, I never knew about it.  I eventually wrote a utility that reads the CFILE and lists various situations that call for attention.  At every installation I program into it conditions that are unique to that company: A user ID that doesn't have an employee # in the installation data, for example, or that is missing a specific permission.  But some are common to most installations: ACIDs that haven't been used in 14 months, for instance.  Profiles that have no permissions or no ACID members are two of the conditions I'm checking for.  I can run the command every so often to see what needs attention.

     

    I know that doesn't help you, unless you're a REXX programmer.  It's really by way of saying that if TSS had that ability natively, I wouldn't have had to write it.



  • 3.  Re: tss list profiles ?

    Broadcom Employee
    Posted Nov 17, 2017 05:29 PM

    Hi Steve,

     

    There isn't a direct command to get these. You can issue:

     

    TSS LIST(ACIDS) TYPE(PROFILE) DATA(XAUTH,ACIDS)

     

    This will limit the output to profiles only and the permits in the profile and the acids attached.

     

    If there are no permits, you will see:

     

    ACCESSORID = profile NAME = name
    ACIDS = acids  

     

    If no acids are attached, the output will show:

     

    ACIDS = *NONE*

     

    This can also be done in TSSCFILE so the output is formatted.

     

    NOTE: If you are running TSS r16 with fixes RO95454, RO96670, and RO97041 applied: RO95454 is an enhancement that allows TSSCFILE to be run against the TSS backup files in a private address space.
    If not, the TSS LIST(ACIDS) ... command should be run during off-peak hours because this can be I/O intensive to the security file, which could negatively impact performance.

     

    Best regards,

    Bob Boerum



  • 4.  Re: tss list profiles ?

    Posted Nov 17, 2017 06:00 PM

    Hello Bob, Steve,

    - It depends on what you consider as "no rules" ... DATA(XAUTH,ACIDS) would not show LCF nor FACILITY ...

    - Perhaps some cleverly coded SORT-jobs could transform a TSS LIST-output to show the requested information.

    Kind regards

    Josef 
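
One way to post-process saved output of the TSS LIST(ACIDS) TYPE(PROFILE) DATA(XAUTH,ACIDS) command from post 3, added here as an example and not code from any poster or from Broadcom: it flags profiles that show no permit lines or show ACIDS = *NONE*. The "XA " prefix on permit lines, the sample listing and the name audit_profiles are assumptions, and because this output omits LCF and FACILITY (post 4), a NO_PERMITS flag marks a candidate for manual review, not a confirmed empty profile.

```python
import re

# Constructed sample of TSS LIST(ACIDS) TYPE(PROFILE) DATA(XAUTH,ACIDS) output.
# Header and ACIDS lines follow the shapes quoted in the thread; the "XA ..."
# permit lines and every name here are assumptions made for this example.
SAMPLE = """\
ACCESSORID = PAYPROF   NAME       = PAYROLL READERS
XA DATASET = PAY.MASTER.        OWNER(PAYDEPT)
  ACCESS   = READ
ACIDS      = USER01    USER02
ACCESSORID = OLDPROF   NAME       = RETIRED APP
XA DATASET = OLD.APP.           OWNER(APPDEPT)
  ACCESS   = UPDATE
ACIDS      = *NONE*
ACCESSORID = NEWPROF   NAME       = NOT YET BUILT
ACIDS      = USER03
ACCESSORID = DEADPROF  NAME       = LEFTOVER
ACIDS      = *NONE*
"""

HEADER = re.compile(r"^ACCESSORID\s*=\s*(\S+)")
ACIDS = re.compile(r"^ACIDS\s*=\s*(.*)$")

def audit_profiles(listing):
    """Map each suspect profile to its findings (NO_PERMITS and/or NO_ACIDS)."""
    profiles, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:  # a new profile block starts here
            current = profiles.setdefault(header.group(1),
                                          {"permits": 0, "no_acids": False})
        elif current is None:
            continue  # banner or message text before the first profile
        elif line.startswith("XA "):  # assumed prefix of a permit line
            current["permits"] += 1
        else:
            acids = ACIDS.match(line)
            if acids and acids.group(1).strip() == "*NONE*":
                current["no_acids"] = True
    findings = {}
    for name, seen in profiles.items():
        flags = (["NO_PERMITS"] if seen["permits"] == 0 else []) \
              + (["NO_ACIDS"] if seen["no_acids"] else [])
        if flags:
            findings[name] = flags
    return findings

if __name__ == "__main__":
    # Candidates for human review only: LCF and FACILITY are not in this output.
    for name, flags in audit_profiles(SAMPLE).items():
        print(f"{name:<8} {', '.join(flags)}")
```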



  • 5.  Re: tss list profiles ?

    Posted Nov 17, 2017 06:17 PM

    Hm, good point.  The routine I said I use on demand—CFILECHK, it's called—counts the following CFILE record types as permissions:

    • 0700 (attributes), if not entirely blank
    • 2001 (XA ACID)
    • 2002 (XA DATASET)
    • 2003 (XA VOLUME)
    • 2005 (XA general)
    • 2500 (SCTYKEY)
    • 3090 (XA MODE)
    • 3260 (XA PROGRAM)
    • 3700 (FACILITY)

     

    Are there others I should be looking for too?  Of course, all CFILECHK does is display the suspect profiles; only a human deletes an "empty" profile, after visual examination.  And at our installation I'm not concerned about 2004; but other than that I want to be complete.