Top Secret

  • 1.  Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Posted Oct 05, 2018 02:04 PM

    What security administrative or resource (CASECAUT) is required to allow AUDITOR to issue the following command and receive desired results?

     

    tss lis(*facstor) fac(cicsprod)

     

    and

     

    tss lis(*facstor) fac(all)

     

    AUDITOR should not be able to change, but should  be able to LIST all facility definitions using those list commands when FACSTOR(YES) is setup.



  • 2.  Re: Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Broadcom Employee
    Posted Oct 05, 2018 04:36 PM

    For the TSS LIST(*FACSTOR) the is no special security administrative or resource (CASECAUT) to issue this LIST command

    Searching our database I see another site said the will open an IDEA in the community asking to perform some form of restriction checking (with either MISCx or CONSOLE attribute) for the listing of *FACSTOR.



  • 3.  Re: Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Posted Oct 09, 2018 03:45 PM

    Is there a way to move this from a Question to an IDEA/Request for new functionality - allowing AUDITORS to have VIEW via TSS LIST(*FACSTOR) command but not allow modify?    maybe via a CASECAUDT resource permission with READ access?



  • 4.  Re: Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Broadcom Employee
    Posted Oct 09, 2018 04:39 PM

    Hi Steve,

     

    I just tried and I can only change this from a question to a discussion.  You will have to open an IDEA as a new item.

     

    ~Eileen~



  • 5.  Re: Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Posted Oct 16, 2018 04:36 PM

    An accessor ID having administrative access to the facility and DATA(ALL) authority can list the facility using a -

     

    TSS LIST(*FACSTOR) FACILITY({facility-ID-8})

     

    command.

     

    If the bypass lists are to be included, then the command should be -

     

    TSS LIST(*FACSTOR) FACILITY{facility-ID-8}) DATA(ALL)

     

    The accessor ID does not have the "CONSOLE" attribute, meaning that the accessor ID cannot revise the facility definition.

     

    John P. Baker



  • 6.  Re: Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Posted Oct 16, 2018 05:16 PM

    John,

     

    yes, however if you have administrative access to the facility, you may also be able to add that facility to users within your scope (effectively changing security), were as an Auditor only should be able to View the facility definitions but not administer the access to the facility.

     

    Auditors should be able to review all facility definitions without having administrative control over facility definitions.   View only, allowing an auditor to view and validate setup.

     

    Thank you

    Steve



  • 7.  Re: Security Admin rights required for AUDITOR to Lis(*FACSTOR)

    Posted Oct 16, 2018 05:26 PM

    Steve,

     

    I agree.

     

    However, as an interim measure until CA Technologies can implement the functionality requested, a secondary accessor ID of TYPE(USER) can be created for the auditor having the specified administrative privileges (i.e., DATA(ALL) and FACILITY(ALL)) which would allow the auditor to look at the facility definitions without having the capability to revise the facility definitions.

     

    John P. Baker