Top Secret

  • 1.  How do I permit (allow) using a program in an lpar that shares a security file with another lpar? Tried TSS ADD(DPROG) PGM(xxxxxxxx) and TSS PER(ALL) PGM(xxxxxxxx) CPU(SYSx) ...

    Posted Dec 25, 2018 07:24 AM

    Two lpars share the same security file: SYSE and SYSJ. A restriction must be put in place so that a program can be executed in one lpar only, SYSE. Can't find a way to do that.



  • 2.  Re: How do I permit (allow) using a program in an lpar that shares a security file with another lpar? Tried TSS ADD(DPROG) PGM(xxxxxxxx) and TSS PER(ALL) PGM(xxxxxxxx) CPU(SYSx) ...

    Broadcom Employee
    Posted Dec 26, 2018 08:37 AM

    Cannot restrict access to a program, because SYSID checking is
    disabled for the program resource class.

    You can use SYSID restrictions with datasets, for example, but not with the program
    resource.

    TSS PER(ALL) DSN(***) SYSID(SYSX)



  • 3.  Re: How do I permit (allow) using a program in an lpar that shares a security file with another lpar? Tried TSS ADD(DPROG) PGM(xxxxxxxx) and TSS PER(ALL) PGM(xxxxxxxx) CPU(SYSx) ...

    Posted Dec 27, 2018 02:50 AM

    Hi Ashera,

    For the docs on the restriction mentioned by lynro03, see https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/resources/program-resource-classsecure-programs-and-utilities.

    If your program DPROG is called from the linklist and the restriction to use that program in only one lpar should apply to every user, your z/OS administrators could create an lpar-specific linklist library to store and provide that program only in that specific lpar. Users calling the program in the forbidden lpar would then receive an S878 (or similar) abend in place of a security violation, but the effect of the restriction would be achieved.

    Kind regards, Josef



  • 4.  Re: How do I permit (allow) using a program in an lpar that shares a security file with another lpar? Tried TSS ADD(DPROG) PGM(xxxxxxxx) and TSS PER(ALL) PGM(xxxxxxxx) CPU(SYSx) ...

    Posted Dec 30, 2018 05:10 AM

    Good morning,

    Thank you for your response. I know that the SYSID restriction is not valid for programs. This was the reason for asking the CA Security community for advice. Do you know of a way to allow such an implementation?

    Best regards,
    Asher



  • 5.  Re: How do I permit (allow) using a program in an lpar that shares a security file with another lpar? Tried TSS ADD(DPROG) PGM(xxxxxxxx) and TSS PER(ALL) PGM(xxxxxxxx) CPU(SYSx) ...
    Best Answer

    Posted Dec 30, 2018 06:17 PM

    Hello Asher,

    Just off the top of my head: as Top Secret currently does not support your request, finding a feasible approach depends on your specific circumstances.

    (1) One possible approach I already sketched in my previous post: implement the program only in the lpar where it is to be called (SYSE).

    (2) Maybe TSSINSTX (the Top Secret exit) offers the possibility to extend security according to your needs. (Probably a performance disadvantage, because this code would be executed for every program invocation.)

    (3) If you have the possibility to modify program xxxxxxxx, you could add a user security call (TSSAI or RACROUTE) at the beginning of program xxxxxxxx to handle your needs.

    (4) If your program xxxxxxxx is called within a specific facility, and it is possible to implement this facility in system SYSE only, you could use that option to implement the desired restriction.

    Hope that helps a little, best regards, Josef



  • 6.  Re: How do I permit (allow) using a program in an lpar that shares a security file with another lpar? Tried TSS ADD(DPROG) PGM(xxxxxxxx) and TSS PER(ALL) PGM(xxxxxxxx) CPU(SYSx) ...

    Posted Dec 31, 2018 02:37 AM

    Good morning Josef,

    Thank you for your detailed explanations. I think we will encapsulate the program whose execution we need to limit in a program that will check the SMFID (or SYSID) of the lpar it is running in and fail it if it is not SYSE.

    Best regards,
    Asher
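The front-end program Asher describes in the last post, written out as an added example; it is not code from the thread, from Broadcom or from CA Top Secret. It assumes the real program has been renamed to REALPGM (a hypothetical name) and that this wrapper, assembled with the original program name, takes its place in the linklist library. The wrapper reads the SMF system id through the documented control-block chain (PSA -> CVT -> SMCA -> SMCASID, using the CVT and IEESMCA mapping macros rather than hard-coded offsets), compares it with the permitted id 'SYSE', and either LINKs to REALPGM with the caller's parameter list untouched or writes a message naming the detected SMF id and abends. The user completion code U0901 and the message text are arbitrary choices for the example; the thread uses SMFID and SYSID interchangeably, and this code checks the SMF id.

```hlasm
***********************************************************************
* WRAPPER  - hypothetical front-end for a program that may only run   *
*            on the LPAR whose SMF id is 'SYSE' (added example, not    *
*            code from the thread or from Top Secret).                 *
*            Allowed : LINK to REALPGM (renamed real program), pass    *
*                      the caller's R1 parm list and its RC back.      *
*            Refused : WTO naming the SMF id found, then ABEND U0901.  *
***********************************************************************
WRAPPER  CSECT
WRAPPER  AMODE 31
WRAPPER  RMODE ANY
         STM   R14,R12,12(R13)         save caller's registers
         LR    R12,R15                 establish base register
         USING WRAPPER,R12
         LR    R2,R1                   keep caller's parm pointer
         GETMAIN RU,LV=WORKLEN         reentrant work/save area
         ST    R13,4(,R1)              chain save areas (backward)
         ST    R1,8(,R13)              chain save areas (forward)
         LR    R13,R1
         USING WORKAREA,R13
*
* Locate the SMF system id of this LPAR via the mapping macros:
* PSA+X'10' (CVTPTR) -> CVT, CVTSMCA -> SMCA, SMCASID = 4-byte SMF id.
*
         L     R3,CVTPTR               CVT address
         USING CVT,R3
         L     R4,CVTSMCA              SMCA address
         USING SMCA,R4
         MVC   THISSID,SMCASID         copy SMF id into work area
         DROP  R3,R4
         CLC   THISSID,ALLOWED         is this the permitted system?
         BNE   REJECT                  no - refuse to run
*
* Permitted: pass control to the real program. R1 is restored so the
* wrapped program sees exactly the parm list the caller supplied.
*
         LR    R1,R2                   caller's parm pointer
         LINK  EP=REALPGM              run the renamed real program
         LR    R2,R15                  keep its return code
         B     RETURN
*
* Refused: build the execute form of the WTO in the work area, insert
* the SMF id found as the last four characters of the text, then abend.
*
REJECT   MVC   WTOAREA(WTOLEN),WTOMODEL   copy list-form WTO
         MVC   WTOAREA+WTOLEN-L'THISSID(L'THISSID),THISSID
         WTO   MF=(E,WTOAREA)
         ABEND 901                     U0901: arbitrary example code
*
* Return to caller with the return code from REALPGM in R15.
*
RETURN   LR    R1,R13                  work area to free
         L     R13,4(,R13)             caller's save area
         FREEMAIN RU,LV=WORKLEN,A=(1)
         LR    R15,R2                  RC from REALPGM
         L     R14,12(,R13)
         LM    R0,R12,20(R13)
         BR    R14
*
* Constants (read-only, so the CSECT stays reentrant).
*
ALLOWED  DC    CL4'SYSE'               the only permitted SMF id
WTOMODEL WTO   'WRAPPER: PROGRAM NOT PERMITTED ON SMF ID ....',MF=L
WTOLEN   EQU   *-WTOMODEL
*
* Work area obtained per invocation.
*
WORKAREA DSECT
SAVEAREA DS    18F                     standard save area
THISSID  DS    CL4                     SMF id of this LPAR
WTOAREA  DS    CL(WTOLEN)              execute-form WTO list
WORKLEN  EQU   *-WORKAREA
*
         CVT   DSECT=YES               maps CVTSMCA, defines CVTPTR
         IEESMCA                       maps SMCASID
*
R0       EQU   0
R1       EQU   1
R2       EQU   2
R3       EQU   3
R4       EQU   4
R12      EQU   12
R13      EQU   13
R14      EQU   14
R15      EQU   15
         END   WRAPPER
```

Two points a practitioner would check before relying on this. First, the wrapper is only a control if REALPGM cannot be executed directly in the other LPAR, for example because it lives under a name users do not know and in a library they cannot point STEPLIB at; the check lives in the wrapper, not in Top Secret, so anyone who bypasses the wrapper bypasses the check. Second, as with Josef's linklist suggestion, a refused run ends in an abend and a WTO rather than a Top Secret violation record, so it will not appear in the security log unless the wrapper is extended with a TSSAI or RACROUTE call as described in option (3) above.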