Using Search to Perform Resource Checks

You can use the CA LDAP Server search operation to perform authorization checks against the CA Top Secret database. RESCHECK performs the authorization check and returns success (return code 0) or insufficient access (return code 50). If you are not authorized to use the LOG and/or STATUS parameters, you receive inappropriate authentication (return code 48).
To use the LOG and STATUS parameters, the logged-in user ID must be authorized to the configured class and entity combination. The CA LDAP Server performs one RACROUTE AUTH check for each LOG and STATUS keyword value against the logged-in user ID per connection to the CA LDAP Server. If more than one RESCHECK is performed with the same LOG and STATUS parameters, only one AUTH call is issued for the life of the connection. The AUTH call that is issued is always logged (LOG=ASIS); this cannot be overridden.
The default class is CALDAP and the entity HLQ is LDAP. When the resource check is made, the full entity value is HLQ.RESCHK.LOG.keyword and HLQ.RESCHK.STATUS.keyword with an access level of READ. You can change the default class and entity HLQ that is used with the tssRescheckClass and tssRescheckEntity keywords. For details, see CA Top Secret Configuration Options.
This functionality is specific to the CA LDAP Server and the CATSS backend. This functionality is not supported with the CADB2 backend.
The following defines the RESCHECK and RESSIM search options.

Search DN   Scope   Search Filter
suffix DN   Base    RESCHECK=userid,access_level,class,entity[,log[,status]]
suffix DN   Base    RESSIM=userid,access_level,class,entity,facility
RESCHECK
Where access_level has one of the following values:
  • READ, UPDATE, CONTROL, or ALTER
Where class has one of the following values:
  • The class name, if you are performing a resource rule check
  • DATASET, if you are performing a data set check
  • DB2 rules are not supported at this time.
Where log is optional. If used, log has one of the following values:
  • ASIS, NONE, NOFAIL, or NOSTAT (if not specified, the default is ASIS)
Where status is optional. If used, status has one of the following values:
  • NONE, ERASE, EVERDOM, WRITEONLY, or ACCESS (the default is NONE)
    You can specify this parameter only when you also specify the log parameter.
For example, to see whether a user has read access to the SYS1.* data sets, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe17,o=ca,c=us rescheck=userid,read,dataset,sys1
To see whether a user has read access to the SYS1.* data sets without logging occurring if the user is not authorized, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe42,o=ca,c=us rescheck=userid,read,dataset,sys1,none
RESSIM
Where access_level has one of the following values:
  • READ, UPDATE, CONTROL, or ALTER
Where class has one of the following values:
  • The class name, if you are performing a resource rule check
  • DATASET, if you are performing a data set check
  • DB2 rules are not supported at this time.
Where facility is any valid CA Top Secret-defined facility (for example, TSO). RESSIM has no log or status parameter; the fifth value is always the facility.
For example, to see whether a user has read access to the SYS1.* data sets when running under the TSO facility, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe17,o=ca,c=us ressim=userid,read,dataset,sys1,tso
To simulate the same check under the BATCH facility, issue the following command:
ldapsearch -x -D cn=userid -w password -H ldap://127.0.0.1:389 -s base -b host=xe42,o=ca,c=us ressim=userid,read,dataset,sys1,batch
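The following POSIX shell script is an added example, not code from the CA LDAP Server documentation. It wraps ldapsearch so that the RESCHECK and RESSIM searches described above can be scripted, for example to audit a list of user ID and resource pairs in one pass. It builds the search filter from positional arguments, issues the base-scope search, and maps the ldapsearch exit status to the outcomes documented on this page (0 authorized, 50 insufficient access, 48 not authorized to use LOG/STATUS), assuming the client exits with the LDAP result code as the OpenLDAP ldapsearch does. The environment variable names (LDAP_URI, BIND_DN, BIND_PW, SUFFIX_DN) and the input list at the bottom are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: script RESCHECK / RESSIM calls against the CA LDAP Server.
# Assumed environment (names chosen for this example, not from the documentation):
#   LDAP_URI   server URL, default ldap://127.0.0.1:389
#   BIND_DN    DN of the logged-in user, e.g. cn=userid
#   BIND_PW    bind password
#   SUFFIX_DN  suffix DN of the CATSS backend, e.g. host=xe17,o=ca,c=us
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1:389}"
SUFFIX_DN="${SUFFIX_DN:-host=xe17,o=ca,c=us}"
BIND_DN="${BIND_DN:-cn=userid}"
BIND_PW="${BIND_PW:-}"

# Build the RESCHECK filter from: userid access_level class entity [log [status]]
# status is appended only when log is present, as the syntax requires.
build_rescheck_filter() {
    filter="rescheck=$1,$2,$3,$4"
    if [ -n "${5:-}" ]; then
        filter="$filter,$5"
        if [ -n "${6:-}" ]; then
            filter="$filter,$6"
        fi
    fi
    printf '%s\n' "$filter"
}

# Build the RESSIM filter; the fifth value is always the facility.
build_ressim_filter() {
    printf 'ressim=%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Translate the ldapsearch exit status into the outcome the page documents:
# 0 = authorized, 50 = insufficient access, 48 = the bind user is not
# authorized to use the LOG/STATUS parameters (inappropriate authentication).
interpret_rc() {
    case "$1" in
        0)  printf 'PERMIT\n' ;;
        50) printf 'DENY\n' ;;
        48) printf 'INAPPROPRIATE_AUTH\n' ;;
        *)  printf 'ERROR(%s)\n' "$1" ;;
    esac
}

# Issue one base-scope search with the given filter. Prints the outcome and
# the filter; returns 0 only when the checked user is authorized.
run_check() {
    filter="$1"
    if ldapsearch -x -D "$BIND_DN" -w "$BIND_PW" -H "$LDAP_URI" \
            -s base -b "$SUFFIX_DN" "$filter" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    printf '%-18s %s\n' "$(interpret_rc "$rc")" "$filter"
    [ "$rc" -eq 0 ]
}

# Audit: one RESCHECK per input line "userid access_level class entity".
# log=NONE stops the audit from writing violation records; the bind user
# must hold READ to LDAP.RESCHK.LOG.NONE in class CALDAP (defaults) or the
# server answers with return code 48.
audit_rescheck() {
    while read -r uid lvl cls ent; do
        [ -n "$uid" ] || continue
        run_check "$(build_rescheck_filter "$uid" "$lvl" "$cls" "$ent" NONE)" || true
    done
}

if [ "${1:-}" = "--run" ]; then
    # Constructed sample input; replace with real user IDs and resources.
    audit_rescheck <<'EOF'
userid READ DATASET sys1
userid UPDATE DATASET sys1
userid READ CALDAP LDAP.RESCHK.LOG.NONE
EOF
    run_check "$(build_ressim_filter userid READ DATASET sys1 TSO)" || true
fi
```

Run it as `sh rescheck.sh --run` after exporting BIND_DN, BIND_PW and SUFFIX_DN. Two practical points: passing the password with -w exposes it in the process listing, so on a shared system prefer ldapsearch's -y passfile option with a file readable only by the auditing user; and because every ldapsearch invocation is a new connection, the per-connection caching of the LOG/STATUS AUTH check described above does not apply, so each line of the audit costs one extra RACROUTE AUTH call for the LOG value.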