Issuing Commands to Communicate Administrative Requirements
Security administrators use CA Top Secret command functions to communicate their administrative requirements to CA Top Secret. A command function lets you define ACIDs, assign attributes, and determine resource ownership and resource access.
CA Top Secret command functions are independent of the system facility. The security administrator uses command functions in the same manner, regardless of whether the facility is TSO, CICS, BATCH, CA Roscoe, IMS, or CA IDMS.
CA Top Secret command syntax has the following format:
- TSS: CA Top Secret commands always begin with TSS.
- function: Specifies the function CA Top Secret performs. The rules for the function are:
  - The function must immediately follow the TSS.
  - There can be one function only per TSS command.
  - One or more spaces must be entered between TSS and the function.
- acid|ACIDS|ALL|APPCLU|AUDIT|DLF|FDT|MLS|STC|NDT|RDT|SDT: Specifies the ACID or record being affected by the function.
- keyword: Specifies the resource type or security attribute being processed by the function. The rules for the keywords are:
  - Keywords can be entered in any order.
  - Keywords must be entered in full. Some keywords will not work if shortened.
  - Keywords can be entered from line to line without special action.
  - The last keyword on a continuing line must be followed by a blank and a dash. The next keyword can be entered on the next input line.
- operand: Specifies the prefix, resource name, required value, or name for a security attribute. The rules for operands are:
  - Operands must be provided.
  - () is required to indicate no value.
  - If an operand is missing, any following keyword is ignored.
- comments: Enter comments at any point in a command after the first keyword. The rules for comments are as follows:
  - Comments must begin with /*.
  - Comments should end with */, but this requirement may not apply to all cases. If a comment is not terminated with */ and the command line ends without a dash, the command and comment are considered complete.
  - If you use a left parenthesis, (, in the comment, the parenthesis must be preceded by a non-blank character.
  - Comments may appear anywhere after the first keyword and may be followed by additional keywords provided the closing */ exists.
  - Comments are maintained on the command when logged to the recovery file. This tool may be useful for documenting the reason the administration was performed.
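The syntax rules above, applied as a pre-submission check (an added example, not CA Top Secret's parser or code from the product documentation): it joins continued lines, strips comments, and reports a keyword entered without an operand together with the keywords that would be ignored after it. The sample commands are constructed from keywords shown on this page; the function names and finding messages are assumptions.

```python
import re

KEYWORD = re.compile(r"^[^\s()]+\(.*\)$")    # NAME(operand); NAME() means "no value"

def join_continuations(lines):
    """A line ending in blank + dash continues on the next input line."""
    text = "\n".join(line.rstrip() for line in lines)
    return [c.strip() for c in re.sub(r" -\n", " ", text).split("\n") if c.strip()]

def split_tokens(text):
    """Split on blanks that are outside parentheses and quotes."""
    tokens, buf, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            depth += (ch == "(") - (ch == ")")
        if ch.isspace() and depth <= 0 and not quoted:
            if buf:
                tokens.append(buf)
            buf, depth = "", 0
        else:
            buf += ch
    return tokens + ([buf] if buf else [])

def lint(command):
    """Return rule violations for one joined command (empty list: none found)."""
    findings = []
    if any(re.search(r"\s\(", c) for c in re.findall(r"/\*(.*?)(?:\*/|$)", command)):
        findings.append("comment: left parenthesis preceded by a blank")
    body = re.sub(r"/\*.*?(?:\*/|$)", " ", command)  # unterminated comment runs to the end
    tokens = split_tokens(body)
    if len(tokens) < 2 or tokens[0] != "TSS":
        return findings + ["command must be TSS followed by one function"]
    keywords = tokens[2:]                            # tokens[1] is function(acid)
    for i, tok in enumerate(keywords):
        if not KEYWORD.match(tok) or tok.count("(") != tok.count(")"):
            ignored = [k.split("(")[0] for k in keywords[i + 1:]]
            findings.append(f"{tok}: operand missing; keywords ignored after it: {ignored}")
            break
    return findings

SAMPLE = [  # constructed input, built from keywords shown on this page
    "TSS CREATE(USER01) TYPE(USER) NAME('H.PARKER') /* new hire */ -",
    "SOURCE DEPARTMENT(DEPTB01)",
    "TSS PERMIT(SYSPROG) CPCMD(CHANGE) VMUSER(TDG(G))",
]
REPORT = {cmd: lint(cmd) for cmd in join_continuations(SAMPLE)}
```

In the constructed sample, SOURCE is entered without an operand, so the check reports that DEPARTMENT would be ignored; the PERMIT command passes with no findings.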
Enter Commands Freeform
You can enter command functions freeform onto the command screen of an online terminal.
Example: Entering a Command Freeform
This example creates the user USER01 with all of their required properties:
TSS CREATE(USER01) TYPE(USER) NAME('H.PARKER') PASSWORD(1234,30,EXPIRE) SOURCE(GRAF0076) PROFILE(BUDGET,TAXES,CRIME) DSNAME(SYS.01) DEPARTMENT(DEPTB01)
Enter Commands on Administration Panels
TSS command functions can be entered and changed using the CA Top Secret full-screen administration panels, if the TSO installation uses IBM's System Productivity Facility (SPF or ISPF), or if the administrator is running under CMS. These panels provide the administrator with a fill-in-the-blank application for the TSS command.
To access the CA Top Secret selection panel
- Access the ISPF/PDF Primary Option Menu.
- Enter the option identifier corresponding to CA Top Secret security into the OPTION field of the ISPF Menu.
  The system displays the CA Top Secret Selection Panel:

    P000001          Security Administration Main Menu
    CA TOP SECRET ===>

    Concerning Me...                  Resource Administration
     1 Who am I?                      21 Assign/remove resource ownership
     2 Lock my terminal               22 Permit/revoke resource access
     3 Unlock my terminal             23 Display resource access/ownership
                                      24 Certificate Management processing
    ACID Administration
    11 Create ACID                    CA TOP SECRET System Administration
    12 Change ACID attributes         32 Modify security tables
    13 Assign administrative authority
    14 Display ACID information, REFRESH ACID
    15 Acid Compare/Modeling

    Options for TSS Administration Session
    ( _ ) List after successful command
    ( _ ) Clear after successful command
    ( _ ) Display TSS command text

    PF1= Help  2= Defaults  3= End  4= Return  5=  6=
    PF7= Up  8= Down  9=  10=  11=  12=
Online Processing of Commands
When an ACID enters a CA Top Secret command function, CA Top Secret:
- Parses the entry for the correct syntax
- Determines if the ACID contains the proper administrative authority and scope to enter the command function
- Executes the command
CA Top Secret processes only command functions (with the exceptions of HELP and WHOAMI) issued by ACIDs who have administrative authority. This administrative authority is limited to the scope of the administrator.
Generic prefixing, designated with a (G), allows the administrator to identify multiple VMUSER IDs. This is used with:
- The PERMIT command
- The ACID types User, Profile, DCA, VCA, ZCA, LSCA, SCA, MSCA, and ALL
Example: generic prefixing
This example permits a systems programmer to use the spooling command CHANGE for files belonging to any user ID prefixed with TDG:
TSS PERMIT(SYSPROG) CPCMD(CHANGE) VMUSER(TDG(G))
Enter Commands on a z/OS Console
In emergency situations or other circumstances, operators can issue TSS commands on a z/OS console (for example, in a situation without access to TSO).
Commands that are entered through this method are audit events. The product records the events to provide an audit trail.
Follow these steps:
- Enter the following command at the O/S console:
  F TSS,TSS
  An operator console prompt requests the MSCA’s previous password.
- Enter the MSCA's previous password:
  Rxx,password
  xx: Specifies the message reply number that appeared in the preceding operator console prompt.
  For example, you would specify R 08,password in response to a prompt that contained this information:
  08 TSS9273A ENTER TSS COMMAND PASSWORD
  A second prompt allows entry of any CA Top Secret command:
- Enter the TSS command function (including the initial TSS keyword) at the O/S console:
  An example command entry is Rxx,TSS ADDTO(USERO1) DSNAME(ABC.DEF)
  The product produces command output as needed. To protect secure data from being posted on the system, log command output is routed only to the console. To avoid flooding the console, command output is limited to 50 lines.
- When all commands are complete, enter the following command to end the session (to avoid security exposure):
  Rxx,END