ACCTNUM RDT Definition In CA Top Secret

Document ID : KB000129587
Last Modified Date : 15/03/2019
Question:
In RACF, there is a TSO-related resource class called ACCTNUM that is used to secure TSO account codes, but this resource class is not defined in the Resource Descriptor Table (RDT) in CA Top Secret. Is a user-defined resource class required in the RDT?
Answer:
The security calls for the ACCTNUM class are internally converted (by CA Top Secret) to use the TSOACCT resource class. TSOACCT is a predefined resource class in CA Top Secret, so no user-defined resource class is required.

All one- to 40-character account numbers must be owned, and each must be permitted to the users who wish to use that specific number. TSO issues a security request on the account number specified at logon; if this check fails, TSO prompts the user for a new account number. Logon does not complete unless the user is authorized to an account number. Both ownership and permission are required. The TSS ADD and PERMIT commands can be used to assign ownership and authorization, respectively, to TSOACCT resources.

TSS ADDTO(dept) TSOACCT(nnnnnn)

TSS PERMIT(acid) TSOACCT(nnnnnn)

where:
- 'dept' is the department to own the resource.
- 'nnnnnn' is the account number. TSOACCT allows up to 8 characters in the TSS ADD command and up to 44 characters in the TSS PERMIT command.
- 'acid' is the user's ACID, an attached profile, or the ALL record if all users should be allowed access.

Additional Information:
Additional information regarding the TSOACCT resource class can be found here:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/resources/tsoacct-resource-classsecure-tso-logon-account-codes

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/implementing-in-cics-and-other-interfaces/implementing-security-for-tso/uads-replacement/tso-related-resources