CA Top Secret for z/OS question regarding DEFPROT in FAIL mode If a resources is not assigned to an owner, does this mean that access to that resource will not be restricted or logged? How can I determine who is using what RDT classes?

Document ID : KB000045615
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:
 
If a resources is not assigned to an owner, does this mean that access to that resource will not be restricted or logged?
How can I determine who is using what RDT classes?

 

Answer:

Most of the time for resources to be protected by CA Top Secret, the resource name(s) or prefixes of the resource name(s) should be owned (TSS ADD(dept) resclass(resname)) for the resources within that class. Then permit the resource(s) to the acids that should be allowed access. If the resource name is not owned, CA Top Secret passes back a return code of 04 on the security call and it is then up to the calling application to allow or deny the access. (Usually the calling application allows access, but this is not always the case.)

If all resource names within a resource class are to be protected, set the DEFPROT attribute on the resource class in the RDT. 

WARNING: Be very careful before setting DEFPROT on a resource class. DEFPROT will cause all resource names within that class to be protected, regardless of whether they are owned or not. This could cause acids that worked fine before to become suspended because of excessive violations. 

Datasets are automatically protected by default in FAIL mode. 

To see all resource names owned within a resource class, issue:

TSS WHOOWNS resclass(*) 

where 'resclass' is the resource class

To see who is permitted to a resource name within a class, issue:

TSS WHOHAS resclass(resname) 

where 'resclass' is the resource class 

'resname' is the resource name or a prefix of the resource name

Additional Information:

https://docops.ca.com/ca-top-secret/16-0/en/product-information