CASECAUT - RESOURCE LIST.

Document ID : KB000011417
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Details on the CASECAUT Class.

Question:

Is there a complete list of all the Resources that can be controlled with the CASECAUT Class?

Answer:

Here is a complete list of the current CASECAUT Resource Classes that are currently available.  Additional Resource Names may be added to CASECAUT in the future.

NOTE: CASECAUT will not allow an SCA to create and give current MISC authorities to another SCA.  It also will not allow the creation of an LSCA.

Commands
Scope of these are to allow Users with no administrative authorities to change certain password related fields for other Users within their Scope, provided they have the proper access to "TSSCMD.USER.cmd.fieldname" in the CASECAUT Resource Class.  The following table indicates the authorization required to change password related fields:

Field name     CASECAUT entity name
----------     --------------------
PASSWORD  TSSCMD.USER.cmd.PASSWORD
PHRASE        TSSCMD.USER.cmd.PHRASE
KERBVIO      TSSCMD.USER.cmd.KERBVIO
SUSPEND      TSSCMD.USER.cmd.SUSPEND
ASUSPEND    TSSCMD.USER.cmd.ASUSPEND
PSUSPEND    TSSCMD.USER.cmd.PSUSPEND
VSUSPEND    TSSCMD.USER.cmd.VSUSPEND
XSUSPEND    TSSCMD.USER.cmd.XSUSPEND
NOPWCHG     TSSCMD.USER.cmd.NOPWCHG
NOPW           TSSCMD.USER.cmd.NOPW

The third qualifier, 'cmd', may be specified as ADDTO/REPLACE/REMOVE, as long as it is supported in conjunction with the relevant field.  For all commands listed in the above table, the required access level is UPDATE.

Certificates
Similarly, Users with no administrative authorities will be allowed to issue certain Digital Certificate KEYRING and Token commands against other Users in their Scope, provided they have proper access to entity "TSSCMD.CERTUSER.function" in the CASECAUT Resource Class.

The following table indicates the authorization required to issue DIGICERT and KEYRING related commands:

Command     CASECAUT entity name
-------       --------------------
CHKCERT   TSSCMD.CERTUSER.CHKCERT
EXPORT     TSSCMD.CERTUSER.EXPORT
GENCERT   TSSCMD.CERTUSER.GENCERT
GENREQ     TSSCMD.CERTUSER.GENREQ
REKEY        TSSCMD.CERTUSER.REKEY
ADD           TSSCMD.CERTUSER.ADDTO
ROLLOVER  TSSCMD.CERTUSER.ROLLOVER
REMOVE      TSSCMD.CERTUSER.REMOVE
P11TOKEN   TSSCMD.DIGTCERT.P11TOKEN.tokencmd

Utilities
For batch utilities like TSSXTEND and TSSFAR, this eliminates the need for an MSCA User to run them, and allows any User, provided access is granted to entity
"TSSUTILITY.utilityname"  in the CASECAUT Resource Class.  For normal use the required access level is "USE", however for the ZAP function the required access level is "UPDATE".

For batch utilities like TSSCHART, TSSAUDIT and TSSCFILE, which normally can only run by a User with ACID(REPORT) and/or ACID(AUDIT) authorities, any User will be allowed to run them provided there is proper access to entity "TSSUTILITY.utilityname"  in the CASECAUT Resource Class.

CASECAUT(TSSUTILITY.TSSXTEND
                    TSSFAR
                    TSSAUDIT
                    TSSCHART
                    TSSUTIL
                    TSSSIM
                    TSSCFILE
                    TSSTRACK

Console
In a z/OS environment, the TSS MODIFY STATUS command can be issued by any administrator type ACID or any User with USE access to "TSSCMD.ADMIN.MODIFY"
in the CASECAUT Resource Class.

USE access is granted through the following command:
TSS PERMIT(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(USE)
Note: USE is the default access level.

To alter control options, administrators and Users must have one of the following authority levels:
(All other commands are considered alter commands and require PRIVILEG access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.)
* CONSOLE attribute authority
* PRIVILEG access to "TSSCMD.ADMIN.MODIFY" in the CASECAUT Resource Class.

PRIVILEG access is granted through the following command:
TSS PERMIT(acid) CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(PRIVILEG)