Convert RACF APPL Resource Class to CA Top Secret

Document ID : KB000039863
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

We are installing security for a Liberty applicaiton on zOS.  According to the programmer the IBM documentation calls for the use of the APPL class and that it must contain an access level.  Our Top Secret RDT definition for APPL does not specify access levels.  The programmer has requested we contact you as they are concerned this is incorrect.

 

Example from IBM Liberty installation documentation:

 

// Define APPL

RDEFINE APPL BBGZTST UACC(NONE)

 

// Activate the APPL class. 

//If not active, the domain is not restricted, which means anyone can authenticate to it.

SETROPTS CLASSACT(APPL)

 

//All users to be authenticated by the server must have READ access to the APPLID in the APPL class:

PERMIT BBGZTST CLASS(APPL) ACCESS(READ) ID(UserID)

 

Answer:

Here are the commands converted to TSS: 

 

Example from IBM Liberty installation documentation: 

1. RDEFINE APPL BBGZTST UACC(NONE) 

TSS ADD(owningacid) APPL(BBGZTST) 

 

2. SETROPTS CLASSACT(APPL) 

No equivalent in TSS and not needed. TSS dynamically refreshes the resource class table when changes are made to any resource class.

 

3. PERMIT BBGZTST CLASS(APPL) ACCESS(READ) ID(UserID) 

TSS PERMIT(UserID) APPL(BBGZTST)