Converting to external security (TSS) for SYSVIEW R15

Document ID : KB000103596
Last Modified Date : 29/06/2018
We are attempting to set up external Simplified Security with CA Top Secret. We have completed the five steps from the documentation, but TSS does not seem to be getting invoked in our testing.
We have added: FDTNAME(GSVUSER) with SEGMENT(BASE) and set Security-Validation USERDEF
Before we added TSS ADD(userid) GSVUSER(groupname) for any USERID, we expected to see a user attempt to enter SYSVIEW blocked with a TSS error message.
In fact, there was no error message, as if TSS was not called at all. We are missing something and could use some help. Thanks, Randy Williams
If you have set 'Security-Validation' to USERDEF in the System Configuration member, then you should be seeing a SAF call made when a user logs on to query the value of field GSVUSER.
The System Configuration gets cached, so you may need to reload it if the SYSVIEW address space has not been cycled since making the change (MVS MODIFY SYSVIEW,RELOAD SCFG).
When 'Security-Validation' is set to USERDEF, if the user doesn't have the GSVUSER field defined, we revert to processing the logon as if 'Security-Validation' was set to USER. So, if the user's ID is not coded in any of the defined User Groups, it will get assigned to DEFAULT.
If you only want users to be able to access SYSVIEW if they have the GSVUSER field defined, the simplest way to do that would be to update the 'Miscellaneous Section' of the DEFAULT group and set 'Interfaces' to NONE.
This will prevent anyone falling through and logging on using the DEFAULT User Group.