PERMIT search alogrithm questions in CA Top Secret

Document ID : KB000106832
Last Modified Date : 16/07/2018
Show Technical Document Details
Introduction:
PERMIT search alogrithm questions in CA Top Secret
Question:
1.
PROFA is before PROFB on a user.
PROFA gives read access to HLQ "CMNPPO".
PROFB gives update access to dataset "CMNPPO.TESTSHR".
Selection ends at PROFA, denying update access to DSN CMNPPO.TESTSHR.TEST, correct?

2.
PROFA has the following permits:
XA DATASET = CMNPPO
ACCESS = READ
XA DATASET = CMNPPO.TESTSHR
ACCESS = UPDATE
If a user tries to edit dataset "CMNPPO.TESTSHR", will they be allowed?
If a user tries to edit dataset "CMNPPO.TESTSHR1", will they be allowed?

3.
If I have the following 5 permissions:
DATASET(PD) ACCESS(READ)
DATASET(PDI) ACCESS(READ)
DATASET(PDP) ACCESS(READ)
DATASET(PDPP) ACCESS(READ)
DATASET(PDR) ACCESS(READ)

The first one (PD) is all that is needed, correct?
The last 4 are redundant/would all fall under the first?
Answer:
.1. 
PROFA is before PROFB on a user. 
PROFA gives read access to HLQ "CMNPPO". 
PROFB gives update access to dataset "CMNPPO.TESTSHR". 
Selection ends at PROFA, denying update access to DSN CMNPPO.TESTSHR.TEST, correct? 
Answer: 
You are correct. 
Once TSS find a match, it stops searching the rest of the PROFILES. So if PROFA is before PROFB, if a PERMIT is found that matches, it will stop in PROFA and not bother searching PROFB even though there is a more specific PERMIT in PROFB. 


2. 
PROFA has the following permits: 
XA DATASET = CMNPPO 
ACCESS = READ 
XA DATASET = CMNPPO.TESTSHR 
ACCESS = UPDATE 
If a user tries to edit dataset "CMNPPO.TESTSHR", will they be allowed? 
If a user tries to edit dataset "CMNPPO.TESTSHR1", will they be allowed? 
Answer: 
Yes, UPDATE access will be give for both. CA Top Secret will choose the more specific PERMIT over a more generic PERMIT from within the same PROFILE. 

3. 
If I have the following 5 permissions: 
DATASET(PD) ACCESS(READ) 
DATASET(PDI) ACCESS(READ) 
DATASET(PDP) ACCESS(READ) 
DATASET(PDPP) ACCESS(READ) 
DATASET(PDR) ACCESS(READ) 

The first one (PD) is all that is needed, correct? 
The last 4 are redundant/would all fall under the first? 

Answer: 
Yes you are correct.