Define a new SAF Profile.

Document ID : KB000021381
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:

What is the procedure to define a new SAF Profile, that controls Access to the SYSLOG?

This Resource is READ Access to Resource 'nodeid.+MASTER+.SYSLOG.SYSTEM.sysid', in the JESSPOOL Class.

 

Resolution:

===============================================================================
TSS ADD(dept) JESSPOOL(nodeid.) TSS PER(acid) JESSPOOL(nodeid.+BYPASS+.SYSLOG.SYSTEM.sysid) ACC(READ)
===============================================================================

The reason the second qualifier is BYPASS and not MASTER is as follows:

The second qualifier in a JESSPOOL Resource is the ACID that owns the SYSOUT data being protected. So, in CA Top Secret, it's normally an ACID Name.

CA Top Secret usually doesn't allow ACEEs to be created for Undefined Users ('+MASTER+' is undefined in RACF, but RACF does allow ACEEs to be created for Undefined Users).

We make a specific exception for ACIDs starting with '+' in a handful of FACILITYs, but we treat these as 'Bypass Users', and use an ACID of *BYPASS* in the ACEE that's created.

When a JESSPOOL Resource Name is constructed, it uses the ACID from the ACEE (actually, from the TOKEN associated with the ACEE, but that ACID is a copy of the one in the ACEE).

So a *BYPASS* ACEE will result in a JESSPOOL Resource owned by*BYPASS*.

You can use *BYPASS* in the PERMIT command, but CA Top Secret will interpret the "*'s" as masking characters. For that reason, it's probably better to use '+BYPASS+' in the PERMIT.

There are still masking characters, but there are fewer Resource Names that will match.