How To Protect ISHELL When User Has Got an OMVS Segment?

Document ID : KB000046213
Last Modified Date : 14/02/2018

Introduction:

 

-We have users that use USS via TWS connections, but we don't want them to enter ISHELL.
 
How can we prevent this with CA Top Secret?
 

 

Instructions: 

 

 

-There is no obvious way to protect "ishell", because the OS makes no security call for users who are allowed to use OMVS and are defined as UNIX users.
 
Nevertheless an alternative exists:
 
You can use the PDS member level protection in the following way:
 
TSS MODI PDSPROT(ON) 
TSS MODI PDSPROT(ADD,DSN(your.CLIST),CLASS(PDSMEM2)) 
 
TSS ADD(owner#) PDSMEM(BPXWIRAC) 
 
"your.CLIST" must contain TSSWIRAC, renamed to BPXWIRAC.
PDSMEM2 is used intentionally, to distinguish it from PDSMEM1 in case that class is already in use. However, there is no restriction against using the PDSMEM1 class as well.
 
Any user not permitted to read BPXWIRAC won't be able to use "ishell".
 
You can issue:
 
TSS PER(ALL) PDSMEM2(BPXWIRAC) ACCESS(READ) 
TSS PER(acid#) PDSMEM2(BPXWIRAC) ACCESS(NONE) 
 
acid# can be a user-type or profile-type ACID. If it is a profile, you have to add it to every UNIX user who is not allowed to use ishell.
This way, any UNIX user can access ishell; only the specific users, or those connected to the profile permitted with ACCESS(NONE), won't be allowed to use ishell.

 

Additional Information:

 

-For TSS r15.0, refer to the CA Top Secret for z/OS User Guide, Chapter 12: Protecting Resources --> PDS Member Protection.
 
-For TSS r16.0, go to our web site docops.ca.com and select the space CA Top Secret for z/OS - r16.0; click on "Using" in the left pane --> click on "Protecting Resources" --> click on "PDS Member Protection".