IBMFAC rules for BPX.CAHFS.CHANGE.FILE.MODE

Document ID : KB000108123
Last Modified Date : 27/07/2018
Show Technical Document Details
Issue:
Per CA documentation on the IBMFAC resource:
• BPX.CAHFS.CHANGE.FILE.MODE Allows a user to change extended file attributes, such as APF authorization and program control We want to restrict ID's to specific MODE functions and attempted to use the following specific permissions instead:
• BPX.CAHFS.CHANGE.FILE.MODE.STICKY
• BPX.CAHFS.CHANGE.FILE.MODE.EUID
• BPX.CAHFS.CHANGE.FILE.MODE.EGID
However, we get security call for BPX.CAHFS.CHANGE.FILE.MODE which fails but no subsequent call for the more specific permissions.
Resolution:
The security checks are done in IBMFAC class. The first check is for general file mode - BPX.CAHFS.CHANGE.FILE.MODE.  If one has permission to BPX.CAHFS.CHANGE.FILE.MODE then the code fall thru and issues a more specific security check depending on the command that is entered.
The other security checks can be for the following:
BPX.CAHFS.CHANGE.FILE.MODE.STICKY
BPX.CAHFS.CHANGE.FILE.MODE.EUID
BPX.CAHFS.CHANGE.FILE.MODE.EGID
If one has permission to BPX.CAHFS.CHANGE.FILE.MODE then they would most likely have permission to any longer resource that beginning with BPX.CAHFS.CHANGE.FILE.MODE. Such as the three resource above, STICKY, EUID and EGID. Since you have the IBMFAC class maskable at your site, in order to distinguish these permissions one needs to permit the least restrictive permit with quotes.  These will force the TSS Algorithm not to match on BPX.CAHFS.CHANGE.FILE.MODE when checking for the more restrictive permissions.
TSS ADD(DEPT) IBMFAC(BPX.CAHFS)
TSS PERMIT(USERA) IBMFAC(‘BPX.CAHFS.CHANGE.FILE.MODE’) ACC(ALL) - (in quotes)
TSS PERMIT(USERA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.STICKY) ACC(NONE)
If the request came in for ....STICKY The first check issued is for BPX.CAHFS.CHANGE.FILE.MODE which will be successful since the user has 'BPX.CAHFS.CHANGE.FILE.MODE' in quotes.  The next check is for BPX.CAHFS.CHANGE.FILE.MODE.STICKY, since the first permission is in quotes the security algorithm will not match on 'BPX.CAHFS.CHANGE.FILE.MODE' (in quotes) and fall thru to the next permission which is BPX.CAHFS.CHANGE.FILE.MODE.STICKY. Since the access level is none for BPX.CAHFS.CHANGE.FILE.MODE.STICKY the request will fail. Placing quotes around the resource forces TSS to match exactly on the permission, instead of using it as a prefix.