PTKTDATA resource class - unable to permit UPDATE access

Document ID : KB000113125
Last Modified Date : 05/09/2018
Show Technical Document Details
Issue:
When defining PTKTDATA to the TSS RDT last night as per the specification in the TSS manuals I was unable to PERMIT UPDATE access to a resource owned in this class, even though UPDATE was include in the ACLST parameter of the TSS ADD(RDT) command - TSS ADD(RDT) RESCLASS(PTKTDATA) ACLST(ALL,READ,UPDATE=6000) MAXLEN(37)ATTR(MASK) TSS0300I ADD FUNCTION SUCCESSFUL TSS ADDTO(SYS) PTKTDATA(IRRPTAUTH.FEKAPPL.UCDCPJ) TSS0300I ADD FUNCTION SUCCESSFUL TSS PER(UCDA) PTKTDATA(IRRPTAUTH.FEKAPPL.UCDCPJ) ACCESS(UPDATE) TSS0300I PERMIT FUNCTION SUCCESSFUL Even though all of the above commands were shown as "successful".. When listing out the target ID from the TSS PERMIT command, access to PTKTDATA(IRRPTAUTH.FEKAPPL.UCDCPJ) was showing as READ, not UPDATE. XA PTKTDATA= IRRPTAUTH.FEKAPPL.UCDCPJ OWNER(SYS ) ACCESS = READ Here is the listing of the class in the RDT - RESOURCE CLASS = PTKTDATA RESOURCE CODE = X'017' ATTRIBUTE = MASKABLE,MAXOWN(26),MAXPERMIT(037),ACCESS ACCESS = ALL(FFFF),READ(4000),UPDATE(6000) DEFACC = NONE Which also shows UPDATE is a valid access level.. Please could you explain why UPDATE was not accepted by TSS? 
Environment:
z/OS
Cause:
The acces list was not in the right order.
Resolution:
"Access levels within the ACLST should be unique and in descending hexadecimal order so that permits with multiple access levels display the highest possible access level. For example, if the list specifies READ,UPDATE=6000; the UPDATE implies READ and a permit is issued for UPDATE access. The TSS LIST command will show that the permit includes READ access and will display READ instead of UPDATE. The access level is displayed correctly if the ACLST is specified as UPDATE=6000,READ."

See le link below for some more details about the CA Top secret access list used in the CA Top secret RDT definition:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/aclst-keywordcontrol-the-resource-access-level