Read Only Access To the Security File?

Document ID : KB000018169
Last Modified Date : 14/02/2018

Description:

Can access to the security file be restricted to read-only when it is accessed through CA LDAP?

Solution:

Changes to ACIDs on the CA Top Secret security file do not require a permit for UPDATE access to the security file dataset, nor does accessing an ACID's information require a permit for READ access to the security file dataset. The TSS administrative authorities determine if the administrator is allowed to change an ACID or list information on the security file.

The LDAP commands issued to CA LDAP are translated to TSS commands and passed to CA Top Secret to retrieve or update information from the security file. The ability to read or update the security file from CA LDAP therefore depends on the administrator's TSS administrative authorities. If the administrator's admin authorities do not allow them to update an ACID on the security file in CA Top Secret, then that administrator will not be able to update an ACID on the security file through CA LDAP. The same is true for listing information on the security file.

So, if the user is only allowed to read and not update the security file in TSS, they will also only be allowed to read and not update when going through CA LDAP.

Whatever administrative authorities the administrator has in CA Top Secret will be EXACTLY the same authorities they will have if they go through CA LDAP. If they can do it via a TSS command, they can do it through CA LDAP. If they can't do it through a TSS command, they won't be able to do it through CA LDAP either. Some examples of the CA Top Secret administrative authorities are:

TSS ADMIN(acid) MISC8(PWMAINT) allows a user to reset passwords and remove suspensions.

TSS ADMIN(acid) RESOURCE(REPORT) allows the administrator to obtain reports for all resources using TSSUTIL, TSSAUDIT, TSSCPR, and TSSCHART.

TSS ADMIN(acid) RESOURCE(INFO) allows the administrator to use TSS WHOOWNS and TSS WHOHAS for any resource.

TSS ADMIN(acid) ACID(MAINTAIN) allows the administrator to make changes to an ACID. Do not give this privilege to read-only administrators.

The CA Top Secret admin authorities are documented in the CA Top Secret Command Functions Guide and the CA Top Secret User Guide.