CA Top Secret Read Only attributes for an Administrator account

Document ID : KB000124186
Last Modified Date : 14/01/2019
Question:
What are the appropriate CA Top Secret administrative authorities for an SCA or LSCA to only be able to list ACIDs and run reports, but not change ACIDs (via TSS ADD, PERMIT, etc.)?
Answer:
The following CA Top Secret administrative authorities allow listing information or running a report. If a feature of the product is not being used (for example, Multilevel Security), the corresponding admin authority does not have to be granted.

ACID(INFO,REPORT) 
  • INFO is for the TSS WHOHAS command 
  • REPORT is for the reporting utilities. 

DATA(ALL,PROFILE,PASSWORD,SESSKEY,MFA) 
  • ALL is for listing all information pertaining to an ACID except for password, profile, session key, and MFA. 
  • PROFILE is for listing the profile(s) attached to the ACID. 
  • PASSWORD is for listing the password information (expiration date and interval but not the actual password). 
  • SESSKEY is for listing the session key used to verify that one LU is authorized to link to another LU for the purposes of APPC conversation processing. 
  • MFA is for listing the Advanced Authentication Mainframe data (for example, defined factors, factor authentication details, and data elements) for an ACID. 

MISC1(TSSSIM) to use the TSS simulator. 

MISC4(CERTLIST,CERTCHEK) 
  • CERTLIST is for listing digital certificate information. 
  • CERTCHEK is for displaying information about digital certificates. 

MISC5(DCLLIST,MLSADMIN,SGVLIST) 
  • DCLLIST is for listing the Data Classification (DATACLAS) record. 
  • MLSADMIN is for maintaining and listing the Multilevel Security (MLS) record. NOTE: This allows changing the MLS record in addition to listing it. 
  • SGVLIST is for listing the SIGVER record. 

MISC8(LISTRDT,LISTSTC,LISTAPLU,LISTSDT) 
  • LISTRDT is for listing the RDT and FDT records but not changing them. 
  • LISTSTC is for listing the STC record, but not changing it. 
  • LISTAPLU is for listing the APPCLU record, but not changing it. 
  • LISTSDT is for listing the SDT record, but not changing it. 

MISC9(GENERIC) is for using the WHOOWNS function to obtain a list of all resources owned within the administrator's scope. RESOURCE(INFO) authority allows an ACID to obtain data only on specific resources. 

RESOURCE(INFO,REPORT) 
  • INFO is for using TSS WHOOWNS and WHOHAS for any resource. 
  • REPORT is for running reports for all resources by employing the utilities TSSUTIL, TSSAUDIT, TSSCPR, and TSSCHART.

To give an administrative authority to an SCA or LSCA ACID, sign on as the MSCA and issue:
TSS ADMIN(acid) xxxx(authority)

For example:
TSS ADMIN(SCA1) ACID(INFO,REPORT)
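
An added example (not part of the original article or the vendor's tooling): a Python check that reads a batch of TSS ADMIN commands before the MSCA issues them and reports any authority outside the listing and reporting set above, plus MLSADMIN, which the article notes also allows changes. The function name, the SCA2 ACID and the ACID(CREATE) grant in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Listing/reporting authorities named in this article, keyed by authority class.
READ_ONLY = {
    "ACID": {"INFO", "REPORT"},
    "DATA": {"ALL", "PROFILE", "PASSWORD", "SESSKEY", "MFA"},
    "MISC1": {"TSSSIM"},
    "MISC4": {"CERTLIST", "CERTCHEK"},
    "MISC5": {"DCLLIST", "MLSADMIN", "SGVLIST"},
    "MISC8": {"LISTRDT", "LISTSTC", "LISTAPLU", "LISTSDT"},
    "MISC9": {"GENERIC"},
    "RESOURCE": {"INFO", "REPORT"},
}
# In the article's list, but noted there as also allowing changes to the MLS record.
ALSO_CHANGES = {("MISC5", "MLSADMIN")}

ADMIN_RE = re.compile(r"^\s*TSS\s+ADMIN\(([^)]+)\)\s+(.*)$", re.IGNORECASE)
GRANT_RE = re.compile(r"(\w+)\(([^)]*)\)")

def review(script):
    """Return {acid: {"outside": [...], "also_changes": [...]}} for ACIDs with findings."""
    findings = defaultdict(lambda: {"outside": [], "also_changes": []})
    for line in script.splitlines():
        m = ADMIN_RE.match(line)
        if not m:
            continue  # not a TSS ADMIN command; out of scope for this check
        acid = m.group(1).upper()
        for cls, auths in GRANT_RE.findall(m.group(2)):
            cls = cls.upper()
            for auth in (a.strip().upper() for a in auths.split(",") if a.strip()):
                grant = f"{cls}({auth})"
                if auth not in READ_ONLY.get(cls, set()):
                    findings[acid]["outside"].append(grant)  # not in the article's list
                elif (cls, auth) in ALSO_CHANGES:
                    findings[acid]["also_changes"].append(grant)
    return dict(findings)

# Constructed sample: SCA1/SCA2 are example ACIDs; ACID(CREATE) is not in the list above.
SAMPLE = """\
TSS ADMIN(SCA1) ACID(INFO,REPORT)
TSS ADMIN(SCA1) MISC5(DCLLIST,MLSADMIN)
TSS ADMIN(SCA2) ACID(INFO,CREATE)
"""

if __name__ == "__main__":
    for acid, result in review(SAMPLE).items():
        print(acid, result)
```

An empty result means every grant in the script is one of the authorities listed in this article and none is MLSADMIN.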