What is the correct RDT-definition for resclass TSOAUTH ?

Document ID : KB000012611
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

 

Here it is an excerpt of IBM RACF documentation about TSOAUTH class:

 

You can use RACF® to protect certain TSO resources. These resources include TSO logon procedures, account numbers, and performance groups.

In addition, you can protect resources called TSO user authorities, whose settings determine whether a user can issue certain authorized TSO commands. Examples of TSO user authorities include ACCT, JCL, MOUNT, OPER, RECOVER, PARMLIB, TESTAUTH, and CONSOLE. For detailed information about the TSO resources you can protect with RACF, see z/OS TSO/E Customization.

If you are defining TSO segments in user profiles, you must protect these TSO resources, using the following general resource classes:
  • TSOPROC (for protecting TSO logon procedures)
  • ACCTNUM (for protecting TSO account numbers)
  • PERFGRP (for protecting TSO performance groups)
  • TSOAUTH (for protecting TSO user authorities)
The following access authorities apply to these resources:
NONE
No access allowed.
READ
For TSOPROC, ACCTNUM, and PERFGRP, allows users to specify the logon procedure, account number, or performance group when logging on.

For TSOAUTH, gives the user the authority to issue the associated authorized TSO command.

For PARMLIB, allows the user to issue the PARMLIB LIST command.

For TESTAUTH, allows the user to invoke a program in authorized state.

UPDATE
For PARMLIB, allows the user to issue the PARMLIB UPDATE command. For the other profiles, UPDATE is the same as READ.
CONTROL
Same as READ.
ALTER
Allows users to change the profile, if the profile is discrete.
*** End Of Excerpt ***
Question:

 

What is the correct RDT-definition for resclass TSOAUTH ? 

Environment:
z/OS
Answer:

 

With CA Top Secret the Resource Descriptor Table (RDT) shows it like:

 

ACCESSORID = *RDT*     NAME       = RESOURCE DEFINITIONS                                                               

RESOURCE CLASS = TSOAUTH                                    

RESOURCE CODE = X'088'   POSIT =    124                        

ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(008),PRIVPGM

TSS0300I  LIST     FUNCTION SUCCESSFUL                      

 

There is no access list and it has always been supplied as it is.

There is no granularity as such with CA Top Secret. In fact, the only difference is with UPDATE For PARMLIB, it allows the user to issue the PARMLIB UPDATE command. For the other profiles, UPDATE is the same as READ. With CA Top Secret you can LIST and UPDATE the PARMLIB.

For pre-defined resource class, only attributes can be changed.

Additional Information:

 

You can access to the link below to have more details about TSOAUTH class with CA Top Secret.

 

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/resources/tsoauth-resource-classsecure-tso-user-attributes