Step 3. TopSecret Security Definition Samples

Step 3.1 Control-O Security Definitions

Step 3.2 Function Security Definitions

Step 3.3 Control Program Access to Datasets

Step 3.4 Define CTO to TopSecret Facility Matrix

Select these steps to edit members CTOSTSS2, CTOSTSS3, CTOSTSS4, and CTOSTSS5.

Perform the following steps to define the required permissions.

  1. Define Control‑O to the TopSecret Facility Matrix

    The Control‑O monitor must be defined in the TopSecret Facility Matrix. The CTOSTSS2 member in the IOA INSTWORK library contains the necessary command to dynamically define Control‑O in the TopSecret Facility Matrix.

    1. Change USER4 in the Facility definition command to a free entry in the Facility Matrix, as follows:

      TSS MODIFY FAC(USER4=NAME=CTO)

      This command defines Control‑O in the Facility Matrix until the next IPL.

    2. To permanently define the facility, update the TopSecret parameter member. This member is usually called TSSPARM0.
    3. Copy the Control‑O facility definition from member CTOSTSS5 in the IOA INSTWORK library to member TSSPARM0.
    4. Update the Facility Matrix entry name with the same name that is specified in the TSS MODIFY command above.
  2. Define the Control‑O ACID to TopSecret by changing the value of parameter DEPT from sec-administrator-dept to the appropriate ACID, as follows:

    TSS CRE(CONTROLO) NAME (...) DEPT(sec-administrator-dept)

  3. Define Control‑O started tasks to TopSecret by changing the ACID definition in the following command to the appropriate ACID:

    TSS ADD(STC) PROC(CONTROLO) ACID(CONTROLO)

  4. Allow the Control‑O ACID access to Control‑O datasets.

    Authorizations to access Control‑O datasets are defined during the Control‑O installation process. This step must be completed before proceeding with security implementation. For information about how to grant users access to Control‑O datasets, see the Control‑O chapter of the INCONTROL for z/OS Installation Guide: Installing.

  5. Connect the appropriate profile to the Control‑O ACID with the following command:

    TSS ADD(CTO) PROF (profile-name)

  6. Define entities and user authorizations in TopSecret

    For information about entities and user authorizations, see Control-O Basic Definition Security Calls and Control-O Extended Definition Security Calls.

    1. Modify the following command to assign ownership of the resources in TopSecret to the appropriate owner:

      TSS ADD(sec-administrator-dept) IBMFAC($$CTO)

    For samples of user authorizations, review member CTOSTSS3 in the IOA INSTWORK library.

    All entity names for each Control‑O protected element appear in Control-O Basic Definition Security Calls for Basic Definition mode and in Control-O Extended Definition Security Calls for Extended Definition mode.

  7. Associate users with Extended Definition Modes
    1. Customize the following TopSecret command to establish Extended Definition mode for the Control‑O installer.

      TSS PERMIT(USERA) IBMFAC($$CTOEDM.qname) ACC(READ)

    2. Change USERA to the user ID of the Control‑O installer.

    Do not define the $$CTOEDM entity to operate in warning mode because this causes all users to operate in Extended Definition mode.

  8. Authorize the Control‑O installer to use Control‑O facilities.
    1. Customize the following command to authorize USERA to access Control‑O:

      TSS ADD(USERA) IBMFAC($$CTO)

    2. Modify USERA to the user ID of the Control‑O installer.
    3. Customize the following command to authorize the Control‑O installer to use Control‑O facilities:

      TSS PERMIT(USERA) IBMFAC($$CTO) ACC(READ)

  9. Submit the job.

    This job must be run under the ACID of the general security administrator (SCA) who has authorization to enter these TopSecret commands.

    All job steps must end with a condition code of 0.
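
A pre-submission check for the customized commands, given here as an added example (not part of the product documentation or the CTOSTSS members). It flags sample placeholders from this page that were left unchanged, a Facility Matrix entry that differs between the TSS MODIFY command and TSSPARM0, and a started-task ACID that is not the ACID created in the same job. The function name `lint`, the sample values, and the assumption that TSSPARM0 carries the facility definition in the same `FAC(USERn=NAME=...)` form are hypothetical.

```python
import re

# Placeholders used in the sample commands on this page; each must be
# replaced with a site value before the job is submitted.
PLACEHOLDER_RE = re.compile(
    r"\bUSERA\b|\bsec-administrator-dept\b|\bprofile-name\b|\bqname\b|\(\.\.\.\)")
FAC_RE = re.compile(r"FAC\((USER\d+)=NAME=(\w+)\)")
CRE_RE = re.compile(r"TSS\s+CRE\((\w+)\)")
STC_RE = re.compile(r"TSS\s+ADD\(STC\)\s+PROC\((\w+)\)\s+ACID\((\w+)\)")


def lint(commands, tssparm):
    """Return findings for customized TSS commands and TSSPARM0 lines."""
    findings = []
    for n, line in enumerate(commands, 1):
        for m in PLACEHOLDER_RE.finditer(line):
            findings.append(f"line {n}: placeholder {m.group()} not replaced")
    # Step 1: the entry in TSSPARM0 must match the TSS MODIFY command,
    # otherwise the facility definition is lost at the next IPL.
    permanent = {m.groups() for l in tssparm for m in FAC_RE.finditer(l)}
    for l in commands:
        for entry, name in FAC_RE.findall(l):
            if (entry, name) not in permanent:
                findings.append(f"{entry}=NAME={name} missing from TSSPARM0")
    # Steps 2 and 3: the started-task ACID should be the ACID created
    # (assumption of this check: both are defined in the same job).
    created = {a for l in commands for a in CRE_RE.findall(l)}
    for l in commands:
        for proc, acid in STC_RE.findall(l):
            if acid not in created:
                findings.append(f"STC {proc} uses ACID {acid}, not created here")
    return findings


# Constructed sample input (not the contents of the CTOSTSS members).
SAMPLE_COMMANDS = [
    "TSS MODIFY FAC(USER7=NAME=CTO)",
    "TSS CRE(CONTROLO) NAME('CONTROL-O') DEPT(SECDEPT)",
    "TSS ADD(STC) PROC(CONTROLO) ACID(CTOSTC)",
    "TSS ADD(SECDEPT) IBMFAC($$CTO)",
    "TSS PERMIT(USERA) IBMFAC($$CTOEDM.qname) ACC(READ)",
]
SAMPLE_TSSPARM0 = ["FAC(USER4=NAME=CTO)"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_COMMANDS, SAMPLE_TSSPARM0):
        print(finding)
```

An empty result means only that these three checks passed; the job steps must still end with a condition code of 0.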
