Step 3. TopSecret Security Definition Samples

Step 3.1 Control-M Security Definitions

Select this step to edit the CTMSTSS2 member in the IOA INSTWORK library.

Perform the following steps to define the required permissions:

  1. Define Control‑M in the TopSecret Facility Matrix.
    1. Modify USER2 in the Facility definition command to a free entry in the Facility Matrix, as follows:

      TSS MODIFY FAC(USER2=NAME=CTM)

      This command defines Control‑M in the Facility Matrix until the next IPL.

    2. Update the TopSecret parameter member (usually called TSSPARM0) to permanently define Control‑M.
  2. Define Control‑M ACID in TopSecret.

    Change the DEPT parameter value from sec-administrator-dept to the appropriate ACID:

    TSS CRE(CONTROLM) NAME (...) DEPT(sec-administrator-dept)

  3. Define Control‑M started tasks in TopSecret.

    Change the ACID definition in the following commands to the appropriate ACID:

    TSS ADD(STC) PROC(CONTROLM) ACID(CONTROLM)
    TSS ADD(STC) PROC(CONTDAY) ACID(CONTROLM)

  4. Allow Control‑M ACID to access Control‑M datasets.

    Optionally, you can define authorizations to access Control‑M datasets during Control‑M installation. Complete this step before proceeding with security implementation. For information about how to grant users access to Control‑M datasets, see the IOA Installation chapter in the INCONTROL for z/OS Installation Guide: Installing.

    Connect the appropriate profile to the Control‑M ACID in the following command:

    TSS ADD(CONTROLM) PROF (profile-name)

    Note: Allow READ access authorization to any Control‑M JCL libraries used to submit jobs.

  5. Authorize Control‑M ACID to submit jobs for other users, with the following command:

    TSS ADD(CONTROLM) NOSUBCHK

  6. Define Control‑M entities and user authorizations to TopSecret.

    For information about how to define Control‑M entities and user authorizations to TopSecret, see Control-M Basic Definition Security Calls and Control-M Extended Definition Security Calls.

    Modify the following command to assign ownership of the resources in TopSecret to the appropriate owner:

    TSS ADD(sec-administrator-dept) IBMFAC($$CTM)

    Note: For samples of user authorizations, see member CTMSTSS3 in the IOA INSTWORK library.

Entity names for Control‑M protected elements appear in Control-M Basic Definition Security Calls for Basic Definition mode and in Control-M Extended Definition Security Calls for Extended Definition mode.

  1. Associate users with Extended Definition modes.
    1. Modify the following TopSecret command to establish Extended Definition mode for the Control‑M installer:

      TSS PERMIT (USERA) IBMFAC($$CTMEDM.qname) ACC(READ)

    2. Change USERA to the UID of Control‑M installer.

      A user with access to this entity is set to work in Extended Definition mode. A user without access is set to work in Basic Definition mode.

    If the definition mode for a Control‑M security module was defined as COND and the user does not have access to this entity, the user is set to work in Basic Definition mode. Otherwise, the user is set to work in Extended Definition mode.

  2. Authorize the Control‑M installer to use Control‑M facilities.
    1. Customize the following command to authorize USERA access to Control‑M:

      TSS ADD(USERA) IBMFAC($$CTM)

    2. Change USERA to the user ID of the Control‑M installer.
    3. Customize the following command to authorize the Control‑M installer to use Control‑M facilities:

      TSS PERMIT(USERA) IBMFAC($$CTM) ACC(READ)

  3. Submit the job.

    Run this job under the ACID of the general security administrator (SCA) who has authorization to enter TopSecret commands.
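
A pre-submission check for the customized CTMSTSS2 commands, given here as an added example that is not part of the BMC sample member. It flags the sample placeholders this step tells you to replace and lists NOSUBCHK for reviewer sign-off; the review list, the function name lint_member and the values USER7 and OPSINST in the constructed sample are assumptions.

```python
import re

# Sample values that Step 3.1 tells you to replace before submitting the job.
PLACEHOLDERS = {
    "sec-administrator-dept": "department / owner ACID",
    "profile-name": "dataset access profile",
    "USERA": "Control-M installer user ID",
    "qname": "IOA environment qualifier",
    "USER2": "confirm this Facility Matrix entry is free",
    "(...)": "NAME text for the Control-M ACID",
}
# Attributes listed for a second reviewer (assumed site policy, not from the page).
# NOSUBCHK lets the Control-M ACID submit jobs for other users.
REVIEW = ("NOSUBCHK",)
EDGE = "A-Za-z0-9$#@-"  # characters that may continue an operand value


def lint_member(text):
    """Return (line_no, kind, detail) findings for the TSS command lines in text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith("TSS "):
            continue  # JCL, comments and blank lines are not checked
        for token, meaning in PLACEHOLDERS.items():
            # Match the token only as a whole value, not inside a longer name.
            pattern = "(?<![" + EDGE + "])" + re.escape(token) + "(?![" + EDGE + "])"
            if re.search(pattern, line):
                findings.append((no, "placeholder", token + " (" + meaning + ")"))
        for attr in REVIEW:
            if re.search(r"\b" + attr + r"\b", line.upper()):
                findings.append((no, "review", attr))
    return findings


# Constructed sample: a partially customized member, not real site data.
SAMPLE = """\
TSS MODIFY FAC(USER7=NAME=CTM)
TSS CRE(CONTROLM) NAME('CONTROL-M STC') DEPT(sec-administrator-dept)
TSS ADD(STC) PROC(CONTROLM) ACID(CONTROLM)
TSS ADD(CONTROLM) NOSUBCHK
TSS PERMIT(OPSINST) IBMFAC($$CTMEDM.qname) ACC(READ)
TSS PERMIT(USERA) IBMFAC($$CTM) ACC(READ)
"""

if __name__ == "__main__":
    for no, kind, detail in lint_member(SAMPLE):
        print("line", no, kind, detail)
```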

Step 3.2 Function Security Definitions (Optional)

The IOASRAC3 job in the IOA INSTWORK library is optional. It contains some definition samples for various entities. Customize this job according to your requirements and submit the job.

Define entities and user authorizations.

For information about defining IOA entities and user authorizations, see Control-M Basic Definition Security Calls and Control-M Extended Definition Security Calls.

To control access to the IOA Online facility, specify the following command:

RDEFINE FACILITY $$IOAONLINE.qname

where qname is used to assign different authorizations to different IOA environments (such as Test and Production). This parameter is specified during IOA installation.

To define and authorize all conditions beginning with SYS, use the following commands:

RDEFINE FACILITY $$IOARES.qname.SYS*
PERMIT $$IOARES.qname.SYS* CLASS(FACILITY) ID(USERA) ACCESS(READ)

To authorize USERA access to a given IOA entity, use the following command:

PERMIT $$IOAnnn.qname CLASS(FACILITY) ID(USERA) ACCESS(READ)

All entity names for each IOA protected element appear in Control-M Basic Definition Security Calls for Basic Definition mode and in Control-M Extended Definition Security Calls for Extended Definition mode.

Step 3.3 Control Program Access to Datasets (Optional)

BMC recommends that, before selecting this step, the security administrator first read Limiting Access to Specific Programs and the IBM Resource Access Control Facility Security Administrator's Guide.

Select this step to edit the CTMSTSS4 member in the IOA INSTWORK library. This member contains a sample of the definitions required to define Program Pathing access authorizations to Control‑M datasets. Review the definitions and modify them to meet your site's requirements.

Step 3.4 Define CTM to TopSecret Facility Matrix (Optional)

Select this step to edit the CTMSTSS5 member in the IOA INSTWORK library.

Perform the following steps to define Control‑M in the TopSecret Facility Matrix:

  1. Modify USER2 in the Facility definition command to a free entry in the Facility Matrix, with the following command:

    TSS MODIFY FAC(USER2=NAME=CTM)

  2. Copy modified member CTMSTSS5 into TSSPARM0.
