Step 3.1 Control-D Security Definitions
Select this step to edit member CTDSTSS2 in the IOA INSTWORK library.
CTDSTSS2 contains the command needed to dynamically define Control‑D in the TopSecret Facility Matrix.
TSS MODIFY FAC(USER3=NAME=CTD)
This command defines Control‑D in the Facility Matrix until the next IPL.
Change the value of parameter DEPT from sec-administrator-dept to the appropriate ACID:
TSS CRE (CTD) NAME (...) DEPT(sec-administrator-dept)
Change the ACID definition in the following commands to the appropriate ACID:
TSS ADD(STC) PROC(CONTROLD) ACID(CTD)
TSS ADD(STC) PROC(CTDPRINT) ACID(CTD)
TSS ADD(STC) PROC(CTDNDAY) ACID(CTD)
Authorizations to access Control‑D datasets are defined during the Control‑D installation process. This step must be completed before proceeding with security implementation. For information about how to grant users access to Control‑D datasets, see the Control‑D chapter in the INCONTROL for z/OS Installation Guide: Installing.
Connect the appropriate profile to the Control‑D ACID in the following command:
TSS ADD (CTD) PROF (profile-name)
For more information about how to define Control‑D entities and user authorizations to TopSecret, see Control-D and Control-V Basic Definition Security Calls, and Control-D and Control-V Extended Definition Security Calls.
Modify the following command to assign ownership of the resources in TopSecret to the appropriate owner:
TSS ADD(sec-administrator-dept) IBMFAC($$CTD)
For samples of user authorizations, review member CTDSTSS3 in the IOA INSTWORK library.
All entity names for each Control‑D protected element appear in Control-D and Control-V Basic Definition Security Calls for Basic Definition mode and Control-D and Control-V Extended Definition Security Calls for Extended Definition mode.
Customize the following TopSecret command to establish Extended Definition mode for the Control‑D installer:
TSS PERMIT (USERA) IBMFAC($$CTDEDM.qname) ACC(NONE)
Modify USERA to the UID of the Control‑D installer.
Do not define the $$CTDEDM entity to operate in warning mode since this causes all users to operate in Extended Definition mode.
Customize the following command to authorize USERA to access Control‑D:
TSS ADD(USERA) IBMFAC($$CTD)
Modify USERA to the user ID of the Control‑D installer.
Customize the following command to authorize the Control‑D installer to use Control‑D facilities:
TSS PERMIT(USERA) IBMFAC($$CTD) ACC(READ)
This job must be run under the ACID of the general security administrator (SCA) who has authorization to enter these TopSecret commands.
All job steps must end with a condition code of 0.
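A pre-submission check for the customized commands in this step, as an added example that is not part of the BMC documentation or of member CTDSTSS2: it flags the placeholders shown above that were left unchanged and, on the assumption that the started tasks should run under the ACID created by TSS CRE, any ADD(STC) line that names a different ACID. The function name and the sample site values (CTDPROD, SECDEPT) are constructed for illustration.

```python
import re

# Placeholder tokens taken from the sample commands on this page.
WORD_TOKENS = ("sec-administrator-dept", "profile-name", "USERA", "qname")
PATTERNS = [(t, re.compile(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])"))
            for t in WORD_TOKENS]
PATTERNS.append(("(...)", re.compile(re.escape("(...)"))))

CRE_RE = re.compile(r"TSS\s+CRE\s*\(\s*([^)\s]+)", re.I)
STC_RE = re.compile(r"TSS\s+ADD\s*\(\s*STC\s*\).*?\bACID\s*\(\s*([^)\s]+)\s*\)", re.I)

def lint_tss_commands(text):
    """Return (line_no, message) findings for a block of TSS commands."""
    findings = []
    created = None  # ACID named on the TSS CRE command, once seen
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith("TSS "):
            continue  # ignore JCL, comments and blank lines
        for token, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((no, f"placeholder {token} not customized"))
        m = CRE_RE.match(line)
        if m:
            created = m.group(1).upper()
        m = STC_RE.match(line)
        # Assumption: every started task uses the ACID created above.
        if m and created and m.group(1).upper() != created:
            findings.append((no, f"STC ACID {m.group(1)} differs from created ACID {created}"))
    return findings

# Constructed sample: a partly customized copy of the commands in this step.
SAMPLE = """\
TSS CRE (CTDPROD) NAME (...) DEPT(SECDEPT)
TSS ADD(STC) PROC(CONTROLD) ACID(CTDPROD)
TSS ADD(STC) PROC(CTDPRINT) ACID(CTD)
TSS ADD(STC) PROC(CTDNDAY) ACID(CTDPROD)
TSS ADD (CTDPROD) PROF (profile-name)
TSS PERMIT(USERA) IBMFAC($$CTD) ACC(READ)
"""

if __name__ == "__main__":
    for line_no, message in lint_tss_commands(SAMPLE):
        print(f"line {line_no}: {message}")
```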
Step 3.2 Function Security Definitions
Select this step to edit the CTDSTSS3 member in the IOA INSTWORK library. This job contains various definitions for Control‑D. Review the definitions and modify according to your site's requirements.
Step 3.3 Control Program Access to Datasets
Select this step to edit the CTDSTSS4 member in the IOA INSTWORK library. This member contains a sample of the definitions required to define Program Pathing access authorizations to Control‑D datasets.
Review the definitions and modify according to your site’s requirements.
WARNING: BMC recommends that the security administrator first read Limiting Access to Specific Programs and the TopSecret Implementation Guide before submitting this job.
Step 3.4 Define CTD to TopSecret Facility Matrix (Optional)
Select this step to edit the CTDSTSS5 member in the IOA INSTWORK library. Perform the following steps to define Control-D in the TopSecret Facility Matrix:
TSS MODIFY FAC(USER3=NAME=CTD)