Top Secret

  • 1.  TSS ALL PROFILE

    Posted Mar 01, 2022 05:16 PM
Hello, I can't seem to find much doc on the TSS ALL profile. I surmise it is similar to RACF's GLOBAL table, where entries affect all users, near the top of the access list checks? I see many inappropriate entries in ALL, therefore I wanted a better understanding of its purpose...thanks again, bobby

    TSS list(all)
    ACCESSORID = *ALL* NAME = GLOBAL-RESOURCES


  • 2.  RE: TSS ALL PROFILE

    Broadcom Employee
    Posted Mar 02, 2022 08:09 AM
    Edited by Robert Boerum Mar 02, 2022 09:47 AM
    Hi Bobby,

    The ALL record makes a resource available to all users. All the standard access restrictions can be specified for globally accessible resources.

    How the ALL record is used depends on your AUTH control option setting in Top Secret. (You can issue TSS MODIFY to see the current Top Secret control option settings, including AUTH.) The options for AUTH are:

    1) AUTH(OVERRIDE,ALLOVER)   (This is the most common setting. It is also the default.)
    With this setting, Top Secret searches the user record first.
    - If any matches are found, these are used to allow or deny access and the search stops (i.e. the profiles and ALL record are not searched).
    - If no matches are found, each profile is searched in sequence. If any matches are found, these are used to allow or deny access and the search stops (i.e. the next profiles and ALL record are not searched).
    - If no matches are found in any of the profiles, the ALL record is searched.

    2) AUTH(MERGE,ALLOVER)
    With this setting, Top Secret merges user and profile records and searches this merged record for the requested authorization.
    - If any matches are found, these are used to allow or deny access and the search stops (i.e. the ALL record is not searched).
    - If no matches are found, the ALL record is searched.

    3) AUTH(MERGE,ALLMERGE)
    With this setting, Top Secret merges user, profile, and the ALL records and searches this merged record for the requested authorization.

    More information can be found here:
    Creating Globally Accessible Resources

    AUTH-Merge Records for Search

    Best regards,
    Bob
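
    The three AUTH search orders described in the reply above, as an added example that is not Broadcom's code or part of the original thread. It models a user ACID, one profile and the ALL record as lists of prefix permits and shows which record ends up deciding a request under each setting; the record contents, resource names, and the "longest matching prefix wins" best-fit rule are constructed assumptions for illustration only. It also includes a small review helper that lists ALL-record permits at a given level or above, the kind of check an auditor would run when an inherited ALL record looks overly generous.

```python
# Added example (not Broadcom code or the thread's own material): a small model of
# the Top Secret AUTH search order. Record contents, resource names and the
# "longest prefix wins" best-fit rule are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ordering of access levels for the comparison "granted >= requested".
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALL": 4}


@dataclass(frozen=True)
class Permit:
    prefix: str   # resource-name prefix the permit covers, e.g. "PAYROLL."
    access: str   # highest access granted: NONE, READ, UPDATE, CONTROL, ALL


@dataclass
class Record:
    name: str              # ACID or profile name, or "*ALL*" for the ALL record
    permits: List[Permit]


def matching_permits(records: List[Record], resource: str):
    """Permits from the given records whose prefix matches the resource name."""
    return [(r.name, p) for r in records for p in r.permits
            if resource.startswith(p.prefix)]


def best_fit(found):
    """Assumed simplification of TSS best-fit: the most specific (longest) prefix wins."""
    return max(found, key=lambda rp: len(rp[1].prefix))


def check_access(auth: Tuple[str, str], user: Record, profiles: List[Record],
                 all_record: Record, resource: str, requested: str
                 ) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name_of_record_that_decided) for one access request.

    auth is a (search, all_handling) pair matching the three settings in the
    reply: ("OVERRIDE","ALLOVER"), ("MERGE","ALLOVER") or ("MERGE","ALLMERGE").
    """
    search, all_handling = auth
    if search == "OVERRIDE":
        # User first, then each profile in sequence; stop at the first record with matches.
        steps = [[user]] + [[p] for p in profiles]
    elif search == "MERGE":
        # User and profiles are merged and searched as one record.
        steps = [[user] + profiles]
    else:
        raise ValueError(f"unknown AUTH search option {search}")
    if all_handling == "ALLOVER":
        steps.append([all_record])        # ALL consulted only if nothing else matched
    elif all_handling == "ALLMERGE" and search == "MERGE":
        steps[0].append(all_record)       # ALL folded into the single merged search
    else:
        raise ValueError(f"unsupported AUTH combination {auth}")
    for records in steps:
        found = matching_permits(records, resource)
        if found:
            name, permit = best_fit(found)
            return LEVELS[permit.access] >= LEVELS[requested], name
    return False, None   # no matching permit anywhere: treated as denied here


def review_all_record(all_record: Record, floor: str = "UPDATE") -> List[Permit]:
    """Defender check: ALL-record permits granting `floor` or higher to every user."""
    return [p for p in all_record.permits if LEVELS[p.access] >= LEVELS[floor]]


# Constructed sample records (illustrative assumptions, not real data).
BOBBY = Record("BOBBY", [Permit("PAYROLL.", "READ"), Permit("SYS1.", "NONE")])
PAYPROF = Record("PAYPROF", [Permit("PAYROLL.MASTER", "UPDATE")])
ALL = Record("*ALL*", [Permit("PAYROLL.", "READ"), Permit("SYS1.PARMLIB", "UPDATE")])

if __name__ == "__main__":
    for auth in (("OVERRIDE", "ALLOVER"), ("MERGE", "ALLOVER"), ("MERGE", "ALLMERGE")):
        for res, req in (("PAYROLL.MASTER", "UPDATE"), ("SYS1.PARMLIB", "UPDATE")):
            ok, who = check_access(auth, BOBBY, [PAYPROF], ALL, res, req)
            print(f"AUTH{auth}: {req} {res:15} -> {'ALLOW' if ok else 'DENY':5} (decided by {who})")
    print("ALL-record permits at UPDATE or above:", review_all_record(ALL))
```

    With these sample records, the same UPDATE request on SYS1.PARMLIB is denied by the user's own NONE permit under both ALLOVER settings, but allowed by the ALL record under AUTH(MERGE,ALLMERGE), because the more specific ALL-record prefix wins the best-fit comparison in the merged search. That is why an ALL record with broad entries deserves review on any system where ALLMERGE is in effect.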


  • 3.  RE: TSS ALL PROFILE

    Broadcom Employee
    Posted Mar 02, 2022 09:17 AM
    Hi Bobby.

    The ALL record is used in conjunction with the AUTH setting in Top Secret. Depending on the AUTH setting you have selected during Top Secret startup, the access in the ALL record might be used to determine if a user has access to a resource. I think the section of the documentation that will help you is found here:

    AUTH-Merge Records for Search

    One thing to keep in mind is that, regardless of the value you use for your AUTH setting, if a user has no other permissions or profiles on their ACID, then the ALL record access will be all the access they have by default.

    Feel free to contact me at Kevin.Segreti@broadcom.com if you have any further questions that you would not like to make public.

    Kind Regards,

    Kevin


  • 4.  RE: TSS ALL PROFILE
    Best Answer

    Broadcom Employee
    Posted Mar 02, 2022 10:39 AM
    Bobby,

    In comparison with RACF, the TSS ALL record is equivalent to "ID(*)" within RACF profiles, that is, granting access to all users. The ALL record is not like RACF's Global Access Table. How it works is dependent upon the TSS AUTH control setting.

    Here is the link on the AUTH control option: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/specifying-control-options-to-modify-your-security-environment/auth-merge-records-for-search.html

    Broadcom STIG (Security Technical Implementation Guide) for the AUTH control setting: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/using-stig-articles/stig-id-btss0031-set-the-auth-control-option.html

    Here is a link to how the TSS "algorithm" works: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/resource-access-security-validation-algorithm/how-the-algorithm-works.html

    Here is a link to how the TSS algorithm determines the best fit: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/administrating/resource-access-security-validation-algorithm/how-the-algorithm-determines-best-fit.html

    Yes, it is possible to inherit systems where the ALL record may have many inappropriate entries.

    If you would like to discuss more on this, please feel free to reach out to me at: steven.hosie@broadcom.com

    Thank you

    ------------------------------
    --
    V/R,
    Steve

    Steve Hosie, CISM, CISSP-ISSAP, CRISC, CISA, CGEIT, CDPSE, ITIL v4 NSA-IAM, CSM
    Cybersecurity Executive Advisor | Cybersecurity Evangelist | Mainframe Software Division
    office: 303.517.8645 | mobile: 303.517.8645 | Steven.Hosie@Broadcom.com | broadcom.com | Broadcom Software Group
    https://www.linkedin.com/in/stevehosie/

    Cybersecurity touches everything!
    ------------------------------