Mainframe Cybersecurity & Compliance

  • 1.  Mapping MVS classes to TSS resource types

    Posted Jan 04, 2014 08:55 PM

    I've been looking around in the manuals for this one, and I haven't hit the right combination of search terms yet.  When MVS sends a query about access to a resource, how does TSS map that query to its own internal class list?  A lot of classes are the same, of course, but FACILITY in MVS is IBMFAC in TSS, and I've just noticed a bunch of DB2-related classes that aren't what DSNXRXAC uses, either.

    In ACF2 it's the CLASMAP.  How does it work in TSS?  I'm sure it's documented, and I won't mind a bit if you point me to a manual and chapter instead of explaining it yourself (in fact it'd do me good), but I haven't found it yet and seem to need a hint.


    #TopSecret


  • 2.  RE: Mapping MVS classes to TSS resource types
    Best Answer

    Broadcom Employee
    Posted Jan 06, 2014 10:56 AM

     

    Bob,

    The resource class names are translated automatically internal to CA Top Secret.  Thus, if you issue a call for any resource class supported by IBM then you will see the same results.  For administrative purposes the only class name that should be different would be IBMFAC (IBM’s FACILITY) or DB2 (IBM’s DSNR).  The DB2 resource classes you talked about are related to the CA Top Secret Option for DB2, NOT the DSNX@XAC exit as supplied by IBM.  If you were to choose to implement that exit then you would need to define whatever class names you decide upon into the CA Top Secret RDT.  The RDT is a dynamic table where the TSS resource class names are defined.  Most standard class names are pre-defined but you may also add your own resource classes to support in-house applications or OEM products.

    You can read about the RDT in the CA Top Secret User Guide under the Heading “RDT RECORD” in Chapter 14: Maintaining Special Security Records.  There is also an additional section in the same guide regarding resource checking.  I would recommend becoming familiar with each of these sections.

    If you have any further questions please let me know.

     

    Regards,

    Frank


    #TopSecret


  • 3.  RE: Mapping MVS classes to TSS resource types

    Posted Jan 06, 2014 03:06 PM

    Thanks, Frank.

    I have indeed been looking at the RDT quite a lot, in the past month or two.  My question was born of a different ignorance:  I've worked extensively with RACF/DB2, but only a little with ACF2/DB2 and not at all with TSS/DB2.  I didn't realize that the DB2 exit I installed for RACF/DB2 was only for RACF; I was perfectly willing to assume (note the critical word, there) that it was to be used for each product.  So when I saw the DB2-related classes in the RDT, I thought there must be some extra translation going on somewhere, to get from, say, GDSNDB/MDSNDB to DB2DBASE.

    Another question down, twenty thousand to go.  Thanks again.


    #TopSecret


  • 4.  RE: Mapping MVS classes to TSS resource types

    Broadcom Employee
    Posted Jan 06, 2014 03:51 PM

    Bob,

    Just to be clear.  The DB2 exit is not RACF specific.  You are free to use that exit if you would like, though there are advantages to using TSS/DB2 or ACF2/DB2.  The IBM exit is supplied as source and so is maintained by the site.  If you choose to use that exit then you need to perform the steps documented by IBM as well as define the resource class names in our RDT.

     

    Regards,

    Frank


    #TopSecret


  • 5.  RE: Mapping MVS classes to TSS resource types

    Posted Jan 06, 2014 05:02 PM

    And they are steps that I am already familiar with, which is an advantage.  On the other hand, if I keep on doing what I'm used to, I'll never learn the other ways, will I?  But it probably won't be up to me anyway; when the question comes up again, it's the client who'll decide.


    #TopSecret