Top Secret

Expand all | Collapse all

? Possibility to Enforce commenting for TSS Commands ?

Jump to Best Answer
  • 1.  ? Possibility to Enforce commenting for TSS Commands ?

    Posted 12-18-2014 11:20 AM

    Hello Top Secret Community,

     

    Is there a possibility to enforce a comment for the TSS-Command?

     

    Background: about comment from Command functions guide:

    Comments are maintained on the command when logged to the Recovery File. This tool may be useful for documenting the reason the administration was performed.

     

    I'd like to exploit the comment-opportunity to "tie" my executed admin commands to the originating workflow- or incident-id - for auditing reasons. And I would like to enforce the specification of a comment in a command, so that I cannot forget it,

     

    Is there an option in TSS to achieve this out-of-the-box? Would this be a valuable enhancement idea for others?

     

    Many thanks in advance....

    Josef



  • 2.  Re: ? Possibility to Enforce commenting for TSS Commands ?

    Posted 12-18-2014 04:06 PM

    HI Jose,

     

    I understand what you are looking for.  In 2014 working in a SOX world, every command really needs a comment to know why it was issued.

     

    I am not sure if this helps, but there is an add-on product for Top Secret called TSS Admin Express.  When using this product to issue commands, it has the ability to prompt you that you have not issued a comment for the command.  The downside is that you can bypass admin express and issue the command nativley, but the functionality is there.

     

    I recommend this product a lot.

     

    TSSadmin Express - What's in your Mainframe?

     

    Kevin



  • 3.  Re: ? Possibility to Enforce commenting for TSS Commands ?
    Best Answer

    Posted 12-18-2014 03:30 PM

    I would suggest that an operand be provided on a command where a change identifier can be entered.

     

    This change identifier should be applicable to any command where that updates the security file or that updates the configuration (TSS MODIFY).

     

    This change identifier should not be applicable to a TSS LIST, TSS WHOHAS, or TSS WHOOWNS command.

     

    An exit point should be provided in the TSS installation exit where the change identifier can be validated.

     

    The change identifier should be recorded in the TSS recovery file and in the CA Compliance Manager z/OS logstream.

     

    John P. Baker



  • 4.  Re: ? Possibility to Enforce commenting for TSS Commands ?

    Posted 12-22-2014 10:05 AM

    John, Kevin,

    many thanks to both of you for your idea's and feedback ...

    Josef