Hi Bob,
Knowledge document KB000027201 explains how to implementing SPI and secondary resource checking in CA-Top Secret. Below is a snippet from the document for SPI resource checking.
**
To implement SPI resource checking:
1. For CEMT commands, define OTRAN(CEMT) and permit ACCESS(EXECUTE) to the users that should be allowed to use CEMT. NOTE: Most users will not need access to CEMT.
a. Own OTRAN(CEMT) via TSS ADD(dept) OTRAN(CEMT). To see if this is already owned, issue TSS WHOOWNS OTRAN(CEMT).
b. Permit access to OTRAN(CEMT) via TSS PERMIT(acid) OTRAN(CEMT) ACCESS(EXECUTE).
2. Turn on SPI resource checking:
a. If FACMATRX=YES is set on the CICS facility in CA-Top Secret, set XCMD=YES on the facility. No recycle of CICS should be required to pick up this change.
b. If FACMATRX=NO is set on the CICS facility in CA-Top Secret, set XCMD=YES in the CICS System Initialization Table (SIT). A recycle of the CICS region is required to pick up this change.
3. Own and permit the SPI resources to be protected. (KB000027201 has a list of SPI resources that can be protected.)
a. TSS ADD(dept) SPI(xxxxxxxx)
b. TSS PERMIT(acid) SPI(xxxxxxx) ACCESS(yyyyyyyyy)
**
So for example, if you want CEMT SET TRANSACT(xxxx) protected, follow steps 1 and 2 above and step 3 would look like this:
a. TSS ADD(dept) SPI(TRANSACT)
b. TSS PERMIT(acid) SPI(TRANSACT) ACCESS(INQUIRE) for the acids that should be allowed to INQUIRE on transactions.
TSS PERMIT(acid) SPI(TRANSACT) ACCESS(ALL) to the CICS administrator.
On a side note, the SPI resource class is distributed as non maskable, so when owning and permitting SPI(**) ACC(ALL), the '**' is a literal and not a mask. You can issue TSS LIST(RDT) RESCLASS(SPI) to see if the resource is maskable or not. Even if the SPI resource class is maskable, doing a TSS ADD(dept) SPI(**) does not protect every SPI resource. It only allows you to permit SPI(**), which will allow access to all SPI resources. You will still have to own each SPI resource you want protected.
Best regards,
Bob Boerum