  • 1.  mask Top SECRET

    Posted Mar 10, 2021 04:05 AM
    Hello, we have a question about using masks to give permissions to some users.

    We want users to be able to read files belonging to other users, but not to be able to modify them.

    The problem we have is that we have two user naming conventions: production -> TSOEXT* and development -> TSODSRx.

    We have created a new profile and have made two attempts to give permissions:

    1st
    TSS REV(PRUEPERF) DSN(DSR.++++.TRA.%.) ACC(UPD,CREATE,SCRATCH)
    TSS REV(PRUEPERF) DSN(DSR.++++.EXP.%.) ACC(UPD,CREATE,SCRATCH)
    TSS REV(PRUEPERF) DSN(DSR.++++.MAE.%.) ACC(UPD,CREATE,SCRATCH)
    TSS REV(PRUEPERF) DSN(DSR.++++.TRA.TSO++++.) ACC(READ)
    TSS REV(PRUEPERF) DSN(DSR.++++.MAE.TSO++++.) ACC(READ)
    TSS REV(PRUEPERF) DSN(DSR.++++.EXP.TSO++++.) ACC(READ)

    With this option, a user cannot modify the files he generated himself, so it is not valid for us.


    2nd
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.EXP.TSODSR+.) ACCESS(READ)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.EXP.TSOEXT+.) ACCESS(READ)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.MAE.%.*) -
    ACCESS(UPDATE,CREATE,SCRATCH)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.MAE.TSODSR+.) ACCESS(READ)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.MAE.TSOEXT+.) ACCESS(READ)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.TRA.%.*) -
    ACCESS(UPDATE,CREATE,SCRATCH)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.TRA.TSODSR+.) ACCESS(READ)
    TSS PERMIT(PRUEPERF) DSNAME(DSR.++++.TRA.TSOEXT+.) ACCESS(READ)

    With this option, the groups now cannot read the files of their own group. In other words, user TSODSR1 cannot read the files created by user TSODSR2.



    Is there a way to build masks that make this work, without having to define each resource for each user?


  • 2.  RE: mask Top SECRET

    Posted Mar 10, 2021 09:28 AM
    Hi Daniel,

    Try these permissions (in place of the ones you currently have that contain "%"):

    TSS PER(PRUEPERF) DSN(DSR.++++.TRA.%.*********) ACC(UPD,CREATE,SCRATCH)
    TSS PER(PRUEPERF) DSN(DSR.++++.EXP.%.*********) ACC(UPD,CREATE,SCRATCH)
    TSS PER(PRUEPERF) DSN(DSR.++++.MAE.%.*********) ACC(UPD,CREATE,SCRATCH)

    Extending the length of the permission with the additional trailing "*" characters causes it to be a more specific match, from a permission length perspective. This should provide the additional access levels to datasets which match the user ACID at the "%" placeholder, while still allowing the other permissions to provide the desired ACC(READ) access to datasets containing other similarly-named users. This is a bit ugly ... but it should work. (And be prepared to have to explain this as you encounter future review and certification of user access to anyone who isn't TSS-savvy LOL)

    Also I am curious why you wouldn't be using ACCESS(ALL) vs. the more complex ACCESS(UPDATE,CREATE,SCRATCH) ... are you intentionally trying to restrict other available access levels or is this simply a practice you follow at your site?

    ------------------------------
    Joe Denison
    joe@tssadmin.com
    ------------------------------



  • 3.  RE: mask Top SECRET

    Posted Mar 10, 2021 10:18 AM
    Hello Joe,

    Thanks for the support.
    Well, access is not given that way ... at the facility where we work, full access is not usually given.

    The problem we have is that we manage all the systems and all the products. As they say in Spain ... "Master Nit, who knows about everything and understands nothing".

    best regards


  • 4.  RE: mask Top SECRET

    Posted Mar 11, 2021 08:20 AM
    Good morning, Denisson.
    Just my two cents, OK?
    Pay attention to the vulnerabilities that the ++++ mask can bring to your mainframes.

    For instance, when you ask your Top Secret colleague to protect 3 datasets (DSR.ZXCV, DSR.ASDF and DSR.QWER) and he comes back with a rule like "TSS PERMIT(JonhSmith) DSN(DSR.++++) ACC(CREATE)"...
    Your colleague is also granting JonhSmith the right to play with the dataset DSR.UIOP.

    Have a good day,
    Paulo