I need detailed explanation for FSACCESS. What records will be written and what records will not be written if we swtich from control option "FSACCESS(ENABLE)" to "FSACCESS(DISABLE) ?
We don't have any FSACCESS resources protected. I need details about,which records are written what type of SAF calls are done and effects on performance.
The following link points to the IBM documentation about FSACCESS class.
From this description and the way it works, it's the way TSS acts.
And from that link to can go to other documentation which I hope sheds some lights on FSACCESS..
Is there any list of PTFs/documentations related with fsaccess and its performance issues, so that we can check in our environment, if we have them?
Here it is a list of PTFs related to FSACCESS or so for TSS r15.0. There is no additional PTF for TSS r16.0
and all necessary prerequisites.
For TSS r15.0 the CA Top secret Control Options Guide contains information about FSACCESS settings.
For TSS r16.0 go to docops.ca.com site.
If you're looking for the Top Secret-specific content surrounding FSACCESS, you'll find some information as follows:
Thank you all for your quick responses and answers.
All I want to know is:
I will set FSACCESS control option to DISABLE. What type of data / checks will we lose after disabling fsaccess checks?
We have SMF logging and SMF231 records are collected.
FSACCESS being disable you will "lose" the security check for the FSACCESS resource class to verify user authority to access the file system objects on z/OS UNIX zFS.
But, disabling that security checks can help to reduce overhead.
And, in any case the access to any unix file is controlled by the UID/GID and security bits.
Salut Jacques, hello Erdem,
just for a proper comprehension of the question and the answers ...
Is it correct, that when reclass FSACCESS is defined with NODEFPROT and there are no ownerships for this reclass, some uss-cpu-cycles (overhead) can be saved by setting control option FSACCESS to disabled, without any loss of security-related functionality/checks?
That's what FSACCESS TSS control option is all about. When FSACCESS is DISABLE cpu-cycles is saved.
DEFPROT/NODEFPROT comes into play when FSACCESS is ENABLE. With DEFPROT set any acid in FAIL mode has to be explicitly permitted to access to FSACCESS resources. This is valid whatever the resource class is.
Except DATASET which are protected by default.