Top Secret

We have many resource types without DEFPROT.

We have a plan to add but want to know if there is a list of specific resource types that shouldn't have DEFPROT.

This question was posted on the CA Security Community.

I have transferred it to the CA Mainframe Security Community and category CA Top Secret, as this is the correct one where it should have been posted initially.

Hi Jenny,

We do not have a list of resource classes that should not have DEFPROT set. It is up to each site what, if any, resources classes they want protected by default.

You must be very careful when setting DEFPROT on a resource class. With DEFPROT set on a resource class, any resource that is not defined in that class will be failed assuming the acid is in FAIL mode. This could lead to acids becoming suspended because VTHRESH was exceeded.

Best regards,

Bob Boerum

Thank you!

Jenny A. Loos

zSeries Security, Info Security Engineer

(850) 542-7103 (w)

(972) 955-1871  (c)

Jenny.Loos@wellsfargo.com

Hi Jenny,

as a supplement to Bob's post:

you can add ressource prefixes to the AUDIT-record, even when the prefixes don't have [yet] an owner. So you can detect references to [yet] unprotected ressources and can plan the necessary admin (establish ownership and permissions) before you finally activate DEFPROT for that resclass.

Best regards,

Josef 

I've been told that the DATASET class is automatically default protected and doesn't need DEFPROT in the resource definition.

Is that true?  I can't find any documentation to indicate it is.

Thanks much!

Jen

Hi Jen,

DATASETs are protected by default in FAIL mode.

Chapter 10 of the CA Top Secret r15 User Guide, section 'Default Resource Protection' states the following:

(In FAIL MODE default protection exists for data sets and volumes only.)

For CA Top Secret r16, the following link is where the same statement can be found.

Default Resource Protection - CA Top Secret® for z/OS - 16.0 - CA Technologies Documentation

Best regards,

Bob Boerum