CA Top Secret

[askCA TRANSCRIPT] CA Mainframe Security: Access Control – May 16, 2018 

05-29-2018 10:14 AM

from Lenn Thompson (CA) to Everyone:

@Everyone: Good morning and thank you for joining our first-ever askCA session for Mainframe Security. We have a team of experts here today. What questions do you have?

from Tom Breuer to Everyone:

We use TSS essentially as a stand-alone product. Our GUIs are TSS WebAdmin and a home grown set of screens. Is CA considering supporting or creating another TSS GUI? Or is there one that I don't know about?

from Tom Breuer to Everyone:

The reason I ask is that when we perform certain actions (e.g. create ACIDs), we'd like to run some custom scripts to add things like TSOACCT, etc. Our current green screen GUI does this for us... of course the current, homegrown green screen GUI is about 40 years old... nuff said! :)

from John Pinkowski to Everyone:

@Tom with the constant updating and changing of web technologies, keeping current has been a difficult task...we are looking at options for interfaces to serve our customer base going forward.     

from John Pinkowski to Everyone:

@tom I would be happy to have a detailed discussion with you as we move forward. 

from John Pinkowski to Everyone:

@tom - Just in case how about you reach out to me at john.pinkowski@ca.com

from Lenn Thompson (CA) to Everyone:

@K Harris: Welcome to the chat. Do you have any questions for our team of MF security experts?

from K Harris to Everyone:

Thanks for the welcome.  I do have a question regarding the CSFKEYS SYMCPACFWRAP(YES) option

from John Pinkowski to Everyone:

@K Harris - Can you be a little more specific?

from K Harris to Everyone:

yes, I am typing my question now

from K Harris to Everyone:

it's a bit lengthy

from Lenn Thompson (CA) to Everyone:

@Hunny: Welcome to our chat. Do you have any questions for the team?

from K Harris to Everyone:

I have also noticed when attempting to investigate these access issues that TSS does not seem to recognize SYMCPACFWRAP when using TSSSIM. 

from K Harris to Everyone:

we are currently on TSS 16 AUTH(MERGE,ALLMERGE)

from K Harris to Everyone:

We are seeing access issues when granting CSFKEYS with option SYMCPACFWRAP(YES)

from K Harris to Everyone:

For some users, when granting the access, it works fine. But for others, I have to re-order profiles in order to resolve the issue

from Joseph Porto to Everyone:

Please open a ticket with support so we can pursue further..we will need additional information.

from K Harris to Everyone:

this is a bit confusing since we are using AUTH(MERGE,ALLMERGE)

from K Harris to Everyone:

okay...I apologize if this was not the correct platform for addressing this...thanks

from Joseph Porto to Everyone:

Will need to look at listings....and look at SECTRACE...

from Hunny Sachdeva to Everyone:

@Lenn, thank you. I do not have anything specific, but I may have in future as I will be working on MF security projects. I just joined to see if I can learn something from other users' questions/responses.

from Lenn Thompson (CA) to Everyone:

@Hunny: Well thanks for joining us. You did miss a couple questions that may not be showing up in your chat, but you'll be able to see them when I post the transcript in the community later today/tomorrow.

from Joseph Porto to Everyone:

Not a problem all....we are happy to answer the question.  But since this is an open forum we really don't want to be revealing information about your security environment..

from K Harris to Everyone:

@Joseph agreed and appreciated

from Lenn Thompson (CA) to Everyone:

@Joseph: Thank you, sir.

from Lenn Thompson (CA) to Everyone:

@Everyone: Do we have any other questions for our team today?

from K Harris to Everyone:

not at this time

from Tom Breuer to Everyone:

Does CA recommend having naming standards for ACIDs and profiles? Is there a list of best practices recommended by CA?

from Joseph Porto to Everyone:

The naming of ACIDs varies from site to site and based on clients' needs.

from Tom Breuer to Everyone:

Agreed. Do most CA clients have naming standards?

from Tom Breuer to Everyone:

In your experience, does having naming standards help with the implementation of further CA products like the Identity Suite, etc.?

from Joseph Porto to Everyone:

PROFILE however are generally named by the of activity

from Joseph Porto to Everyone:

related to that profiles.

from John Pinkowski to Everyone:

@tom - One interesting new enhancement that was just delivered for TSS/ACF2 is the ability to map email addresses to ACIDs.  With more workloads coming in from other platforms the ability to map an email to an ACID seems to be the direction we are going.

from Joseph Porto to Everyone:

Example. systems programmer would have a SYSPROGS profile

from Tom Breuer to Everyone:

I didn't know about that ability. That sounds good. Is that part of TSS v16?

from Joseph Porto to Everyone:

You may want to check your security site standards...they may help you with the naming convention you use at your site..

from Joseph Porto to Everyone:

You may also have site standards that may require you to name things a certain way..

from Tom Breuer to Everyone:

@Joseph - We are moving to a process where each utility has its own naming convention (covered by a global standard). We're spending a lot of time on it because we see future benefit, I just want to see what others have / are / will do.

from Tom Breuer to Everyone:

@Joseph - I wrote the standard! :)

from John Pinkowski to Everyone:

@tom -  With our continuous delivery model we delivered that in PTF SO00816.  The first IBM component to exploit the use of the new support was JES2.    

from Joseph Porto to Everyone:

A good place to discuss this would be at the support.ca.com Mainframe Community Board...to see what others are doing.

from Tom Breuer to Everyone:

@joseph - I tried that. No response.

from Joseph Porto to Everyone:

I have seen ACID names constructed from a user's real name..

from Tom Breuer to Everyone:

@John - I will follow up with our TSS team about that and how we can use that.

from Joseph Porto to Everyone:

I've seen some use initial and some identifying number as the next 6 characters

from Tom Breuer to Everyone:

@joseph - two of the keys we use for profiles are system name and state (e.g. test state). So far, it seems to help us, but I want to see if it will help us as we implement further CA IDM tools.

from Tom Breuer to Everyone:

@everyone - anyone else have a naming standard? (I am not looking for details on it).

from Joseph Porto to Everyone:

Some use the first 6 characters of the last name...and then 2 digits....

from Joseph Porto to Everyone:

The NAME field for acids and PROFILES allows for a lot more characters...can be used to store more useful information about the acid or profile..

from Joseph Porto to Everyone:

you can also create custom fields to store information...like a social security number field or phone number...

from K Harris to Everyone:

we use custom fields to store additional descriptive info about ACIDS

from K Harris to Everyone:

we also use naming conventions for ACIDs based on type and environment (Prod, DEV, etc.)

from Tom Breuer to Everyone:

@Joseph - we can create custom fields in TSS? Do you have a link to the TSS DOCOPS page where it shows how to do that? That too would be helpful.

from Lenn Thompson (CA) to Everyone:

@Everyone: Do we have any last-minute questions? We're almost at the end of our time.

from John Pinkowski to Everyone:

@tom - One item to keep in mind with PCI and GDPR rules you have to ensure you control the information you store in your TSS database.  People tend to forget to ensure backups and CIA databases are as secured as your TSS databases.

from Kris to Everyone:

One DocOps link for the NAME item that Mr. Porto mentioned: https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/name-keywordassociate-an-acid-with-a-name

from Tom Breuer to Everyone:

@John. Agreed. But to have a searchable field in TSS would be helpful for some of what we think we want to do.

from Tom Breuer to Everyone:

@Kris - Thanks

from Lenn Thompson (CA) to Everyone:

@Everyone: Okay folks, let's wrap it up for this month. Thank you SO much for joining our first askCA in this community. See you next time!
