General Resources
This chapter describes how to specify and use general resources.
1. Overview
General resources refer to all of the resources used in the OpenFrame system, excluding data sets. Resources are categorized into resource types depending on whether a resource is a transaction resource or a terminal resource. A resource type is called a CLASS.
A resource profile must be registered to protect a resource. The access level for a resource is determined by the access level of the resource profile registered for it, in the same way as for data sets. Refer to Specifying Access Authorities for a Data Set for information about access levels. A resource profile holds the same information as a data set profile, but additionally requires a CLASS.
TACF uses two class categories to classify general resources: member classes and resource group classes. A member class and a resource group class can cross-reference each other. A resource type is categorized into a CLASS as follows:
- Generic Resource
  Resources with the same class are managed by using a single profile. This type of resource belongs to a class called a Member Class.
- Group Resource
  Resources with the same class are managed by using a single group profile. This type of resource belongs to a class called a Resource Group Class.
The following table shows the available member classes and resource group classes.
Member Class | Resource Group Class | Purpose
---|---|---
SURROGAT | None | Surrogate job submission
TERMINAL | GTERMINL | TSO/VM terminal
TCICSTRN | GCICSTRN | CICS transaction
FCICSFCT | HCICSFCT | CICS file
DCICSDCT | ECICSDCT | CICS TDQ
SCICSTST | UCICSTST | CICS TSQ
MCICSPPT | NCICSPPT | CICS program
ACICSPCT | BCICSPCT | CICS transaction that has been started
TJESMGR | GTJESMGR | tjesmgr command
UTILITY | GUTILITY | JCL Runner (all programs executable through JOBs)
UNIFYDS | GUNIFYDS | Manages authority by registering the volume of an unregistered data set as a resource.
JESJOBS | None | Job command
JESSPOOL | None | Spool data set
OFMANAGR | None | OpenFrame Manager login control
2. Resource Profiles
There are three types of resource profiles supported by TACF, as follows:
- Discrete resource profile
  The resource is managed with a single profile. A discrete profile exactly matches the name of the resource. Discrete profiles enable close management of individual resources but entail managing a large number of profiles.
- Generic resource profile
  This profile type supports managing a set of resources that use similar naming conventions and access permissions with a single profile. For example, for a group of data sets whose high-level qualifier starts with TMAX, a generic profile named 'TMAX.**' can be created. By using generic resource profiles, the number of profiles needed to protect data sets can be reduced. However, each resource cannot be managed in as much detail as with a discrete profile.
- Group resource profile
  As with generic profiles, these profiles manage multiple general resources with a single profile. While the general resources managed with a generic profile share a naming convention, the members of a group resource profile do not.
Resource profiles and general profiles share the same features, except that in resource profiles special characters may be used in the first qualifier and '***' is not supported.
When a new resource profile is registered, the profile is created and the specified information is stored in each of its fields. CLASSNAME and PROFILENAME are required input values. The other fields are automatically set to default values.
The following table describes the fields of the resource profiles.
Field | Description
---|---
CLASSNAME | Specifies the class that the resource belongs to. Required item.
PROFILENAME | Specifies the resources to be protected. Required item. A profile name consists of letters, numbers, and the special characters '%', '*', and '**'. A profile name that contains any of these special characters is a generic profile.
OWNER | Specifies a user ID or group name as the owner of the profile. The owner of the profile can modify and delete the profile and is also given authority to access the resource. If not specified, the owner defaults to the user ID of the current user.
MEMBERS | Specifies the discrete profiles that belong to the group resource profile, or the group resource profiles that contain the discrete profile.
UACC | Specifies the universal access authority for the resource. If not specified, the authority defaults to NONE. For more information about access authorities, refer to Specifying Access Authorities for a Data Set.
AUDT | Specifies the audit level for resource access. For more information, refer to Data Set Profiles.
Although CATEGORY, SECLEVEL, SECLABEL, DATA, FLAGS, LTMODD, and NOTIFY are supported, their functionality is not yet implemented. To prevent errors, only internal parameters are used for these fields.
Creating Group Resource Profiles
Generic profiles cannot be used to manage a set of resources that do not share a naming convention. In these cases, a group resource profile can be used instead. A group resource profile does not rely on naming conventions; each resource is added to the group manually, so that the grouped resources can be managed by a single profile.
The following describes how to register group resource profiles.
- Register a discrete profile for each general resource to be included in the group resource profile.
- Add the resource to the group resource profile by using the ADDMEM operand of the RDEFINE or RALTER command.
- To delete a resource from a group resource profile, specify the profile name of the resource in the DELMEM operand of the RALTER command.
For more information about the commands used when registering group resource profiles in TACF, refer to TACF Commands.
3. Specifying General Resource Authorities
As with data set authorities, resource authorities can be configured using the following two methods.
- Specifying UACC when creating discrete resource profiles.
  All users are granted the same access level.
- Specifying individual access authorities using the access authority list.
  Use the PERMIT command to register a user or group, together with the time and day during which the resource may be used.
For more information about access authority levels for resources, refer to Specifying Access Authorities for a Data Set.
4. UNIFYDS
UNIFYDS checks the authority of a data set by using the volume that contains the data set, instead of registering each data set profile individually. When registering a volume as a resource of the UNIFYDS class, if the data set is not protected by the data set profile, the authority check is performed by using the volume information registered in UNIFYDS. You can use this function when the VALUE of the ENABLE_UNIFYDS key is set to YES, in the AUTH_OPTION section of the TACF subject, under OpenFrame Configuration.
The following example registers the volume in the UNIFYDS class, in the same way as a generic resource profile is registered.
RDEFINE UNIFYDS DEFVOL UACC(EXECUTE)
For more information about how to configure the TACF subject, refer to OpenFrame Configuration Guide.
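The fall-back described above, as an added illustration in Python that is not part of TACF or of this guide: a data set with its own profile is decided by that profile, an unregistered data set falls back to the UNIFYDS profile of its volume while ENABLE_UNIFYDS is YES. The catalog, profiles, user names and the NONE to ALTER level ordering are constructed assumptions.

```python
# Added illustration (not TACF code) of the UNIFYDS fall-back: a data set that
# has its own profile is checked against that profile; an unregistered data set
# is checked against the UNIFYDS profile of the volume it resides on, but only
# while ENABLE_UNIFYDS is YES. All names, volumes and profiles are constructed.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # assumed ordering

# Constructed catalog: data set name -> volume it resides on
CATALOG = {"PAYROLL.MASTER": "DEFVOL", "TEST.SCRATCH": "DEFVOL", "HR.SALARY": "SECVOL"}
# Constructed data set profiles (discrete names only, to keep the example short)
DATASET_PROFILES = {"PAYROLL.MASTER": {"UACC": "NONE", "ACL": {"PAYOPS": "UPDATE"}}}
# Volumes registered in the UNIFYDS class, as with: RDEFINE UNIFYDS DEFVOL UACC(EXECUTE)
UNIFYDS_PROFILES = {"DEFVOL": {"UACC": "EXECUTE", "ACL": {"ADMIN": "ALTER"}}}


def _level(profile, user):
    """Access-list entry for the user if present, otherwise the profile's UACC."""
    return profile["ACL"].get(user, profile["UACC"])


def _enough(level, required):
    return LEVELS.index(level) >= LEVELS.index(required)


def check_dataset(dsn, user, required, enable_unifyds=True):
    """Return (allowed, source); source names the profile that decided, or 'unprotected'."""
    if dsn in DATASET_PROFILES:  # a data set profile always takes precedence
        return _enough(_level(DATASET_PROFILES[dsn], user), required), f"DATASET {dsn}"
    volume = CATALOG.get(dsn)
    if enable_unifyds and volume in UNIFYDS_PROFILES:  # fall back to the volume
        return _enough(_level(UNIFYDS_PROFILES[volume], user), required), f"UNIFYDS {volume}"
    # Neither a data set profile nor a registered volume: nothing for TACF to
    # enforce, so the request is not restricted here (assumed behaviour).
    return True, "unprotected"


def coverage_report(enable_unifyds=True):
    """Which profile would decide access for every cataloged data set (for auditing)."""
    return {dsn: check_dataset(dsn, "NOBODY", "READ", enable_unifyds)[1] for dsn in CATALOG}
```

coverage_report shows which data sets would be left with no profile at all if ENABLE_UNIFYDS were turned off, which is the list to review before changing that key.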
5. Surrogate Job Submission
Surrogate Job submission occurs when a job submitted by a TACF user is granted permission to run using another user’s account information. In general, when a user makes a job request, the user’s ID and password are specified in JCL, indicating the user’s authority to access the resources. However, during surrogate job submission, access to job resources is granted using the identity and privilege assigned to another user (who is responsible for executing the job).
If the user who submits the job has the authority to view JCL, the user is able to view the other user’s password. In this case, the surrogate job feature prevents password exposure by enabling surrogate job submission without entering the password.
The following example shows how to register a resource and authority for a surrogate job submission.
To register the resource, use the RDEFINE command as follows:
RDEFINE SURROGAT executor.SUBMIT UACC(NONE)
To assign the authority for surrogate job submission, enter the following command.
PERMIT executor.SUBMIT CLASS(SURROGAT) ID(submitter) ACCESS(READ)
In the previous example, 'executor' refers to the user who executes the job, and 'submitter' refers to the user who submits the job.
6. TACF TJES
TACF TJES checks a user's authority to perform job operations such as SUBMIT, STOP, REMOVE, HOLD, START, CANCEL, SUSPEND, RESUME, and NICE. It also sets the authority to access the SPOOL data sets.
To enable TACF protection of spool data sets, the VALUEs of the CHECK_JOBNAMEAUTH and CHECK_SPOOLAUTH keys must both be set to YES in the TACF section of the tjes subject, under OpenFrame Configuration.
For more information about how to configure the tjes subject, refer to OpenFrame Configuration Guide.
Authority Check for SUBMIT
By setting the authority to execute a job with a specific jobname, TACF can prevent a user without that authority from manipulating the job.
The following describes how to restrict SUBMIT for a job with a specific jobname.
- Define a profile of the JESJOBS class with the RDEFINE command. If UACC is set to READ, every user is given READ authority, so UACC must be set to NONE.
  Set the profile name as follows:
  SUBMIT.<jobname>
  Item | Description
  ---|---
  jobname | Specifies the name of the job to be controlled through TACF.
- Give SUBMIT authority to a specific user or group with the PERMIT command. Set ACCESS to READ.
  PERMIT SUBMIT.<jobname> CLASS(JESJOBS) ID([userid | group]) ACCESS(READ)
  Item | Description
  ---|---
  jobname | Specifies the name of the job to be controlled through TACF.
  userid/group | Specifies the user or group to be given SUBMIT authority for the jobname.
Authority Check for REMOVE and STOP
The following describes how to restrict REMOVE and STOP for a job with a specific jobname.
- Define a profile of the JESJOBS class with the RDEFINE command. The resource profile is registered in the same way as for SUBMIT.
  Set the profile name as follows:
  REMOVE.<jobname> or STOP.<jobname>
  Item | Description
  ---|---
  jobname | Specifies the name of the job to be controlled through TACF.
- Give REMOVE and STOP authority to a specific user or group with the PERMIT command. Set ACCESS to ALTER.
  PERMIT REMOVE|STOP.<jobname> CLASS(JESJOBS) ID([userid | group]) ACCESS(ALTER)
  Item | Description
  ---|---
  jobname | Specifies the name of the job to be controlled through TACF.
  userid/group | Specifies the user or group to be given REMOVE and STOP authority for the jobname.
Authority Check for HOLD, START, CANCEL, SUSPEND, RESUME, and NICE
The following describes how to restrict HOLD, START, CANCEL, SUSPEND, RESUME, and NICE for a job with a specific jobname.
- Define a profile of the JESJOBS class with the RDEFINE command.
  Set the profile name as follows:
  HOLD|START|CANCEL|SUSPEND|RESUME|NICE.<jobname>
  Item | Description
  ---|---
  jobname | Specifies the name of the job to be controlled through TACF.
- Give authority for the commands to a specific user or group with the PERMIT command. Set ACCESS to READ.
  PERMIT HOLD|START|CANCEL|SUSPEND|RESUME|NICE.<jobname> CLASS(JESJOBS) ID([userid | group]) ACCESS(READ)
  Item | Description
  ---|---
  jobname | Specifies the name of the job to be controlled through TACF.
  userid/group | Specifies the user or group to be given HOLD, START, CANCEL, SUSPEND, RESUME, and NICE authority for the jobname.
Authority for Accessing Spool Data Set
By giving a user authority to access the following spool data sets, TACF can prevent users without that authority from manipulating the data sets. Creating spool data sets is not restricted; only reading (searching) them is controlled.
The following spool data sets can be controlled.
- INPJCL
- JESMSG
- JESJCL
- SYSMSG
- CATPROC
- output data set
The following describes how to set the authority to access the SPOOL data sets.
- Define a profile for a SPOOL data set in the JESSPOOL class with the RDEFINE command. If UACC is set to READ, every user is given READ authority, so UACC must be set to NONE.
  Set the profile name as follows:
  <jobname>.<spool dataset>
  Item | Description
  ---|---
  jobname | Specifies the jobname.
  spool dataset | Specifies the name of the spool data set. To create a generic profile covering all SPOOL data sets of the job, specify an asterisk (*).
- Give authority to read the spool data set to a specific user or group with the PERMIT command.
  PERMIT <profile-name> CLASS(JESSPOOL) ID(<userid | group>) ACCESS(READ)
  Item | Description
  ---|---
  profile-name | Specifies the profile name set by the RDEFINE command.
  userid/group | Specifies the user or group to be given authority to read the SPOOL data set.
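The SURROGAT check from section 5 and the JESJOBS and JESSPOOL checks from section 6, modelled together in Python as an added example that is not TACF's own code. The profiles are constructed from the RDEFINE and PERMIT commands shown above; the semantics of '%', '*' and '**', the NONE to ALTER ordering, the best-match tie-break and the treatment of a resource no profile covers are assumptions (RACF-style), not statements from this guide.

```python
# Added model (not TACF code) of a general-resource access check: class and
# resource name -> best matching profile -> user entry, group entry or UACC
# -> compare with the level the operation requires (all assumed, RACF-style).
import fnmatch

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # assumed order
REQUIRED = {"SUBMIT": "READ", "REMOVE": "ALTER", "STOP": "ALTER", "HOLD": "READ"}

# Constructed profiles mirroring the RDEFINE/PERMIT examples in this chapter:
# (class, profile name, UACC, access list {user or group: level})
PROFILES = [
    ("SURROGAT", "EXECUTOR.SUBMIT", "NONE", {"SUBMITTER": "READ"}),
    ("JESJOBS", "SUBMIT.PAYROLL", "NONE", {"OPS": "READ"}),
    ("JESJOBS", "REMOVE.PAYROLL", "NONE", {"OPS": "READ"}),  # READ is too low for REMOVE
    ("JESSPOOL", "PAYROLL.*", "NONE", {"AUDIT": "READ"}),    # generic: all PAYROLL spool data sets
]

def match_qualifiers(pq, rq):
    """Match qualifier lists: '%' = one character, '*' = rest of a qualifier, '**' = any qualifiers."""
    if not pq:
        return not rq
    if pq[0] == "**":
        return any(match_qualifiers(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    return bool(rq) and fnmatch.fnmatchcase(rq[0], pq[0].replace("%", "?")) and match_qualifiers(pq[1:], rq[1:])

def best_profile(cls, resource):
    """A discrete (exact) profile wins; otherwise the longest matching generic profile (assumed tie-break)."""
    hits = [p for p in PROFILES if p[0] == cls and match_qualifiers(p[1].split("."), resource.split("."))]
    hits.sort(key=lambda p: (p[1] != resource, -len(p[1])))
    return hits[0] if hits else None

def effective_access(cls, resource, user, groups=()):
    """User entry beats group entries, which beat UACC; None when no profile covers the resource."""
    prof = best_profile(cls, resource)
    if prof is None:
        return None
    uacc, acl = prof[2], prof[3]
    if user in acl:
        return acl[user]
    levels = [acl[g] for g in groups if g in acl]
    return max(levels, key=LEVELS.index) if levels else uacc

def authorized(cls, resource, user, required, groups=()):
    """True when the effective level reaches the required one; an uncovered resource is not restricted (assumed)."""
    level = effective_access(cls, resource, user, groups)
    return True if level is None else LEVELS.index(level) >= LEVELS.index(required)

def job_command_allowed(command, jobname, user, groups=()):
    """JESJOBS check for a job command, using the per-command levels from this chapter."""
    return authorized("JESJOBS", f"{command}.{jobname}", user, REQUIRED[command], groups)
```

The REMOVE.PAYROLL entry shows the mistake the chapter warns against: copying the SUBMIT pattern with ACCESS(READ) leaves OPS unable to remove the job, because REMOVE and STOP need ALTER.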