By default, the TSOS user ID possesses an unrestricted co-administration right for files and job variables throughout the system. However, the use of SECOS makes it possible for all users to restrict this right provided that certain system-specific preconditions have been fulfilled by systems support.
The restriction to TSOS file co-ownership applies to certain commands and macros and, in some cases, only to some of the operands involved. These commands and macros are listed in the table below:

Commands | Macros |
---|---|
MODIFY-FILE-ATTRIBUTES | CATAL (STATE=*UPDATE) |
MODIFY-FILE-GENERATION-SUPPORT | CATAL (STATE=*UPDATE) |
MODIFY-FILE-GROUP-ATTRIBUTES | CATAL (STATE=*UPDATE) |
DELETE-FILE | ERASE |
COPY-FILE | COPFILE |
To provide effective protection against TSOS access, the owner of the object must make two user-specific protection settings:
1. First of all, the owner must withdraw the co-administration right for his/her objects from the user TSOS.
2. Then the owner must withdraw the access right for his/her objects from the user TSOS. To do this, it is necessary to use GUARDS access protection since this is the only way to prevent TSOS access.
Both steps must be performed, since withdrawing the co-administration right in step 1 only prevents the modification of protection attributes. It does not prevent file accesses, for example attempts to read the file. Preventing such accesses requires step 2.
For more detailed information on the required steps and the system-specific settings to be made by systems support, refer to the “SECOS” manual [8 (Related publications)].
Another way to hide the file content from TSOS users is file encryption with a crypto password (see "File encryption").