User-specific settings

In order to protect an object (file or job variable) effectively against TSOS, object owners must make two user-specific protection settings:

  1. They must withdraw co-administration rights for their objects from the user TSOS.

    For more information, refer to “Specifications for TSOS co-owner protection” below.

  2. They must withdraw access rights for their objects from the user TSOS. GUARDS access protection must be used for this, because it is the only mechanism that can suppress accesses by TSOS.

    This second setting is necessary for the following reason: the withdrawal of co-administration rights in the first step only prevents the user TSOS from modifying protection attributes. It does not prevent data accesses (e.g. the reading or encryption of a file).

    For more information, refer to “Specifications for TSOS access protection” below.

Specifications for TSOS co-owner protection

The restriction of TSOS co-ownership is based on co-owner protection. This means:

  • An active rule container must be created with the name SYS.UCF (or SYS.UCJ) (/CREATE-GUARD command).

  • Co-owner rules must be defined to specify which files the user TSOS may not co-administer (/ADD-COOWNER-PROTECTION-RULE command).

In a co-owner rule it is possible to specify the object to which the rule applies, the co-owner conditions for normal users and the type of TSOS co-ownership. For this purpose, a co-owner rule is divided into three parts:

1st part of the rule:

This part of the rule specifies the file or job variable for which co-ownership is to be specified or restricted.

2nd part of the rule:

This part of the rule specifies which co-owner conditions normal users have to fulfill in order to be co-owners of the object specified in the first part of the rule.

The co-owner conditions themselves are defined in a separate guard (of the type STDAC); the 2nd part of the rule simply references this guard.

3rd part of the rule:

This part of the rule specifies whether the user TSOS has full or only restricted co-administration rights for the object specified in the first part of the rule.

The possible values are *SYSTEM-STD and *RESTRICTED.

Note the following:

  • In a rule it is possible to make specifications that apply to the co-ownership of both non-privileged users and the user under the user ID TSOS, or to each separately.

  • If the co-ownership for non-privileged users is specified in a rule, a reference to a guard must be entered in the 2nd part of the rule. This guard and the co-owner conditions defined in it are not significant for TSOS co-ownership.

Example

/ show-coowner-protection-rule rule-container-guard=$customer.sys.ucf

%-----------------------------------------------------------------------------
%RULE CONTAINER :2OSC:$CUSTOMER.SYS.UCF              ACTIVE  COOWNER PROTECTION
%-----------------------------------------------------------------------------
%RULE1         OBJECT      = COOWNER.*
%              CONDITIONS  = $CUSTOMER.GUA
%              TSOS-ACCESS = SYSTEM-STD    *)
%-----------------------------------------------------------------------------
%RULE CONTAINER SELECTED: 1                                      END OF DISPLAY


*) significant for TSOS co-ownership

/ show-access-conditions guard-name=$customer.gua

%:2OSC:$CUSTOMER.GUA
%   User   TSOS         has NO ADMISSION  **)
%-----------------------------------------------------------------------------
%Guards selected: 1                                              End of display

**) not significant for TSOS co-ownership

  • If you only want to specify restricted TSOS co-ownership in a rule, you have to enter the value *NONE in the 2nd part of the rule instead of a reference to a guard. The 3rd part of the rule must be set to *RESTRICTED. This restricts the co-ownership of the user TSOS for the object specified in the first part of the rule.

    Example

    /add-coowner-protection-rule rule-container-guard=sys.ucf, -
    / protection-rule=rule2, -
    / protect-object=*par(name=not-for-tsos, -
    / condition-guard=*none, -
    / tsos-access=*restricted)
    /show-coowner-protection-rule rule-container-guard=$customer.sys.ucf

    %-----------------------------------------------------------------------------
    %RULE CONTAINER :2OSC:$CUSTOMER.SYS.UCF              ACTIVE  COOWNER PROTECTION
    %-----------------------------------------------------------------------------
    %RULE1         OBJECT      = COOWNER.*
    %              CONDITIONS  = $CUSTOMER.GUA
    %              TSOS-ACCESS = SYSTEM-STD
    %RULE2         OBJECT      = NOT-FOR-TSOS
    %              CONDITIONS  = *NONE
    %              TSOS-ACCESS = RESTRICTED
    %-----------------------------------------------------------------------------
    %RULE CONTAINER SELECTED: 1                                      END OF DISPLAY

You will find more information on co-owner protection in section "Co-owner protection".

Specifications for TSOS access protection

Protection against TSOS accesses is based on GUARDS access protection. This means:

  • An access condition guard (of the type STDAC) must be created
    (/CREATE-GUARD command).

  • In this guard it must be specified that the user TSOS (*SUBJECTS) has no access rights (/ADD-ACCESS-CONDITIONS command).

  • The access condition guard must be linked to the object to be protected (/MODIFY-FILE-ATTRIBUTES command).
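The following command sequence is a constructed example added here, not taken from the manual, that carries out both user-specific settings for one file: the co-owner rule from the example above and the three access-protection steps just listed. The file name NOT-FOR-TSOS and the guard name NOTSOS are assumed, and the operand names of CREATE-GUARD, ADD-ACCESS-CONDITIONS and MODIFY-FILE-ATTRIBUTES are given from memory of the SECOS command reference, not from this page.

```sdf
/remark *** Constructed example: protect $CUSTOMER.NOT-FOR-TSOS against TSOS
/remark *** Step 1: withdraw co-administration (rule syntax as on this page)
/add-coowner-protection-rule rule-container-guard=sys.ucf, -
/    protection-rule=rule2, -
/    protect-object=*par(name=not-for-tsos, -
/    condition-guard=*none, -
/    tsos-access=*restricted)
/remark *** Step 2: access-condition guard (type STDAC) that denies TSOS;
/remark *** operand names below are assumed, check them against the reference
/create-guard guard-name=notsos
/add-access-conditions guard-name=notsos, -
/    subjects=*user(user-identification=tsos), -
/    admission=*no
/remark *** Step 3: link the guard to the file for every access type
/modify-file-attributes file-name=not-for-tsos, -
/    protection=*par(guards=*par(read=notsos, write=notsos, exec=notsos))
/remark *** Check: the display should show "User TSOS has NO ADMISSION"
/show-access-conditions guard-name=notsos
```

Conditions admitting the users who are meant to work with the file are added to the same guard with further ADD-ACCESS-CONDITIONS commands; only the rule denying TSOS is shown here.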

You will find more information on GUARDS access protection in section "Data access control and system access control".

TSOS accesses cannot be prevented by either the BACL or the ACCESS/USER-ACCESS protection mechanism.