
Friday, July 5, 2013

CA GovernanceMinder - Import/Export From IBM Mainframe Top Secret (TSS)

Import/Export From IBM Mainframe Top Secret

 

Overview

TSS is a security component for IBM mainframe computers that works together with the existing operating system to provide system security, resource access control, auditability, accountability and administrative control. As such, it is the main repository for users, roles and resources data on mainframe computers.

The main input to the Sage TSS import option is access data downloaded from TSS: generate a TSS List File on the mainframe and transfer the resulting text file to a location on the Windows system to which Sage has access. It is also possible to add enriched data about user attributes (for example, from the human resources department database).

The output is a Sage configuration, with TSS profiles appearing as Sage roles and with TSS groups appearing as Sage resources.

Import data from TSS into Sage

1. Create a TSS List File on the mainframe and transfer the file to a location that can be accessed by your Windows system.

JOB TSSUTIL

TSS LIST(ACIDS) DATA(ALL)

2. From within Sage DNA Data Management, from the Import menu on the menu bar, select Import from TSS.

The following window shows the TSS import window already completed:


Importing from TSS

The following are instructions for filling in the fields:

| Field | Description |
| --- | --- |
| Sage Files | |
| Sage Configuration File | Enter the name and folder of the target Sage configuration. A Browse button is provided for convenience. |
| Users Database | Enter the name and folder of the target Sage users database. A Browse button is provided for convenience. |
| Resources Database | Enter the name and folder of the target Sage resources database. A Browse button is provided for convenience. |
| Options | |
| TSS List File | Record the RACF platform name. |
| Profiles as Roles radio button | Activate radio button if Sage is to convert TSS Profiles to Sage roles. Do not activate radio button if Sage is to not convert TSS Profiles to Sage roles. |
| Groups as Resources radio button | Activate radio button if Sage is to convert groups to resources. Do not activate radio button if Sage is to not convert groups to resources. |
| TSS List File | Enter the path to the TSS list file copied to your Windows system. |
| Add ACL Entities check box | Mark Process Audit Cards check box to process Application Control Language (ACL) scripts. Unmark Process Audit Cards check box not to process Application Control Language (ACL) scripts. |
| Supplementary HR file | Record the name of the file containing supplementary users data, if any. |

1. Fill in the fields in the Importing

2. Click Convert to import.

If any errors result from the import process, then a Sage message appears. Check any errors in the SageTSSConverterXXX.log file located in the Sage Logs folder.


TSS Error Message

The configuration is created in the target folder but is not automatically opened by Sage.

Types of reports that Sage ERM can generate

Note: all "suspected" objects are generated from a cross analysis of the access rights with the provided users' HR attributes.

Suspected issues are potentially a risk and should be reviewed and evaluated by the user.

Suspected Entities Reports
  1. Suspect Group Definition - Groups that are connected to users with no common HR attributes
  2. Suspected User Collector - User that collected access rights from previous positions
  3. Suspected Dataset Collectible - Datasets that are linked to users with no common HR attributes
  4. Suspect User-Dataset Connection - Links between users and datasets that are suspected based on the user's HR attributes and on other users that have access to the same dataset
  5. Suspect User-Group Connection - Links between users and Groups that are suspected based on the user's HR attributes and on other users that have access to the same Group
  6. Suspect Group-Resource Connection
  7. Dual User-Dataset Link - User linked to a Dataset via a Group and directly
  8. Dual Group-Dataset Link - Groups linked to a Dataset via 2 different groups (hierarchies)
  9. Dual Group-Group Link - Groups linked to a Group via 2 different groups (hierarchies)
  10. Similar Group & Group Hierarchy - Groups that can be subgroups of other groups
  11. Groups For Almost Same Datasets - Groups that are connected to the same datasets where some % of the datasets are the same
  12. Groups For Almost Same Users - Groups that are connected to the same sets within a % of # of users
  13. Group Subsumed By Another (Same Datasets)
  14. Group Subsumed By Another (Same Users)
  15. Hierarchy Opportunity (Parent, Child)
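
To make three of the report types above concrete (Dual User-Dataset Link, Group Subsumed By Another (Same Datasets), and Groups For Almost Same Users), here is an added example that is not part of the original post and not the product's own algorithm. The access model is constructed sample data, and the Jaccard overlap measure with a 0.6 threshold is an assumption standing in for the "%" the report description mentions.

```python
from itertools import combinations, permutations

# Constructed sample model (not real TSS data): user -> groups,
# group -> datasets, and direct user -> dataset permissions.
USER_GROUPS = {"alice": {"PAYROLL", "FINANCE"}, "bob": {"PAYROLL", "FINANCE"},
               "carol": {"FINANCE"}, "dave": {"AUDIT"}}
GROUP_DATASETS = {"PAYROLL": {"PAY.MASTER", "PAY.HIST"},
                  "FINANCE": {"PAY.MASTER", "PAY.HIST", "GL.LEDGER"},
                  "AUDIT": {"GL.LEDGER"}}
USER_DIRECT = {"alice": {"PAY.MASTER"}, "dave": {"PAY.HIST"}}


def dual_user_dataset_links(user_groups, group_datasets, user_direct):
    """(user, dataset, group) where the user reaches the dataset both
    directly and through membership of the group."""
    hits = []
    for user, direct in sorted(user_direct.items()):
        for group in sorted(user_groups.get(user, ())):
            for ds in sorted(direct & group_datasets.get(group, set())):
                hits.append((user, ds, group))
    return hits


def subsumed_groups(group_datasets):
    """(child, parent) pairs where the child's datasets are a proper,
    non-empty subset of the parent's datasets."""
    return sorted((a, b) for a, b in permutations(group_datasets, 2)
                  if group_datasets[a] and group_datasets[a] < group_datasets[b])


def almost_same_users(user_groups, threshold=0.6):
    """Group pairs whose member sets overlap at or above the threshold.
    Jaccard similarity is an assumed measure, not the product's."""
    members = {}
    for user, groups in user_groups.items():
        for group in groups:
            members.setdefault(group, set()).add(user)
    out = []
    for a, b in combinations(sorted(members), 2):
        score = len(members[a] & members[b]) / len(members[a] | members[b])
        if score >= threshold:
            out.append((a, b, round(score, 2)))
    return out


if __name__ == "__main__":
    print(dual_user_dataset_links(USER_GROUPS, GROUP_DATASETS, USER_DIRECT))
    print(subsumed_groups(GROUP_DATASETS))
    print(almost_same_users(USER_GROUPS))
```

Each finding is a review candidate: a redundant direct permission to remove, a group that could become a child of another, or two groups that may be merged.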
Similar Datasets Reports
  1. Overlapping Datasets (to users)                                                                                    
  2. Datasets Hierarchy Opportunity (Full, Partial)                                             
In/Out of pattern Reports
  1. User Almost Matches a Group - based on % of matching
  2. Dataset Almost Matches a Group - based on % of matching
  3. New Group Proposal to users
  4. New Dataset Proposal to users
Entities with many/few connections Reports

(note – this would also include orphan accounts, groups, resources)

  1. User with Many Direct Datasets
  2. User with Many Total Datasets
  3. User is a Member of Many Groups
  4. User with Few Direct Datasets
  5. User with Few Total Datasets
  6. User is Member of Few Groups
  7. Dataset with Many Direct Users
  8. Dataset with Many Total Users
  9. Dataset Used by Many Groups
  10. Dataset with Few Direct Users
  11. Dataset with Few Total Users
  12. Dataset Used by Few Groups
  13. Group with Many Users
  14. Group with Many Total Users
  15. Group with Many Datasets
  16. Group with Many Total Datasets
  17. Group with Many Sub Groups
  18. Group with Many Parent Groups
  19. Group with Few Users
  20. Group with Few Total Users
  21. Group with Few Datasets
  22. Group with Few Total Datasets
  23. Group with Few Sub Groups
  24. Group with Few Parent Groups
  25. Dual Group-Group Link
Business Policies Process

  1. Segregation of duty report - Restrictions between Group to Group
  2. Segregation of duty report - Restrictions between Dataset to Dataset
  3. Segregation of duty report - Restrictions between Group to Dataset
  4. Segregation of duty report - Restrictions between HR data to Group
  5. Segregation of duty report - Restrictions between HR data to Dataset
  6. Counter for User access limits reports on Groups
  7. Counter for User access limits reports on Datasets