CA Top Secret for z/OSControl Options Guider15Ninth Edition

This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to asthe “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time. ThisDocumentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified orduplicated, in whole or in part, without the prior written consent of CA.If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise makeavailable a reasonable number of copies of the Documentation for internal use by you and your employees in connection withthat software, provided that all CA copyright notices and legends are affixed to each reproduced copy.The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicablelicense for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility tocertify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANYKIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULARPURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE,DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOSTINVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THEPOSSIBILITY OF SUCH LOSS OR DAMAGE.The use of any software product referenced in the Documentation is governed by the applicable license agreement and suchlicense agreement is not modified in any way by the terms of this notice.The manufacturer of this Documentation is CA.Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictionsset forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, ortheir successors.Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong totheir respective companies.

CA Technologies Product ReferencesThis documentation set references the following CA products: CA ACF2 for z/OS (CA ACF2) CA Common Services for z/OS (CA Common Services) CA Distributed Security Integration Server for z/OS (CA DSI Server) CA LDAP Server for z/OS (CA LDAP Server) CA Top Secret for z/OS (CA Top Secret)Contact CA TechnologiesContact CA SupportFor your convenience, CA Technologies provides one site where you can access theinformation that you need for your Home Office, Small Business, and Enterprise CATechnologies products. At, you can access the followingresources: Online and telephone contact information for technical assistance and customerservices Information about user communities and forums Product and documentation downloads CA Support policies and guidelines Other helpful resources appropriate for your productProviding Feedback About Product DocumentationIf you have comments or questions about CA Technologies product documentation, youcan send a message to [email protected] provide feedback about CA Technologies product documentation, complete ourshort customer survey which is available on the CA Support website at

Documentation ChangesThe following changes have been made in this release of this documentation: CICS-Related FACILITY Suboptions (see page 93)—Added CISP, CIS1, CJSL, CRST, andCPCT to the default Bypass and Protect List information. Options for Invoking Predefined Facilities (see page 107)—Added CISP, CIS1, CJSL,CRST, and CPCT to the bypass list information. INACTIVE—Deny Use of Unused ACIDs (see page 119)—Modified the maximumvalue for the number of days after which the product prohibits signon for anunused ACID that is connected to an expired password. NEWPW—Restrict Password Alterations (see page 157)—Added { and } to the list ofcharacters that passwords can contain by default; indicated that MINDAYS isapplicable to password changes made with the TSS ADDTO/REPLACE command,except when the PWADMIN(YES) control option is specified; noted thatPWADMIN(YES) is not applicable to the NU or RN setting. PWADMIN—Enforce NEWPW Rules for Administrative Password Changes (seepage 186)—Added this section, describing control option that enforces NEWPWcontrol option rules and password interval specification when an administrator oruser with MISC8(PWMAINT) or ACID(MAINTAIN) authority performs a passwordchange through a TSS command.The following changes were made in the the last release of this documentation: Options for Invoking Predefined Facilities (see page 107). Provided an introductoryexplanation for the section; updated the default settings for the CICSPROD andCICSTEST facilities. CPFAUTOGID—Insert a Specific USS GID During CPF Command Processing (seepage 49). Added this section for a new control option that transmits a TSScommand with an assigned GID value, instead of the '?' value, when you are usingthe Command Propagation Facility (CPF) feature. CPFAUTOUID—Insert a Specific USS UID During CPF Command Processing (seepage 50). Added this section for a new control option that transmits a TSScommand with an assigned UID value, instead of the '?' value, when you are usingthe Command Propagation Facility (CPF) feature FSACCESS—Enable or Disable FSACCESS Resource Class Checks (see page 114).Clarified that all entry methods are accepted. MODLUSER—Identify an OMVS Model User (see page 150). Removed UID from thelist of fields that is provided to ACID. Announced variable specification for HOMEfield; which the current user ID value replaces when MODLUSER information isadded to a user’s ACID record. Added DFLTGRP to the list of fields that is providedto the ACID.

OMVSGRP—Assign an OMVSGRP Segment and Default Group (see page 166).Clarified that OMVSGRP is not supported in z/OS 2.1 and above, in which case youcan use UNIQUSR and MODLUSER instead. OMVSUSR—Assign an OMVS Segment for Extract (see page 167). Clarified thatOMVSUSR is not supported in z/OS 2.1 and above, in which case you can useUNIQUSR and MODLUSER instead. OPTIONS—Specify Configuration Options (see page 168). Added description foroption value 79, which specifies to write an SMF record when control optionOMVSUSR or OMVSGRP is used to provide a default UID or GID, respectively.Updated description for option 72, which allows a MASTFAC (Master Facility) on allACID types capable of signon. UNIQUSER—Assign a UID Automatically During OMVS Logon (see page 236).Corrected the example syntax.

ContentsChapter 1: Introduction15About Control Options . 15Control Option Entry Methods . 16The O/S START Command . 16The Started Task Procedure . 17The Parameter File . 18MODIFY Command for Manipulating Options from an Online Terminal . 20The Console MODIFY Command . 21Hierarchy of Entry Methods . 21Stopping the CA Top Secret Started Task . 22Authority to Enter Options . 22Restricted and Unrestricted Options. 23Chapter 2: Specific Control Options25ADABAS—Control SVC Numbers . 25Example: ADABAS control option . 25ADMINBY—Record Administration Information . 25ADSP—Security Indicator . 27Examples: ADSP control option . 28AUDIT(SWITCH)—Switch to Alternate Audit Tracking File . 28Example: AUDIT(SWITCH) control option . 28AUTH—Merge Records for Search . 29AUTOEDSN—Edit AUTOERASE Data . 30Examples: AUTOEDSN control option . 31AUTOERASE—Control Automatic Data Erase . 31Examples: AUTOERASE control option . 32BACKUP—Backup the Security File . 32Use of BACKUP Option . 33When CA Top Secret Will Not Perform BACKUP . 33Multiple CPUs . 33D37 Abends . 33Recommended Use . 34Examples: BACKUP control option . 34BYPASS—Bypass Resource Checking . 34Examples: BYPASS Control Option . 35CACHE—Reserve Memory. 35Contents 7

CANCEL—Allow Operating System CANCEL . 37CATADELPROT—Prevent Dataset Deletion . 38CHORUSSTATG—Enable CA Chorus Statistics Gathering . 38CHORUSSTATI—Specify CA Chorus Statistics Gathering Time Interval . 39CHORUSTSFDB—Specify CA Chorus Time Series Facility (TSF) Debug Option . 39CHORUSTSFSX—Specify CA Chorus Time Series Facility (TSF) Suffix Indicator . 40CIAAUTO—Automatically Start the CIA Real-Time Processing Component Started Task . 41Example: CIAAUTO Control Option . 41CIAHOST-Host Name . 41Example: CIAHOST Control Option. 42CIALOGNAME-Log Name . 42Example: CIALOGNAME Control Option . 43CIAMAXSTOR—Maximum Storage Size. 43Example: CIAMAXSTOR Control Option . 43CIAPORT—Port Number . 43Example: CIAPORT Control Option . 44CIAPROCNAME—Started Procedure Name . 44Example: CIAPROCNAME Control Option . 44CIART—CIA Real-Time Updates . 44Example: CIART Control Option . 45CIASYSID—Customize the System ID Assigned to LPAR Security Information . 46CMDNUM—Number of Command Processors . 46Example: CMDNUM control option . 47CPF—Activate Command Propagation Facility at Startup. 48Example: CPF control option . 49CPFAUTOGID—Insert a Specific USS GID During CPF Command Processing . 49CPFAUTOUID—Insert a Specific USS UID During CPF Command Processing . 50CPFLISTMULT—Propagate LIST/WHOHAS commands . 50CPFNODE—CPF Node Changes . 51Examples: CPFNODE control option . 52CPFNODES—Identify Remote Nodes for CPF . 52Examples: CPFNODES control option . 54CPFRCVUND—Receive Commands from Undefined Nodes . 55CPFTARGET—TARGET Keyword Default . 55Example: CPFTARGET control option . 56CPFWAIT—WAIT Keyword Default. 56Example: CPFWAIT control option . 57DATE—Date Format . 57Examples: DATE control option . 58DB2FAC—Group and Protect DB2 Subsystems . 59Examples: DB2FAC control option . 60DEBUG—Produce Dumps . 618 Control Options Guide

DFLTRNGG—GID Default Range . 61DFLTRNGU—UID Default Range . 62DIAGTRAP—Produce Diagnostic Dump . 63Examples: DIAGTRAP control option . 65DISPMASK—Display Attribute of MASK . 66Examples: DISPMASK control option . 67DL1B—PSB and DBD Security . 68DOWN—Inactive Characteristics. 69Examples: DOWN control option . 70DRC—Detailed Error Reason Code Characteristics .