<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan application security" />
<meta name="abstract" content="This topic provides an overview for creating an application security plan for your company." />
<meta name="description" content="This topic provides an overview for creating an application security plan for your company." />
<meta name="DC.Relation" scheme="URI" content="rzamvplanrscsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanobjauth.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvdetermineobjowner.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvappdescworksheet.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanappinstall.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="planappsec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan application security</title>
</head>
<body id="planappsec"><a name="planappsec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan application security</h1>
<div><p>This topic provides an overview for creating an application security plan for your company.</p>
<div class="p">To plan the right security for your applications, you need to know:<ul><li>What information do you plan to store on the system?</li>
<li>Who needs access to that information?</li>
<li>What kind of access do people need? Do they need to change information or only view it?</li>
</ul>
</div>
<p>As you work through these application planning topics, you answer the first question: what information you plan to store on your system. In subsequent topics, you decide who needs that information and what kind of access they need. You do not enter the application planning information into the system; however, you will need it when you set up users and resource security.</p>
<p><span class="uicontrol">What is an application?</span></p>
<div class="p">In the first planning step for application security, you need to describe the applications you plan to run on your system. An application is a group of functions that logically belong together. Usually, two different types of applications can run on your server:<ul><li><dfn class="term">Business applications</dfn>: Applications you buy or develop to perform specific business functions, such as order processing or inventory management.</li>
<li><dfn class="term">Special applications</dfn>: Applications you provide that are used throughout your company to perform a variety of activities that are not specific to a business process.</li>
</ul>
</div>
<div class="p"> <span class="uicontrol">What forms do you need?</span><ul><li><a href="rzamvappdescworksheet.htm#rzamvappdescworksheet">Application description form</a></li>
<li><a href="rzamvlibdescworksheet.htm#rzamvlibdescworksheet">Library description form</a></li>
<li><a href="rzamvnamingworksheet.htm#rzamvnamingworksheet">Naming conventions form</a></li>
</ul>
</div>
<p><em>Describing your applications</em></p>
<div class="p">At this point, you need to gather some general information about each of your business applications. Add information about your application to the appropriate fields on the Application Description form as described below. Later you can use this information to help you plan user groups and application security:<dl><dt class="dlterm">Application name and abbreviation</dt>
<dd>Give the application a short name and an abbreviation that you can use as shorthand on forms and for naming objects that the application uses.</dd>
<dt class="dlterm">Descriptive information</dt>
<dd>Briefly describe what the application does.</dd>
<dt class="dlterm">Primary menu and library</dt>
<dd>Identify which menu is the primary menu for accessing the application, and the library that contains it. Usually the primary menu leads to other menus with specific application functions. Users like to see the primary menu for their main application immediately after signing on to the system.</dd>
<dt class="dlterm">Initial program and library</dt>
<dd>Some applications run an initial program that sets up background information for the user or performs security checking. If an application has an initial program or setup program, list it on the form.</dd>
<dt class="dlterm">Application libraries</dt>
<dd>Each application usually has a main library for its files. Include all libraries that the application uses, including program libraries and libraries that other applications own. For example, the JKL Toy Company’s customer order application uses the inventory library to get item balances and descriptions. You can use the relationship between libraries and applications to determine who needs access to each library.</dd>
</dl>
</div>
<p><em>Finding information about your applications</em></p>
<div class="p">If you do not already know the information you need about your applications, you may need to contact your programmer or application provider. If you cannot obtain this information for an application that runs on your system, here are some methods for gathering it yourself:<ul><li>Users of the application can probably tell you the name of the primary menu and library, or you can watch them sign on to the system.</li>
<li>If users see the application immediately after signing on, look at the Initial program field in their user profiles. This field contains the initial program for the application. You can use the <span class="cmdname">DSPUSRPRF</span> command to view the initial program.</li>
<li>You can list the names and descriptions of all the libraries on your system with the <span class="cmdname">DSPOBJD *ALL *LIB</span> command, which displays every library on the system.</li>
<li>You can observe active jobs while users are running the application. Use the Work with Active Jobs (WRKACTJOB) command with the intermediate assistance level to get detailed information about interactive jobs. Display the jobs and look at both their library lists and their object locks to find out which libraries are being used.</li>
<li>You can display the batch jobs of an application using the <span class="cmdname">Work with User Jobs (WRKUSRJOB)</span> command.</li>
</ul>
To ensure that you gather all the information you need to plan your application security, complete these tasks before continuing:<ul><li>Complete an Application description form for each of your business applications. Fill out the entire form, except the security requirements section. You will use that section to plan resource security for the application as described in the topic <a href="rzamvresourcesec.htm#rzamvresourcesec">Resource security</a>.</li>
<li>Prepare an <a href="rzamvappdescworksheet.htm#rzamvappdescworksheet">Application description form</a> for each special application, if applicable. Using the form helps you determine how to provide access to the application.</li>
</ul>
<div class="note"><span class="notetitle">Note:</span> Preparing Application description forms for special applications from IBM<sup>®</sup>, such as IBM Query for iSeries™, is optional. Access to the libraries used by these applications does not require any special planning. However, you may find it useful to gather the information and prepare the forms.</div>
</div>
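<p>The commands listed above, assembled into one CL program that captures the answers the Application description form asks for. This is an added example and not part of the IBM topic: the program name GATHERAPP, the outfiles in QTEMP, the subsystem QINTER and the user ORDCLERK1 are assumptions.</p>

```cl
/* GATHERAPP - collect the facts the Application description form asks  */
/* for, using the commands named in this topic.  Added example; the      */
/* program name, the QTEMP outfile names and QINTER are constructed.     */
PGM        PARM(&USER)
  DCL      VAR(&USER) TYPE(*CHAR) LEN(10)  /* a user who runs the application */

  /* Initial program and menu (with their libraries) come from the user  */
  /* profile.  TYPE(*BASIC) is the level that the outfile supports.      */
  DSPUSRPRF USRPRF(&USER) TYPE(*BASIC) OUTPUT(*OUTFILE) +
            OUTFILE(QTEMP/USRPRFS)
  MONMSG   MSGID(CPF2204) EXEC(DO)        /* user profile not found       */
    SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
              MSGDTA('User profile' *BCAT &USER *BCAT 'does not exist')
  ENDDO

  /* Names and descriptions of every library on the system.              */
  DSPOBJD  OBJ(*ALL) OBJTYPE(*LIB) OUTPUT(*OUTFILE) OUTFILE(QTEMP/ALLLIBS)

  /* Jobs to inspect: interactive jobs in QINTER and the user's batch    */
  /* jobs.  For any job listed, DSPJOB OPTION(*LIBL) and OPTION(*JOBLCK) */
  /* show its library list and object locks, i.e. the libraries in use.  */
  WRKACTJOB OUTPUT(*PRINT) SBS(QINTER)
  WRKUSRJOB USER(&USER) STATUS(*ACTIVE) JOBTYPE(*BATCH) OUTPUT(*PRINT)

  /* Review the captured profile data and library list on screen.        */
  RUNQRY   QRY(*NONE) QRYFILE((QTEMP/USRPRFS))
  RUNQRY   QRY(*NONE) QRYFILE((QTEMP/ALLLIBS))
ENDPGM
```

<p>Call it as <span class="cmdname">CALL PGM(GATHERAPP) PARM(ORDCLERK1)</span>. Writing to outfiles in QTEMP keeps the gathered data inside the job and lets you query it instead of reading a spooled file; the two printed job lists tell you which jobs to display with DSPJOB to see the library lists and locks.</p>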
<p><em>Drawing an application diagram</em></p>
<p>As you prepare your Application description and Library description forms, you may find it useful to draw a diagram showing the relationship between applications and libraries. A diagram will help you to plan both user groups and resource security.</p>
<div class="p">Collecting some information about your applications and libraries now will help you with many security decisions you need to make. Look at this as a chance to become more knowledgeable about your system and applications. To ensure that you have gathered the application information that you need, you should:<ul><li>Complete an Application description form for each business application on your system.</li>
<li>Prepare an Application description form for each special application on your system.</li>
<li>Fill in the library and file sections of the Naming conventions form.</li>
<li>Prepare a Library description form for each application library.</li>
<li>Draw a diagram of the relationship between your applications and libraries.</li>
</ul>
When you have completed these forms, you can begin planning your overall security strategy.</div>
<p><em>Planning applications to prevent large profiles</em></p>
<div class="p">Because of the potential impacts on performance and security, IBM strongly recommends the following to prevent profiles from becoming too large:<ul><li>Do not have one profile own everything on your system. <p>Create special user profiles to own applications. Owner profiles that are specific to an application make it easier to recover applications and to move applications between systems. Also, information about private authorities is spread among several profiles, which improves performance. By using several owner profiles, you can prevent a profile from becoming too large because it owns too many objects. Owner profiles also allow you to adopt the authority of the owner profile rather than that of a more powerful profile that provides unnecessary authority.</p>
</li>
<li>Avoid having applications owned by IBM-supplied user profiles, such as QSECOFR or QPGMR. <p>These profiles own a large number of IBM-supplied objects and can become difficult to manage. Having applications owned by IBM-supplied user profiles can also cause security problems when moving applications from one system to another. Applications owned by IBM-supplied user profiles can also impact the performance of commands such as <span class="cmdname">CHKOBJITG</span> and <span class="cmdname">WRKOBJOWN</span>.</p>
</li>
<li>Use authorization lists to secure objects. <p>If you are granting private authorities to many objects for several users, consider using an authorization list to secure the objects. An authorization list results in one private authority entry (for the list) in each user’s profile, rather than one private authority entry for each object. In the object owner’s profile, it results in one authorized-object entry for every user granted authority to the list, rather than one entry for every object multiplied by the number of users that are granted the private authority.</p>
</li>
</ul>
</div>
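<p>The three recommendations above, applied to a single application as one CL procedure. This is an added example rather than code from the IBM topic; the names ORDOWN (owner profile), ORDLIB (application library), ORDAUTL (authorization list), ORDENT (entry program), ORDCLERK1, ORDCLERK2 and ORDAUDIT are constructed, and the program must run under a profile that is allowed to create user profiles and change object ownership.</p>

```cl
/* SETOWNER - apply the three recommendations to one application.        */
/* Added example; ORDOWN, ORDLIB, ORDAUTL, ORDENT, ORDCLERK1, ORDCLERK2   */
/* and ORDAUDIT are constructed names.                                    */
PGM
  DCLF     FILE(QSYS/QADSPOBJ)        /* record format of the DSPOBJD outfile */

  /* 1. A dedicated owner profile: no password, no special authorities,   */
  /*    signs off at once if anyone tries to use it interactively.        */
  CRTUSRPRF USRPRF(ORDOWN) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*NONE) +
            INLMNU(*SIGNOFF) TEXT('Owner of the order application')
  MONMSG   MSGID(CPF2200)             /* CPF22xx, e.g. profile already exists */

  /* 2. Move the library and everything in it away from QSECOFR/QPGMR.    */
  CHGOBJOWN OBJ(QSYS/ORDLIB) OBJTYPE(*LIB) NEWOWN(ORDOWN) CUROWNAUT(*REVOKE)
  DSPOBJD  OBJ(ORDLIB/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) +
           OUTFILE(QTEMP/ORDOBJS)
  OVRDBF   FILE(QADSPOBJ) TOFILE(QTEMP/ORDOBJS)
READ:     RCVF
  MONMSG   MSGID(CPF0864) EXEC(GOTO CMDLBL(SECURE))   /* end of file */
  CHGOBJOWN OBJ(&ODLBNM/&ODOBNM) OBJTYPE(&ODOBTP) NEWOWN(ORDOWN) +
            CUROWNAUT(*REVOKE)
  MONMSG   MSGID(CPF0000)             /* e.g. already owned by ORDOWN */
  GOTO     CMDLBL(READ)

  /* 3. One authorization list for all application files.  Each user gets */
  /*    one private authority entry (to the list) instead of one per file, */
  /*    and ORDOWN carries one authorized-object entry per user instead of */
  /*    files x users.  *PUBLIC is excluded.                               */
SECURE:   DLTOVR   FILE(QADSPOBJ)
  CRTAUTL  AUTL(ORDAUTL) TEXT('Order application files') AUT(*EXCLUDE)
  GRTOBJAUT OBJ(ORDLIB/*ALL) OBJTYPE(*FILE) AUTL(ORDAUTL)
  ADDAUTLE AUTL(ORDAUTL) USER(ORDCLERK1 ORDCLERK2) AUT(*CHANGE)
  ADDAUTLE AUTL(ORDAUTL) USER(ORDAUDIT) AUT(*USE)

  /* 4. The entry program adopts ORDOWN, not a powerful IBM profile.       */
  CHGPGM   PGM(ORDLIB/ORDENT) USRPRF(*OWNER)

  DSPAUTL  AUTL(ORDAUTL)              /* one entry per user, however many files */
ENDPGM
```

<p>After it runs, each clerk profile carries a single private authority entry for ORDAUTL no matter how many files ORDLIB holds, and ORDOWN's profile carries one authorized-object entry per user on the list. Adding a file to the application later only needs a GRTOBJAUT with AUTL(ORDAUTL); adding a user only needs an ADDAUTLE, so neither the user profiles nor the owner profile grow with the product of files and users.</p>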
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzamvplanobjauth.htm">Plan object authority</a></strong><br />
This information is helpful when planning object authority.</li>
<li class="ulchildlink"><strong><a href="rzamvdetermineobjowner.htm">Determine object ownership</a></strong><br />
Every object on the system has an owner. The owner has *ALL authority to the object by default.</li>
<li class="ulchildlink"><strong><a href="rzamvappdescworksheet.htm">Application description worksheet</a></strong><br />
This worksheet should be completed for each application on your system.</li>
<li class="ulchildlink"><strong><a href="rzamvplanappinstall.htm">Plan application installation</a></strong><br />
To finish planning resource security, you need to prepare for your application installation.</li>
</ul>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplanrscsec.htm" title="This topic describes each of the components of resource security and how they all work together to protect information on your system. It also explains how to use CL commands and displays to set up resource security on your system.">Plan resource security</a></div>
</div>
</div>
</body>
</html>