169 lines
11 KiB
HTML
169 lines
11 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
<!DOCTYPE html
|
|||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
<html lang="en-us" xml:lang="en-us">
|
|||
|
<head>
|
|||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|||
|
<meta name="security" content="public" />
|
|||
|
<meta name="Robots" content="index,follow" />
|
|||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|||
|
<meta name="DC.Type" content="concept" />
|
|||
|
<meta name="DC.Title" content="Implement resource security" />
|
|||
|
<meta name="abstract" content="This information helps you establish resource security for workstations and printers by setting ownership and public authority to objects, as well as specific authority to applications." />
|
|||
|
<meta name="description" content="This information helps you establish resource security for workstations and printers by setting ownership and public authority to objects, as well as specific authority to applications." />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvimplementsecstrat.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvsetownerpubauth.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvcreateauthlist.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvsetauthobjlib.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvmenusecurity.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvsecureifs.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvsecprintqueue.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvsecstation.htm" />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresourcesec.htm" />
|
|||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Format" content="XHTML" />
|
|||
|
<meta name="DC.Identifier" content="setrscsec" />
|
|||
|
<meta name="DC.Language" content="en-us" />
|
|||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|||
|
<!-- US Government Users Restricted Rights -->
|
|||
|
<!-- Use, duplication or disclosure restricted by -->
|
|||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|||
|
<title>Implement resource security</title>
|
|||
|
</head>
|
|||
|
<body id="setrscsec"><a name="setrscsec"><!-- --></a>
|
|||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|||
|
<h1 class="topictitle1">Implement resource security</h1>
|
|||
|
<div><p>This information helps you establish resource security for workstations
|
|||
|
and printers by setting ownership and public authority to objects, as well
|
|||
|
as specific authority to applications.</p>
|
|||
|
<p>Your most important protection is resource security on your server. Resource
|
|||
|
security on the system allows you to define who can use objects and how those
|
|||
|
objects can be used. The ability to access an object is called authority.
|
|||
|
When you set up object authority, you can need to be careful to give your
|
|||
|
users enough authority to do their work without giving them the authority
|
|||
|
to browse and change the system. Object authority gives permissions to the
|
|||
|
user for a specific object and can specify what the user is allowed to do
|
|||
|
with the object. An object resource can be limited through specific detailed
|
|||
|
user authorities, such as adding records or changing records. </p>
|
|||
|
<p>System resources can be used to give the user access to specific system-defined
|
|||
|
subsets of authorities: *ALL, *CHANGE, *USE, and *EXCLUDE. Files, programs,
|
|||
|
libraries, and directories are the most common system objects that require
|
|||
|
resource security protection, but you can specify authority for any individual
|
|||
|
object on the system.</p>
|
|||
|
<p><strong>Defining Who Can Access Information </strong></p>
|
|||
|
<div class="p">You can give authority to individual users, groups of users, and the public. <div class="note"><span class="notetitle">Note:</span> In
|
|||
|
some environments, a user’s authority is referred to as a privilege. </div>
|
|||
|
You
|
|||
|
define who can use an object in several ways: <dl><dt class="dlterm">Public Authority</dt>
|
|||
|
<dd>The public consists of anyone who is authorized to sign on to your system.
|
|||
|
Public authority is defined for every object on the system, although the public
|
|||
|
authority for an object may be *EXCLUDE. Public authority to an object is
|
|||
|
used if no other specific authority is found for the object. </dd>
|
|||
|
<dt class="dlterm">Private Authority</dt>
|
|||
|
<dd>You can define specific authority to use (or not use) an object. You can
|
|||
|
grant authority to an individual user profile or to a group profile. An object
|
|||
|
has private authority if any authority other than public authority, object
|
|||
|
ownership, or primary group authority is defined for the object.</dd>
|
|||
|
<dt class="dlterm">User Authority</dt>
|
|||
|
<dd>Individual user profiles may be given authority to use objects on the
|
|||
|
system. This is one type of private authority. </dd>
|
|||
|
<dt class="dlterm">Group Authority</dt>
|
|||
|
<dd>Group profiles may be given authority to use objects on the system. A
|
|||
|
member of the group gets the group’s authority unless an authority is specifically
|
|||
|
defined for that user. Group authority is also considered private authority.</dd>
|
|||
|
<dt class="dlterm">Object Ownership</dt>
|
|||
|
<dd>Every object on the system has an owner. The owner has *ALL authority
|
|||
|
to the object by default. However, the owner’s authority to the object can
|
|||
|
be changed or removed. The owner’s authority to the object is not considered
|
|||
|
private authority.</dd>
|
|||
|
<dt class="dlterm">Primary Group Authority</dt>
|
|||
|
<dd>You can specify a primary group for an object and the authority the primary
|
|||
|
group has to the object. Primary group authority is stored with the object
|
|||
|
and may provide better performance than private authority granted to a group
|
|||
|
profile. Only a user profile with a group identification number (gid) may
|
|||
|
be the primary group for an object. Primary group authority is not considered
|
|||
|
private authority.</dd>
|
|||
|
</dl>
|
|||
|
</div>
|
|||
|
<p><strong>Defining How Information Can Be Accessed</strong></p>
|
|||
|
<div class="p">Authority means the type of access allowed to an object. Different operations
|
|||
|
require different types of authority. <div class="note"><span class="notetitle">Note:</span> In some environments, the authority
|
|||
|
associated with an object is called the object’s mode of access.</div>
|
|||
|
Authority
|
|||
|
to an object is divided into three categories: <ol><li>Object Authority defines what operations can be performed on the object
|
|||
|
as a whole.</li>
|
|||
|
<li>Data Authority defines what operations can be performed on the contents
|
|||
|
of the object.</li>
|
|||
|
<li>Field Authority defines what operations can be performed on the data fields.</li>
|
|||
|
</ol>
|
|||
|
</div>
|
|||
|
<p><strong>Defining What Information Can Be Accessed</strong></p>
|
|||
|
<p> You can define resource security for individual objects on the system.
|
|||
|
You can also define security for groups of objects using either library security
|
|||
|
or an authorization list.</p>
|
|||
|
<p><strong>Library Security</strong></p>
|
|||
|
<p>Many objects on the system reside in libraries. To access an object, you
|
|||
|
need authority both to the object itself and the library in which the object
|
|||
|
resides. For most operations, including deleting an object, *USE authority
|
|||
|
to the object library is sufficient (in addition to the authority required
|
|||
|
for the object). Creating a new object requires *ADD authority to the object
|
|||
|
library. Special authority is required by some CL commands for objects and
|
|||
|
the object libraries. Using library security is one technique for protecting
|
|||
|
information while maintaining a simple security scheme.</p>
|
|||
|
<p>Although library security is a simple, effective method for protecting
|
|||
|
information, it may not be adequate for data with high security requirements.
|
|||
|
Many objects reside in directories. Highly sensitive objects should be secured
|
|||
|
individually or with an authorization list, rather than relying on library
|
|||
|
security.</p>
|
|||
|
<div class="p">You will need the following worksheets during this process:<ul><li>The Application Installation worksheet, prepared in "Planning your application
|
|||
|
installation."</li>
|
|||
|
<li>The Authorization List worksheet, prepared in "Grouping objects."</li>
|
|||
|
<li>The Library Description worksheet, prepared in "Determining ownership
|
|||
|
of libraries and objects."</li>
|
|||
|
<li>The Output Queue and Workstation Security worksheet, prepared in "Protecting
|
|||
|
printer output" and "Protecting workstations."</li>
|
|||
|
<li>The System Responsibilities worksheet, prepared in "Planning your overall
|
|||
|
security strategy."</li>
|
|||
|
</ul>
|
|||
|
</div>
|
|||
|
<div class="p">Complete the following tasks:<ul><li>Set up ownership and public authority</li>
|
|||
|
<li>Create authorization lists</li>
|
|||
|
<li>Secure objects with an authorization list</li>
|
|||
|
<li>Add users to the authorization lists</li>
|
|||
|
<li>Set up any specific authorities</li>
|
|||
|
<li>Secure workstations</li>
|
|||
|
<li>Secure printer output</li>
|
|||
|
<li>Restrict access to the system operator message queue</li>
|
|||
|
</ul>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
<div>
|
|||
|
<ul class="ullinks">
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvsetownerpubauth.htm">Set up ownership and public authority</a></strong><br />
|
|||
|
In this topic, you establish ownership and public authority for application libraries, group libraries, and personal libraries.</li>
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvcreateauthlist.htm">Create an authorization list</a></strong><br />
|
|||
|
This article describes the task, create an authorization list, explains why it is important, and provides step-by-step instructions.</li>
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvsetauthobjlib.htm">Set up specific authority for objects and libraries</a></strong><br />
|
|||
|
You can use the Edit Object Authority (EDTOBJAUT) command to set specific authority for the library and objects in the library.</li>
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvmenusecurity.htm">Set up menu security</a></strong><br />
|
|||
|
This article discusses the user profile parameters for setting up menu security.</li>
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvsecureifs.htm">Secure the integrated file system</a></strong><br />
|
|||
|
The integrated file system provides you with multiple ways to store and view information on the system.</li>
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvsecprintqueue.htm">Secure your printer output queue</a></strong><br />
|
|||
|
This article describes the printer output queue setup tasks, explains why they are important, and provides step-by-step instructions for these tasks:</li>
|
|||
|
<li class="ulchildlink"><strong><a href="rzamvsecstation.htm">Secure your workstations</a></strong><br />
|
|||
|
After you secure printer output, you should secure your workstations. You authorize workstations just like you authorize other objects on the system. Use the EDTOBJAUT command to give users authority to workstations.</li>
|
|||
|
</ul>
|
|||
|
|
|||
|
<div class="familylinks">
|
|||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvimplementsecstrat.htm" title="This topic describes the tasks for implementing your security strategy, explains why they are important, and provides links to the implementation topics.">Implement your security strategy</a></div>
|
|||
|
</div>
|
|||
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
|||
|
<div><a href="rzamvresourcesec.htm" title="You can use resource security on the system to control the actions of authorized users after successful authentication.">Resource security</a></div>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
</body>
|
|||
|
</html>
|