This information helps you establish resource security for workstations
and printers by setting ownership and public authority to objects, as well
as specific authority to applications.
Your most important protection is resource security on your server. Resource
security on the system allows you to define who can use objects and how those
objects can be used. The ability to access an object is called authority.
When you set up object authority, you can need to be careful to give your
users enough authority to do their work without giving them the authority
to browse and change the system. Object authority gives permissions to the
user for a specific object and can specify what the user is allowed to do
with the object. An object resource can be limited through specific detailed
user authorities, such as adding records or changing records.
System resources can be used to give the user access to specific system-defined
subsets of authorities: *ALL, *CHANGE, *USE, and *EXCLUDE. Files, programs,
libraries, and directories are the most common system objects that require
resource security protection, but you can specify authority for any individual
object on the system.
Defining Who Can Access Information
You can give authority to individual users, groups of users, and the public.
Note: In
some environments, a user’s authority is referred to as a privilege.
You
define who can use an object in several ways:
- Public Authority
- The public consists of anyone who is authorized to sign on to your system.
Public authority is defined for every object on the system, although the public
authority for an object may be *EXCLUDE. Public authority to an object is
used if no other specific authority is found for the object.
- Private Authority
- You can define specific authority to use (or not use) an object. You can
grant authority to an individual user profile or to a group profile. An object
has private authority if any authority other than public authority, object
ownership, or primary group authority is defined for the object.
- User Authority
- Individual user profiles may be given authority to use objects on the
system. This is one type of private authority.
- Group Authority
- Group profiles may be given authority to use objects on the system. A
member of the group gets the group’s authority unless an authority is specifically
defined for that user. Group authority is also considered private authority.
- Object Ownership
- Every object on the system has an owner. The owner has *ALL authority
to the object by default. However, the owner’s authority to the object can
be changed or removed. The owner’s authority to the object is not considered
private authority.
- Primary Group Authority
- You can specify a primary group for an object and the authority the primary
group has to the object. Primary group authority is stored with the object
and may provide better performance than private authority granted to a group
profile. Only a user profile with a group identification number (gid) may
be the primary group for an object. Primary group authority is not considered
private authority.
Defining How Information Can Be Accessed
Authority means the type of access allowed to an object. Different operations
require different types of authority.
Note: In some environments, the authority
associated with an object is called the object’s mode of access.
Authority
to an object is divided into three categories:
- Object Authority defines what operations can be performed on the object
as a whole.
- Data Authority defines what operations can be performed on the contents
of the object.
- Field Authority defines what operations can be performed on the data fields.
Defining What Information Can Be Accessed
You can define resource security for individual objects on the system.
You can also define security for groups of objects using either library security
or an authorization list.
Library Security
Many objects on the system reside in libraries. To access an object, you
need authority both to the object itself and the library in which the object
resides. For most operations, including deleting an object, *USE authority
to the object library is sufficient (in addition to the authority required
for the object). Creating a new object requires *ADD authority to the object
library. Special authority is required by some CL commands for objects and
the object libraries. Using library security is one technique for protecting
information while maintaining a simple security scheme.
Although library security is a simple, effective method for protecting
information, it may not be adequate for data with high security requirements.
Many objects reside in directories. Highly sensitive objects should be secured
individually or with an authorization list, rather than relying on library
security.
You will need the following worksheets during this process:
- The Application Installation worksheet, prepared in "Planning your application
installation."
- The Authorization List worksheet, prepared in "Grouping objects."
- The Library Description worksheet, prepared in "Determining ownership
of libraries and objects."
- The Output Queue and Workstation Security worksheet, prepared in "Protecting
printer output" and "Protecting workstations."
- The System Responsibilities worksheet, prepared in "Planning your overall
security strategy."
Complete the following tasks:
- Set up ownership and public authority
- Create authorization lists
- Secure objects with an authorization list
- Add users to the authorization lists
- Set up any specific authorities
- Secure workstations
- Secure printer output
- Restrict access to the system operator message queue