friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6290434003
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvplanrscsec.htm

237 lines
17 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Plan resource security" />
<meta name="abstract" content="This topic describes each of the components of resource security and how they all work together to protect information on your system. It also explains how to use CL commands and displays to set up resource security on your system." />
<meta name="description" content="This topic describes each of the components of resource security and how they all work together to protect information on your system. It also explains how to use CL commands and displays to set up resource security on your system." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecstrat.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanlibsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanappsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanauthlists.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplandbfilesec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanifssec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanprintsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanstationsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecprogrammers.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvresourcesec.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="planrscsec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Plan resource security</title>
</head>
<body id="planrscsec"><a name="planrscsec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Plan resource security</h1>
<div><p>This topic describes each of the components of resource security
and how they all work together to protect information on your system. It also
explains how to use CL commands and displays to set up resource security on
your system.</p>
<p>Resource security defines which users are allowed to use objects on the
system and what operations they are allowed to perform on those objects. </p>
<p><span class="uicontrol">Defining Who Can Access Information</span></p>
<div class="p">You can give authority to individual users, groups of users, and the public. <div class="note"><span class="notetitle">Note:</span> In
some environments, a users authority is referred to as a privilege.</div>
</div>
<div class="p"> You define who can use an object in several ways: <ul><li><dfn class="term">Public Authority</dfn>: The public consists of anyone who is authorized
to sign on to your system. Public authority is defined for every object on
the system, although the public authority for an object may be *EXCLUDE. Public
authority to an object is used if no other specific authority is found for
the object.</li>
<li><dfn class="term">Private Authority</dfn>: You can define specific authority to use,
or not use, an object. You can grant authority to an individual user profile
or to a group profile. An object has private authority if any authority other
than public authority, object ownership, or primary group authority is defined
for the object. </li>
<li><dfn class="term">User Authority</dfn>: Individual user profiles may be given authority
to use objects on the system. This is one type of private authority. </li>
<li><dfn class="term">Group Authority</dfn>: Group profiles may be given authority to
use objects on the system. A member of the group gets the groups authority
unless an authority is specifically defined for that user. Group authority
is also considered private authority.</li>
<li><dfn class="term">Object Ownership</dfn>: Every object on the system has an owner.
The owner has *ALL authority to the object by default. However, the owners
authority to the object can be changed or removed. The owners authority to
the object is not considered private authority.</li>
<li><dfn class="term">Primary Group Authority</dfn>: You can specify a primary group
for an object and the authority the primary group has to the object. Primary
group authority is stored with the object and may provide better performance
than private authority granted to a group profile. Only a user profile with
a group identification number (<var class="varname">gid</var>) may be the primary
group for an object. Primary group authority is not considered private authority.</li>
</ul>
See <a href="rzamvplanobjauth.htm#rzamvplanobjauth">Plan object authority</a> for more object authority information.</div>
<p><span class="uicontrol">Planning resource security</span></p>
<p>Now that you have completed the process for planning users on your system,
you can plan the resource security which protects objects on the system. In
Resource security you learn how to set up resource security on your system. </p>
<div class="p">System values and user profiles control who has access to your system and
prevent unauthorized users from signing on. Resource security controls the
actions that authorized system users can perform after they have signed on
successfully. Resource security supports the main goals of security on your
system to protect:<ul><li>Confidentiality of information</li>
<li>Accuracy of information to prevent unauthorized changes</li>
<li>Availability of information to prevent accidental or deliberate damage</li>
</ul>
You may plan resource security differently, depending on whether your
company develops applications or purchases them. For applications you develop,
you should communicate the requirements for security of the information to
the programmer during the application design process. When you purchase applications,
you need to determine your security needs and match those needs with the way
your provider has designed your applications. The techniques described here
should help you in both cases.</div>
<p>This information provides a basic approach to planning resource security.
It introduces the main techniques and shows how you can use them. The methods
described here will not necessarily work for every company and every application.
Consult your programmer or application provider as you plan resource security.</p>
<div class="p">The following sections are provided to help you plan resource security:
[list of active links to children]<ul><li>Resource security</li>
<li>Understanding <a href="rzamvauthtypes.htm#rzamvauthtypes">types of authority</a> </li>
<li>Planning security for <a href="rzamvinstallapplib.htm#rzamvinstallapplib">application libraries</a></li>
<li>Determining <a href="rzamvcreateownerprofresource.htm#rzamvcreateownerprofresource">ownership</a> of libraries and objects</li>
<li>Grouping <a href="rzamvsetpubauthobjlib.htm#rzamvsetpubauthobjlib">objects</a></li>
<li>Protecting <a href="rzamvsecprintqueue.htm#rzamvsecprintqueue">printer
output</a></li>
<li>Protecting <a href="rzamvsecstation.htm#rzamvsecstation">workstations</a></li>
<li><a href="rzamvsetrscsec.htm#rzamvsetrscsec">Implementing
resource security</a></li>
<li>Planning your <a href="rzamvplanappinstall.htm#rzamvplanappinstall">application installation</a></li>
</ul>
</div>
<div class="p">The following planning forms are helpful when planning system level security: <ul><li>Complete an <a href="rzamvappdescworksheet.htm#rzamvappdescworksheet">Application description</a> worksheet for each application
on your system.</li>
<li>Reference <a href="rzamvplanobjauth.htm#rzamvplanobjauth">Plan
object authority</a> to plan how you will establish ownership and public
authority to your applications after you load them.</li>
<li>Use the <a href="rzamvauthlistworksheet.htm#rzamvauthlistworksheet">Authorization list</a> worksheet to list the objects that
the list and the groups and individuals who have access to the list secure.</li>
<li>Use the <a href="rzamvprintersecworksheet.htm#rzamvprintersecworksheet">Printer Output Queue and Workstation Security</a> worksheet
to list any workstation or output queue that requires special protection.</li>
</ul>
</div>
<div class="p"><span class="uicontrol">Determining your objectives for your resource security:</span> To
begin to plan resource security, you must first understand your objectives.
The system provides flexible implementation of resource security. It gives
you the power to protect critical resources exactly the way you want. But
resource security also introduces additional overhead to your applications.
For example, whenever an application needs an object, the system must check
the users authority to that object. You must balance your need for confidentiality
against the cost of performance. As you make resource security decisions,
weigh the value of security against its cost. To prevent resource security
from degrading the performance of your applications, follow these guidelines:<ul><li>Keep your resource security scheme simple.</li>
<li>Secure only those objects that you need to secure.</li>
<li>Use resource security to supplement, not replace, the other tools for
protecting information, such as:<ul><li>Limiting users to specific menus and applications.</li>
<li>Preventing users from entering commands by limiting capabilities in user
profiles.</li>
</ul>
</li>
</ul>
Begin your resource security planning by defining your objectives. You
can define your security objectives on either the Application Description
form or the Library Description form. The form that you use depends on how
your information is organized in libraries.</div>
<p><span class="uicontrol">Planning security for workstations:</span> After planning
resource security for printers and printer output, you can begin planning
workstation security. On your Physical Security Plan, you listed workstations
that represent a security risk because of their location. Use this information
to determine which workstations you need to restrict.</p>
<p>You can encourage the people who use these workstations to be particularly
aware of security. They should sign off whenever they leave their workstations.
You may want to record your decision about sign off procedures for vulnerable
workstations in your security policy. You can also limit which functions can
be performed at those workstations to minimize the risks.</p>
<p>The easiest method for limiting function at a workstation is to restrict
it to user profiles with limited function. You may choose to prevent people
with security officer or service authority from signing on at every workstation.
If you use the QLMTSECOFR system value to do this, people with security officer
authority can sign on only at specifically authorized workstations. Prepare
the workstation portion of the Output Queue and Workstation Security form.</p>
<div class="p"><span class="uicontrol">Summary of resource security recommendations:</span> After
you finish planning workstation security, you can review the following resource
security recommendations. The system offers many options for protecting the
information on your system. This gives you the flexibility to design the resource
security plan that is best for your company. But this wealth of options can
also be confusing. This information demonstrated a basic approach to planning
resource security that uses these guidelines:<ul><li>Move from the general to the specific:<ul><li>Plan security for libraries. Deal with individual objects only when necessary.</li>
<li>Plan public authority first, followed by group authority, and individual
authority.</li>
</ul>
</li>
<li>Make the public authority for new objects in a library (CRTAUT) the same
as the public authority you defined for the majority of existing objects in
the library.</li>
<li>Try not to give groups or individuals less authority than the public has.
This diminishes performance, may lead to mistakes later, and makes auditing
difficult. If you know that everyone has at least the same authority to an
object that the public has, it makes planning and auditing security easier.</li>
<li>Use authorization lists to group objects with the same security requirements.
Authorization lists are simpler to manage than individual authorities and
aid in recovery of security information.</li>
<li>Create special user profiles as application owners. Set the owner password
to *NONE.</li>
<li>Avoid having applications owned by IBM-supplied profiles, such as QSECOFR
or QPGMR.</li>
<li>Use special output queues for confidential reports. Put the output queue
in the same library as the confidential information.</li>
<li>Limit the number of people who have security officer authority.</li>
<li>Be careful when granting *ALL authority to objects or libraries. People
with *ALL authority can accidentally delete things.</li>
</ul>
To ensure that you have planned successfully for setting up resource
security, you should have gathered the following information:<ul><li>Fill in Part 1 and Part 2 of the Library description forms for all your
application libraries. </li>
<li>On your Individual user profile forms fill in the Owner of objects created
and Group authority over objects created fields.</li>
<li>On your Naming conventions form describe how you plan to name authorization
lists.</li>
<li>Prepare Authorization List forms.</li>
<li>Add authorization list information to your Library description forms.</li>
<li>Prepare an Output queue and workstation security form.</li>
</ul>
Now you are ready to plan your <a href="rzamvplanappinstall.htm#rzamvplanappinstall">application installation</a>.</div>
<p>End of Step 3 for planning a security strategy; provide link to next step: <a href="rzamvplannetsec.htm#plannetsec">Plan network security</a></p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzamvplanlibsec.htm">Plan library security</a></strong><br />
This topic describes how to plan security for the libraries on your system.</li>
<li class="ulchildlink"><strong><a href="rzamvplanappsec.htm">Plan application security</a></strong><br />
This topic provides on overview for creating an application security plan for your company.</li>
<li class="ulchildlink"><strong><a href="rzamvplanauthlists.htm">Plan authorization lists</a></strong><br />
You can group objects with similar security requirements by using an authorization list.</li>
<li class="ulchildlink"><strong><a href="rzamvplandbfilesec.htm">Plan database file security</a></strong><br />
This topic discusses the steps necessary to create a security plan for your database files.</li>
<li class="ulchildlink"><strong><a href="rzamvplanifssec.htm">Plan integrated file system security</a></strong><br />
The integrated file system provides you with multiple ways to store and view information on the server.</li>
<li class="ulchildlink"><strong><a href="rzamvplanprintsec.htm">Plan printer and printer output queue security</a></strong><br />
This topic describes the key points in planning security for the printer and printer output queue, the importance of the planning tasks, and recommendations for completing the tasks.</li>
<li class="ulchildlink"><strong><a href="rzamvplanstationsec.htm">Plan workstation resource security</a></strong><br />
After planning resource security for printers and printer output, use this topic to begin planning workstation security.</li>
<li class="ulchildlink"><strong><a href="rzamvplansecprogrammers.htm">Plan security for programmers</a></strong><br />
Programmers pose a problem for the security officer. Their knowledge makes it possible for them to bypass security procedures that are not carefully designed.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecstrat.htm" title="This topic describes various aspects of planning a security strategy.">Plan your security strategy</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzamvresourcesec.htm" title="You can use resource security on the system to control the actions of authorized users after successful authentication.">Resource security</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink