<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="User security" />
<meta name="abstract" content="From a user's point of view, security affects how they use and complete tasks on the system." />
<meta name="description" content="From a user's point of view, security affects how they use and complete tasks on the system." />
<meta name="DC.Relation" scheme="URI" content="rzamvconcepts.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvplanusersec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvsetusersec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvsavesecinfo.htm" />
<meta name="DC.Relation" scheme="URI" content="../books/sc415304.pdf" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="usersec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>User security</title>
</head>
<body id="usersec"><a name="usersec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">User security</h1>
<div><p>From a user's point of view, security affects how they use and
complete tasks on the system.</p>
<p>User security includes how users interact with the system to complete their
tasks. It is important to consider how a user will view security. For example,
setting passwords to expire every five days might frustrate and interfere
with a user's ability to complete his or her job. On the other hand, too lax
a password policy might cause security problems.</p>
<p>To provide the right security for your system, you need to divide security
into specific parts that you can plan, manage, and monitor. From a user's
point of view, you can divide your system security into several parts.</p>
<div class="p">User security includes all areas where security affects the users and where
users can affect the system. Key components of user security include: <ul><li><strong>Physical access to the system</strong><p>Physical security protects the
system unit and all system devices, including backup storage media, such as
diskettes, tapes, or CDs, from accidental or intentional loss or damage. Most
measures you take to ensure the physical security of your system are external
to the system. However, the system ships with a keylock or electronic keystick
that prevents unauthorized use of functions at the system unit. </p>
</li>
<li><strong>How users sign on</strong><p>Signon security prevents a person who is not
identified on the system from signing on. To sign on, an individual must present
valid credentials, such as entering a valid combination of user ID and password.
You can use both system values and individual user profiles to make sure that
your signon security is not violated. For example, you can require that passwords
be changed on a regular basis. You can also prevent the use of passwords that
are easy to guess.</p>
</li>
<li><strong>What users are allowed to do</strong><div class="p">An important role of security, and
of system customization, is to define what users can do. From a security perspective,
this is often a limiting function, such as preventing people from seeing certain
information. From a system customizing perspective, this is an empowering
function. A properly customized system makes it possible for people to do
their jobs well by eliminating unnecessary tasks and information. Some methods
for defining what users can do are appropriate for the security officer, while
others are the responsibility of programmers. This information focuses primarily
on those things that a security officer usually does. Parameters are available
in individual user profiles, job descriptions, and classes to control what
the user can do on the system. The list below briefly describes the techniques
available: <ul><li>Limiting users to a few functions. <p>You can limit users to a specific
program, menu or set of menus, and a few system commands based on their user
profile. Usually, the security officer creates and controls user profiles.</p>
</li>
<li>Restricting system functions. <p>System functions allow you to save and
restore information, manage printer output, and set up new system users. Each
user profile specifies which of the most common system functions the
user can perform. You perform system functions by using control language
(CL) commands and APIs. Because every command and API is an object, you can
use object authorities to control who can use them and complete system functions.</p>
</li>
<li>Determining who can use files and programs. <p>Resource security provides
the capability to control the use of every object on the system. For any object,
you can specify who can use it and how they can use it. For example, you can
specify that one user can only look at the information in a file; another
user can change data in the file; a third user can change the file or delete
the entire file.</p>
</li>
<li>Preventing abuse of system resources. <p>The processing power on your
system can become just as important to your business as the data that you
store on it. The security officer helps to ensure that users do not misuse
system resources by running their jobs at a high priority, printing their
reports first, or using too much disk storage.</p>
</li>
</ul>
</div>
</li>
<li>How your system communicates with other computers.<p>Additional security
measures may be necessary if your system communicates with other computers
or with programmable workstations. If you do not have proper security controls,
someone on another computer in your network can start a job or access information
on your computer without going through the signon process. You can use both
system values and network attributes to control whether you allow remote jobs,
remote access of data, or remote PC access on your system. If you allow remote
access, you can specify what security to enforce. You can find descriptions
for all system values in Chapter 3, <span class="q">"Security System Values,"</span> of the <cite>iSeries™ Security
Reference</cite>. </p>
</li>
<li>How to save your security information.<p>You need to regularly back up
the information on your system. In addition to saving the data on your system,
you need to save security information. If a disaster occurs, you need to be
able to recover information about system users, authorization information,
and the information itself. </p>
</li>
<li>How to monitor your security plan.<div class="p">The system provides several tools
for monitoring security effectiveness: <ul><li>Messages are sent to the system operator when certain security violations
occur.</li>
<li>Various security-related transactions can be recorded in a special audit
journal.</li>
</ul>
<a href="rzamvmonitorsec.htm#monitorsec">Monitor security</a> discusses the use
of these tools in general terms. You can find more details on security auditing
in Chapter 9, "Auditing Security on the System," in the <cite>iSeries Security
Reference</cite>.</div>
</li>
<li>How to customize the security on your system.<div class="p">You can customize your
system to help your users accomplish their daily work. To best customize your
system for your users, think of what they need to accomplish their work successfully.
You can customize the system to show menus and applications in several ways: <ul><li>Show users what they want to see.<p>Most of us arrange our desks and our
offices so we can easily reach the things that we need most. Think of your
users' access to the system in the same way. After signing on to the system,
a user should first see the menu or display that person uses the most. You
can easily design user profiles to make this happen.</p>
</li>
<li>Eliminate unnecessary applications.<p>Most systems have many different
applications on them. Most users only want to see the things they need to
do their jobs. Limiting them to a few functions on the system makes their
jobs easier. With user profiles, job descriptions, and appropriate menus,
you can give each user a specific view of the system.</p>
</li>
<li>Send something to the right output location.<p>Users should not have to
worry about how to get their reports to the correct printer or how their batch
jobs should run. System values, user profiles, and job descriptions do these
things.</p>
</li>
<li>Provide assistance.<p>No matter how well you succeed in customizing
the system, users may still wonder <span class="q">"Where is my report?"</span> or <span class="q">"Has my
job run yet?"</span> Operational Assistant displays provide a simple interface
to system functions, which help users answer these questions. Different versions
of system displays, called assistance levels, provide help for users with
different levels of technical experience. When your system arrives, Operational
Assistant displays are automatically available for all users. However, the
design of your applications may require you to change the way users get access
to the Operational Assistant menu. The system provides tools which allow
you to customize your system security to protect your resources while allowing
users to access those resources.</p>
</li>
</ul>
</div>
</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvconcepts.htm" title="To effectively create a security policy and plan security measures for your system, you need to understand the following security concepts, some of which are general concepts and some of which are specific to the hardware type.">Concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzamvplanusersec.htm" title="Planning user security includes planning all areas where security affects the users on your system.">Plan user security</a></div>
<div><a href="rzamvsetusersec.htm" title="Setting up user security involves installing application libraries, and setting up user groups and profiles.">Set up user security</a></div>
<div><a href="rzamvsavesecinfo.htm" title="This topic presents an overview of how you save and restore security information.">Save security information</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../books/sc415304.pdf" target="_blank">Backup and Recovery PDF</a></div>
</div>
</div>
</body>
</html>