APSYSEC parameter: Difference between revisions
mNo edit summary |
|||
| Line 9: | Line 9: | ||
<dd>User 0 CCAIN parameters | <dd>User 0 CCAIN parameters | ||
<dt>Related products | <dt>Related products | ||
<dd>Prior to Version 7.5 of Model | <dd>Prior to Version 7.5 of [[Model 204]], this parameter required the <var class="product">SirSafe</var> product. | ||
<dt>Introduced | <dt>Introduced | ||
<dd><var class="product">[[Sirius Mods]]</var> 6.7 | <dd><var class="product">[[Sirius Mods]]</var> 6.7 | ||
| Line 18: | Line 18: | ||
manager to START, STOP, DEBUG, or TEST any subsystem, without have to | manager to START, STOP, DEBUG, or TEST any subsystem, without have to | ||
add the system manager to the sclass authorized to do these things. | add the system manager to the sclass authorized to do these things. | ||
Setting this parameter has no effect at sites not authorized for | Setting this parameter has no effect at sites not authorized for [http://m204wiki.rocketsoftware.com/images/4/4d/SafrNew.pdf SirSafe]. | ||
The APSYSEC parameter is a bitmask parameter where the bits mean: | The APSYSEC parameter is a bitmask parameter where the bits mean: | ||
| Line 28: | Line 28: | ||
at least start and stop the subsystems — a common thing for system | at least start and stop the subsystems — a common thing for system | ||
managers to need to do. | managers to need to do. | ||
<p> | |||
In fact, if no users other than system managers need to start or stop | In fact, if no users other than system managers need to start or stop | ||
subsystems, this can eliminate the need to even have sclasses in a subsystem | subsystems, this can eliminate the need to even have sclasses in a subsystem | ||
| Line 35: | Line 35: | ||
a single default sclass, which has performance benefits — no sclass | a single default sclass, which has performance benefits — no sclass | ||
lookup is required when a user enters a subsystem, and no sclass-specific | lookup is required when a user enters a subsystem, and no sclass-specific | ||
compiles are done for the procedures in the subsystem. | compiles are done for the procedures in the subsystem.</p> | ||
<p> | |||
Because of the overhead associated with multiple sclasses in a | Because of the overhead associated with multiple sclasses in a | ||
subsystem (not huge, but possibly measurable), some sites take the risk | subsystem (not huge, but possibly measurable), some sites take the risk | ||
| Line 42: | Line 42: | ||
to the one and only sclass for a subsystem. | to the one and only sclass for a subsystem. | ||
This, of course, means that any user can start and stop the subsystem, which | This, of course, means that any user can start and stop the subsystem, which | ||
might not be ideal from a control or security perspective. | might not be ideal from a control or security perspective. </p> | ||
<p> | |||
The APSYSEC parameter allows such a site to keep one sclass but remove the risk. | The APSYSEC parameter allows such a site to keep one sclass but remove the risk. | ||
START and STOP privileges can be removed from the default/only sclass for a | START and STOP privileges can be removed from the default/only sclass for a | ||
subsystem, and only system managers (or users running subsystems that give | subsystem, and only system managers (or users running subsystems that give | ||
them system manager privileges) can start or stop subsystems. | them system manager privileges) can start or stop subsystems.</p> | ||
<p> | |||
To continue using | To continue using Model 204's traditional fine-grained | ||
control of START, STOP, TEST, and DEBUG privileges, the APSYSEC X'01' bit | control of START, STOP, TEST, and DEBUG privileges, the APSYSEC X'01' bit | ||
should ''not'' be set. | should ''not'' be set.</p> | ||
</dl> | </dl> | ||
Revision as of 18:42, 14 July 2014
Sirius APSY security flags
Summary
- Default value
- X'00'
- Parameter type
- System
- Where set
- User 0 CCAIN parameters
- Related products
- Prior to Version 7.5 of Model 204, this parameter required the SirSafe product.
- Introduced
- Sirius Mods 6.7
Description
The APSYSEC parameter makes it possible for a system manager to START, STOP, DEBUG, or TEST any subsystem, without have to add the system manager to the sclass authorized to do these things. Setting this parameter has no effect at sites not authorized for SirSafe.
The APSYSEC parameter is a bitmask parameter where the bits mean:
- X'01'
- System managers are allowed to START, STOP, DEBUG, or TEST any subsystem.
This saves the effort of adding a system manager to a privileged
sclass in every subsystem in an Online so that the system manager could
at least start and stop the subsystems — a common thing for system
managers to need to do.
In fact, if no users other than system managers need to start or stop subsystems, this can eliminate the need to even have sclasses in a subsystem to allow starting or stopping of the subsystem. In some cases, eliminating this need can reduce the subsystem definition to a single default sclass, which has performance benefits — no sclass lookup is required when a user enters a subsystem, and no sclass-specific compiles are done for the procedures in the subsystem.
Because of the overhead associated with multiple sclasses in a subsystem (not huge, but possibly measurable), some sites take the risk of adding START and STOP privileges (and perhaps TEST and DEBUG) to the one and only sclass for a subsystem. This, of course, means that any user can start and stop the subsystem, which might not be ideal from a control or security perspective.
The APSYSEC parameter allows such a site to keep one sclass but remove the risk. START and STOP privileges can be removed from the default/only sclass for a subsystem, and only system managers (or users running subsystems that give them system manager privileges) can start or stop subsystems.
To continue using Model 204's traditional fine-grained control of START, STOP, TEST, and DEBUG privileges, the APSYSEC X'01' bit should not be set.