Establishing and maintaining security: Difference between revisions
Revision as of 16:20, 29 January 2015
Overview
Model 204 provides basic internal security features at all levels.
All security features are optional. Any combination of features is supported.
Storing security information (CCASTAT) explains how to maintain the CCASTAT data set, which contains a password table of encrypted user and file security information.
For information about Model 204 and standard commercial security interfaces, refer to Security interfaces.
File security
The file security feature limits access to particular files by requiring a password to open the file. The type of operation a particular user can perform on the file is also controlled by the file password.
OPENCTL parameter
The OPENCTL parameter, set during creation of the file (or reset during a Model 204 run), determines whether a file is public (no password required) or is protected by one of several levels of file, group, and record security.
For OPENCTL settings that pertain to Parallel Query Option/204, see OPENCTL parameter.
PRIVDEF parameter
Access to a file is limited by the settings on the PRIVDEF parameter. The PRIVDEF parameter summarizes the default file privileges that are assigned when a public file is opened, or when a semipublic file is opened without a password or with an invalid password. User privileges are included in the PRIVDEF specification.
Set PRIVDEF to any combination of values listed below in PRIVDEF parameter settings.
If you must restrict the viewing of file-related parameters, reset the default value (X'BFFF') of PRIVDEF with the RESET PRIVDEF command. Otherwise, an odd PRIVDEF value (one with the X'0001' bit set, as in the default) allows a user to view file-related parameters through one of the following display commands or functions:
- DISPLAY FILE or DISPLAY VIEW
- $View
- IFDISP or IFPERM
PRIVDEF parameter settings
The following table lists PRIVDEF settings, which you can add in any combination.
Setting | User can... |
---|---|
X'8000' | Use privileged commands such as INITIALIZE, SECURE, and DESECURE. The user can also reset file parameters if ad hoc update privileges (X'2000') are obtained. |
X'4000' | Override record security. |
X'2000' | Update data with ad hoc requests or host language programs. |
X'1000' | Make changes to procedures defined in the same file as the data but cannot delete them. |
X'0800' | Update data with internal procedures. |
X'0400' | Retrieve data with ad hoc requests or host language programs. |
X'0200' | Display, echo, and copy internal procedures. |
X'0100' | Retrieve data with internal procedures. |
X'0080' | Update data with procedures defined in a different file from the data. |
X'0040' | Retrieve data with external procedures. |
X'0020' | Include internal procedures. |
X'0010' | Define internal procedures. |
X'0008' | Delete internal procedures. |
X'0001' | Access file-related parameters. |
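The settings table as a bitmask decoder, added here as an illustration (Python, not Model 204 code). The function names and the choice of bits to flag for review are assumptions of this example; the bit meanings are copied from the table above.

```python
# Added example: decode a PRIVDEF value with the bit meanings from the table above.
PRIVDEF_BITS = {
    0x8000: "privileged commands (INITIALIZE, SECURE, DESECURE)",
    0x4000: "override record security",
    0x2000: "update data: ad hoc requests / host language programs",
    0x1000: "change (not delete) procedures in the data file",
    0x0800: "update data: internal procedures",
    0x0400: "retrieve data: ad hoc requests / host language programs",
    0x0200: "display, echo, copy internal procedures",
    0x0100: "retrieve data: internal procedures",
    0x0080: "update data: procedures in a different file",
    0x0040: "retrieve data: external procedures",
    0x0020: "include internal procedures",
    0x0010: "define internal procedures",
    0x0008: "delete internal procedures",
    0x0001: "access file-related parameters",
}
# Assumption of this example: bits worth a second look in a default (no password) grant.
REVIEW_BITS = 0x8000 | 0x4000 | 0x2000 | 0x0001

def parse_hex(text):
    """Accept the page's X'hhhh' notation and return an int."""
    t = text.strip().upper()
    if not (t.startswith("X'") and t.endswith("'") and len(t) == 7):
        raise ValueError(f"expected X'hhhh', got {text!r}")
    return int(t[2:-1], 16)

def decode_privdef(text):
    value = parse_hex(text)
    granted = [name for bit, name in PRIVDEF_BITS.items() if value & bit]
    flagged = [name for bit, name in PRIVDEF_BITS.items()
               if value & bit & REVIEW_BITS]
    # Bits the file table does not name (X'0004' and X'0002' are the
    # group-only settings described under Group security).
    unnamed = value & ~sum(PRIVDEF_BITS)
    return {"granted": granted, "flagged": flagged, "unnamed": unnamed,
            "can_view_parameters": bool(value & 0x0001)}

def without_parameter_access(text):
    """Same privileges with the X'0001' bit cleared, in X'hhhh' notation."""
    return "X'%04X'" % (parse_hex(text) & ~0x0001)

if __name__ == "__main__":
    print(decode_privdef("X'BFFF'"))            # the default value
    print(without_parameter_access("X'BFFF'"))
```

Decoding the default X'BFFF' shows every named file privilege except record security override, which is why a public file left at the default grants more than read access.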
File password table maintenance
The password table contains one entry for each file password. These entries consist of the following information:
- File or group name
- Password that the user must specify in order to be granted the file or group privileges
- Two-byte representation of the user privileges that are granted when the user successfully opens the file or group (see the "PRIVDEF parameter settings" table, above)
- User class for procedures
- Field-level security SELECT, READ, UPDATE, and ADD levels
Using LOGCTL to modify the file password table
The LOGCTL command allows you to add or delete file entries in the password table. For example, the following command adds a file to the password table:
LOGCTL A :filename
You can specify an index character, necessary to differentiate entries for future changes or deletions, when a file has more than one password.
If you change a file or group password entry and omit one or more specifications, the corresponding entries in the password table are preserved.
To list all the file entries in the password table, along with the associated privileges (but not the passwords), issue the LOGFILE command.
Sample dialogue using LOGCTL
The following dialogue illustrates the use of LOGCTL to add, change, and delete file entries in the password table:
    LOGCTL A :CENSUS1
    *** M204.0374: ENTER FILE/GROUP PASSWORD, PRIVILEGES, CLASS, SELECT, READ, UPDATE, ADD
    ACCESS,X'0900',60,20,30,30,40
    *** M204.0379: ENTER TERMINAL LIST,ALL,NONE,ADD,DEL,OR RETURN
    21,31
    LOGCTL C :TCENSUS3
    ***M204.0374:ENTER FILE/GROUP PASSWORD, PRIVILEGES, CLASS, SELECT, READ, UPDATE, ADD
    ,,70
    *** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN

    LOGCTL D :XCENSUSA
Adding and removing security from files
To secure a file, issue the SECURE FILE command, which ensures that a user cannot access a file illegally by running a Model 204 program with its own password table.
A special field in the password table serves as the key for securing files. When a secured file is opened, the key is compared with a copy placed in the file by the SECURE command. The file is accessed only if the two passwords match. The comparison with the key is performed even when the file is opened as part of a group.
To reverse the security placed upon a file by the SECURE command, issue the DESECURE command.
For additional information about the SECURE and DESECURE commands, see SECURE command, definition format.
To change the key in the password table, issue the LOGKEY command.
Group security
The group security feature restricts access to particular file groups to certain users. When the group is created, access is limited by parameter settings of the CREATE GROUP command. A group can be classified as:
Classification | Meaning |
---|---|
Public | When a public group is opened, default group privileges are defined on the PRIVDEF parameter in the group definition. |
Semipublic | When a semipublic group is opened without a password or with an invalid password, default group privileges are defined on the PRIVDEF parameter in the group definition. |
Private | A password is required to open the group. |
In addition to the file privileges discussed in the File security section, you can assign two additional classifications with the PRIVDEF parameter:
Classification | User can... |
---|---|
X'0004' | Update data via procedures from the procedure file. |
X'0002' | Retrieve data via procedures from the procedure file. |
Group entries have the same format as that shown for file entries earlier on this page.
LOGCTL and LOGGRP commands
The following considerations apply:
- Use the LOGCTL command to add or delete group entries in the password table. For example, the following command changes the entries in the password table for the group named AREA:
  LOGCTL C ,AREA
- You can specify an index character, necessary to differentiate entries for future changes or deletions, when a file has more than one password.
- To list all the group entries in the password table, along with the associated privileges (but not the passwords), issue the LOGGRP command.
Record security
The record security feature limits access to individual records in a file. Each user can retrieve and update only records that the user has stored in the file or that other users have agreed to share. The existence of other records is not apparent.
The following considerations apply:
- Record security can be in effect for one or more of the files in a group, but not for the group as a whole.
- Access to a single record depends only on the record security field defined for the record's file.
- Record security cannot be used unless login security is in effect.
- To initiate record security, set the OPENCTL parameter in the CREATE command for the file and describe the special record security field in the INITIALIZE command. For more information about these commands, see Creating files with file security and Initializing a record security file.
- Record security can be overridden if the user has been granted the record security override privilege at login time (the X'04' bit must be set) and the user's file password also contains the record security override privilege (X'4000').
- Record security can be overridden for a file in a permanent file group if login and group privileges (X'4000') allow it.
Field-level security
The field-level security feature (FLS) controls access to the individual fields of a Model 204 file, if access to a record is allowed by previous file-level and record-level security checks.
Every field definition (created by the DEFINE FIELD command) can have a security level from 0 to 255 associated with it.
A level of 0 implies no security for the field; 255 implies the highest security. Field access types are described in the following sections.
Scope of field-level security
Field-level security controls only explicit field references. Implicit references, such as retrieving a record security field with a FIND statement or adding a record security key value with STORE, are not controlled.
To include user field access levels to file and group passwords in the password table, use the LOGCTL command to add or delete access entries.
The way access levels are determined for files that are also members of groups is summarized in Determining user access levels.
Field access types
Each user is assigned access levels, ranging from 0 to 255, for each file and group opened. Access to a field is limited to any combination of the following access types:
Access type | Means the ability to... |
---|---|
ADD | Add new occurrences of a field, including those added by a Store Record statement. ADD access lets data entry clerks or other personnel add new field occurrences or records without being able to change existing occurrences, or possibly even to examine them. ADD access can also provide a user with the ability to add occurrences of the record security field without altering existing occurrences. |
READ | Examine the value of a field (for example, in a SOUL Print or assignment statement). |
SELECT | Use the field in a SOUL Find statement or an IFFIND call. |
UPDATE | Change the value of a previously stored occurrence of a field. UPDATE access can be granted without a corresponding READ access, which precludes updates of the form: CHANGE fieldname=value1 TO value2 |
When a user attempts to access a field in a particular way, Model 204 compares the user's access levels with the field level defined for the field. If the user's level for the desired type of access is greater than or equal to the field's FLS level, the particular type of field access is allowed.
For example, a user who has a READ level of 30 is permitted to display any field that has a READ level between 0 and 30, but cannot display a field that has a READ level of 40.
Sample dialogue using LOGCTL
The following example adds field security levels 50 (SELECT), 40 (READ), 10 (UPDATE), and 0 (ADD); no other information is changed:
    LOGCTL C :CENSUS
    *** M204.0374:ENTER FILE/GROUP PASSWORD, PRIVILEGES, CLASS, SELECT, READ, UPDATE, ADD
    ,,,50,40,10,0
    *** M204.0379: ENTER TERMINAL LIST,ALL,NONE,ADD,DEL,OR RETURN
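A toy model of the LOGCTL C response and the field-level comparison described above, added here as an illustration and not taken from Model 204. The `Entry` class, its empty defaults, and the function names are hypothetical; the sample responses are the ones shown in the dialogues on this page.

```python
# Added example: positional LOGCTL response handling and the FLS level check.
# The real password table is encrypted; this model keeps plain values only to
# show which position maps to which field.
from dataclasses import dataclass, replace

FIELDS = ("password", "privileges", "user_class", "select", "read", "update", "add")
LEVELS = ("select", "read", "update", "add")

@dataclass(frozen=True)
class Entry:                      # hypothetical stand-in for one table entry
    password: str = ""
    privileges: str = ""
    user_class: int = 0
    select: int = 0
    read: int = 0
    update: int = 0
    add: int = 0

def apply_logctl_response(entry, response):
    """Apply a comma-separated response; omitted positions keep the old value."""
    parts = [p.strip() for p in response.split(",")]
    if len(parts) > len(FIELDS):
        raise ValueError("too many specifications")
    changes = {}
    for name, text in zip(FIELDS, parts):
        if text == "":
            continue              # omitted specification: entry is preserved
        if name in ("password", "privileges"):
            changes[name] = text
        else:
            number = int(text)
            if name in LEVELS and not 0 <= number <= 255:
                raise ValueError(f"{name} level must be 0..255")
            changes[name] = number
    return replace(entry, **changes)

def field_access_allowed(entry, access_type, field_level):
    """Page's rule: allowed when the user's level >= the field's FLS level."""
    if access_type not in LEVELS:
        raise ValueError(f"unknown access type {access_type!r}")
    return getattr(entry, access_type) >= field_level

if __name__ == "__main__":
    e = apply_logctl_response(Entry(), "ACCESS,X'0900',60,20,30,30,40")
    e = apply_logctl_response(e, ",,,50,40,10,0")   # only the four levels change
    print(e, field_access_allowed(e, "read", 40), field_access_allowed(e, "update", 20))
```

After the second response the entry can read a field at level 40 but cannot update a field at level 20, since each access type is compared against its own level.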
Procedure security
The procedure security feature limits access to defined procedures.
The following considerations apply:
- You can specify privileges to enable a user to manipulate a procedure (display, define, or delete the procedure).
- You can limit access to a procedure to a particular class of users by assigning a user class number to the procedure being secured.
- Certain privileges (such as SECURE and DESECURE) associated with file and group passwords indicate the user privileges that pertain to the procedures for that file or group.
- To assign user class and procedure class mappings (see Procedure security) to file and group passwords, use the LOGCTL command to add the mappings to the password table.
Use LOGCTL to add, delete, or change the user class for procedures defined for a file or group.
Sample dialogue using LOGCTL
The following example adds a user class of 70 to an existing file entry; no other information is changed:
    LOGCTL C :CENSUS
    *** M204.0374: ENTER FILE/GROUP PASSWORD, PRIVILEGES, CLASS, SELECT, READ, UPDATE, ADD
    ,,70
    *** M204.0379: ENTER TERMINAL LIST,ALL,NONE,ADD,DEL,OR RETURN
Terminal security
The terminal security feature restricts access to certain login user IDs, files, or groups to users at identified terminals by associating a list of user numbers with each login, file, or group password. During Model 204 initialization, a terminal can be assigned a particular user number according to the order of the user parameter lines and the way in which they are assigned to specific telecommunications unit numbers in the JCL.
For example, a user at a particular terminal that has a specific number can log in to a specific user ID or open a specific file or group only if the terminal number is in the terminal list associated with the password for that user ID, file, or group. If it is not, Model 204 responds as if the user entered an invalid password.
Terminal security is generally used only with hard-wired terminals (terminals on leased lines). For dial-up terminals, the terminal can be connected to a number of similar telecommunications units and user parameter lines. Even though the location of a dial-up terminal is fixed, its terminal number can change every time it is dialed up.
The following considerations apply:
- To insert terminal lists into the appropriate password table entries and to change existing terminal assignments, use the LOGCTL command.
- To obtain listings of the login, file, or group entries in the password table, with legal terminal numbers included, issue a LOGLST, LOGFILE, or LOGGRP command.
- To update all terminal lists at once, use the TMASKUPDATE command.
  TMASKUPDATE takes no arguments. It loops through the password table, displays each entry for which ALL has not been specified, and allows you to specify a new terminal list or a blank line (no change).
- All password table entries are treated as if terminal security were in effect, even if the terminal security feature is not used:
  - Terminal lists are variable length, allowing you to add terminals even if you exceed the original number planned for.
  - If you specify ALL for a password table entry, the terminal list takes up no space beyond the basic entry.
  - A list representing NONE takes two bytes.
  - To compute the length of a list containing numbers, divide the highest specified number by eight and round up to a multiple of two.