ODBC Server Installation and Management Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

151

152

153

154

155

156

157

158

159

160

Managing the NonStop ODBC Server

HP NonStop ODBC Server Installation and Management Manual—429395-002

4-20

PROGID Security

Security for Utility Functions

Many of the utility functions, such as SYSCAT VALIDATE, REFRESH, CLEANUP, ADD

USER, and REMOVE USER, have their own set of authorization checks built in. For

example, SYSCAT REFRESH can only be performed by a super-group user. The best

way to impose additional security for the other statements is by restricting write access

to the NonStop ODBC Server system catalog tables ZNSALT, ZNSPROF, ZNSTRA,

and ZNSUS. For example, if the security of these tables is set to “NCNO,” only super-

group users can write to the tables, so only super-group users would be able to add

aliases and set up profile or trace records.

PROGID Security

PROGID is a Guardian file security parameter that allows you to designate a single

user ID for execution of a program regardless of the user ID of the calling process.

PROGID support satisfies a customer’s need to allow a set of users to be able to run

NOSCOM and perform administrative functions of adding and deleting users without

requiring the users to be first authenticated as super-group users or the super ID.

When PROGID is set for NOSUTIL, access should be limited either by setting the

security string to allow use by only a well-defined group of intended users or by using

the Safeguard product to explicitly define an allowed list of users. Additionally, this

NOSUTIL program should be separated from the NonStop ODBC Server system and

not be the executable when started by SCSOBJ or the NOS program.

Setting the PROGID Attribute

The syntax for setting the PROGID attribute for NOSUTIL is as follows:

The security-string value should be set according to the installation’s security

requirements for limiting access; the use of the Safeguard product is recommended for

a NOSUTIL program with PROGID security.

When NOSUTIL is run, the PROGID attribute sets the process accessor ID to the

program file owner’s ID, instead of the ID of the actual accessor.

To use the FUP SECURE command, you must be the file owner, the owner’s group

manager, or a super-group user.

Note. Do not use a SQLCI command of the form SECURE ZNS*... to set the security of the

preceding tables, because there are other NonStop ODBC Server system catalog tables whose

security should not be changed. Most notably, write access to ZNSDB is needed by other users

for them to be able to create and drop databases.

FUP SECURE NOSUTIL , ["] security-string ["] , PROGID