Security Management Guide (G06.24+, H06.03+)

Guardian System Security
Security Management Guide 522283-008
SYS00.CMPLIB 100L
SYS00.DEFAULT 100L
SYS00.DELUSER 100L
SYS00.DSAP 100L
SYS00.FUP 100L
SYS00.PASSWORD 100L
SYS00.PUP 100L
SYS00.RESTORE 100L
SYS00.RPASSWRD 100L
SYS00.USERS 100L
PROGID Programs
This subsection discusses the PROGID attribute and its implications for security.
When a user executes an ordinary program, the program operates using the privileges
of the user and accesses only resources to which the user has access.
When a user executes a PROGID program, the program operates using the privileges
of the program owner and accesses only resources to which the program owner has
access.
PROGID programs allow one user to temporarily gain a controlled subset of another
user's privileges.
Uses of PROGID Programs
The two main reasons for using PROGID programs are controlling access to system
programs and controlling access to a database.
Controlling Access to System Programs
Certain operations that are easily performed using the super ID might have to be
performed by users other than the super ID; for example, when a system operator
backs up a tape of files to which that operator does not have access. If the system
operator cannot use the super ID, a PROGID program provides a convenient and
secure solution.
To use PROGID in this example, the system manager creates a program that invokes
the system BACKUP utility with a predetermined argument list. The argument list
defines the files to be backed up. The system manager then provides the program as a
PROGID program owned by the super ID and accessible to only the system operators.
An operator can run this program as needed, thus obtaining the privilege of the super
ID, but only to perform the predefined backup operation.
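The wrapper design described above, sketched in C as an added example (not code from this guide): POSIX execve stands in for starting BACKUP, and the utility path, tape device and fileset shown are hypothetical. Marking the compiled program so that it runs with its owner's privileges, and restricting who may execute it, are file-attribute settings made separately, as the text describes.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical utility path and argument list. The system manager chooses
   these and compiles them in; nothing here is read from the caller. */
static const char *const BACKUP_PATH = "/usr/local/sbin/site-backup";
static const char *const FIXED_ARGV[] = {
    "site-backup", "--tape", "/dev/tape0", "--fileset", "/data/payroll", NULL
};
/* Fixed minimal environment, so the caller cannot steer the utility
   through inherited variables. */
static const char *const FIXED_ENVP[] = { "PATH=/usr/sbin:/usr/bin", "LANG=C", NULL };

/* Copy the predetermined argument list into out[]. The caller's own
   arguments are accepted only to be discarded. Returns the number of
   arguments, or -1 if out[] cannot hold them plus the NULL terminator. */
int build_backup_argv(int caller_argc, char *const caller_argv[],
                      const char *out[], size_t out_len)
{
    (void)caller_argc;
    (void)caller_argv;
    size_t n = 0;
    while (FIXED_ARGV[n] != NULL)
        n++;
    if (out_len < n + 1)
        return -1;
    for (size_t i = 0; i <= n; i++)   /* i == n copies the terminator */
        out[i] = FIXED_ARGV[i];
    return (int)n;
}

int main(int argc, char *argv[])
{
    const char *args[16];
    if (build_backup_argv(argc, argv, args, sizeof args / sizeof args[0]) < 0)
        return 2;
    if (argc > 1)
        fprintf(stderr, "note: %d caller argument(s) ignored\n", argc - 1);
    /* Absolute path, fixed arguments, fixed environment. */
    execve(BACKUP_PATH, (char *const *)args, (char *const *)FIXED_ENVP);
    perror("execve");   /* reached only if the utility could not be started */
    return 1;
}
```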
Controlling Access to a Database
PROGID programs can provide controlled access to a database. Typical uses might
include:
Allowing operations on the system within predefined access hours