Security Management Guide (G06.29+, H06.08+, J06.03+)
Concerns for the System Administration Team
Security Management Guide — 522283-021
6 - 18
Restricting Access to System Software
Does the software require privileges for an obscure or unnecessary function?
Also include other questions appropriate to your environment.
Restricting Access to System Software
Not all organizations allow the entire user community access to the standard system
software. Depending on your organization’s security policy, you might be required to
restrict access so that only selected users or user groups can execute the software.
You can use standard Guardian protection to limit access to simple groups. However,
Safeguard access control lists can limit access to a very specific set of users.
For example, the following SAFECOM commands create a Safeguard access control
list that allows only the super ID (255,255) and the operators who have user IDs 255,1
and 255,2 to execute the PUP utility. (Although the super ID implicitly has execute
access to the file regardless of the access control list, it is included here to illustrate
that all three IDs can access the program.) Suppose $SYSTEM.SYS13 is the current
system subvolume.
=VOLUME $system.sys13
=ADD DISKFILE pup
=ALTER DISKFILE pup, LICENSE ON
=ALTER DISKFILE pup, ACCESS (255,1, 255,2, 255,255) E
The following command displays the access control list:
=INFO DISKFILE PUP
LAST-MODIFIED OWNER STATUS
$SYSTEM.SYS13
PUP 6JUL90, 9:29 255,0 THAWED
255,001 E
255,002 E
255,255 E
If you perform a system load from a dif
ferent subvolume, you would need to repeat the
procedure, substituting that subvolume name in the VOLUME command.
Operators and Privileges
Take into account the privileges the operators need to handle both routine and
emergency situations.
For your environment, construct a table similar to Table 6-1 that identifies the type of
access needed for a variety of tasks. Then u
se that table to determine how to give the
operators their needed access.