Configuring openFT-AC

Authorization of the FTAC administrator

It is recommended that the role of openFT-AC administrator be given to a user who is responsible for data protection in the BS2000 system, since this person will know which protection measures are required and where.

The FTAC administrator function is assigned by means of the SECOS privilege FTAC-ADMINISTRATION. It may also be assigned to several user IDs at once. For BS2000 installations without SECOS, the administration attribute has a fixed assignment to the user ID TSOS.

FTAC administrators who possess both the FTAC administration and TSOS privilege have the following additional rights:

  • If they import profiles (for any user ID), they can select whether the profiles will be immediately available and unrestricted, or whether they will be locked.

  • If they create profiles for external IDs then these are also immediately available. This means that they can create valid transfer admissions even if they do not know the LOGON password of the target ID. This method can be used to set up profiles that remain valid after the LOGON password is modified.

  • They can therefore also modify the transfer admissions of existing profiles with external IDs without knowing the profile owner’s password.

Adapting the default admission set

After the installation of openFT-AC, all values of the default admission set are set at 0!

This means that it is not yet possible to execute a file transfer with the local system, because the default admission set is valid for all user IDs as long as no other admission sets have been defined with MODIFY-FT-ADMISSION-SET. The maximum security level 0 for the basic functions (inbound send, inbound receive, inbound follow-up processing, inbound file management, outbound send, outbound receive) means that these basic functions may not be used. The FTAC administrator must therefore use the command MODIFY-FT-ADMISSION-SET to raise the values of the default admission set.

Default security levels for partners

The FT administrator can use the MODIFY-FT-OPTIONS command (SECURITY-LEVEL operand) to define default security levels for all the partner systems entered in the partner list. The administrator can either enter a fixed value or specify *BY-PARTNER-ATTRIBUTES to indicate that the security level is set automatically: partners which are authenticated by openFT are assigned security level 10. Partners which are known in BCAM (i.e. they are addressed via their BCAM name) are assigned security level 90. All other partners are assigned security level 100.

This automatic assignment can also be activated on a partner-specific basis using the operands of the same name:
ADD-FT-PARTNER and MODIFY-FT-PARTNER...,SEC-LEV=*BY-PART-ATTR

This automatic assignment always applies to partners that are not in the partner list.

Examples

  1. All partner systems should be accessible for file transfer for all FTAC users. This is achieved by setting all the values of the default admission set to 100. The following command is used:

    /MOD-FT-AD *STD,MAX-LEV=100

    More information on the command MODIFY-FT-ADMISSION-SET can be found in the manual "openFT (BS2000) - Command Interface".

  2. A differentiated setting of the default admission set might look as follows:

    /MODIFY-FT-ADMISSION-SET USER-IDENTIFICATION=*STD          -
                            MAX-LEVELS=(OUTBOUND-SEND=50,      -
                                        OUTBOUND-RECEIVE=50,   -
                                        INBOUND-SEND=20,       -
                                        INBOUND-RECEIVE=20,    -
                                        INBOUND-PROCESSING=10, -
                                        INBOUND-MANAGEMENT=0)
    

    The different security levels are assigned selectively. For example, the function “inbound management” can be fully blocked by setting the security level to 0.

    WARNING!

    Note that openFT-AC is only effective for connected products such as openFT or FTP. If other file transfer products without an openFT-AC connection are also being used, a more comprehensive and coordinated security concept would be advisable.
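
The following Python sketch is an added example, not part of the openFT manual or product. It models the automatic level assignment from "Default security levels for partners" and checks it against the admission sets from the examples above. It assumes that a basic function may be used when the partner's security level does not exceed the admission set's maximum level for that function, and that authentication takes precedence over a BCAM entry; all function and variable names are hypothetical.

```python
# Added illustration: a model of the rules described on this page, not openFT code.

# Default admission set from example 2 (MAX-LEVELS per basic function).
EXAMPLE_2_SET = {
    "OUTBOUND-SEND": 50,
    "OUTBOUND-RECEIVE": 50,
    "INBOUND-SEND": 20,
    "INBOUND-RECEIVE": 20,
    "INBOUND-PROCESSING": 10,
    "INBOUND-MANAGEMENT": 0,
}
# Example 1: /MOD-FT-AD *STD,MAX-LEV=100
EXAMPLE_1_SET = {function: 100 for function in EXAMPLE_2_SET}
# State directly after installation: every value is 0.
INSTALL_SET = {function: 0 for function in EXAMPLE_2_SET}


def partner_level(authenticated, known_in_bcam, fixed_level=None):
    """Return the security level of a partner.

    fixed_level models a fixed value entered by the FT administrator;
    None models *BY-PARTNER-ATTRIBUTES (automatic assignment).
    Assumption: authentication wins if a partner is also known in BCAM.
    """
    if fixed_level is not None:
        return int(fixed_level)
    if authenticated:
        return 10
    if known_in_bcam:
        return 90
    return 100


def permitted(admission_set, level):
    """Basic functions usable with a partner of the given security level.

    Assumed rule: usable when level <= maximum level in the admission set.
    """
    return sorted(f for f, max_level in admission_set.items() if level <= max_level)


if __name__ == "__main__":
    # Constructed partner classes: (label, authenticated, known_in_bcam)
    partners = [("authenticated", True, False),
                ("BCAM name only", False, True),
                ("unknown", False, False)]
    for label, auth, bcam in partners:
        level = partner_level(auth, bcam)
        print(f"{label:15} level {level:3}: {permitted(EXAMPLE_2_SET, level)}")
```

Under that assumption, the differentiated set from example 2 combined with automatic assignment leaves only authenticated partners (level 10) able to use any function; partners at levels 90 and 100 are blocked for every basic function unless the FT administrator assigns them a lower fixed level.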