
Overview of the access protection mechanisms

The following access protection mechanisms form part of the BS2000 basic configuration:

  • Restricted pubset access (system administration measure)
    The distribution of user IDs to different pubsets makes it possible to protect objects (e.g. files) in one pubset against access by users in another pubset.

  • The protection attributes ACCESS and USER-ACCESS
    With the ACCESS and USER-ACCESS operands of the /CREATE-FILE and /MODIFY-FILE-ATTRIBUTES commands, users are able to define access rights for themselves and access rights that apply system-wide (see "Access protection with ACCESS/USER-ACCESS").

  • Basic Access Control List (BACL)
    With the BACL access protection mechanism, users are able to define object (e.g. file) access rights for a differentiated set of subjects. The read, write and execute access rights can be assigned separately for each of the user classes Owner, Group and Others (see "Basic Access Control List (BACL)").

  • Password
    Users can declare passwords (read, write and execute passwords) for each of their files. The appropriate password must be entered before a password-protected file can be processed. Passwords may be encrypted.

  • Retention period
    Users can assign their files a retention period during which the corresponding file cannot be modified (see “Commands” manual [4]).

  • File encryption
    It is possible to store files in encrypted format. Detailed information on this is provided in the “Introductory Guide to DMS” [6].

Of these protection mechanisms present in the BS2000 basic configuration, only ACCESS/USER-ACCESS and the Basic Access Control List (BACL) will be considered in greater detail here.

SECOS also offers access protection with GUARDS

  • GUARDS make it possible to assign access conditions for a wide variety of objects which can then be evaluated when an attempt is made to access these objects. In this case, access protection is performed by so-called guards in which the access conditions are entered.

    The main difference between this and other protection mechanisms is the removal of the 1:1 relationship between object and subject. The access conditions specified in a guard do not necessarily apply only to one specific object. A single guard can be used to provide identical protection to any number of objects, even if they are of different types. For more information on GUARDS, refer to "GUARDS - protection for objects".

Uses for the protection mechanisms

The following table indicates which object types can be protected by which protection mechanisms:

Object                           | Restricted    | ACCESS/     | BACL | Password | Retention | GUARDS
                                 | pubset access | USER-ACCESS |      |          | period    |
---------------------------------+---------------+-------------+------+----------+-----------+-------
File (1)                         |               |             |      |          |           |
  Public                         |       +       |      +      |  +   |    +     |     +     |   +
  Temporary                      |       -       |      -      |  -   |    -     |     -     |   -
  Private                        |       -       |      +      |  +   |    +     |     +     |   -
  Tape                           |       -       |      +      |  -   |    +     |     +     |   -
File generation group            |               |             |      |          |           |
  Index public, FGen public      |       -       |      +      |  +   |    +     |     +     |   +
  Index public, FGen tape        |       -       |      +      |  +   |    +     |     +     |   +
  Index private, FGen private    |       -       |      +      |  +   |    +     |     +     |   -
Job variable                     |               |             |      |          |           |
  Permanent                      |       +       |      +      |  +   |    +     |     +     |   +
  Temporary                      |       -       |      -      |  -   |    -     |     -     |   -
Library member (2)               |       -       |      -      |  +   |    -     |     -     |   +
FITC port                        |       -       |      -      |  -   |    -     |     -     |   +
Storage classes                  |       -       |      -      |  -   |    -     |     -     |   +
HSMS management classes          |       -       |      -      |  -   |    -     |     -     |   +

+: Protection mechanism applicable, -: Protection mechanism not applicable
(1) If the file is a library, see "Special considerations concerning library access"
(2) See "Special considerations concerning library access"

Table 7: Object protection mechanisms

As the table shows, most objects can be protected by several mechanisms. Of the three mechanisms ACCESS/USER-ACCESS, BACL and GUARDS, however, only one is effective for any one object at a time (see "Hierarchy of the protection mechanisms ACCESS/USER-ACCESS - BACL - GUARDS"). The remaining protection mechanisms can be used in addition.

Hierarchy of the protection mechanisms ACCESS/USER-ACCESS - BACL - GUARDS

Conflicts may arise if the protection mechanisms ACCESS/USER-ACCESS, BACL and GUARDS are simultaneously used for the same object. To avoid such situations, the following hierarchy applies:

  • If the protection of an object is defined via guards: only the access conditions defined in the guards apply. Any BACL specified for the object is ignored, as are the ACCESS/USER-ACCESS protection attributes.

  • If there is no guard protection for an object but a BACL has been defined: the protection settings specified in the BACL apply. The ACCESS and USER-ACCESS protection attributes are ignored.

  • If the protection of an object is not performed using either guards or a BACL: the ACCESS and USER-ACCESS protection attributes are used as the protection mechanism.

The password protection and retention period continue to apply in all cases.
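The following model of the hierarchy is an added illustration, not SECOS or DMS code. The record layout, the meaning assigned to ACCESS/USER-ACCESS (USER-ACCESS opening the object to all user IDs, ACCESS permitting or forbidding writes) and the guard modelled as a predicate are assumptions made here; only the precedence rules and the rule that password protection and retention period always apply are taken from the text above.

```python
# Added illustration of the ACCESS/USER-ACCESS - BACL - GUARDS hierarchy.
# This is not SECOS or DMS code: the record layout, the meaning given to
# ACCESS/USER-ACCESS and the guard predicate are assumptions made here;
# only the precedence rules and the "password and retention always apply"
# rule come from the manual text.
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

MODES = ("read", "write", "execute")


@dataclass
class Subject:
    user_id: str
    group: str


@dataclass
class Bacl:
    # Read/write/execute rights per user class (Owner, Group, Others).
    owner: frozenset = frozenset()
    group: frozenset = frozenset()
    others: frozenset = frozenset()


@dataclass
class ProtectedObject:
    owner: str
    group: str
    # Assumed meaning: USER-ACCESS opens the object to all user IDs (else owner only),
    # ACCESS permits writing (else the object is read-only for everyone).
    user_access_all: bool = False
    access_write: bool = True
    bacl: Optional[Bacl] = None
    # A guard is modelled as a predicate over (subject, mode); assumption.
    guard: Optional[Callable[[Subject, str], bool]] = None
    passwords: dict = field(default_factory=dict)   # mode -> required password
    retention_active: bool = False


def governing_mechanism(obj: ProtectedObject) -> str:
    """Apply the hierarchy: GUARDS beats BACL, BACL beats ACCESS/USER-ACCESS."""
    if obj.guard is not None:
        return "GUARDS"
    if obj.bacl is not None:
        return "BACL"
    return "ACCESS/USER-ACCESS"


def check_access(obj: ProtectedObject, subj: Subject, mode: str,
                 password: Optional[str] = None) -> tuple[bool, str]:
    """Return (permitted, reason) for one access attempt."""
    if mode not in MODES:
        raise ValueError(f"unknown access mode {mode!r}")
    mech = governing_mechanism(obj)
    if mech == "GUARDS":
        allowed = obj.guard(subj, mode)            # BACL and ACCESS/USER-ACCESS ignored
    elif mech == "BACL":
        if subj.user_id == obj.owner:
            rights = obj.bacl.owner
        elif subj.group == obj.group:
            rights = obj.bacl.group
        else:
            rights = obj.bacl.others
        allowed = mode in rights                   # ACCESS/USER-ACCESS ignored
    else:
        allowed = subj.user_id == obj.owner or obj.user_access_all
        if mode == "write" and not obj.access_write:
            allowed = False
    if not allowed:
        return False, f"denied by {mech}"
    # Password protection and retention period apply whichever mechanism governs.
    required = obj.passwords.get(mode)
    if required is not None and (password is None or
                                 not hmac.compare_digest(required, password)):
        return False, f"permitted by {mech} but {mode} password missing or wrong"
    if obj.retention_active and mode == "write":
        return False, f"permitted by {mech} but retention period forbids modification"
    return True, f"permitted by {mech}"
```

The point to notice when auditing such a configuration is that a permissive BACL or USER-ACCESS setting is irrelevant once a guard is attached, and conversely that a restrictive USER-ACCESS setting gives no protection once a BACL exists; the password and retention checks are the only ones that cannot be overridden by a higher-ranking mechanism.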

Special considerations concerning library access

PLAM library files can be protected as a single entity in the same way as a file. Independently of this, it is possible to protect library elements using the LMS statement //MODIFY-ELEMENT-PROTECTION.

When regulating access to libraries and library elements, you should therefore remember the following:

  • Access to individual library elements is regulated by means of the protection mechanisms defined in //MODIFY-ELEMENT-PROTECTION. Independently of this element protection, access is only possible if read access to the library file as a whole is permitted.

  • When a library is accessed as a whole (via ARCHIVE, file transfer or the DMS command /COPY-FILE), the following applies:

    1. If the library is not protected by BACL or by guards then it can be accessed in the same way as a normal file.

    2. The following table presents the access conditions for a library which is protected by a BACL or a guard:

      Access by  | Library contains at least one element | Library contains no elements
                 | that is protected by a BACL or a guard | that are protected by a BACL or a guard
      -----------+----------------------------------------+-----------------------------------------
      Owner      | *                                      | *
      Co-owner   | *                                      | *
      Others     | Access prohibited                      | *

      * Access depends on the access conditions for the entire library

      Table 8: Conditions regulating library access
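The following model of the library rules (the element rule and Table 8 above) is an added illustration, not LMS or SECOS code. The Library and Element records and the callables that stand in for the library's and the elements' own access conditions are assumptions; the decision rules are taken from the text.

```python
# Added illustration of the library access rules (element rule and Table 8).
# Not LMS or SECOS code: the Library/Element records and the callables that
# stand in for the library's and the elements' own access conditions are
# assumptions; the decision rules are taken from the manual text.
from dataclasses import dataclass, field
from typing import Callable, Dict

SUBJECT_CLASSES = ("owner", "co-owner", "others")   # classes used in Table 8
# (subject_class, mode) -> bool: outcome of the object's own protection settings
Conditions = Callable[[str, str], bool]


@dataclass
class Element:
    protected_by_bacl_or_guard: bool          # set via //MODIFY-ELEMENT-PROTECTION
    allows: Conditions


@dataclass
class Library:
    protected_by_bacl_or_guard: bool          # BACL or guard on the library file itself
    allows: Conditions                        # conditions for the library as a whole
    elements: Dict[str, Element] = field(default_factory=dict)


def whole_library_access(lib: Library, subject_class: str, mode: str) -> bool:
    """Access to the library as a whole (ARCHIVE, file transfer, /COPY-FILE)."""
    if subject_class not in SUBJECT_CLASSES:
        raise ValueError(f"unknown subject class {subject_class!r}")
    if not lib.protected_by_bacl_or_guard:
        # Rule 1: an unprotected library is treated like a normal file.
        return lib.allows(subject_class, mode)
    # Table 8: Others are locked out as soon as one element carries its own
    # BACL or guard protection; otherwise, and for owner/co-owner always,
    # the conditions for the entire library decide.
    if subject_class == "others" and any(
            e.protected_by_bacl_or_guard for e in lib.elements.values()):
        return False
    return lib.allows(subject_class, mode)


def element_access(lib: Library, name: str, subject_class: str, mode: str) -> bool:
    """Access to one element: read access to the library file is a
    precondition, after which the element's own protection decides."""
    if not lib.allows(subject_class, "read"):
        return False
    return lib.elements[name].allows(subject_class, mode)
```

The rule worth checking in practice is the "Others" row: as soon as one element carries BACL or guard protection, users outside the owner and co-owner classes can no longer read the library as a whole, so element protection cannot be sidestepped by copying or archiving the container. For the owner and co-owners, element protection alone does not restrict whole-library access; only the conditions on the library file do.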