System access control (identification, authentication)
Natural persons must have a user ID in order to be granted access to BS2000 and to work with the operating system:
Any one person may have more than one user ID. BS2000, however, will treat such a person as if he/she were a number of different persons.
Conversely, several persons may share the same user ID. BS2000 then does not differentiate between those persons when handling their activities. Individuals sharing the same user ID can be told apart only by the audit function in conjunction with personal identification (see "Personal identification") or with Single Sign On (see "Single Sign On with Kerberos").
Each time system access is requested, identification and authentication mechanisms check whether a user is authorized to use a particular ID. After successful identification, verification of the identity is carried out with the aid of, for example, a password.
BS2000 differentiates between the following system access classes:
DIALOG
BATCH
OPERATOR-ACCESS-TERMINAL
OPERATOR-ACCESS-PROGRAM
OPERATOR-ACCESS-CONS
POSIX-RLOGIN-ACCESS
POSIX-REMOTE-ACCESS
NET-DIALOG-ACCESS
Each system access class can be protected by a password mechanism. Access to the system can be further restricted for a particular user ID by locking individual system access classes.
The facilities for operator verification are described in detail in the “Introduction to System Administration” [2].
The facilities for POSIX authentication are described in detail in the “POSIX Basics for Users and System Administrators” manual [25].
By using the ENCRYPT system parameter, the passwords used for authentication can be non-reversibly encrypted and stored in the system.
Failed attempts to enter a password are penalized either by a delay before another attempt is permitted (temporary retry lockout) or by disconnection.
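The following is an added illustrative model, not BS2000 code, of the identification and authentication mechanism just described: one user ID whose system access classes can be locked individually, whose password is kept only as a salted one-way digest (standing in for the non-reversible storage enabled by ENCRYPT), and whose failed logons cause a temporary retry lockout that lengthens with each consecutive failure. The class names, the doubling delay and the injectable clock are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Illustrative model only, not BS2000 code: one user ID whose system access
# classes can be individually locked, whose password is stored only as a
# salted one-way digest, and whose failed logons trigger a temporary retry
# lockout that grows with each consecutive failure (assumed doubling delay).

ACCESS_CLASSES = (
    "DIALOG", "BATCH", "OPERATOR-ACCESS-TERMINAL", "OPERATOR-ACCESS-PROGRAM",
    "OPERATOR-ACCESS-CONS", "POSIX-RLOGIN-ACCESS", "POSIX-REMOTE-ACCESS",
    "NET-DIALOG-ACCESS",
)


def hash_password(password, salt=None):
    """Return (salt, digest). The digest cannot be turned back into the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class UserId:
    def __init__(self, name, password, clock):
        self.name = name
        self.salt, self.digest = hash_password(password)  # plaintext is not kept
        self.locked_classes = set()
        self.failed_attempts = 0
        self.retry_after = 0.0   # logons are refused before this point in time
        self.clock = clock       # injectable time source returning seconds

    def lock_class(self, access_class):
        """Lock one system access class for this user ID (e.g. no BATCH logon)."""
        self.locked_classes.add(access_class)

    def logon(self, access_class, password):
        """Identification is the user ID itself; this step verifies the identity."""
        now = self.clock()
        if access_class not in ACCESS_CLASSES:
            return "REJECTED: unknown access class"
        if access_class in self.locked_classes:
            return "REJECTED: access class locked for this user ID"
        if now < self.retry_after:
            return "REJECTED: temporary retry lockout"
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0
            return "ACCEPTED"
        self.failed_attempts += 1
        self.retry_after = now + 2 ** self.failed_attempts  # 2 s, 4 s, 8 s, ...
        return "REJECTED: wrong password"


if __name__ == "__main__":
    import time
    user = UserId("USER1", "s3cret", time.time)
    print(user.logon("DIALOG", "wrong"))   # REJECTED: wrong password
    print(user.logon("DIALOG", "s3cret"))  # REJECTED: temporary retry lockout
```

The comparison uses `hmac.compare_digest` so that the time taken to reject a wrong password does not depend on how many leading bytes of the digest happened to match.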
Data access control (administration of rights, verification of rights)
Data access control, i.e. the protection of objects against unauthorized access, is determined by the owner or by a co-owner of the object involved. The owner of an object is always a user ID. The TSOS user ID is a co-owner by default. In the case of files (including libraries) and job variables, further user IDs can be specified as co-owners. Furthermore, co-ownership of the TSOS user ID can be restricted for these objects. The rights granting user IDs access to an object can only be defined or modified by jobs created under the user ID of the owner or a co-owner.
The following objects are subject to data access control:
files (public disk files, files on private volumes, file generations)
job variables
volumes (private disks, magnetic tapes)
memory pools
FITC ports
library members
user serialization items
user event items
Access to files, library members and FITC ports is controlled down to the granularity of the individual user. Depending on the type of object, access rights are defined by means of access control lists, passwords or other access control mechanisms. Again depending on the type of object, the access rights are checked when the object is opened or accessed.
Job descriptions for batch or output jobs as well as started batch or output jobs are always associated with a particular user ID. Jobs belonging to that user ID - and system operation, if necessary - can modify or influence such jobs.
The right of ownership with respect to objects, job descriptions and started jobs can additionally be exercised by a user ID belonging to system administration.
The right of ownership of files (including libraries) and job variables can also be granted to other co-owners.
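The following is an added illustrative model, not BS2000 code, of the owner/co-owner rule described in this section: the owner is a user ID, TSOS is a co-owner by default, further co-owners and the restriction of TSOS co-ownership are possible for files and job variables only, and only a job running under the owner or a co-owner may define or modify access rights. Two simplifying assumptions are made: owners and co-owners are treated as having every right, and restricting TSOS co-ownership is modelled as removing it entirely. The class and method names are the example's own.

```python
# Illustrative model only, not BS2000 code: the owner/co-owner rule for data
# access control. Assumptions: owner and co-owners hold all rights; other user
# IDs hold only what the access control list grants them; restricting TSOS
# co-ownership is modelled as removing it.

CO_OWNABLE = ("FILE", "JOB-VARIABLE")   # objects that accept further co-owners


class AccessDenied(Exception):
    pass


class Job:
    """A job is always associated with exactly one user ID."""
    def __init__(self, user_id):
        self.user_id = user_id


class ProtectedObject:
    def __init__(self, name, kind, owner):
        self.name = name
        self.kind = kind
        self.owner = owner
        self.tsos_is_coowner = True   # TSOS co-ownership by default
        self.coowners = set()
        self.acl = {}                 # user ID -> set of rights, e.g. {"READ"}

    def is_owner_or_coowner(self, user_id):
        if user_id == self.owner or user_id in self.coowners:
            return True
        return user_id == "TSOS" and self.tsos_is_coowner

    def _require_owner(self, job):
        if not self.is_owner_or_coowner(job.user_id):
            raise AccessDenied("%s may not administer %s" % (job.user_id, self.name))

    def add_coowner(self, job, user_id):
        """Further co-owners are possible for files and job variables only."""
        self._require_owner(job)
        if self.kind not in CO_OWNABLE:
            raise AccessDenied("%s objects cannot have further co-owners" % self.kind)
        self.coowners.add(user_id)

    def restrict_tsos(self, job):
        """TSOS co-ownership can be restricted for files and job variables only."""
        self._require_owner(job)
        if self.kind not in CO_OWNABLE:
            raise AccessDenied("TSOS co-ownership is fixed for %s objects" % self.kind)
        self.tsos_is_coowner = False

    def grant(self, job, user_id, right):
        """Only jobs of the owner or a co-owner may define or modify rights."""
        self._require_owner(job)
        self.acl.setdefault(user_id, set()).add(right)

    def check_access(self, job, right):
        """Evaluated when the object is opened or accessed."""
        if self.is_owner_or_coowner(job.user_id):
            return True
        return right in self.acl.get(job.user_id, set())


def may_grant(obj, job, user_id, right):
    """True if the grant succeeded, False if the job was not entitled to make it."""
    try:
        obj.grant(job, user_id, right)
        return True
    except AccessDenied:
        return False
```

The point to notice is that the administrative operations (`grant`, `add_coowner`, `restrict_tsos`) are gated on the user ID of the job, not on any right in the list itself: a user ID that has been granted READ and WRITE on a file still cannot pass those rights on to anyone else.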
Reprocessing of memory objects
Memory objects are objects whose information is stored in a memory area. When such objects are assigned to a new user, BS2000 ensures that this new user cannot access the previous contents of these objects. These reprocessing mechanisms delete the old contents of the memory object to ensure that no flow of information is possible if the same object is used sequentially by two users.
Objects subject to reprocessing by BS2000 are:
files
job variables
memory pages in the address space
memory pools
magnetic tapes and magnetic tape cartridges
user serialization items
user event items
Depending on the type of object, deletion of the contents is carried out by an automatic, system-controlled, user-controlled or organizational procedure.
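The following is an added illustrative model, not BS2000 code, of the reprocessing mechanism described above. A small pool of fixed-size memory objects is assigned to users in turn; with reprocessing switched off the second holder of an object can read what the first holder left behind, and with it switched on the contents are deleted before the object is reassigned. The class, the `reprocess` switch and the sample data are constructed for the demonstration.

```python
# Illustrative model only, not BS2000 code: a pool of fixed-size memory objects
# assigned to users in turn. With reprocess=False the next holder can read what
# the previous holder left behind; with reprocess=True the contents are deleted
# before reassignment, so no information flows between the two users.

class MemoryPool:
    def __init__(self, count, size, reprocess=True):
        self.objects = [bytearray(size) for _ in range(count)]
        self.holder = [None] * count      # user ID currently holding each object
        self.reprocess = reprocess

    def assign(self, user_id):
        """Hand a free object to user_id and return its index."""
        for idx, holder in enumerate(self.holder):
            if holder is None:
                if self.reprocess:
                    # delete the old contents before the new holder can see them
                    self.objects[idx][:] = bytes(len(self.objects[idx]))
                self.holder[idx] = user_id
                return idx
        raise MemoryError("no free memory object")

    def _check_holder(self, idx, user_id):
        if self.holder[idx] != user_id:
            raise PermissionError("%s does not hold object %d" % (user_id, idx))

    def write(self, idx, user_id, data):
        self._check_holder(idx, user_id)
        if len(data) > len(self.objects[idx]):
            raise ValueError("data does not fit into the memory object")
        self.objects[idx][:len(data)] = data

    def read(self, idx, user_id):
        self._check_holder(idx, user_id)
        return bytes(self.objects[idx])

    def release(self, idx, user_id):
        self._check_holder(idx, user_id)
        self.holder[idx] = None           # object becomes free; contents remain


def previous_contents_visible(reprocess):
    """Does the second holder of an object see the first holder's data?"""
    pool = MemoryPool(count=1, size=32, reprocess=reprocess)
    first = pool.assign("USERA")
    pool.write(first, "USERA", b"SALARY TABLE 2024")   # constructed sample data
    pool.release(first, "USERA")
    second = pool.assign("USERB")                       # the same object is reused
    return b"SALARY" in pool.read(second, "USERB")
```

Note that `release` deliberately leaves the contents in place, as freeing a resource normally does; the deletion happens at reassignment, which is the point where the information could otherwise cross from one user to the next.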
Auditing
To make it possible to trace a user’s actions, it is possible to generate system logs which are controlled by the security administrator (see the “SECOS - Security Control System - Audit” manual [1]) or logs of job execution which can be controlled by users themselves:
User logs of job execution in interactive mode contain all inputs and outputs at a data display terminal. User logs of job execution in batch mode contain all commands and resulting events. In both cases any passwords that occur are represented by dummy characters.
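The following is an added example, not BS2000 code, of the password masking described above: before the lines of a user log of job execution are written, every password value is replaced by dummy characters. The command lines are constructed sample input; the `PASSWORD=` keyword and the `C'...'` string form are assumptions used for the demonstration, not a reference for the real command syntax.

```python
import re

# Illustrative example, not BS2000 code: replace every password value with
# dummy characters before a user log of job execution is written. The command
# lines below are constructed sample input; PASSWORD= and the C'...' form are
# assumptions for the demonstration, not a syntax reference.

# value forms handled: C'...' / X'...' / '...' quoted strings, or a bare token
# ending at a comma, closing parenthesis, whitespace or end of line
_PASSWORD_VALUE = re.compile(
    r"(?P<key>\bPASSWORD\s*=\s*)(?P<value>[CX]?'[^']*'|[^,)\s]+)",
    re.IGNORECASE,
)
DUMMY = "********"


def mask_passwords(line):
    """Return the line with each password value replaced by dummy characters."""
    return _PASSWORD_VALUE.sub(lambda m: m.group("key") + DUMMY, line)


def write_user_log(commands):
    """Produce the log lines for a batch job: its commands, passwords masked."""
    return [mask_passwords(cmd) for cmd in commands]


SAMPLE_JOB = [   # constructed sample batch job
    "/SET-LOGON-PARAMETERS USER-IDENTIFICATION=USER1,ACCOUNT=ACC1,PASSWORD=C'geheim'",
    "/ADD-PASSWORD PASSWORD=topsecret",
    "/SHOW-FILE-ATTRIBUTES FILE-NAME=TEST.DATA",
    "/LOGOFF",
]

if __name__ == "__main__":
    for entry in write_user_log(SAMPLE_JOB):
        print(entry)
```

Because the match is anchored on a word boundary before `PASSWORD`, keywords such as `OLD-PASSWORD=` and `NEW-PASSWORD=` are masked as well; the quoted alternative is tried first so that a password containing a comma or a blank inside quotes is masked completely rather than only up to the first separator.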
Users can complement the logging of user- and operation-specific accounting data with their own accounting records.
The logging of security-relevant events for auditing is determined by the security administrator. If granted the required authorization, a user can control the logging of operations involving access to objects of which he or she is the owner.
Users with special authorization can be requested to log their actions as a meaningful addition to the system logs.