Security administrator (SECURITY-ADMINISTRATION)

The security administrator has the right to manage privileges, to manage the operator roles and Kerberos keys and to activate and deactivate logging (see the “SECOS - SecurityControl System - Audit” manual [1]). Note, however, that SAT logging is always activated for the owner of this privilege and cannot be deactivated.

Upon delivery, the privilege SECURITY-ADMINISTRATION is assigned to the user ID SYSPRIV. During normal system operation it can neither be assigned to any other user ID by means of the SET-PRIVILEGE command nor withdrawn by means of the RESET-PRIVILEGE command; nor is it possible to assign this privilege to a privilege set.

Due to the extreme importance of security administration, the user ID which is to receive the security administrator rights can be specified only with the aid of the startup parameter service (see also "Entities authorized to perform user administration").

On any pubset, no other privileges or privilege sets can be assigned to or withdrawn from a user ID which possesses the privilege SECURITY-ADMINISTRATION on this pubset. This means, in particular, that the security administrator cannot assign a privilege to his/her own user ID on the home pubset, since this user ID possesses the privilege SECURITY-ADMINISTRATION on this pubset. However, the security administrator can assign privileges to his/her user ID on another pubset where it does not possess the privilege SECURITY-ADMINISTRATION.

The restrictions regarding the nomination of the security administrator and SAT file manager with regard to the user IDs and co-existing privileges and rights may be canceled if required (see section "Centralized administration").
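The three default rules above (SECURITY-ADMINISTRATION is fixed only via the startup parameter service, its holder receives no other privilege or privilege set on the same pubset, and it cannot be placed in a privilege set) can be modelled as a pubset-scoped policy check. This is an added illustration, not SECOS or BS2000 code; SYSPRIV and the privilege name come from the text, while the pubset names, "SOME-PRIV" and "USER1" are constructed placeholders.

```python
from dataclasses import dataclass, field

# Model of the SECURITY-ADMINISTRATION assignment rules from the text above.
# Added illustration, not SECOS/BS2000 code: SYSPRIV and the privilege name
# come from the text; pubset names and "SOME-PRIV"/"USER1" are constructed.
SECADM = "SECURITY-ADMINISTRATION"

@dataclass
class PrivilegeState:
    # (user_id, pubset) -> privileges and privilege sets held on that pubset
    held: dict = field(default_factory=dict)

    def on(self, user_id, pubset):
        return self.held.setdefault((user_id, pubset), set())

    def is_secadm(self, user_id, pubset):
        return SECADM in self.on(user_id, pubset)

def check_request(state, user_id, pubset, item, action):
    """Decide a SET-PRIVILEGE / RESET-PRIVILEGE request for `item` (a privilege
    or privilege set) on one pubset. Returns (allowed, reason)."""
    if action not in ("SET", "RESET"):
        raise ValueError("action must be SET or RESET")
    # Rule 1: the privilege itself is fixed only via the startup parameter
    # service, never by SET-PRIVILEGE / RESET-PRIVILEGE.
    if item == SECADM:
        return False, "SECURITY-ADMINISTRATION is not changed by SET/RESET-PRIVILEGE"
    # Rule 2: whoever holds SECURITY-ADMINISTRATION on *this* pubset can have
    # nothing else assigned or withdrawn there; other pubsets are unaffected.
    if state.is_secadm(user_id, pubset):
        return False, f"{user_id} holds SECURITY-ADMINISTRATION on {pubset}"
    return True, "ok"

def check_privilege_set(members):
    """Rule 3: SECURITY-ADMINISTRATION cannot be a member of a privilege set."""
    return SECADM not in members

def demo():
    state = PrivilegeState()
    state.on("SYSPRIV", "HOME").add(SECADM)   # security administrator on HOME only
    return {
        "self_on_home": check_request(state, "SYSPRIV", "HOME", "SOME-PRIV", "SET")[0],
        "self_on_other": check_request(state, "SYSPRIV", "DATA1", "SOME-PRIV", "SET")[0],
        "give_secadm": check_request(state, "USER1", "HOME", SECADM, "SET")[0],
        "secadm_in_set": check_privilege_set({"SOME-PRIV", SECADM}),
    }
```

Running `demo()` shows the per-pubset nature of rule 2: the same user ID is refused on HOME but allowed on DATA1.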

Privilege management

Privilege management is permitted to manage the global privileges and privilege sets, i.e.

  • to assign system privileges and privilege sets to user IDs on all pubsets

  • to withdraw system privileges and privilege sets from user IDs on all pubsets

  • to request information about the current distribution of the system privileges and privilege sets

  • to define, modify and delete privilege sets on all pubsets

  • to request information about the current definitions of the privilege sets

The following commands are available to privilege management:

CREATE-PRIVILEGE-SET
DELETE-PRIVILEGE-SET
MODIFY-PRIVILEGE-SET
RESET-PRIVILEGE
SET-PRIVILEGE
SHOW-PRIVILEGE
SHOW-PRIVILEGE-SET

Activating and deactivating logging

The security administrator may

  • activate and deactivate SAT logging

  • activate and deactivate logging for user IDs and for loggable events (see the “SECOS - Security Control System - Audit” manual [1])

Administration of operator roles

The security administrator may

  • define, modify and delete operator roles

  • assign operator roles to and withdraw operator roles from user IDs

  • request information about the current definition and distribution of operator roles

The following commands are available to the security administrator for the administration of operator roles:

CREATE-OPERATOR-ROLE
DELETE-OPERATOR-ROLE
MODIFY-OPERATOR-ROLE
SHOW-OPERATOR-ROLE
MODIFY-OPERATOR-ATTRIBUTES
SHOW-OPERATOR-ATTRIBUTES

Administration of Kerberos keys

The security administrator administers the keys for Kerberos authentication which are stored in BS2000. The following commands are available to do this:

ADD-KEYTAB-ENTRY
MODIFY-KEYTAB-ENTRY
REMOVE-KEYTAB-ENTRY
SHOW-KEYTAB-ENTRY

The security administrator privilege is referred to as SECURITY-ADMINISTRATION in commands and messages and as SECADM in macros.