
The concept of the management of users and user groups

The scope and distribution of authorizations for user administration in a computer center depend on the system workload, the range of its applications and the security policy to be enforced. With this in mind, it is possible to summarize the most important factors influencing the organization of user administration as follows:

  • Global user administrators are authorized to manage all user IDs and user groups on all pubsets without any restrictions. They can overrule or ignore any (hierarchically graded) predefinitions and maximum values when defining a group potential.

  • User group structures are always defined for a specific pubset, i.e. user group structures on different pubsets may be different. The user group *UNIVERSAL exists on each pubset and is the root of each user group structure.

  • Unlike the authorization of a global user administrator, the authorization of the group administrator of the user group *UNIVERSAL is restricted to the management of all user IDs and user groups of its own pubset, in accordance with the MANAGE-GROUPS variant of the group administrator privilege. Even though the user group *UNIVERSAL has unlimited resources, the group administrator of *UNIVERSAL must observe the rules for group administrators, i.e. he must ensure that any modifications do not jeopardize the existence of a self-contained and balanced user group structure. The option of management via direct access available to global user administrators is therefore not possible in this case.

  • A user group existing on more than one pubset may have a different group administrator on each of these pubsets, depending on the position of the user group in the pubset-specific user group structure or whether the user ID designated as the group administrator on one pubset also exists on the other pubsets.

  • A group administrator authorized to manage a user group is not necessarily a member of that user group: he may be the group administrator of a superordinate user group.

  • Group administrators can only act within the framework defined by the values laid down for their own or the superordinate user group. For instance, if a group administrator wishes to modify a group structure or the assignment of user IDs to user groups or the distribution of a group potential, he may have to carry out a series of adaptations to the superordinate or subordinate user group structure before the intended administrative measure can be implemented.

  • The group administrator privilege variant MANAGE-MEMBERS determines the system access control data, i.e. the access control measures applicable to user IDs. The group administrator privilege MANAGE-RESOURCES merely grants authorization to manage general user rights (use of resources etc.).

  • When defining the group potential, a hierarchy of predefined and maximum values for the general user rights on the pubset may be set up, similar to that for the user group structure. The definitions for the home pubset determine the resource utilization rights and the predefined and maximum values that will be assigned to a user ID at LOGON. Thus the MANAGE-RESOURCES variant of the group administrator privilege enables the group administrator to protect against the inappropriate use of system functions and system resources by way of systematically grading the assigned predefined and maximum values.

  • The basic aims of user administration are to organize user IDs and user groups in accordance with the prevailing requirements and to designate the associated group administrators. In view of the far-reaching influence of the global user administrators, it is advisable to restrict their interventions to absolutely essential and short-term corrections. Any measures intended to have a long-term effect should be implemented in the form of adjustments to the user group structure.

  • A central and well-organized user administration strategy can best be implemented by designating different pubset-specific group administrators for the user group *UNIVERSAL.

  • It may be useful, for organizational reasons, to enter a user ID as a global user administrator on several pubsets that are not currently being used as a home pubset. The administration authorization does not take effect until a given pubset becomes the home pubset.

The user administration privileges may be graded as follows:

  1. Global user administrator. This privilege must be recorded on the home pubset.

  2. Group administrator of the user group *UNIVERSAL with the same user IDs on all pubsets.

  3. Group administrator of the user group *UNIVERSAL with pubset-specific user IDs, of which some may be identical and some different.

  4. Group administrator for selected user groups on one or more pubsets (depending on the user group structure) as the central group administrator for a substructure of the user group structure, the group administrator in this case being assigned the privilege variant MANAGE-GROUPS.

  5. Group administrator for selected user groups on one or more pubsets (depending on the user group structure) as the central group administrator for a substructure of the user group structure, the group administrator in this case being assigned the privilege variant MANAGE-MEMBERS.

  6. Group administrator for selected user groups on one or more pubsets (depending on the user group structure) as the central group administrator for a substructure of the user group structure, the group administrator in this case being assigned the privilege variant MANAGE-RESOURCES.
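The rules above (pubset-specific structures rooted at *UNIVERSAL, administrators who need not be members, graded maximum values, the three privilege variants, and the unrestricted global administrator) can be captured in a small authorization model. The following Python is an added illustration, not code from this manual or from the BS2000 system itself: the user IDs (SYSADM, UADM1, UADM2, DADM, USER1), the group names (DEPT, TEAM) and the single "max_cpu" value standing in for a group potential are constructed for the example, and the method names are the example's own.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Set

ROOT = "*UNIVERSAL"  # root of every pubset's user group structure


class Variant(Enum):
    """Variants of the group administrator privilege named on the page."""
    MANAGE_GROUPS = "MANAGE-GROUPS"        # group structure, designation of administrators
    MANAGE_MEMBERS = "MANAGE-MEMBERS"      # assignment of user IDs to user groups
    MANAGE_RESOURCES = "MANAGE-RESOURCES"  # general user rights (group potential)


@dataclass
class Group:
    name: str
    parent: Optional[str]                     # None only for *UNIVERSAL
    admin: Optional[str] = None               # user ID designated as group administrator
    variants: Set[Variant] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)
    max_cpu: int = 0                          # constructed stand-in for one "maximum value"


class Pubset:
    """One pubset's user group structure; structures on different pubsets are independent."""

    def __init__(self, name: str, global_admins: Set[str], universal_admin: str):
        self.name = name
        self.global_admins = set(global_admins)
        # *UNIVERSAL has unlimited resources; its administrator is pubset-specific
        self.groups: Dict[str, Group] = {
            ROOT: Group(ROOT, None, admin=universal_admin, variants=set(Variant), max_cpu=10**9)
        }

    def chain(self, group: str) -> Iterable[Group]:
        """Yield `group` and every superordinate group up to *UNIVERSAL."""
        g: Optional[str] = group
        while g is not None:
            yield self.groups[g]
            g = self.groups[g].parent

    def authorized(self, actor: str, group: str, variant: Variant) -> bool:
        if actor in self.global_admins:       # global user administrators: no restrictions
            return True
        # a group administrator need not be a member: administering a superordinate group suffices
        return any(grp.admin == actor and variant in grp.variants for grp in self.chain(group))

    def _require(self, actor: str, group: str, variant: Variant) -> None:
        if not self.authorized(actor, group, variant):
            raise PermissionError(f"{actor} lacks {variant.value} for {group} on pubset {self.name}")

    def _check_potential(self, actor: str, parent: Optional[str], max_cpu: int) -> None:
        # graded group potential: a subordinate group may not exceed its superordinate group's
        # maximum; only a global user administrator may overrule this predefinition
        if actor not in self.global_admins and parent and max_cpu > self.groups[parent].max_cpu:
            raise ValueError(f"max_cpu {max_cpu} exceeds {parent}'s {self.groups[parent].max_cpu}")

    def add_group(self, actor: str, parent: str, name: str, max_cpu: int) -> None:
        self._require(actor, parent, Variant.MANAGE_GROUPS)
        self._check_potential(actor, parent, max_cpu)
        self.groups[name] = Group(name, parent, max_cpu=max_cpu)

    def designate_admin(self, actor: str, group: str, user_id: str, variants: Set[Variant]) -> None:
        self._require(actor, group, Variant.MANAGE_GROUPS)
        self.groups[group].admin = user_id
        self.groups[group].variants = set(variants)

    def add_member(self, actor: str, group: str, user_id: str) -> None:
        self._require(actor, group, Variant.MANAGE_MEMBERS)
        self.groups[group].members.add(user_id)

    def set_potential(self, actor: str, group: str, max_cpu: int) -> None:
        self._require(actor, group, Variant.MANAGE_RESOURCES)
        self._check_potential(actor, self.groups[group].parent, max_cpu)
        self.groups[group].max_cpu = max_cpu


def allowed(action) -> bool:
    """True if the administrative action was accepted, False if the model refused it."""
    try:
        action()
        return True
    except (PermissionError, ValueError):
        return False


def scenario() -> Dict[str, bool]:
    # constructed sample: one global administrator, a different *UNIVERSAL administrator per pubset
    home = Pubset("HOME", global_admins={"SYSADM"}, universal_admin="UADM1")
    data = Pubset("DATA", global_admins={"SYSADM"}, universal_admin="UADM2")
    r: Dict[str, bool] = {}
    r["universal_admin_creates_group"] = allowed(lambda: home.add_group("UADM1", ROOT, "DEPT", 1000))
    r["designate_member_admin"] = allowed(
        lambda: home.designate_admin("UADM1", "DEPT", "DADM", {Variant.MANAGE_MEMBERS}))
    r["member_admin_adds_user"] = allowed(lambda: home.add_member("DADM", "DEPT", "USER1"))
    r["member_admin_creates_subgroup"] = allowed(lambda: home.add_group("DADM", "DEPT", "TEAM", 100))
    r["member_admin_sets_potential"] = allowed(lambda: home.set_potential("DADM", "DEPT", 500))
    r["subgroup_exceeds_parent"] = allowed(lambda: home.add_group("UADM1", "DEPT", "TEAM", 5000))
    r["global_admin_overrules"] = allowed(lambda: home.add_group("SYSADM", "DEPT", "TEAM", 5000))
    r["universal_admin_on_other_pubset"] = allowed(lambda: data.add_group("UADM1", ROOT, "DEPT", 1000))
    r["dept_admin_is_not_member"] = "DADM" not in home.groups["DEPT"].members
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {'accepted' if value else 'refused'}")
```

The scenario exercises the graded privileges: the *UNIVERSAL administrator of HOME can build the structure and designate DADM, but DADM, holding only MANAGE-MEMBERS, can assign user IDs and nothing else; a subordinate group cannot be given more potential than its superordinate group unless the global administrator SYSADM intervenes; and UADM1's authority does not carry over to the DATA pubset, whose *UNIVERSAL has its own administrator.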