Roles and privileges

For security reasons, system administration and system supervision are two areas of activity that should be kept separate. With this in mind, the following roles have been introduced in conjunction with privilege management:

  1. The security administrator, the user ID with the SECURITY-ADMINISTRATION privilege. The security administrator is responsible for

    • the selection of events (preselection) that are to be stored in the SATLOG files (USER, EVENT, PRESELECTION-RULE, definition of SAT support parameters)

    • the availability of SAT functions (suspending and continuing SAT logging)

    • the definition of events that are to be monitored by the SAT alarm function

    • the definition of filter conditions for refining preselection

    • the assignment of privileges for SAT administration, including the system privileges SAT-FILE-MANAGEMENT and SAT-FILE-EVALUATION

    As delivered, the SECURITY-ADMINISTRATION privilege is permanently assigned to the user ID SYSPRIV. This assignment can be changed only by means of the startup parameter service.

  2. The SAT file manager, the user ID with the SAT-FILE-MANAGEMENT privilege. The file manager is responsible for

    • the management of SAT files, including switching SATLOG files

    • editing events (postselection) that are stored in the SATLOG files with the aid of the SAT evaluation routine SATUT

    As delivered, the SAT-FILE-MANAGEMENT privilege is assigned to the user ID SYSAUDIT. The security administrator can transfer this privilege to any other user ID (except his or her own and TSOS).

  3. The SAT file evaluator, the user ID with the SAT-FILE-EVALUATION privilege. The file evaluator is allowed to

    • evaluate SATLOG files that have been made available by the SAT file manager.

    As delivered, the SAT-FILE-EVALUATION privilege is assigned to the user ID SYSAUDIT. The security administrator can assign this privilege to a number of different user IDs (apart from his/her own).

    The facility for having reduced SAT logging files evaluated by several user IDs makes it possible to ensure that only specific information about a specific subject (e.g. UTM, file transfer) is evaluated by the administrator of the related product. The security functions of SAT remain the responsibility of the security administrator and the SAT file manager.
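The following added example (not part of the original manual, and not SECOS code) audits a snapshot of privilege assignments against the separation described above. It assumes the restrictions on what the security administrator may assign are treated as invariants of the snapshot; the `USERID: PRIVILEGE, ...` listing format and the user ID UTMADM are constructed for illustration.

```python
# Privilege names and the user IDs SYSPRIV, SYSAUDIT and TSOS come from the text above.
SEC_ADMIN = "SECURITY-ADMINISTRATION"
SAT_MGMT = "SAT-FILE-MANAGEMENT"
SAT_EVAL = "SAT-FILE-EVALUATION"

def parse_assignments(text):
    """Parse constructed 'USERID: PRIV, PRIV' lines (not a real SECOS output format)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        user, _, privs = line.partition(":")
        held = {p.strip().upper() for p in privs.split(",") if p.strip()}
        table.setdefault(user.strip().upper(), set()).update(held)
    return table

def check_separation(table):
    """Return (user ID, privilege, reason) for each assignment that breaks the separation."""
    findings = []
    for user in sorted(table):
        privs = table[user]
        if SEC_ADMIN in privs:
            # The security administrator may not hold either SAT file privilege.
            for priv in (SAT_MGMT, SAT_EVAL):
                if priv in privs:
                    findings.append((user, priv, "held by the security administrator"))
        if user == "TSOS" and SAT_MGMT in privs:
            findings.append((user, SAT_MGMT, "must not be transferred to TSOS"))
    return findings

# Constructed sample listings: the delivered state and a drifted state.
DELIVERED = """
SYSPRIV:  SECURITY-ADMINISTRATION
SYSAUDIT: SAT-FILE-MANAGEMENT, SAT-FILE-EVALUATION
"""
DRIFTED = """
SYSPRIV: SECURITY-ADMINISTRATION, SAT-FILE-EVALUATION
TSOS:    SAT-FILE-MANAGEMENT
UTMADM:  SAT-FILE-EVALUATION   # constructed product administrator ID
"""

if __name__ == "__main__":
    for name, listing in (("delivered", DELIVERED), ("drifted", DRIFTED)):
        for finding in check_separation(parse_assignments(listing)) or ["no findings"]:
            print(name, finding)
```

Several user IDs holding SAT-FILE-EVALUATION, such as UTMADM here, is permitted by the text and is not reported.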