Natural-Adabas

Tuesday, June 20, 2006

Adabas Security


ADABAS SECURITY
ADABAS provides the following facilities to prevent unauthorized access to and/or updating of ADABAS database files:
ADABAS Data Encryption (ciphering) which provides data security;
ADABAS Multiclient Files to control access to records in a file;
ADABAS SECURITY and the related security utility ADASCR, a selectable unit, which provides selective user access/update protection at a file, field, and field value level; and
ADABAS EXTERNAL SECURITY INTERFACE (ADAESI), a selectable unit, which provides control of ADABAS resources at a database/utility, command, or file level through the widely used non-Software AG security packages RACF, CA-ACF2 and CA-TOP SECRET.
ADAESI is available for MVS/ESA and OS IV/F4 (FACOM) only.
Security is accomplished by comparing passwords and authorization levels.
Data Encryption
Data encryption is an integral feature of ADABAS and requires no options or extra modules.
Data may be enciphered before being placed in the database. The user must provide the cipher key at the time records are stored. This key is not stored and must be available to request or decipher the data. This minimizes the chances that data encryption can be compromised if unauthorized access to the system occurs.
To retain maximum control over cipher codes, an ADABAS user exit program can be created to insert the currently valid cipher code into user applications; this removes the need to make the codes known to users, and protects the file from corruption that can occur by adding data that is encrypted with the wrong cipher code.
Multiclient Files
The multiclient file is also an integral feature of ADABAS and requires no options or special modules.
A single ADABAS physical file defined as “multiclient” can store records for multiple users or groups of users. The multiclient feature divides the physical file into multiple logical files by attaching an internal owner ID to each record.
The owner ID is assigned to a user ID. A user ID can have only one owner ID, but an owner ID can belong to more than one user. Each user can access only the subset of records that is associated with the user’s owner ID.
Note:
For any installed external security package such as RACF or CA-TOP SECRET, a user is still identified by either NATURAL ETID or LOGON ID.
All database requests to multiclient files are handled by the ADABAS nucleus.
ADABAS SECURITY and ADASCR
Access/update control is available only with ADABAS SECURITY and the related security utility ADASCR that defines and controls ADABAS SECURITY functions.
ADABAS SECURITY provides two types of access/update protection:
- “Access-/update-level” protection applies a basic level of security on a file-by-file basis.
Access/update protection can be defined for some files and not for others. It restricts use of a file or field within the file to those having an appropriate access/update profile definition and a password specified by the user of the file.
Access/update permission values ranging from 0 to 14 are defined for each user and attached to that user’s password, and each protected file (and selected field or fields, if desired) has equivalent access/update “threshold” protection values of the same range. Only a user whose permission value equals or is greater than the protection level of the specified file (and, when applicable, field) is permitted to perform that operation type (access or update) on the file or field. An access/update permission level of 0 only allows access/update of unprotected files or fields with protection level 0 or no defined protection password.
- “Value-level” protection applies restrictions on the type and range of values that can be accessed or updated in specific fields. The restrictions are applied according to user password (files with fields using value-level protection must be password-protected), can be for specific values or for value ranges, and can be either “accept” or “reject” criteria.
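The two protection types described above can be modelled as one authorization check. This is an added Python illustration, not ADABAS code or ADASCR syntax; all class and function names, the sample file number and field names are hypothetical, and the treatment of a missing password as level 0 and the accept/reject matching semantics are assumptions.

```python
from dataclasses import dataclass, field

OPS = {"access": 0, "update": 1}   # index into (access, update) pairs

@dataclass
class FileProtection:
    """Thresholds (0-14) set on a file and, optionally, on its fields."""
    file_level: tuple                                  # (access, update)
    field_levels: dict = field(default_factory=dict)   # name -> (access, update)

@dataclass
class ValueRule:
    """Value-level criterion on one field: accept or reject a value range."""
    field_name: str
    low: int
    high: int
    mode: str                                          # "accept" or "reject"

@dataclass
class PasswordProfile:
    """Permission levels (0-14) and value rules attached to one password."""
    levels: dict                                       # file no. -> (access, update)
    value_rules: dict = field(default_factory=dict)    # file no. -> [ValueRule]

def level_allows(profile, fnr, prot, op, field_names):
    """Permission must equal or exceed the file and every field threshold."""
    i = OPS[op]  # assumption: no password or no entry for the file = level 0
    granted = profile.levels.get(fnr, (0, 0))[i] if profile else 0
    needed = [prot.file_level[i]]
    needed += [prot.field_levels.get(f, (0, 0))[i] for f in field_names]
    return all(granted >= n for n in needed)

def value_allows(profile, fnr, record):
    """Assumed semantics: 'accept' needs a match, 'reject' forbids one."""
    for r in (profile.value_rules.get(fnr, []) if profile else []):
        if r.field_name in record:
            in_range = r.low <= record[r.field_name] <= r.high
            if in_range != (r.mode == "accept"):
                return False
    return True

def authorize(profile, fnr, prot, op, record):
    return (level_allows(profile, fnr, prot, op, record.keys())
            and value_allows(profile, fnr, record))

# Constructed sample data: file 12 with a more sensitive SALARY field.
PAYROLL = FileProtection((4, 8), {"SALARY": (10, 12)})
CLERK = PasswordProfile({12: (4, 0)})
MANAGER = PasswordProfile({12: (10, 8)},
                          {12: [ValueRule("DEPT", 100, 199, "accept")]})
```

With this sample data the clerk's password can read unprotected fields of file 12 but not SALARY, and the manager's password reads SALARY only for records whose DEPT value falls in the accepted range.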
ADABAS EXTERNAL SECURITY INTERFACE (ADAESI)
ADAESI allows the definition and protection of ADABAS resources using standard external (i.e., non-Software AG) security packages such as CA-ACF2, CA-TOP SECRET, and RACF installed on ADABAS systems running under MVS/ESA and OS IV/F4 (FACOM).
Generally, a security package allows the system administrator to authorize a user’s access to system resources. The security package then monitors all users and their resource usage to ensure that no unauthorized access or change occurs. Attempts by unauthorized users to use either the system or specific system resources are recorded and reported.
A user profile, which can be for a single user or a group of users, defines which system hardware and software resources a user is allowed to use. A resource profile defines access/update privileges for one or more devices, volumes, and/or programs (resources that must be used together to perform certain functions can be defined together in the same profile). When a user logs on to the system, the security package uses the user’s logon ID to identify that user’s profile. Each time the user attempts to perform a task or access information, the security package uses information in its resource profiles to allow or deny access. Using the profile concept, the security package expands the single point of authorization (the logon ID) to provide extensive control over all system resources.
ADAESI extends the ability of the related security packages to include the ADABAS database and users. Using ADAESI, the security packages can define and control access to the following ADABAS resources: database nucleus; database files; database commands; utilities (MODE=MULTI only); and ADABAS operator commands issued from an MVS console.

Related Security Options
ADABAS ONLINE SYSTEM/Basic Services Security
The DBA facility ADABAS ONLINE SYSTEM/Basic Services also provides a security facility for restricting access to the ADABAS online facilities. Basic Services Security requires NATURAL SECURITY as a prerequisite.
The NATURAL SECURITY system provides extensive security for ADABAS/NATURAL users. See the NATURAL SECURITY Manual for additional information.
