Protecting Environments

This section covers the following topics:


About Environment Protection

Natural Security allows you to make users' access to a library environment-specific. A Natural environment is determined by the combination of the system files FNAT, FUSER, FSEC and FDIC. You define a security profile for each environment (that is, for each system-file combination) you wish to protect, and control users' access to it. You can also make a library accessible in some environments, but not in others.

A logon to another environment occurs when a users logs onto a library located on another FUSER system file (as specified by the Library File DBID/FNR in the library security profile).

Whenever a user logs on to a library in another environment, Natural Security will check whether:

  • access to the library is allowed in that environment, and

  • the user is authorized to access that environment.

Such a check is performed not only when a user explicitly logs on to a library, but also when the user invokes a function which implicitly accesses another library or processes the contents of another library.

Activating Environment Protection

Environment protection is activated by setting the general option Environment Protection to Y.

If environment protection is active, the following applies:

  • Access to undefined environments is not possible.

  • For every environment to be accessed, an environment security profile has to be defined.

  • By default, access to a library is allowed in any defined environment.

  • By default, access to a defined environment is allowed for all users.

  • For individual defined environments, you can disallow access to a library.

  • For individual users, you can disallow access to a defined environment.

To deactivate environment protection, you set the general option Environment Protection option to N.

Note
If environment protection is active, the user ID DBA may be used to log on to the library SYSSEC, even if the environment is undefined. This makes it possible to define new environments.

Defining Environment Profiles

The Administrator Services function Environment Profiles is used to define environment profiles, that is, security profiles for the individual system-file combinations.

Start of instruction setTo invoke this function:

  1. On the Main Menu, select Administrator Services.

    If you are allowed access to Administrator Services, the Administrator Services Menu 1 will be displayed.

  2. Press PF8.

  3. On the Administrator Services Menu 2, select Environment Profiles.

    The Environment Maintenance selection list will be invoked.

Environment Maintenance Selection List

The Environment Maintenance selection list displays a list of all environment profiles which have been defined.

The list can be scrolled as described in the section Finding Your Way In Natural Security.

For each environment profile, either its system-file combination (database IDs and file numbers of system files FUSER, FDIC, FSEC and FNAT) or its ID is displayed; with PF4 you can switch between the two displays. In addition, each environment profile's alias (AL) and protection status (P) are displayed.

Protection Status

The protection status can be:

I The environment profile is inactive (both NSC Protection = N and NSF Protection = N in the environment profile).
N Access to the environment is evaluated by Natural Security (NSC Protection = Y in the environment profile).
S Access to the environment is evaluated by the SAF server (NSF Protection = Y in the environment profile).

Available Functions

The following functions are available:

Code Function
AD Add a new environment profile. (You can also invoke this function by entering AD in the Command line.)
CO Copy environment profile.
MO Modify environment profile.
RE Rename environment profile.
DE Delete environment profile.
DI Display environment profile.
EP Protect environment.

To invoke a function for an environment, you mark the environment with the appropriate function code in column Co.

You may select various environments for various functions at the same time; that is, you can mark several environments on the screen with a function code. For each environment marked, the selected functions will then be executed one after another.

Components of an Environment Profile

When you add a new environment or modify an existing one, the Define Environment Profile screen will be displayed. The items you can define as part of an environment profile on this screen and any subsequent screens/windows are:

Field Explanation
Environment ID

You specify a descriptive name for the environment profile.

Alias

You can specify a one-character alias for the environment profile. An alias can be shared by multiple environment profiles. By specifying the same alias in several environment profiles, you can form groups of environments.

For example, you can use aliases like: D - for all development environments, T - for all test environments, P - for all production environments.

This will make the maintenance of environment profiles easier, because you can use the alias as selection criterion on the Environment Maintenance selection list to list all profiles which have the same alias.

For Natural SAF Security the following applies: The alias is used in the external security system to define the resources related to the system-file combination of this environment. The rules defined for an alias in the external security system apply to all system-file combinations in whose environment profiles this alias is specified.

General Options

You specify by which system the environment is to be protected:

  • NSC Protection:
    If set to Y, this activates the environment for validation by Natural Security, as described in this documentation.

  • NSF Protection:
    If set to Y, this activates the environment for validation by the SAF server, as described in the Natural SAF Security documentation. This validation requires that the option Protect Environment in the General NSF Options is set to Y (see Natural SAF Security documentation).

If both are set to N, the environment profile is not active, that is, it is treated as if it were not defined.

System Files

You define the environment by specifying the database IDs and file number of each system file (FUSER, FDIC, FSEC, FNAT). This combination of system files identifies the environment, and must be unique.

Once entered, the values of these fields cannot be changed.

If you press PF9 on the main environment profile screen, a window will be displayed showing the system-file combination of your current Natural session. In the window, you can mark with any character the system files you wish to be part of the environment whose profile you are creating.

Additional Options

If you either mark the field Additional Options with Y or press PF4, a window will be displayed from which you can select the following options:

  • Maintenance Information

  • Security Notes

  • Owners

  • Session Options

The options for which something has already been specified or defined are marked with a plus sign (+).

You can select one or more items from the window by marking them with any character. For each item selected, an additional window will be displayed:

Additional Option Explanation
Maintenance Information (display only) The following information is displayed:
  • the date and time when the security profile was created, the ID of the administrator who created it, and (if applicable) the IDs of the co-owners who countersigned for the creation;

  • the date and time when the security profile was last modified, the ID of the administrator who made the last modification, and (if applicable) the IDs of the co-owners who countersigned for the modification.

Security Notes   You may enter your notes on the security profile.
Owners   You may enter up to eight IDs of administrators. Only the administrators specified here will be allowed to maintain this environment security profile or allow/disallow users' access to it. If no owner is specified, any user of type "Administrator" may do so.

For each owner, the number of co-owners whose countersignatures will be required for maintenance/link permission may optionally be specified in the field after the ID.

For an explanation of owners and co-owners, see the section Countersignatures.

Session Options
TEST Command With this option, you can control the use of the Natural system command TEST in the environment. Possible values are:
  • Y = The TEST command can be used without any restrictions.

  • P = The TEST command can be used with the following restrictions: the debugger commands MODIFY VARIABLE, ESCAPE ROUTINE, ESCAPE BOTTOM and STOP cannot be used.

  • N = The use of the TEST command is disallowed altogether.

This option only applies to environments on z/OS computers.

Allowing and Disallowing Access to Libraries in Environments

By default, when environment protection is active, access to a library is allowed in any environment. For individual environments, you can disallow access to a library.

When access to a library is disallowed in at least one environment, the fact that the library is "environment-protected" will be indicated in the library's security profile.

Two functions are available to disallow/allow environment-specific access to libraries:

  • an Environment Maintenance function to disallow/allow access to one or more libraries for one environment,

  • a Library Maintenance function to disallow/allow access to one library for one or more environments.

Both functions are described below.

Protecting a Single Environment for Multiple Libraries

Start of instruction setTo allow/disallow access to one more libraries for one environment:

  1. On the Environment Maintenance selection list, mark the environment you wish to protect with EP.

  2. A window will be displayed with the following fields:

    • Protect for users/libraries: Enter an L.

    • Start value: You can enter a start value for the list of libraries to be displayed (as described in the section Finding Your Way in Natural Security)

    • Select only disallowed ones: If you select this option, the list of libraries to be displayed will only include those libraries for which access in the environment is currently disallowed.

  3. The Disallow/Allow Libraries screen will be displayed, showing the list of libraries. The list can be scrolled as described in the section Finding Your Way In Natural Security.

    On the list, you mark the libraries for which you wish to disallow/allow access in the environment. In the Co column, you may mark each library with one of the following function codes:

    Code Function
    ED Disallow - The library cannot be accessed in that environment.
    EA   Allow - The library can be accessed in that environment.

    You can mark one or more libraries on the screen with a function code.

  4. For each library marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each library.

Protecting Multiple Environments for a Single Library

Start of instruction setTo allow/disallow access to one library for one or more environments:

  1. On the Library Maintenance selection list, mark the desired library with function code EP.

  2. A window will be displayed in which you have the following options:

    Option Explanation
    Disallow/allow

    D = Access to the library is initially allowed for all environments, and you can disallow it for individual ones.

    A = Access to the library is initially disallowed for all environments, and you can allow it for individual ones.

    When you later invoke this function and change the value of this option, the "allowed/disallowed" status of all environments will be changed for this library.

    Sorted by environment ID / Sorted by alias

    By marking one of these two fields with a character, you can choose to have the list of environments to be displayed sorted by environment IDs or by aliases. The latter allows you to simultaneously allow/disallow access for all environments which have the same alias (see below).

    Start value

    In one of these two fields, you can enter a start value (as described in the section Finding Your Way in Natural Security) for the list of environments to be displayed. Depending on how the list is to be sorted, you can specify either the database ID / file number of the environments' FNAT system file or a one-character alias as start value.

    Select only disallowed/allowed ones If you select this option, the list of environments to be displayed will only include - depending on the above option Disallow/allow - either those for which access is allowed or those for which it is disallowed.
  3. The Disallow/Allow Environments screen will be displayed, showing the list of environments. For each environment, either its system-file combination (database IDs and file numbers of system files FUSER, FDIC, FSEC and FNAT) or its ID is displayed; with PF4 you can switch between the two displays. It addition, each environment profile's alias (AL) and protection status (P) are displayed.

    The list can be scrolled as described in the section Finding Your Way In Natural Security.

    On the list, you mark the environments for which you wish disallow/allow access to the library. In the Co column, you may mark each environment with one of the following function codes:

    Code Function
    ED Disallow - The library cannot be accessed in that environment.
    EA   Allow - The library can be accessed in that environment.

    You can mark one or more environments with a function code.

  4. For each environment marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each environment.

If the list is sorted by alias, you do not mark individual environments. Instead, you mark an alias, and the selected function will be applied to all environments which have that alias.

Allowing and Disallowing Users Access to Environments

By default, when environment protection is active, access to an environment is allowed for all users. For individual users you can disallow access to an environment.

Access to an environment can only be allowed/disallowed for users of types "Group", "Administrator" and "Person". For users of types "Administrator" and "Person" it can be allowed/disallowed either directly or via a "Group". For users of types "Member" and "Terminal", it can only be allowed/disallowed for the "Group" to which they are assigned.

When access to at least one environment is disallowed for a user, the session option Environment Protection in the user's security profile is automatically to Y.

Two functions are available to disallow/allow users' access to environments:

  • an Environment Maintenance function to disallow/allow access of one or more users to one environment,

  • a User Maintenance function to disallow/allow access of one user to one or more environments.

Both functions are described below.

Protecting a Single Environment for Multiple Users

Start of instruction setTo protect an environment for one or more users:

  1. On the Environment Maintenance selection list, mark the environment you wish to protect with EP.

  2. A window will be displayed with the following fields:

    • Protect for users/libraries: Enter a U.

    • Start value: You can enter a start value for the list of users to be displayed (as described in the section Finding Your Way in Natural Security).

    • Select only disallowed ones: If you select this option, the list of users to be displayed will only include those users for whom access to the environment is currently disallowed.

  3. The Disallow/Allow Users screen will be displayed, showing the list of users.

    By default, it contains only users of type Group. To switch between a list of Groups and a list of all three user types, you press PF5.

    The list can be scrolled as described in the section Finding Your Way In Natural Security.

    On the list, you mark the users for whom you wish to disallow/allow access to the environment. In the Co column, you may mark each user with one of the following function codes:

    Code Function
    ED Disallow - The user cannot access the environment.
    EA   Allow - The user may access the environment.

    You can mark one or more users on the screen with a function code.

  4. For each user marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each user.

Protecting Multiple Environments for a Single User

Start of instruction setTo protect one or more environments for a user:

  1. On the User Maintenance selection list, mark the user for whom you wish to protect environments with function code EP.

  2. A window will be displayed providing the following options:

    • Start value: You can enter a start value for the list of environments to be displayed (as described in the section Finding Your Way in Natural Security); as start value, you use the database ID / file number of the environments' FNAT system file.

    • Select only disallowed environments: If you select this option, the list of environments to be displayed will only include those environments to which access is currently disallowed for the user.

  3. The Disallow/Allow Environments screen will be displayed, showing the list of environments. For each environment, either its system-file combination (database IDs and file numbers of system files FUSER, FDIC, FSEC and FNAT) or its ID is displayed; with PF4 you can switch between the two displays. It addition, each environment profile's alias (AL) and protection status (P) are displayed.

    The list can be scrolled as described in the section Finding Your Way In Natural Security.

    On the list, you mark the environments the access to which you wish to disallow/allow for the user. In the Co column, you may mark each environment with one of the following function codes:

    Code Function
    ED Disallow - The user cannot access the environment.
    EA Allow - The user may access the environment.

    You can mark one or more environments on the screen with a function code.

  4. For each environment marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each environment.