Version 4.2.6 for Mainframes
 —  Natural SAF Security - Overview  —

Introducing Natural SAF Security

This section provides an overview of Natural SAF Security. It covers the following topics:


What is Natural SAF Security?

Natural SAF Security (NSF) is an add-on product to Natural Security. It allows you to control users' access to Natural based on user and resource definitions made in an external security system. With Natural SAF Security, you can thus protect your Natural sessions by combining security definitions made in Natural Security and security definitions made in the external security system.

This external security system must be an SAF-compliant security system. At present, Natural SAF Security supports the following external security systems:

When you use Natural SAF Security, you need not define users both in Natural Security and in an external security system; it is sufficient to define them in the external security system. In Natural Security, only user groups are defined. When Natural SAF Security is active and a user logs on to Natural, the user authorization checks will be done using the user ID and user password from the external security system. After the authorization, further security checks - particularly concerning the use of Natural libraries and utilities - will be based on the user group definitions in Natural Security. Although library protection via an external security system is possible, the Natural Security library security profiles provide more sophisticated and more adequate mechanisms for protecting Natural libraries.

In addition, access to Natural can be made environment-specific. A Natural environment is determined by the combination of the system files FNAT, FUSER, FDIC and FSEC. Natural environments can be defined in the external security system. By defining environments and controlling their accessibility, it is possible, for example, to fully separate the protection of a Natural development environment from that of a Natural production environment. At the same time, this avoids system-file mix-ups (for example, a test-environment FSEC file in conjunction with a production-environment FUSER file).

Also, instead of the end of transaction IDs (ETIDs) from Natural Security user profiles, Natural SAF Security provides various possibilities of generating unique ETIDs.

Moreover, Natural SAF Security allows you to protect user-defined resources which are defined in the external security system against unauthorized use.

Top of page

Configuring Your Security Environment - an Example

This section is an example of the usage of Natural SAF Security. It does not cover all aspects or possibilities offered by Natural SAF Security. In particular, it does not cover all Natural SAF Security options (NSF options). Instead, a few selected options are introduced to show you how you can set up your security environment step by step:

Although the following explanations are based on certain assumptions, some of which may not apply to your security environment, this approach may be helpful to make yourself familiar with Natural SAF Security.

If you are not yet familiar with Natural SAF Security, it is recommended that you deal with the NSF options step by step as indicated in the explanations below, and only change those options mentioned below.

Generally, please bear in mind that before you set any NSF options, you have to make sure that the corresponding resources are defined in the external security system being used. For resource definitions, see the section Defining Resources in the External Security System and Activating Them.

User Security

The desired security setup is assumed to be as follows:

The necessary connection between the external security system and Natural Security is made by using user groups in both systems.

The above setup requires that:

Except for users with special tasks (for example, Natural Security administrators), you need not create security profiles for individual users in Natural Security, nor assign them to groups; it is sufficient that users are defined and assigned to groups in the external security system.

To establish the desired setup, you have to do the following:

In the external security system:

In Natural Security:

Environment Security

A Natural environment is determined by the combination of the system files FNAT, FUSER, FDIC and FSEC. When a users accesses a library, these are determined by the current values of the corresponding Natural profile parameters - with the following exception: If the Natural Security library profile of that library contains another FUSER value, this will overwrite the FUSER profile parameter.

Based on the user-security setup as described above, the desired security setup for Natural environments is assumed to be as follows:

This setup requires that Natural environments are defined in the external security system. Access authorization to the environments will then be controlled according to the access rules defined in the external security system.

To establish the desired setup, you have to do the following:

Environment-Specific Library Security

Based on the user-security setup described above, the desired security setup for environment-specific library protection is assumed to be as follows:

The necessary connection between the external security system and Natural Security is made via one-character aliases. The environment-specific access authorization to a library is checked as follows: When a user attempts to access a library, the environment in which the library is located is determined by the current values of the Natural profile parameters FNAT, FDIC, FSEC and FUSER - with the FUSER value being overwritten by the one specified in the Natural Security library profile. For this environment, a Natural Security environment profile has to exist, in which a one-character alias is specified. For the combination of this alias and the library (alias.library-ID), a resource profile has to exist in the external security system. The access level defined in this resource profile determines whether the user is allowed to log on to the library in that environment.

To establish the desired setup, you have to do the following:

In the external security system:

In Natural Security:

Top of page

Natural Security Related Considerations

The following Natural Security items should be considered when using Natural SAF Security.

Library SYSSEC

The library SYSSEC can only be accessed by users who, in addition to being defined in the external security system, are defined as "Administrators" in Natural Security.

Automatic Logon

If the Natural profile parameter AUTO=ON (Automatic Logon) is set, a user can only log on to Natural if a default library is defined for him/her. The default library can be specified in the Natural Security group security profile. See also the section Automatic Logon in the Natural Security documentation.

Natural SAF Security provides a user option "NSC Logon Priv. Library" by which it is possible that a user who logs on without specifying a library ID will be logged on to the library whose ID is the same as the current value of the Natural system variable *USER value.

PROFILE Command

When Natural SAF Security is active, the Natural system command PROFILE indicates whether the user and his/her group are defined in Natural Security:

Transition Period Logon

If the Natural Security general option Transition Period Logon is set to "N", only unprotected libraries can be accessed via Natural SAF Security. Undefined libraries can only be accessed if Transition Period Logon is set to "Y".

Utilities

For users for whom neither a user security profile nor a group security profile exists in Natural Security, the default utility profiles apply.

For users for whom no user security profile, but a group security profile exists, the use of utilities is controlled by the group-library-specific utility profiles and group-specific utility profiles associated with this group.

Natural SAF Security provides an additional utility: SAF Online Services (SYSSAFOS). To be able to access this utility, a utility security profile for SYSSAFOS has to be defined in Natural Security.

Utility profiles are described in the section Protecting Utilities of the Natural Security documentation.

Top of page

Natural SAF Security in Batch Mode

For information on logging on to Natural SAF Security in batch mode, see the section Natural Security In Batch Mode in the Natural Security documentation. What is said there also applies to Natural SAF Security. However, please bear in mind that for the logon, the user ID and password as defined in the external security system are used, and have to comply with the authentication rules defined in the external security system.

Top of page