The benefit of using owners for security profiles is that the work and responsibility of doing Natural Security maintenance may be distributed amongst several ADMINISTRATORs instead of resting in the hands of just one person.
This distribution may be done according to criteria of significance/sensitivity of objects, regional, branch or departmental aspects, or whatever suits your specific Natural environment.
However, the number of ADMINISTRATORs should be kept low and the system by which you assign owners should be clearly structured.
It is also possible to enter a GROUP as an owner. All ADMINISTRATORs contained in the GROUP will then be authorized to maintain the security profile. (As only ADMINISTRATORs may do Natural Security maintenance anyhow, users of other user types contained in the GROUP will not be affected by this.)
It is the Natural Security ADMINISTRATORs who control all users' access rights to libraries. The question may well be asked, "Who controls the ADMINISTRATORs?" The answer is that they can control each other. This may be achieved by the use of countersignatures.
A security profile may have up to 8 owners. Without countersignatures, each of these owners may modify, delete, link, or edit the security profile unhindered.
If this is not desired, the countersignatures feature may be used: next to each owner of a security profile you may enter a number (1, 2 or 3); an owner must then obtain this number of countersignatures from other owners of the security profile, before he/she can gain access to the security profile. In this way, an owner cannot execute any alterations without the knowledge and consent of other owners.
Countersignatures are given by the co-owners entering their user passwords on the Countersignatures screen; this screen is displayed automatically when a function is invoked that requires countersignatures from co-owners of the security profile concerned.
Note: If the Lock User Option is active, entering a wrong password on the Countersignatures screen may result in the user who has invoked the screen being locked.
In the security profile of user IW the following owners are specified:
+----------------------------OWNERS----------------------------+
! User ID ........... IW                                       !
!                                                              !
! AD                                                           !
! HW       + 1                                                 !
! JC       + 2                                                 !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!--------------------------------------------------------------+
Only the three ADMINISTRATORs specified may modify the security profile.
The owner situation is the following:
Owner AD may modify the security profile unhindered, that is, without having to obtain a countersignature from any of the other owners.
Owner HW may only modify the security profile with the consent of one of the other owners (this need not be one specific owner but can be any one of the others).
Owner JC may only modify the security profile with the consent of two, that is, all other owners of the security profile.
Any other administrators cannot modify the security profile, as they are not owners of the security profile.
Let us imagine that owner HW wishes to modify the security profile of user IW. On the User Maintenance selection list, he marks user "IW" with code "MO". The Countersignatures screen will be invoked:
13:10:14                 *** NATURAL SECURITY ***                2007-09-13
                             - Modify User -

User ID .. IW

    Group ID  User ID   Password            Added       Modified
    --------  --------  --------          ----------   ----------
 1.           AD______  ________     On:  1999-08-13   2007-01-18
 2.           JC______  ________          13:08:15     13:09:10
 3.           ________  ________     By:  AD           AD
 4.           ________  ________
 5.           ________  ________
 6.           ________  ________
 7.           ________  ________
 8.           ________  ________

SYSSEC5588: 1 authorized owner must enter his/her password.

Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
      Help        Exit                                                  Canc
All other owners of the security profile are listed on the screen. One of them must enter his/her password.
If none of the other owners are available in person, they may communicate (for example, AD may reveal his password to HW, which HW may then enter on the Countersignatures screen; AD should then change his password immediately afterwards).
Once the correct password of one co-owner (either AD or JC) has been entered, the Modify User screen with the security profile of user IW will be invoked for administrator HW to execute the intended modifications.
If GROUPs are specified as owners, the following cases may occur:
An ADMINISTRATOR is an owner of a security profile and also contained in a GROUP which is an owner of the security profile. In this case the countersignature requirements specified for the ADMINISTRATOR him-/herself apply.
An ADMINISTRATOR is not an owner of a security profile him-/herself, but is contained in two or more GROUPs which are owners of the security profile. In this case the countersignature requirements specified for the GROUP with the fewest countersignatures apply.
If two or more GROUPs have equally few countersignatures, their alphabetical order is decisive.
Note: In the above cases an ADMINISTRATOR may be an owner more than once. This implies that the ADMINISTRATOR may provide him-/herself with one or more of the countersignatures required.
If a GROUP appears as a co-owner on the Countersignatures screen, any one of the ADMINISTRATORs contained in the GROUP may countersign.
To select one ADMINISTRATOR from a GROUP, enter a "?" in the User ID field next to the Group ID on the Countersignatures screen. A list of all ADMINISTRATORs contained in the GROUP will be displayed, from which you may select the one whose countersignature you wish to obtain.
Please note that a GROUP counts as one co-owner, and one co-owner cannot provide more than one countersignature. If, for example, two countersignatures are required, these may not both be obtained from members of the same GROUP.
However, one ADMINISTRATOR may countersign more than once if he/she appears more than once as a co-owner on the Countersignatures screen, i.e. in his/her own right and/or as a member of one or more GROUPs.
When an ADMINISTRATOR wishes to create any new security profiles (that is, to use an Add or Copy function), the owner situation of his/her own security profile applies:
If the ADMINISTRATOR's security profile has no owners assigned, he/she may create new security profiles unhindered.
If the ADMINISTRATOR's security profile has owners assigned but these do not include the ADMINISTRATOR, he/she must obtain the countersignatures of all owners of his/her security profile, before he/she may create any new security profiles.
If the ADMINISTRATOR is one of the owners of his/her own security profile and has a number of co-owners specified, the ADMINISTRATOR must obtain this number of countersignatures from other owners of his/her security profile, before he/she may create any new security profiles.
Warning: Owners and countersignatures should be assigned with the utmost care, as it may be difficult, if not impossible, to cancel an undesired owner/co-owner configuration. "Experimenting" with this feature can also result in your locking yourself out from access to a security profile.
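The owner rules described above (an ADMINISTRATOR's own entry before GROUP entries, the GROUP with the fewest countersignatures, one countersignature per co-owner) and the lockout risk in the warning can be checked on paper before a configuration is entered. The following Python model is an added example, not Natural Security code: the Owner structure, the reading of the alphabetical tie-break as "first ID wins", and the IDs SECA, SECB and KM are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Owner:
    owner_id: str              # user ID or GROUP ID as entered in the Owners window
    countersigs: int = 0       # the "+ n" next to the owner: 0 (none), 1, 2 or 3
    members: tuple = ()        # ADMINISTRATORs in a GROUP; empty for a user entry

def effective_entry(owners, admin):
    """Owner entry whose countersignature requirement governs `admin`."""
    for o in owners:
        if not o.members and o.owner_id == admin:
            return o           # own entry wins over any GROUP membership
    groups = [o for o in owners if admin in o.members]
    # fewest countersignatures; ties broken alphabetically (assumed: first ID)
    return min(groups, key=lambda o: (o.countersigs, o.owner_id), default=None)

def audit(owners):
    """Structural check per ADMINISTRATOR; ignores who is actually available."""
    admins = {o.owner_id for o in owners if not o.members}
    admins |= {m for o in owners for m in o.members}
    report = {}
    for admin in sorted(admins):
        entry = effective_entry(owners, admin)
        # every other entry is one co-owner and can give one countersignature
        others = [o for o in owners if o is not entry]
        report[admin] = {
            "needs": entry.countersigs,
            "co_owners": len(others),
            "reachable": entry.countersigs <= len(others),
            # admin listed again elsewhere: can countersign for him-/herself
            "self_sign": any(o.owner_id == admin or admin in o.members for o in others),
        }
    return report

def locked_out(owners):
    """True if owners exist but none can ever collect enough countersignatures."""
    return bool(owners) and not any(r["reachable"] for r in audit(owners).values())

# The page's example profile for user IW
PAGE_EXAMPLE = [Owner("AD"), Owner("HW", 1), Owner("JC", 2)]
# Constructed configurations (IDs SECA, SECB, KM are made up for illustration)
GROUPED = [Owner("HW", 3), Owner("SECA", 1, ("HW", "KM")), Owner("SECB", 1, ("KM",))]
SOLO = [Owner("AD", 1)]

if __name__ == "__main__":
    for name, cfg in [("IW", PAGE_EXAMPLE), ("grouped", GROUPED), ("solo", SOLO)]:
        print(name, "locked out:", locked_out(cfg), audit(cfg))
```

In the constructed GROUPED case, KM is governed by SECA and can supply the required countersignature through SECB, which is the self-countersigning situation the note above describes; SOLO is a configuration no ADMINISTRATOR can open.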
If a security profile has become completely inaccessible - that is, if an owner/co-owner configuration has been set up which does not allow any ADMINISTRATOR to access the security profile - the Natural system command INPL can be used as a last resort to recover the security profile.
You enter the INPL command; then, on the INPL menu, you enter Code "R" and Replace option "O". In the next window, you enter the object type and the ID of the security profile to be recovered. This deletes all owner entries from the security profile.
If you use the above INPL option in batch mode, work file 1 must be the Natural Security INPL file.
//CMSYNIN DD *
R,O
U,AD
.