Version 6.3.3
 —  Natural Security  —

Countersignatures



Using Owners

The benefit of using owners for security profiles is that the work and responsibility of doing Natural Security maintenance may be distributed amongst several ADMINISTRATORs instead of resting in the hands of just one person.

This distribution may be done according to criteria of significance/sensitivity of objects, regional, branch or departmental aspects, or whatever suits your specific Natural environment.

However, the number of ADMINISTRATORs should be kept low and the system by which you assign owners should be clearly structured.

It is also possible to enter a GROUP as an owner. All ADMINISTRATORs contained in the GROUP will then be authorized to maintain the security profile. (As only ADMINISTRATORs may do Natural Security maintenance anyhow, users of other user types contained in the GROUP will not be affected by this.)


Using Countersignatures

It is the Natural Security ADMINISTRATORs who control all users' access rights to libraries. The question may well be asked, "Who controls the ADMINISTRATORs?" The answer is that they can control each other. This may be achieved by the use of countersignatures.

A security profile may have up to 8 owners. Without countersignatures, each of these owners may modify, delete, link, or edit the security profile unhindered.

If this is not desired, the countersignatures feature may be used: next to each owner of a security profile you may enter a number (1, 2 or 3); that owner must then obtain this number of countersignatures from other owners of the security profile before he/she can gain access to it. In this way, an owner cannot make any alterations without the knowledge and consent of other owners.

Countersignatures are given by the co-owners entering their user passwords on the Countersignatures screen; this screen is displayed automatically when a function is invoked that requires countersignatures from co-owners of the security profile concerned.

Note:
If the Lock User Option is active, entering a wrong password on the Countersignatures screen may result in the user who has invoked the screen being locked.

Example of Countersignatures:

In the security profile of user IW the following owners are specified:

+----------------------------OWNERS----------------------------+
! User ID ........... IW                                       !
!                                                              !
! AD                                                           !
! HW       + 1                                                 !
! JC       + 2                                                 !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!--------------------------------------------------------------+

Only the three ADMINISTRATORs specified may modify the security profile.

The owner situation is the following:

Let us imagine that owner HW wishes to modify the security profile of user IW. On the User Maintenance selection list, he marks user "IW" with code "MO". The Countersignatures screen will be invoked:

13:10:14                    *** NATURAL SECURITY ***                 2007-09-13
                                - Modify User -                                
                                                                               
User ID .. IW                                                                  
                                                                               
                                                                               
           Group ID  User ID     Password            Added       Modified      
           --------  --------    --------            ---------- ----------     
        1.           AD______    ________        On: 1999-08-13 2007-01-18     
        2.           JC______    ________            13:08:15   13:09:10       
        3.           ________    ________        By: AD         AD             
        4.           ________    ________                                      
        5.           ________    ________                                      
        6.           ________    ________                                      
        7.           ________    ________                                      
        8.           ________    ________                                      
                                                                               
                                                                               
                                                                               
                                                                               
SYSSEC5588: 1 authorized owner must enter his/her password.                    
                                                                               
Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
      Help        Exit                                                  Canc  

All other owners of the security profile are listed on the screen. One of them must enter his/her password.

If none of the other owners is available in person, a co-owner may communicate his/her password to the requesting owner (for example, AD may reveal his password to HW, who may then enter it on the Countersignatures screen; AD should then change his password immediately afterwards).

Once the correct password of one co-owner (either AD or JC) has been entered, the Modify User screen with the security profile of user IW will be invoked for administrator HW to execute the intended modifications.


Groups as Owners

If GROUPs are specified as owners, the following cases may occur:

If two or more GROUPs have equally few countersignatures, their alphabetical order is decisive.

Note:
In the above cases an ADMINISTRATOR may be an owner more than once. This implies that the ADMINISTRATOR may provide him-/herself with one or more of the countersignatures required.


Groups as Co-Owners

If a GROUP appears as a co-owner on the Countersignatures screen, any one of the ADMINISTRATORs contained in the GROUP may countersign.

To select one ADMINISTRATOR from a GROUP, enter a "?" in the User ID field next to the Group ID on the Countersignatures screen. A list of all ADMINISTRATORs contained in the GROUP will be displayed, from which you may select the one whose countersignature you wish to obtain.

Please note that a GROUP counts as one co-owner, and one co-owner cannot provide more than one countersignature. If, for example, two countersignatures are required, these may not both be obtained from members of the same GROUP.

However, one ADMINISTRATOR may countersign more than once if he/she appears more than once as a co-owner on the Countersignatures screen, i.e. in his/her own right and/or as a member of one or more GROUPs.
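
The countersignature rules described above, modelled in Python as an added example (not Software AG code and not part of Natural Security). It assumes the requesting owner is listed as a user entry; the class and function names and the GROUP ID SECADM are hypothetical. The last function flags owners who can never collect enough countersignatures, which is one way a profile ends up inaccessible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OwnerEntry:
    """One line of the OWNERS window (a model, not Natural Security's storage format)."""
    owner_id: str                     # user ID or group ID
    required: int = 0                 # countersignatures this owner needs (0 to 3)
    members: frozenset = frozenset()  # ADMINISTRATORs in a GROUP entry; empty for a user

    def may_sign(self, admin: str) -> bool:
        return admin in self.members if self.members else admin == self.owner_id


def access_granted(owners, requester, signatures):
    """signatures: (co-owner entry ID, ADMINISTRATOR whose password was accepted)."""
    by_id = {o.owner_id: o for o in owners}
    if requester not in by_id:
        return False                  # only listed owners may maintain the profile
    used = set()
    for entry_id, admin in signatures:
        entry = by_id.get(entry_id)
        if entry is None or entry_id == requester or not entry.may_sign(admin):
            continue                  # not a co-owner slot, or admin not entitled to it
        used.add(entry_id)            # a co-owner entry counts once, whoever signs for it
    return len(used) >= by_id[requester].required


def unreachable_owners(owners):
    """Owners who need more countersignatures than there are co-owner entries."""
    return [o.owner_id for o in owners if o.required > len(owners) - 1]


# Constructed data: the owner list of user IW from the example above.
IW_OWNERS = [OwnerEntry("AD"), OwnerEntry("HW", 1), OwnerEntry("JC", 2)]

# Constructed data: GROUP SECADM (hypothetical) as a co-owner next to AD.
GROUP_OWNERS = [OwnerEntry("HW", 2), OwnerEntry("AD"),
                OwnerEntry("SECADM", 0, frozenset({"AD", "JC"}))]
```

With GROUP_OWNERS, two signatures from different SECADM members still count as one countersignature for HW, while AD signing once in his own right and once as a SECADM member counts as two.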


User Security Profiles of ADMINISTRATORs

When an ADMINISTRATOR wishes to create any new security profiles (that is, to use an Add or Copy function), the owner situation of his/her own security profile applies:

Warning:
Owners and countersignatures should be assigned with the utmost care, as it may be difficult, if not impossible, to cancel an undesired owner/co-owner configuration. "Experimenting" with this feature can also result in your locking yourself out from access to a security profile.


Inaccessible Security Profiles

If a security profile has become completely inaccessible - that is, if an owner/co-owner configuration has been set up which does not allow any ADMINISTRATOR to access the security profile - the Natural system command INPL can be used as a last resort to recover the security profile.

You enter the INPL command; then, on the INPL menu, you enter Code "R" and Replace option "O". In the next window, you enter the object type and the ID of the security profile to be recovered. This deletes all owner entries from the security profile.

If you use the above INPL option in batch mode, work file 1 must be the Natural Security INPL file.

Example of Batch-Mode Input for Security-Profile Recovery:

//CMSYNIN DD *
R,O
U,AD
.
