Version 6.3.8 for OpenVMS
 —  Natural Security  —

Countersignatures

This section covers the following topics:

Using Owners
Using Countersignatures
Groups as Owners
Groups as Co-Owners
User Security Profiles of ADMINISTRATORs
Deferred Countersigning
Inaccessible Security Profiles
Using Owners

The benefit of using owners for security profiles is that the work and responsibility of doing Natural Security maintenance may be distributed amongst several ADMINISTRATORs instead of resting in the hands of just one person.

This distribution may be done according to criteria of significance/sensitivity of objects, regional, branch or departmental aspects, or whatever suits your specific Natural environment.

The number of ADMINISTRATORs should be kept low, and the system by which you assign owners should be clearly structured.

It is also possible to enter a GROUP as an owner. All ADMINISTRATORs contained in the GROUP will then be authorized to maintain the security profile. (As only ADMINISTRATORs may do Natural Security maintenance anyhow, users of other user types contained in that GROUP will not be affected by this.)


Using Countersignatures

It is the Natural Security ADMINISTRATORs who control all users' access rights to libraries. The question may well be asked, "Who controls the ADMINISTRATORs?" The answer is that they can control each other. This may be achieved by the use of countersignatures.

A security profile may have up to 8 owners. Without countersignatures, each of these owners may modify, delete, link, or edit the security profile unhindered.

If this is not desired, the countersignatures feature may be used: next to each owner of a security profile you may enter a number (1, 2 or 3); an owner must then obtain this number of countersignatures from other owners of the security profile, before he/she can gain access to the security profile. In this way, an owner cannot execute any alterations without the knowledge and consent of other owners.

Countersignatures are given by the co-owners entering their user passwords on the Countersignatures screen; this screen is displayed automatically when a function is invoked that requires countersignatures from co-owners of the security profile concerned.

Note:
If the Lock User Option is active, entering a wrong password on the Countersignatures screen may result in the user who has invoked the screen being locked.

Example of Countersignatures:

In the security profile of user IW the following owners are specified:

+----------------------------OWNERS----------------------------+
! User ID ........... IW                                       !
!                                                              !
! AD                                                           !
! HW       + 1                                                 !
! JC       + 2                                                 !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!                                                              !
!--------------------------------------------------------------+

Only the three ADMINISTRATORs specified may modify the security profile.

The owner situation is the following:

AD may access the security profile without any countersignature.
HW must obtain one countersignature from one of the other two owners.
JC must obtain two countersignatures, that is, one from each of the other two owners.

Let us imagine that owner HW wishes to modify the security profile of user IW. On the User Maintenance selection list, he marks user "IW" with code "MO". The Countersignatures screen will be invoked:

13:10:14                    *** NATURAL SECURITY ***                 2008-10-31
                                - Modify User -                                
                                                                               
User ID .. IW                                                                  
                                                                               
                                                                               
           Group ID  User ID     Password            Added       Modified      
           --------  --------    --------            ---------- ----------     
        1.           AD______    ________        On: 1999-08-13 2008-01-18     
        2.           JC______    ________            13:08:15   13:09:10       
        3.           ________    ________        By: AD         AD             
        4.           ________    ________                                      
        5.           ________    ________                                      
        6.           ________    ________                                      
        7.           ________    ________                                      
        8.           ________    ________                                      
                                                                               
                                                                               
                                                                               
                                                                               
SYSSEC5588: 1 authorized owner must enter his/her password.                    
                                                                               
Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12---
      Help        Exit                                                  Canc  

All other owners of the security profile are listed on the screen. One of them must enter his/her password.

If none of the other owners are available in person, they may communicate (for example, AD may reveal his password to HW, which HW may then enter on the Countersignatures screen; AD should then change his password immediately afterwards).

Once the correct password of one co-owner (either AD or JC) has been entered, the Modify User screen with the security profile of user IW will be invoked for administrator HW to execute the intended modifications.


Groups as Owners

If GROUPs are specified as owners, the following cases may occur:

If two or more GROUPs have equally few countersignatures, their alphabetical order is decisive.

Note:
In the above cases an ADMINISTRATOR may be an owner more than once. This implies that the ADMINISTRATOR may provide him-/herself with one or more of the countersignatures required.


Groups as Co-Owners

If a GROUP appears as a co-owner on the Countersignatures screen, any one of the ADMINISTRATORs contained in the GROUP may countersign.

To select one ADMINISTRATOR from a GROUP, enter a "?" in the User ID field next to the Group ID on the Countersignatures screen. A list of all ADMINISTRATORs contained in the GROUP will be displayed, from which you may select the one whose countersignature you wish to obtain.

Please note that a GROUP counts as one co-owner, and one co-owner cannot provide more than one countersignature. If, for example, two countersignatures are required, these may not both be obtained from members of the same GROUP.

However, one ADMINISTRATOR may countersign more than once if he/she appears more than once as a co-owner on the Countersignatures screen, i.e. in his/her own right and/or as a member of one or more GROUPs.
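The rules stated in "Using Countersignatures" and in the two "Groups as ..." subsections above can be checked mechanically. The following Python script is an added example written for this page, not code from Software AG or Natural Security; ADMINISTRATORS, GROUPS, OwnerEntry, check and is_accessible are constructed names, the directory data is made up, and the rule for choosing between several applicable owner entries is an assumption extrapolated from the "Groups as Owners" subsection. It models the three owners of user IW from the example above, shows that a GROUP counts as one co-owner while an ADMINISTRATOR listed twice may countersign twice, and flags an OWNERS box that no ADMINISTRATOR could ever satisfy (the situation the Warning below and the "Inaccessible Security Profiles" section describe).

```python
# Added illustration of the countersignature rule described in this section.
# It is not Natural Security code; the directory below and every name in it
# (ADMINISTRATORS, GROUPS, OwnerEntry, check, ...) are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample directory: ADMINISTRATORs and which of them each GROUP contains.
ADMINISTRATORS: Set[str] = {"AD", "HW", "JC", "MK"}
GROUPS: Dict[str, Set[str]] = {"SECGRP": {"AD", "MK"}}


@dataclass(frozen=True)
class OwnerEntry:
    """One line of the OWNERS box: a user ID or GROUP ID plus the number of
    countersignatures that owner needs before gaining access (0 to 3)."""
    owner_id: str
    required: int = 0


def members(owner_id: str) -> Set[str]:
    """ADMINISTRATORs entitled to act through an owner entry. A GROUP entry
    yields its ADMINISTRATOR members; other user types in the GROUP are ignored."""
    if owner_id in GROUPS:
        return GROUPS[owner_id] & ADMINISTRATORS
    return {owner_id} & ADMINISTRATORS


def acting_slot(owners: List[OwnerEntry], admin: str) -> int:
    """Index of the owner entry through which `admin` acts. Where several
    entries apply (own ID and/or GROUP memberships), the one requiring the
    fewest countersignatures is taken, ties broken alphabetically (an
    assumption extrapolated from the 'Groups as Owners' rule)."""
    candidates = [i for i, o in enumerate(owners) if admin in members(o.owner_id)]
    if not candidates:
        raise PermissionError(f"{admin} is not an ADMINISTRATOR owner of this profile")
    return min(candidates, key=lambda i: (owners[i].required, owners[i].owner_id))


def countersignatures(owners: List[OwnerEntry], slot: int,
                      signatures: List[Tuple[int, str]]) -> int:
    """Count valid countersignatures. Each signature names the co-owner line
    on the Countersignatures screen and the ADMINISTRATOR who entered a
    password on it (password verification itself is outside this model).
    Rules: a line is one co-owner and counts at most once; a GROUP line may
    be signed by any of its ADMINISTRATORs; the same ADMINISTRATOR may sign
    several lines if listed several times (own right and/or GROUP member)."""
    used: Set[int] = set()
    for line, admin in signatures:
        if line == slot or not 0 <= line < len(owners):
            raise ValueError(f"line {line} is not a co-owner line")
        if admin not in members(owners[line].owner_id):
            raise PermissionError(f"{admin} may not countersign for {owners[line].owner_id}")
        if line in used:
            raise ValueError(f"co-owner {owners[line].owner_id} cannot countersign twice")
        used.add(line)
    return len(used)


def check(owners: List[OwnerEntry], admin: str,
          signatures: List[Tuple[int, str]]) -> str:
    """Outcome of `admin` invoking a maintenance function on the profile."""
    try:
        slot = acting_slot(owners, admin)
        got = countersignatures(owners, slot, signatures)
    except (PermissionError, ValueError) as exc:
        return f"rejected: {exc}"
    need = owners[slot].required
    return "granted" if got >= need else f"denied: {got} of {need} countersignatures"


def is_accessible(owners: List[OwnerEntry]) -> bool:
    """Sanity check before saving an OWNERS box: can at least one owner ever
    collect enough countersignatures? Every ADMINISTRATOR-backed entry has
    the same number of other ADMINISTRATOR-backed lines available to sign."""
    backed = [o for o in owners if members(o.owner_id)]
    return any(o.required <= len(backed) - 1 for o in backed)


# The example from this section: profile of user IW with owners AD, HW + 1, JC + 2.
IW_OWNERS = [OwnerEntry("AD"), OwnerEntry("HW", 1), OwnerEntry("JC", 2)]
# Constructed variant with a GROUP as co-owner (AD is listed twice: via SECGRP and in own right).
GROUP_OWNERS = [OwnerEntry("JC", 2), OwnerEntry("SECGRP"), OwnerEntry("AD")]
# Constructed variant in which AD can supply his own countersignature as a SECGRP member.
SELF_OWNERS = [OwnerEntry("SECGRP", 1), OwnerEntry("AD", 1)]

if __name__ == "__main__":
    print(check(IW_OWNERS, "HW", [(0, "AD")]))                # granted
    print(check(IW_OWNERS, "JC", [(0, "AD")]))                # denied: 1 of 2 countersignatures
    print(check(GROUP_OWNERS, "JC", [(1, "AD"), (2, "AD")]))  # granted
    print(check(GROUP_OWNERS, "JC", [(1, "AD"), (1, "MK")]))  # rejected: co-owner SECGRP cannot countersign twice
    print(is_accessible([OwnerEntry("HW", 3), OwnerEntry("JC", 3)]))  # False
```

The last call is the check worth running before an OWNERS box is saved: two owners who each require three countersignatures have only one co-owner between them, so neither can ever get in.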


User Security Profiles of ADMINISTRATORs

When an ADMINISTRATOR wishes to create any new security profiles (that is, to use an Add or Copy function), the owner situation of his/her own security profile applies:

Warning:
Owners and countersignatures should be assigned with the utmost care, as it may be difficult, if not impossible, to cancel an undesired owner/co-owner configuration. "Experimenting" with this feature can also result in your locking yourself out from access to a security profile.


Deferred Countersigning

Deferred countersigning allows you to perform a maintenance function, and obtain the required countersignature later.

This functionality is also referred to as "time-independent countersigning" (TIC).

Applicability

Deferred countersigning is possible:

The following explanation uses the term "modify" for easier reading; however, the explanation also applies to the other functions mentioned.

Note:
With the current version of Natural Security, deferred countersigning is available for the functions mentioned above. With subsequent versions, it is planned to make it available for further functions.

How Deferred Countersigning Works

When you attempt to modify a security profile and the Countersignatures screen is invoked, but none of the other owners of the security profile is available to supply his/her password, you may defer the countersigning. This means that you can proceed with your intended modification and obtain the other owner's countersignature afterwards.

To do so, you press PF5 (Defer) on the Countersignatures screen.

The security profile to be modified will be invoked, and you can make your changes to it.

When you have finished modifying the security profile, it will appear in the object maintenance selection list with an indication that a countersignature is still pending for the modification. The modification will not become active until the countersignature is provided.

Until the co-owner supplies or refuses his/her countersignature, there will be two versions of the security profile: the active version, which is unchanged and remains in force, and the temporary version, which contains your modifications.

On the maintenance selection list, you can perform the following functions on the security profile:

Code  Function
DI    Display the active version of the security profile.
DT    Display the temporary version of the security profile. The modifications are highlighted in it.
MT    Modify the temporary version of the security profile.
RT    Revoke the countersignature request.

The co-owner can perform the following functions on the security profile:

Code  Function
DI    Display the active version of the security profile.
DT    Display the temporary version of the security profile. The modifications are highlighted in it.
CT    Invoke the Countersignatures screen to confirm the modifications.
RT    Revoke the countersignature request.

Until the countersignature is supplied or revoked, maintenance functions other than those listed above cannot be applied to the security profile.

When the countersignature is supplied by the co-owner, the modifications will be applied, that is, the active version of the security profile will be removed, and the temporary version will become the active version.

If the countersignature request is revoked - either by yourself or the co-owner - the temporary version of the security profile will be removed, and only the active version will continue to exist. Any information concerning the request will be removed.

Note:
The owner/co-owner specifications in a security profile cannot be changed via deferred countersigning.
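The codes in the two tables above together with the active/temporary handling describe a small state machine. The following Python model is an added example for this page, not Natural Security code: Profile, defer, countersign, revoke, show_tic and the sample field names are constructed, the set of co-owners is passed in as a plain set rather than derived from an OWNERS box, and the codes shown to an ADMINISTRATOR who is neither requester nor co-owner are an assumption. It walks one request through PF5 (Defer), DT, MT and CT, shows what SHOW TIC lists, and enforces the Note that owner specifications cannot be changed this way.

```python
# Added model of the deferred-countersigning (TIC) workflow described above.
# Not Natural Security code: Profile, defer, countersign and the sample field
# names are constructed assumptions; co-owners are passed in as a plain set.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Owner/co-owner specifications cannot be changed via deferred countersigning.
LOCKED_FIELDS = {"OWNERS"}


@dataclass
class Profile:
    profile_id: str
    active: Dict[str, str]                      # version currently in force
    temporary: Optional[Dict[str, str]] = None  # exists only while a countersignature is pending
    requester: Optional[str] = None             # owner who pressed PF5 (Defer)

    @property
    def pending(self) -> bool:
        return self.temporary is not None


def defer(p: Profile, requester: str, changes: Dict[str, str]) -> None:
    """PF5 (Defer): record the modification as a temporary version."""
    if p.pending:
        raise RuntimeError(f"{p.profile_id}: a countersignature is already pending")
    if LOCKED_FIELDS & changes.keys():
        raise ValueError("owner/co-owner specifications cannot be changed this way")
    p.temporary = {**p.active, **changes}
    p.requester = requester


def functions_for(p: Profile, user: str, co_owners: Set[str]) -> Set[str]:
    """Codes available to `user` on the maintenance selection list. While a
    request is pending only the codes from the two tables apply; an
    uninvolved ADMINISTRATOR seeing only DI and DT is an assumption."""
    if not p.pending:
        return {"DI", "MO"}  # the normal codes; only a subset is modelled
    codes = {"DI", "DT"}
    if user == p.requester:
        codes |= {"MT", "RT"}
    if user in co_owners:
        codes |= {"CT", "RT"}
    return codes


def highlighted(p: Profile) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """What DT highlights: fields whose temporary value differs from the active one."""
    if p.temporary is None:
        return {}
    keys = set(p.active) | set(p.temporary)
    return {k: (p.active.get(k), p.temporary.get(k))
            for k in sorted(keys) if p.active.get(k) != p.temporary.get(k)}


def modify_temporary(p: Profile, user: str, changes: Dict[str, str]) -> None:
    """MT: the requester may keep editing the temporary version."""
    if p.temporary is None or user != p.requester:
        raise PermissionError("MT is only available to the requesting owner")
    if LOCKED_FIELDS & changes.keys():
        raise ValueError("owner/co-owner specifications cannot be changed this way")
    p.temporary.update(changes)


def countersign(p: Profile, co_owner: str, co_owners: Set[str]) -> None:
    """CT: a co-owner confirms; the temporary version replaces the active one."""
    if not p.pending:
        raise RuntimeError("nothing is pending")
    if co_owner not in co_owners:
        raise PermissionError(f"{co_owner} is not a co-owner of {p.profile_id}")
    p.active, p.temporary, p.requester = p.temporary, None, None


def revoke(p: Profile, user: str, co_owners: Set[str]) -> None:
    """RT: requester or co-owner withdraws the request; only the active version remains."""
    if not p.pending:
        raise RuntimeError("nothing is pending")
    if user != p.requester and user not in co_owners:
        raise PermissionError(f"{user} may not revoke this request")
    p.temporary, p.requester = None, None


def show_tic(profiles: List[Profile]) -> List[str]:
    """SHOW TIC: only the profiles with a pending countersignature."""
    return sorted(p.profile_id for p in profiles if p.pending)


if __name__ == "__main__":
    # Constructed sample: owner HW defers a change to user IW's profile; AD and JC are co-owners.
    iw = Profile("IW", {"USER TYPE": "A", "LANGUAGE": "1"})
    defer(iw, "HW", {"LANGUAGE": "2"})
    print(show_tic([iw]), highlighted(iw))   # ['IW'] {'LANGUAGE': ('1', '2')}
    countersign(iw, "AD", {"AD", "JC"})
    print(iw.active, show_tic([iw]))         # {'USER TYPE': 'A', 'LANGUAGE': '2'} []
```

Note that revoke and countersign both discard the temporary version; the difference is only which of the two versions survives, which is exactly what the text above describes for RT and CT.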

Listing Profiles with Pending Countersignatures

To list only those security profiles of a specific object type for which countersignatures are pending, you enter the command SHOW TIC (TIC = time-independent countersigning) in the command line of the object maintenance selection list.

To revert to the normal selection-list display, you enter the command again.

Renamed and Deleted Security Profiles

If you defer the countersigning for the renaming of a security profile, the profile will appear in the object maintenance selection list under both the old ID and the new ID.

If you defer the countersigning for the deletion of a security profile, the profile will remain in the object maintenance selection list until the countersignature is supplied.


Inaccessible Security Profiles

If a security profile has become completely inaccessible - that is, if an owner/co-owner configuration has been set up which does not allow any ADMINISTRATOR to access the security profile - the Natural system command INPL can be used as a last resort to recover the security profile.

You enter the INPL command; then, on the INPL menu, you enter Code "R" and Replace option "O". In the next window, you enter the object type and the ID of the security profile to be recovered. This deletes all owner entries from the security profile.

If you use the above INPL option in batch mode, work file 1 must be the Natural Security INPL file.

Example of Batch-Mode Input for Security-Profile Recovery:

//CMSYNIN DD *
R,O
U,AD
.
