The Administrator Services subsystem of Natural Security provides the following functions which are used in conjunction with Natural SAF Security:
In order to use these functions:
you need to have access to the Natural Security library
SYSSEC
;
you have to be defined in Natural Security as a user of type "Administrator";
you need to have access to the Administrator Services subsystem of Natural Security (see Access to Administrator Services in the Natural Security documentation).
Warnung: The user ID DBA should not be used for testing
purposes. If you log on to SYSSEC as user DBA , any
Natural SAF Security settings and checks will be ignored. As indicated in the
Natural Security installation documentation, the user ID
DBA should only be used for the initial definition of Natural
Security administrators and for recovering the Natural Security
environment. |
Natural Security's Administrator Services provide several options which are used in conjunction with Natural SAF Security to setup your security environment. These General NSF options are only available if Natural SAF Security is installed.
For any changes of these options to take effect, you have to restart the SAF server and then restart your Natural session.
To invoke the General NSF options:
On the Natural Security Main Menu, select Administrator Services. The Administrator Services Menu 1 will be displayed.
On this menu, select General NSF options. The first General NSF Options screen will be displayed.
General NSF Options consists of two screens. With PF7 and PF8, you can switch between them.
The following types of NSF options are available:
The individual options are described below.
General NSF Options 1:
05:23:23 *** NATURAL SECURITY *** 2018-09-18 - General NSF Options 1 - Server Id 20020 Created ... 2011-09-26 by ADE Modified .. 2018-08-31 by ADE Security System External Security System ... RACF Server ID ............. 20020 Natural Security ........... FSEC Protection Level ...... 1 User Options NSF *GROUP ................. Y (Y,N) NSC Group ID .......... Y (Y,N) NSF *USER-NAME ............. Y (Y,N) NSC User ID ........... N (Y,N,I) NSF *ETID .....(N,O,B,A,J,T) N NSC Logon Priv. Library N (Y,D,N) NSF *USER Automatic Logon .. N (Y,N) NSC Support of RACF NSC User Maintenance ....... N (X,Y,N) Password case-sensitive .... N (Y,N) General Group ID ...... ________ Password phrases active .... N (Y,A,N) Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12--- Help Exit Def. Flip NSC NSF2 Canc |
Option | Explanation |
---|---|
External Security System |
In this field, you specify the external security system to be used. Possible values are: The default value is Anmerkung: |
Server ID | In this field, you specify the node ID of the SAF server to be
used (that is, the value of the parameter GWDBID as specified in
the SAF server installation).
|
Natural Security | This field is reserved for future use. At present, it must contain "FSEC". |
Protection Level |
This field is used to activate Natural SAF Security. Possible values are:
|
Option | Explanation |
---|---|
NSF *GROUP |
This option determines whether the group ID defined in the
external security system is to be used as value for the Natural system variable
It is recommended that this option be set to "Y" (see also option NSC Group ID below). |
NSC Group ID |
This option determines whether the group IDs defined in the external security system also have to be defined in Natural Security (Y/N). It is recommended that this option be set to "Y"; any conditions of use associated with the Natural Security group profile can then be controlled by Natural Security. If there are multiple default groups in the external security system, instead of having to define all these groups in Natural Security, you can define one General Group ID (see below), which will be used by the Natural logon procedure for the logon of all users defined in the external security system. RACF:
RACF allows for a user to be in multiple groups. If this option is set to "Y", any of these groups can be used for a logon to a protected library, and they will be evaluated by the Natural logon procedure to select the group to be used for the logon. |
NSF *USER-NAME |
This option determines whether the user name defined in the
external security system is to be used as value for the Natural system variable
|
NSC User ID |
This option determines whether, in addition to being defined in the external security system, users also have to be defined in Natural Security (Y/N). If set to "Y", the Natural Security user profile will be used once the user has successfully logged on to the external security system. After the initial logon, the conditions of use associated with the Natural Security user profile will be controlled by Natural Security. However, Natural Security will not perform any password checks. |
NSF *ETID |
This option determines if and how ETIDs (end of transaction IDs) are to be generated by Natural SAF Security at the start of the Natural session:
|
NSC Logon Priv. Library |
This option controls users' access to private libraries:
If this option is set to a value other than "N", the library option Protect Libraries (see below) must also be set to a value other than "N". |
Resource priv. lib. |
Only applicable if NSC Logon Priv. Library (see above) is set to "D": In this field, you specify the value which is to be used for access validation to private libraries. This value applies to all users. The default value is the string |
NSF *USER Automatic Logon |
When Automatic Logon is used (Natural profile parameter
|
Password Case-Sensitive |
This option is relevant if the external security system is set to distinguish between lower-case and upper-case characters in user passwords. It determines whether or not this distinction is to be made by Natural SAF Security as well:
If you set this option to "Y", the option Password Case-Sensitive in Natural Security's Library and User Preset Values is automatically set to "Y" as well to ensure consistent password checking. If you set this option to "Y", make sure that any password input
fields used also distinguish between lower- and upper-case. This may affect the
logon screen, the user exit |
General Group ID |
This option is useful if there are multiple default groups in the external security system and you do not wish to define all these groups in Natural Security. In this field, you can specify the ID of a group defined in Natural Security. For the Natural logon procedure, this group ID will be used instead of a default group ID: This means that the security profile of this group applies to all users defined in the external security system. If a group ID is specified in this field, the options NSF *GROUP and NSC Group ID (see above) must both be set to "Y". |
Password phrases active |
Password phrases are passwords which are longer than 8 characters. This option enables the use of password phrases.
If this option is set to "A" or "Y", Natural Security's
logon-related user exit |
This option is only available if RACF is used as the external security system.
Option | Explanation |
---|---|
NSC User Maintenance |
This option allows you to change user passwords in RACF user profiles, with the base segment field keyword EXPIRED, from within Natural Security's user maintenance. Before this option can be used, the subprogram
Using this option/subprogram requires that in RACF you have the appropriate authorizations. That is, you can only set the RACF user passwords and EXPIRED base segment field keywords via Natural Security if you are allowed to do so in RACF itself. Setting this option to "Y" causes the following changes on Natural Security user profile screens:
To set the Natural Security user password, you press PF9. Setting this option to "X" has the same effects as "Y". In addition, it causes a check to be performed as to which user IDs defined in Natural Security are also defined in RACF. As a result, the user IDs defined in both systems will be marked accordingly on Natural Security's User Maintenance selection list. |
General NSF Options 2:
13:45:37 *** NATURAL SECURITY *** 2015-12-16 - General NSF Options 2 - Server Id 26580 Created ... 2011-09-01 by ADE Modified .. 2015-12-31 by ADE Environment Options Protect Environments ....... N (Y,N) Allow Undef. Environments .. N (Y,N) Library Options Protect Libraries .......... N (Y,L,R,*,N) with Environment ....... N (Y,N) Disable Natural Commands ... N (Y,N) Set FUSER Read-Only ........ N (Y,N) Protect Natural Modules .... N (Y,X,N) RPC Options Protect Services ........... N (Y,F,N) with Environment ....... N (Y,N) User-Resource Options with Environment ........... N (Y,N) Allow Undef. Resources ..... N (Y,N) Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10--PF11--PF12--- Help Exit Def. Flip NSF1 Canc |
Option | Explanation |
---|---|
Protect Environments |
This option determines whether the environment profile of the system-file combination (FNAT, FUSER, FDIC, FSEC) is to be checked at the logon (Y/N).
See also Environment Profiles below. |
Allow Undef. Environments |
This option determines whether undefined system-file combinations are to be accepted at the logon (Y/N). This option is only relevant if RACF is used as external security system. With other external security systems, it will be ignored. |
Option | Explanation |
---|---|
Protect Libraries |
This option determines whether the library access level is to be checked via the SAF server:
"R" and "*" only apply with RACF. For other security systems, they are not possible. If this option is set to a value other than "N", the user option NSC Logon Priv. Library (see above) must also be set to a value other than "N". |
with Environment |
This option determines whether the environment alias is to be used as prefix of the resource library for the access-level check (Y/N). See also Environment Profiles below. |
Disable Natural Commands |
This option determines whether the use of Natural system commands is to be controlled by the access level (Y/N). If this option is set to "Y", the access level determines whether the use of Natural system commands is allowed:
If this option is set to "Y", the Natural profile parameter
|
Set FUSER Read-Only |
This option determines whether read-only access to the FUSER system file is to be controlled by the access level (Y/N). If this option is set to "Y", the access level determines whether modifications of the data on the FUSER system file are allowed:
If this option is set to "Y", the |
Protect Natural Modules |
This option determines whether the execution of Natural programming objects is to be controlled by the external security system:
An example of the effects of this option is shown under Programming Objects > Natural SAF Security Definitions. The use of this option requires that certain Natural profile parameters be set; see Step 2 of the Natural SAF Security installation procedure. |
Option | Explanation |
---|---|
Protect Services |
This option determines if the Natural RPC service access is to be checked via the SAF server (N/Y/F):
"Y" and "F" are only different for RACF; for other security systems, "F" has the same effect as "Y". |
with Environment |
This option determines whether the environment alias is to be used for the service-access check (Y/N). See also Environment Profiles below. |
Option | Explanation |
---|---|
with Environment |
This option determines whether the environment alias is to be used as prefix to the resource definitions (Y/N). See also Environment Profiles below. |
Allow Undef. Resources |
This option determines whether access to undefined resources is to be allowed via the Natural SAF Security application programming interfaces (Y/N). This option is only relevant if RACF is used as the external security system. With other external security systems, this option will be ignored. |
If you wish to protect resources in specific environments, you have to define environment profiles for these environments (that is, security profiles for the individual system-file combinations).
In an environment profile, you specify a one-character alias for the environment. The alias is used to identify the environment to the external security system; the environment-specific resource profiles whose names are prefixed with this alias determine users' access rights, if the with Environment option for the resource class in question is set to "Y" in the NSF options (see above).
To define environment profiles, you use the Natural Security function "Environment Profiles", as described under Defining Environment Profiles in the section Protecting Environments of the Natural Security documentation.
For any environment-profile modifications to take effect in Natural SAF Security, you have to restart your Natural session.
SAF Online Services provide several functions for monitoring the SAF server. They are described under SAF Online Services in the Natural Security documentation.
To invoke SAF Online Services:
from within the Natural Security library SYSSEC
: select
it from the Administrator Services Menu;
Oder:
from anywhere else in Natural: issue the direct command
SYSSAFOS
.
To be able to access SAF Online Services, a utility security profile for
SYSSAFOS
has to be defined in Natural Security (as described in
the section Protecting
Utilities of the Natural Security
documentation).