Protecting Libraries

This section describes how to control the access of users to protected libraries.


Protected Libraries

A library may be protected by specifying the values of People-protected and Terminal-protected in the General Options column of the library's security profile.

Protection Combinations

The possible combinations of People-protected and Terminal-protected are listed below:

Protection Explanation
People: N
Terminal: N
The library is not protected. It may be used by any person from any terminal. The terminal need not be defined to Natural Security. The user must be defined to Natural Security. The user ID must be entered on the logon screen in order to be able to log on to the library.
People: L
Terminal: N

This is identical to the above combination - with the following addition: Although the library is not protected, it is possible to link a group to the library. Only one group can be linked to the library, and the link must be a special link. This special link only applies to users of type "Administrator" contained in the group. This feature is only intended to allow administrators different access to an unprotected library for maintenance purposes. (The special link to such a library can only be established via the function "Link users to library" which is invoked from the Library Maintenance selection list.)

Note:
When an administrator processes the library's contents with a Natural utility under a condition under which the Utilities option in the library profile would apply, Natural Security will react as if this option were set to "N".

People: Y
Terminal: N
The library may be used only by persons who are linked to the library or are in a group that is linked to the library. It may be used from any terminal. The terminal need not be defined to Natural Security. The user (and the group if need be) must be defined to Natural Security. The user ID must be entered on the logon screen in order to be able to log on to the library.
People: N
Terminal: Y
The library may be used by any person, but it may only be used from a terminal which is defined to Natural Security and is contained in a group which is linked to the library. No user ID is required on the logon screen to log on to the library.
People: Y
Terminal: Y
The library may be used either by people linked to the library or from a terminal which is contained in a group which is linked to the library. In other words, by entering his or her user ID on the logon screen, a linked person may use the library from any terminal; people who are not linked to the library may only use the library from a linked terminal.
People: Y
Terminal: A
The library may be used only by people from linked terminals: The person must be defined to Natural Security and must be in a group which is linked to the library (or may be linked directly, if user type "Administrator" or "Person"); the terminal must also be defined to Natural Security, and it must be contained in a group which is linked to the library. The user ID and library ID must be entered on the logon screen in order to be able to log on to the library.
People: P
Terminal: N
This combination only applies to private libraries in public mode. The user with the same ID as the library ID may use the library without requiring a link to it. Otherwise, this combination is identical to "People: Y, Terminal: N" (see above).
People: P
Terminal: Y
This combination only applies to private libraries in public mode. The user with the same ID as the library ID may use the library without requiring a link to it. Otherwise, this combination is identical to "People: Y, Terminal: Y" (see above).
People: P
Terminal: A
This combination only applies to private libraries in public mode. The user with the same ID as the library ID may use the library without requiring a link to it. Otherwise, this combination is identical to "People: Y, Terminal: A" (see above).
People: N
Terminal: A
This combination is not possible!
People: L
Terminal: Y
This combination is not possible!
People: L
Terminal: A
This combination is not possible!

Changing a Protection Combination

Please take care when you change an existing combination of People-protected and Terminal-protected. If the change results in a "lower" protection level, certain links will automatically be cancelled by Natural Security according to the following rules:

Change from any protection combination to People: N, Terminal: N
All existing links to the library will be cancelled.

Change from any protection combination to People: N, Terminal: Y
All direct links of "Administrator"s and "Person"s will be cancelled. Links of "Group"s to the library will remain.

Change from any protection combination to People: Y, Terminal: N
No links will be cancelled.

Change from any protection combination to People: Y, Terminal: Y
No links will be cancelled.

Change from People: N, Terminal: Y to People: Y, Terminal: Y
No links will be cancelled. However, all people contained in "Group"s which are linked to the library may now also log on to the library!
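
The rules above can be applied to a list of a library's links before the change is made. The following Python sketch is an added example, not part of Natural Security or its documentation; the function name and the dictionaries describing links and group membership are assumptions made for this illustration.

```python
# (People, Terminal) pairs which the combinations table marks as not possible
IMPOSSIBLE = {("N", "A"), ("L", "Y"), ("L", "A")}
DIRECT_TYPES = ("Administrator", "Person")

def preview_change(old, new, links, members):
    """Preview the effect of changing a library from `old` to `new`.

    old, new -- (People-protected, Terminal-protected) pairs
    links    -- {linked ID: user type} for the library (model for this example)
    members  -- {group ID: {member ID: user type}} (model for this example)
    """
    if new in IMPOSSIBLE:
        raise ValueError("People: %s, Terminal: %s is not possible" % new)
    if new == ("N", "N"):
        cancelled = sorted(links)                      # all existing links
    elif new == ("N", "Y"):
        cancelled = sorted(i for i, t in links.items() if t in DIRECT_TYPES)
    elif new in {("Y", "N"), ("Y", "Y")}:
        cancelled = []                                 # no links are cancelled
    else:
        raise ValueError("target combination is not listed in the change rules")
    remaining = sorted(set(links) - set(cancelled))
    admitted = []
    if old == ("N", "Y") and new == ("Y", "Y"):
        # No link is cancelled, but people in linked groups may now log on.
        admitted = sorted({uid for g in remaining if links[g] == "Group"
                           for uid, utype in members.get(g, {}).items()
                           if utype != "Terminal"})
    return {"cancelled": cancelled, "remaining": remaining,
            "people_now_admitted": admitted}

# Constructed sample data (all IDs are invented for this example)
SAMPLE_LINKS = {"HQTERMS": "Group", "ANNA": "Person", "ROOT": "Administrator"}
SAMPLE_MEMBERS = {"HQTERMS": {"T1": "Terminal", "T2": "Terminal", "CARL": "Member"}}

if __name__ == "__main__":
    print(preview_change(("Y", "Y"), ("N", "Y"), SAMPLE_LINKS, SAMPLE_MEMBERS))
    print(preview_change(("N", "Y"), ("Y", "Y"), {"HQTERMS": "Group"}, SAMPLE_MEMBERS))
```

In the second call no link is cancelled, yet the member CARL of a group that was linked for its terminals appears under people_now_admitted, which is the case the last rule draws attention to.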

Protecting a Private Library

The user with the same user ID as the library ID always has access to his/her private library.

In public mode, other users' access to someone's private library is determined by the settings of the fields People-protected and Terminal-protected in the security profile of the private library. Possible values for the field People-protected are "P" (which is the default value, and which corresponds to "Y" in other library profiles) and "N" (which is the same as in other library profiles). Possible values for the field Terminal-protected are the same as for other libraries (Y, N or A). The possible protection combinations are described above.

In private mode, no other user has access to someone else's private library.

Linking Users to Libraries

To allow a user access to a protected library, a link has to be established between the user and the library.

Only users of types "Administrator", "Person", and "Group" can be linked to a library.

Users of types "Administrator" and "Person" can be linked to a library either directly or via a "Group".

Users of types "Member" and "Terminal" can be linked to a library only via a "Group"; that is, they must be assigned to a "Group", and the "Group" be linked to the library.

Two functions are available to establish and maintain links between users and libraries:

  • a User Maintenance function to link one user to one or more libraries,

  • a Library Maintenance function to link one or more users to one library.

Both functions are described below.

Linking a Single User to Libraries

To link one user to one or more libraries:

  1. On the User Maintenance selection list, mark the user you wish to link with function code LL.

  2. A window will be displayed, providing the following options:

    • Start value - You can enter a start value for the list of libraries to be displayed (as described in the section Finding Your Way in Natural Security).

    • Selection criterion - N = none: all libraries will be listed; L = linked: only libraries to which the user is already linked (normal and special links, including temporarily locked ones) will be listed; U = unlinked: only libraries to which the user is not yet linked will be listed.

  3. Then the Link User To Libraries selection list will be displayed, showing the list of libraries. It includes all protected libraries; that is, if you link a user of type "Person" or "Administrator", it includes all libraries with "People-protected" set to "Y"; if you link a user of type "Group", it includes all libraries with at least one of the two protection values set to "Y". The list can be scrolled as described in the section Finding Your Way in Natural Security.

    On the list, you mark the libraries to which you wish to link the selected user.

    In the Co column, you may mark each library with one of the following function codes (possible code abbreviations are underlined):

    Code  Function
    LK    Link - The user may use the library with the security profile of the library being in effect.
    SL    Special Link - The user may use the library with a special security profile to be defined for the link; the link profile will take precedence over the library profile. See Special Links below.
    CL    Cancel - An existing link or special link will be cancelled.
    TL    Temporarily Locked - An existing link or special link will be suspended until it is re-established. A suspended link or special link can be re-established by marking the library concerned with LK or SL again. When a special link is re-established, the original link security profile will be re-established, too.
    DL    Display Special Link - The security profile of an existing special link between the user and the library will be displayed.
    DI    Display Library - The security profile of the library will be displayed.
    LD    Modify DDM Restrictions in Special Link Profile (This function is not available on mainframe computers. It corresponds to function MD as described under Creating And Maintaining DDM Security Profiles).

    You can mark one or more libraries on the screen with a function code.

  4. For each library marked, the selected functions will be executed one after another. When processing is completed, a message will be displayed stating the link situation now in effect for each library.

Linking Multiple Users to a Library

To link one or more users to one library:

  1. On the Library Maintenance selection list, mark the library to which you wish to link users with code LU.

  2. A window will be displayed, providing the following options:

    • Start value - You can enter a start value for the list of users to be displayed (as described in the section Finding Your Way in Natural Security).

    • Selection criterion - N = none: all users will be listed; L = linked: only users which are already linked to the library (normal and special links, including temporarily locked ones) will be listed; U = unlinked: only users which are not yet linked to the library will be listed.

  3. Then the Link Users To Library selection list will be displayed, showing the list of users. It includes all users of types "Group", "Administrator", and "Person". It can be scrolled as described in the section Finding Your Way in Natural Security.

    On the list, you mark the users you wish to be linked to the selected library.

    In the Co column, you may mark each user with one of the following function codes (possible code abbreviations are underlined):

    Code  Function
    LK    Link - The user may use the library with the security profile defined for the library being in effect.
    SL    Special Link - The user may use the library with a special security profile to be defined for the link; the link profile will take precedence over the library profile. See Special Links below.
    CL    Cancel - An existing link or special link will be cancelled.
    TL    Temporarily Locked - An existing link or special link will be suspended until it is re-established. A suspended link or special link can be re-established by marking the user concerned with LK or SL again. When a special link is re-established, the original link security profile will be re-established, too.
    DL    Display Special Link - The security profile of an existing special link between the user and the library will be displayed.
    DI    Display User - The security profile of the user will be displayed.
    LD    Modify DDM Restrictions in Special Link Profile (This function is not available on mainframe computers. It corresponds to function MD as described under Creating And Maintaining DDM Security Profiles).

    You can mark one or more users on the screen with a function code.

  4. For each user marked, the selected functions will be executed one after another. When processing is completed, a message will be displayed stating the link situation now in effect for each user.

Special Links

If a library security profile determines the conditions under which the library may be used generally, the special-link security profile determines the conditions under which the user (or group of users) thus linked may use the library. This means that by using special links you may define for different users different conditions of use of the same library.

The items you define in a special-link profile take precedence over the corresponding items in the library profile.

Some items cannot be set in special-link profiles. For these, the settings specified in the library profile apply.

Creating a Special Link

If you mark a user/library with SL, you may define the security profile for this special link on the screens which will be displayed. The default settings which appear on the Special Link security profile screens are taken from the security profile of the library.

The components of a special-link security profile correspond with those you may define as part of a library security profile (see Components of a Library Profile in the section Library Maintenance).

Modifying a Special Link

To modify an existing special-link security profile, mark the respective user/library with SL again on the Link Users To Library or Link User To Libraries screen: the Special Link security profile screen will be invoked for modification.

Displaying a Special Link

To view the security profile of a special link, mark the respective user/library with DL on the Link Users To Library or Link User To Libraries screen: the Special Link security profile screen will be displayed.

Which Conditions of Use are in Effect?

When a user logs on to a protected library, Natural Security will execute a number of checks to determine under which conditions the user may use the library. If none of the checks are positive, the logon will be rejected.

The following checks will be executed in the following order:

Library Protection Checks Performed
1.
People: Y
Terminal: N

First: Check whether the user is linked directly to the library; if the user is linked with a special link, the conditions defined in the special-link security profile will be in effect; if the user is linked with an ordinary link, the conditions defined in the library security profile will be in effect.

Second: Check whether the user is in a group which is linked to the library; if the user is contained in more than one group, these groups will be checked in the following order: first the Privileged Groups in the user's security profile will be checked in order of entry, then the other groups will be checked in alphabetical order; the first linked group found will be selected; if the group is linked with a special link, the conditions defined in the special-link security profile will be in effect; if the group is linked with an ordinary link, the conditions defined in the library security profile will be in effect.

2.
People: N
Terminal: Y

Check whether the terminal is in a group which is linked to the library; if the terminal is contained in more than one group, these groups will be checked in the following order: first the Privileged Groups in the terminal's security profile will be checked in order of entry, then the other groups will be checked in alphabetical order; the first linked group found will be selected; if that group is linked with a special link, the conditions defined in the special-link security profile will be in effect; if that group is linked with an ordinary link, the conditions defined in the library security profile will be in effect.

3.
People: Y
Terminal: Y

If the user logs on with a user ID, the same checks as under 1. will be executed.

If the user logs on without specifying a user ID, the same checks as under 2. will be executed.

4.
People: Y
Terminal: A
The same checks as under 1. will be executed.

Note:
The terminal must be in a group which is linked to the library, but the conditions of use are determined by the user's link.
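
The order of these checks decides which profile applies when a user belongs to several linked groups. The following Python model of the four cases is an added example, not code from Natural Security; the Principal class, the function names and the sample IDs are assumptions made for this illustration, and only ordinary links (LK) and special links (SL) are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """A user or a terminal (model for this example, not a Natural Security structure)."""
    id: str
    privileged: list = field(default_factory=list)  # Privileged Groups, in order of entry
    groups: set = field(default_factory=set)        # every group containing the principal

def first_link(p, links, direct):
    """Return (link ID, "LK" or "SL") for the first link found, else None."""
    if direct and p.id in links:                    # "First": direct link
        return p.id, links[p.id]
    others = sorted(p.groups - set(p.privileged))   # remaining groups, alphabetical
    for g in list(p.privileged) + others:           # "Second": first linked group wins
        if g in links:
            return g, links[g]
    return None

def conditions_in_effect(people, term, links, user=None, terminal=None):
    """Return (link ID, profile in effect), or None when the logon is rejected."""
    combo = (people, term)
    if combo not in {("Y", "N"), ("N", "Y"), ("Y", "Y"), ("Y", "A")}:
        raise ValueError("combination not covered by the four checks")
    by_user = first_link(user, links, True) if user else None
    by_term = first_link(terminal, links, False) if terminal else None
    if combo == ("Y", "N"):
        hit = by_user
    elif combo == ("N", "Y"):
        hit = by_term
    elif combo == ("Y", "Y"):
        hit = by_user if user else by_term          # depends on whether a user ID was given
    else:                                           # Y/A: terminal gates, user's link decides
        hit = by_user if by_term else None
    if hit is None:
        return None
    return hit[0], "special-link profile" if hit[1] == "SL" else "library profile"

# Constructed sample data: links to one library, three users, two terminals.
LINKS = {"AUDITORS": "SL", "CLERKS": "LK", "HQTERMS": "LK", "BOB": "SL"}
ANNA = Principal("ANNA", privileged=["CLERKS"], groups={"AUDITORS", "CLERKS"})
DORA = Principal("DORA", groups={"AUDITORS", "CLERKS"})
BOB = Principal("BOB", groups={"CLERKS"})
T1 = Principal("T1", groups={"HQTERMS"})
T2 = Principal("T2")

if __name__ == "__main__":
    for who in (ANNA, DORA, BOB):
        print(who.id, conditions_in_effect("Y", "N", LINKS, user=who))
    print(conditions_in_effect("Y", "A", LINKS, user=ANNA, terminal=T2))
```

ANNA and DORA are in the same two groups, but ANNA's Privileged Groups entry puts CLERKS first, so she works under the library profile while DORA gets the special-link profile of AUDITORS.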

PROFILE Command

When logged on to a library, a user may enter the Natural system command PROFILE to ascertain which conditions of use are currently in effect.

When you enter the PROFILE command, the Security Profile screen is displayed, showing the following information:

User
  ID - The user's ID.
  Name - The user's name.
  Type - The user type.
  Link ID - The current value of the Natural system variable *GROUP. An asterisk (*) next to the ID indicates that the group's/user's link to the current library is a Special Link.
  ETID - The current value of the Natural system variable *ETID.

Library
  ID - The ID of the current library.
  Name - The name of the current library.
  Steplibs - The steplibs of the current library.

Transactions
  Startup - The current value of the Natural system variable *STARTUP.
  Restart - The name of the restart transaction.
  Error - The current value of the Natural system variable *ERROR-TA.

Additional Options

If you mark the field Additional Options on the Security Profile screen with "Y" or press PF4, a window will be displayed from which you can select the following items of information:

  • Security options

  • Security limits

  • Session parameters

  • Command restrictions

  • Editing restrictions

  • Statement restrictions

  • Time windows

  • System files

  • Natural version

The options where something is defined for the current user are marked with a plus sign (+).

You can select one or more items from the window by marking them with any character. For each item selected, an additional window/screen will be displayed (in the order of the items in the selection window).

Utility Access Rights

If you press PF5, the NSC Utility Access Rights window will be displayed, providing an overview of the utility functions which you are allowed to use in each library.

  • If you have issued the PROFILE command from within a utility, the window lists the functions available in that utility.

  • If you have issued the PROFILE command elsewhere, the window lists all utilities along with information on whether some or all functions of a utility are allowed/disallowed for a specific library. (The notation <others> in the Library field of the window indicates all libraries for which nothing specific has been defined.) To obtain more detailed information on the utility functions allowed for a particular library, you can select one or more libraries from the window by marking them with any character.