This section covers the following topics:
Natural Security allows you to make users' access to a library environment-specific. A Natural environment is determined by the combination of the system files FNAT, FUSER, FSEC and FDIC. You define a security profile for each environment (that is, for each system-file combination) you wish to protect, and control users' access to it. You can also make a library accessible in some environments, but not in others.
A logon to another environment occurs when a users logs onto a library located on another FUSER system file (as specified by the Library File DBID/FNR in the library profile).
Whenever a user logs on to a library in another environment, Natural Security will check whether:
access to the library is allowed in that environment, and
the user is authorized to access that environment.
Such a check is performed not only when a user explicitly logs on to a library, but also when the user invokes a function which implicitly accesses another library or processes the contents of another library.
Environment protection is activated by setting the general option Environment Protection to "Y".
If environment protection is active, the following applies:
Access to undefined environments is not possible.
For every environment to be accessed, an environment security profile has to be defined.
By default, access to a library is allowed in any defined environment.
By default, access to a defined environment is allowed for all users.
For individual defined environments, you can disallow access to a library.
For individual users, you can disallow access to a defined environment.
To deactivate environment protection, you set the general option Environment Protection option to "N".
Note:
If environment protection is active, the user ID "DBA" may be used to
log on to the library SYSSEC
, even if the environment is
undefined. This makes it possible to define new environments.
The Administrator Services function Environment Profiles is used to define environment profiles, that is, security profiles for the individual system-file combinations.
To invoke this function:
On the Main Menu, select Administrator Services.
If you are allowed access to Administrator Services, the Administrator Services Menu 1 will be displayed.
Press PF8.
On the Administrator Services Menu 2, select Environment Profiles.
The Environment Maintenance selection list will be invoked.
The Environment Maintenance selection list displays a list of all environment profiles which have been defined.
The list can be scrolled as described in the section Finding Your Way In Natural Security.
For each environment profile, either its system-file combination (database IDs and file numbers of system files FUSER, FDIC, FSEC and FNAT) or its ID is displayed; with PF4 you can switch between the two displays. In addition, each environment profile's alias (AL) and protection status (P) are displayed.
The protection status can be:
I | The environment profile is inactive (both NSC Protection = N and NSF Protection = N in the environment profile). |
---|---|
N | Access to the environment is evaluated by Natural Security (NSC Protection = Y in the environment profile). |
S | Access to the environment is evaluated by the SAF server (NSF Protection = Y in the environment profile). |
The following functions are available:
Code | Function |
---|---|
AD |
Add a new environment profile. (You can also invoke this function by entering AD in the
Command line.)
|
CO |
Copy environment profile. |
MO |
Modify environment profile. |
RE |
Rename environment profile. |
DE |
Delete environment profile. |
DI |
Display environment profile. |
EP |
Protect environment. |
To invoke a function for an environment, you mark the environment with the appropriate function code in column Co.
You may select various environments for various functions at the same time; that is, you can mark several environments on the screen with a function code. For each environment marked, the selected functions will then be executed one after another.
When you add a new environment or modify an existing one, the Define Environment Profile screen will be displayed. The items you can define as part of an environment profile on this screen and any subsequent screens/windows are:
Field | Explanation |
---|---|
Environment ID |
You specify a descriptive name for the environment profile. |
Alias |
You can specify a one-character alias for the environment profile. An alias can be shared by multiple environment profiles. By specifying the same alias in several environment profiles, you can form groups of environments. For example, you can use aliases like: D - for all development environments, T - for all test environments, P - for all production environments. This will make the maintenance of environment profiles easier, because you can use the alias as selection criterion on the Environment Maintenance selection list to list all profiles which have the same alias. For Natural SAF Security the following applies: The alias is used in the external security system to define the resources related to the system-file combination of this environment. The rules defined for an alias in the external security system apply to all system-file combinations in whose environment profiles this alias is specified. |
General Options |
You specify by which system the environment is to be protected:
If both are set to "N", the environment profile is not active, that is, it is treated as if it were not defined. |
System Files |
You define the environment by specifying the database IDs and file number of each system file (FUSER, FDIC, FSEC, FNAT). This combination of system files identifies the environment, and must be unique. Once entered, the values of these fields cannot be changed. If you press PF9 on the main environment profile screen, a window will be displayed showing the system-file combination of your current Natural session. In the window, you can mark with any character the system files you wish to be part of the environment whose profile you are creating. |
If you either mark the field Additional Options with "Y" or press PF4, a window will be displayed from which you can select the following options:
Maintenance Information
Security Notes
Owners
Session Options
The options for which something has already been specified or defined are marked with a plus sign (+).
You can select one or more items from the window by marking them with any character. For each item selected, an additional window will be displayed:
Additional Option | Explanation |
---|---|
Maintenance Information (display only) | The following information is displayed:
|
Security Notes | You may enter your notes on the security profile. |
Owners | You may enter up to eight IDs of administrators. Only the
administrators specified here will be allowed to maintain this environment
security profile or allow/disallow users' access to it. If no owner is
specified, any user of type "Administrator" may do so.
For each owner, the number of co-owners whose countersignatures will be required for maintenance/link permission may optionally be specified in the field after the ID. For an explanation of owners and co-owners, see the section Countersignatures. |
Session Options | |
TEST Command | With this option, you can control the use of the Natural system
command TEST in the environment. Possible values
are:
This option only applies to environments on mainframe computers. |
By default, when environment protection is active, access to a library is allowed in any environment. For individual environments, you can disallow access to a library.
When access to a library is disallowed in at least one environment, the fact that the library is "environment-protected" will be indicated in the library's security profile.
Two functions are available to disallow/allow environment-specific access to libraries:
an Environment Maintenance function to disallow/allow access to one or more libraries for one environment,
a Library Maintenance function to disallow/allow access to one library for one or more environments.
Both functions are described below.
To allow/disallow access to one more libraries for one environment:
On the Environment Maintenance selection list,
mark the environment you wish to protect with EP
.
A window will be displayed with the following fields:
Protect for users/libraries: Enter an "L".
Start value: You can enter a start value for the list of libraries to be displayed (as described in the section Finding Your Way in Natural Security)
Select only disallowed ones: If you select this option, the list of libraries to be displayed will only include those libraries for which access in the environment is currently disallowed.
The Disallow/Allow Libraries screen will be displayed, showing the list of libraries. The list can be scrolled as described in the section Finding Your Way In Natural Security.
On the list, you mark the libraries for which you wish to disallow/allow access in the environment. In the Co column, you may mark each library with one of the following function codes:
Code | Function |
---|---|
ED |
Disallow - The library cannot be accessed in that environment. |
EA
|
Allow - The library can be accessed in that environment. |
You can mark one or more libraries on the screen with a function code.
For each library marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each library.
To allow/disallow access to one library for one or more environments:
On the Library Maintenance selection list, mark
the desired library with function code EP
.
A window will be displayed in which you have the following options:
Option | Explanation | |
---|---|---|
Disallow/allow |
D = Access to the library is initially allowed for all environments, and you can disallow it for individual ones. A = Access to the library is initially disallowed for all environments, and you can allow it for individual ones. When you later invoke this function and change the value of this option, the "allowed/disallowed" status of all environments will be changed for this library. |
|
Sorted by environment ID / Sorted by alias |
By marking one of these two fields with a character, you can choose to have the list of environments to be displayed sorted by environment IDs or by aliases. The latter allows you to simultaneously allow/disallow access for all environments which have the same alias (see below). |
|
Start value |
In one of these two fields, you can enter a start value (as described in the section Finding Your Way in Natural Security) for the list of environments to be displayed. Depending on how the list is to be sorted, you can specify either the database ID / file number of the environments' FNAT system file or a one-character alias as start value. |
|
Select only disallowed/allowed ones | If you select this option, the list of environments to be displayed will only include - depending on the above option Disallow/allow - either those for which access is allowed or those for which it is disallowed. |
The Disallow/Allow Environments screen will be displayed, showing the list of environments. For each environment, either its system-file combination (database IDs and file numbers of system files FUSER, FDIC, FSEC and FNAT) or its ID is displayed; with PF4 you can switch between the two displays. It addition, each environment profile's alias (AL) and protection status (P) are displayed.
The list can be scrolled as described in the section Finding Your Way In Natural Security.
On the list, you mark the environments for which you wish disallow/allow access to the library. In the Co column, you may mark each environment with one of the following function codes:
Code | Function |
---|---|
ED |
Disallow - The library cannot be accessed in that environment. |
EA
|
Allow - The library can be accessed in that environment. |
You can mark one or more environments with a function code.
For each environment marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each environment.
If the list is sorted by alias, you do not mark individual environments. Instead, you mark an alias, and the selected function will be applied to all environments which have that alias.
By default, when environment protection is active, access to an environment is allowed for all users. For individual users you can disallow access to an environment.
Access to an environment can only be allowed/disallowed for users of types "Group", "Administrator" and "Person". For users of types "Administrator" and "Person" it can be allowed/disallowed either directly or via a "Group". For users of types "Member" and "Terminal", it can only be allowed/disallowed for the "Group" to which they are assigned.
When access to at least one environment is disallowed for a user, the session option Environment Protection in the user's security profile is automatically to "Y".
Two functions are available to disallow/allow users' access to environments:
an Environment Maintenance function to disallow/allow access of one or more users to one environment,
a User Maintenance function to disallow/allow access of one user to one or more environments.
Both functions are described below.
To protect an environment for one or more users:
On the Environment Maintenance selection list,
mark the environment you wish to protect with EP
.
A window will be displayed with the following fields:
Protect for users/libraries: Enter a "U".
Start value: You can enter a start value for the list of users to be displayed (as described in the section Finding Your Way in Natural Security).
Select only disallowed ones: If you select this option, the list of users to be displayed will only include those users for whom access to the environment is currently disallowed.
The Disallow/Allow Users screen will be displayed, showing the list of users.
By default, it contains only users of type Group. To switch between a list of Groups and a list of all three user types, you press PF5.
The list can be scrolled as described in the section Finding Your Way In Natural Security.
On the list, you mark the users for whom you wish to disallow/allow access to the environment. In the Co column, you may mark each user with one of the following function codes:
Code | Function |
---|---|
ED |
Disallow - The user cannot access the environment. |
EA
|
Allow - The user may access the environment. |
You can mark one or more users on the screen with a function code.
For each user marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each user.
To protect one or more environments for a user:
On the User Maintenance selection list, mark
the user for whom you wish to protect environments with function code
EP
.
A window will be displayed providing the following options:
Start value: You can enter a start value for the list of environments to be displayed (as described in the section Finding Your Way in Natural Security); as start value, you use the database ID / file number of the environments' FNAT system file.
Select only disallowed environments: If you select this option, the list of environments to be displayed will only include those environments to which access is currently disallowed for the user.
The Disallow/Allow Environments screen will be displayed, showing the list of environments. For each environment, either its system-file combination (database IDs and file numbers of system files FUSER, FDIC, FSEC and FNAT) or its ID is displayed; with PF4 you can switch between the two displays. It addition, each environment profile's alias (AL) and protection status (P) are displayed.
The list can be scrolled as described in the section Finding Your Way In Natural Security.
On the list, you mark the environments the access to which you wish to disallow/allow for the user. In the Co column, you may mark each environment with one of the following function codes:
Code | Function |
---|---|
ED |
Disallow - The user cannot access the environment. |
EA |
Allow - The user may access the environment. |
You can mark one or more environments on the screen with a function code.
For each environment marked, the selected functions will then be executed one after another. When processing is completed, a message will indicate the access situation now in effect for each environment.