TAA Tools
SECOFR2         SECURITY OFFICER NBR 2 MENU            TAASEDB

The Security Officer  Nbr 2 tool  provides a simple menu  for Assistant
Security  Officers  and Departmental  Security  Officers.   To  use the
options  on  the menu,  the user  must  be authorized  to the
authorization list that controls each option (see the later discussion).

The  Assistant  Security   Officer  can  access   all  options  he   is
authorized to.

If  you want  a Departmental  Security Officer  concept, see  the later
discussion.

The  SECOFR2 menu itself is controlled  by the TAASECOFR2 authorization
list, which is  shipped  as *PUBLIC  *EXCLUDE.  When  authorizing users
to  the  TAASECOFR2  authorization  list, you can  choose an  authority
that requires the  user to enter his password each time  the menu is
used.  See the later  discussion  of  'Checking  the  current  user'
for  how  to authorize users to be able  to see the menu.  Each menu
option is also controlled by its own authorization list.

The menu is accessed by:

           GO    SECOFR2

The menu offers the following options:

  1.   Display user  profile.  The  DSPUSRPRF2 TAA Tool  command prompt
       appears.   This  is a simple  front end to  the system DSPUSRPRF
       command, but  allows  the user  to display  any  profile.   The
       user must  be authorized  to the TAADSPUSR2  authorization list.

  2.   Initialize  user profile.   The  INZPWD TAA Tool  command prompt
       appears.  This allows the  password to be initialized to  either
       the user profile name  or a random value.   This is intended for
       users who forget their password.

       If  INZPWD is used,  the user is  forced to change  his password
       when he signs  on.  The QSECOFR profile cannot be initialized.
       The user  must be  authorized to  the  TAAINZPWD authorization
       list.   If  the user does  not have *ALLOBJ authority, any
       profile with *ALLOBJ or  *SERVICE  cannot  be  changed.    The
       Security  Officer can specify other  profiles  that  cannot be
       initialized  by  using EDTCONARR for the data area INZPWD in
       TAASECURE.

       This option may  be removed from the menu so that only INZPWD2
       (random password) may be used.  See the INZPWD tool
       documentation.

  3.   Initialize  user  profile  2.    The  INZPWD2  TAA Tool  command
       prompt appears.  This allows  the password to be initialized  to
       a random  value.   The completion  message describes  the value.
       This is intended for users who forget their password.

       The  function is  similar to  INZPWD,  but forces  the use  of a
       random password.

       This option may be removed from  the menu so that only INZPWD
       may be used.  See the INZPWD  tool documentation.

  4.   Enable user  profile.   The  ENAUSRPRF TAA  Tool command  prompt
       appears.   This  allows a  disabled profile  to  be reset.   The
       user must be authorized to the TAAENAUSR authorization list.

  5.   Disable  user profile.   The  DSAUSRPRF command  prompt appears.
       The user is  allowed to disable a  user profile.  The  user must
       be authorized to the TAADSAPRF authorization list.

       QSECOFR cannot  be disabled.   The Security Officer  can specify
       other  profiles that cannot  be disabled by  using EDTCONARR for
       the data area DSAUSRPRF in TAASECURE.

  6.   Change user profile 2.   The CHGUSRPRF2 command prompt  appears.
       The  user must  be authorized  to  the TAACHGPRF2  authorization
       list.   The Security Officer controls  what parameters are valid
       to  be  changed.    The  other  parameters  can  be   optionally
       displayed.   The system  has built  in restrictions relative  to
       changes  to  the  GRPPRF  or  SUPGRPPRF  parameters.    See  the
       instructions with CHGUSRPRF2.

  7.   Copy  user profile  2.   The CPYUSRPRF2  command prompt appears.
       The user  must  be authorized  to the  TAACPYUSR2  authorization
       list.   This  allows  an  authorized user  to  duplicate a  user
       profile  without  being the  Security  Officer.   By  default, a
       profile containing  any special  authorities (such  as  *JOBCTL)
       cannot be  duplicated.   See the tool  documentation for  how to
       allow  a user  profile that contains  special authorities  to be
       copied.

       The presentation  of  the  PWDEXP and  CHGOWN  keywords  of  the
       CPYUSRPRF2  command  can  be controlled  by  the  PMTPWDEXP  and
       PMTCHGOWN  keys of  the  CPYUSRPRF2 application  value  found in
       TAASECURE.    Use EDTAPPVAL  TAASECURE/CPYUSRPRF2 to  modify the
       settings.  The  default is to prompt  for both of these  command
       keywords.

  8.   Delete user  profile 2.  The DLTUSRPRF2  command prompt appears.
       The  user  must be  authorized to  the  TAADLTUSR2 authorization
       list.  This allows an  authorized user to delete a user  profile
       without being the  Security Officer.  Critical  profiles such as
       QSECOFR or QSRV cannot be deleted.

  9.   Vary  device on.    The user  must either have  *JOBCTL special
       authority  or  be  authorized  to  the  TAAVRYCFG  authorization
       list.   If *JOBCTL  exists, the  VRYCFG command prompt  appears.
       If  the user  does not have  *JOBCTL, but  is authorized  to the
       TAAVRYCFG  authorization  list, the  VRYCFG2 TAA  command prompt
       appears.  The prompts are  controlled so that the user  can only
       vary on a device description.

  10.  Vary  device off.   The  user must either have  *JOBCTL special
       authority  or  be  authorized  to  the  TAAVRYCFGO authorization
       list.   The VRYCFGOFF  command prompt  appears.   The prompt  is
       controlled  so  that  the  user  can  only  vary  off  a  device
       description.

Checking the current user
-------------------------

In  some environments, the  device to  be used is  in an open  area and
only the normal  user at  the device  should be  authorized to  certain
menu options.

An option with  the TAASECOFR2 authorization  list exists to  assist in
controlling  this situation.   The default  for the  authorization list
is  *PUBLIC  *EXCLUDE,  which  prevents any user  from  accessing  the
menu.  The authority  granted to a user (or  to *PUBLIC) on TAASECOFR2
selects the behavior:

  1.   If  the user  (or  *PUBLIC)  has  *USE authority,  the  user  is
       forced  to enter  his  password before  the  menu is  displayed
       (the CHKPWD command is prompted).  This is the  solution  for
       devices that are in an open area.

  2.   If the user  (or *PUBLIC) has  *CHANGE authority to  TAASECOFR2,
       the menu  is displayed without any  password check.   This is
       the solution for devices that are in a controlled area.

Note that granting  *PUBLIC either authority  lets every signed-on user
see the menu.   Each option is still  gated by its  own  authorization
list, so seeing the menu does not by itself allow any function.

Departmental Security Officer Concept
-------------------------------------

The default  for all of the tools on the menu  is that the user must be
authorized to a TAA  authorization list.  The  'Vary on device'  option
may also be used by a *JOBCTL special authority user.

If the user is authorized  to one or more of the  user profile options,
any  user profile  may be  operated on  with  certain exceptions.   For
example,  a  tool  like  INZPWD  prevents  certain  profiles  (such  as
QSECOFR) and  allows  for  a list  of  additional user  profiles  which
cannot be initialized.

The  default is  intended to  allow  an assistant  security officer  to
handle the everyday functions of a Security Officer.

Departmental security
---------------------

You  may set  up an environment  for a  'Departmental Security Officer'
where  multiple  assistant  Security  Officers  exist  where  each  can
manage  a separate  set of  user  profiles.   A 'Departmental  Security
Officer'  can only  manage the  user profiles under  his control.   You
can combine the function of  a 'Departmental Security Officer' as  well
as  having an  assistant  security officer  who  can control  any  user
profile   (existing  restrictions  such   as  with  INZPWD   are  still
honored).

The following rules exist:

  1.   If  the TAADPTSEC  authorization list  exists, the  user must be
       authorized  to the  appropriate  TAAxxx authorization  list  for
       the desired  SECOFR2 function  and must  also have  one of  the
       following:

         --   All rights  (typical of  an owner)  to  any profile named
              on  the   command  prompt.     For   example,  to
              initialize a password, the user  must have all rights  to
              the profile to be initialized.

         --   *USE  authority  to  the  TAADPTSEC  authorization  list.
              This  allows  an  assistant security  officer to cross
              departmental boundaries.

Any existing restrictions with the sub  tools such as INZPWD are  still
honored.

To provide for a Departmental Security Officer, do the following:

  1.   Use  the  TAA  Tool command  CRTDPTSEC  (no  parameters  exist).
       This  will create the  TAADPTSEC authorization  list.   You must
       have *ALLOBJ special authority to use CRTDPTSEC.

  2.   Change  the ownership of  the user profiles  for each set of
       users so  that they are  owned by the  Departmental Security
       Officer responsible for that set.

       A typical command would be:

               CHGOBJOWN   OBJ(USER1) OBJTYPE(*USRPRF)
                             NEWOWN(xxx)

To  provide  for an  Assistant  Security  Officer  who can  manage  any
profile  regardless  of  ownership,  authorize  the  Assistant Security
Officer to the TAADPTSEC authorization list such as:

             EDTAUTL   AUTL(TAADPTSEC)

When the display  appears, enter  the Assistant  Security Officer  name
and specify  *USE authority.   Existing restrictions  such as  with the
INZPWD tool will still exist.

Note that  any user with *ALLOBJ authority  is implicitly authorized to
TAADPTSEC.

If you have  set up  for Departmental Security  and want  to return  to
normal  SECOFR2  security,  just  delete  the  TAADPTSEC  authorization
list.

              DLTAUTL   AUTL(TAADPTSEC)

Note that  this will cause any existing  Departmental Security Officers
to become Assistant Security Officers.
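The set-up described under 'Checking the current user' and in the
Departmental Security Officer steps above (and the per-option
authorization lists repeated under 'Implementation' below), carried
through as one CL program.  This is an added example, not part of the
TAA Tools shipped source.  The profile names DPTSEC1, DPTSEC2, ASSTSEC
and USER1 through USER4 are invented for the example, and granting
*USE on the per-option TAAxxx lists is an assumption: the tool text
says only that the user must be "authorized" to each list.

```cl
/* SECDPTSET - example set-up for SECOFR2 departmental security.      */
/* Added example, not TAA Tools source.  Run from a profile with       */
/* *ALLOBJ (CRTDPTSEC requires it).  Assumes TAADPTSEC does not exist  */
/* yet and that none of the users are already on the lists (ADDAUTLE   */
/* fails for an existing entry; use CHGAUTLE in that case).  Names     */
/* DPTSEC1, DPTSEC2, ASSTSEC and USER1-USER4 are invented.             */
             PGM

/* 1. Create TAADPTSEC.  Its existence is what switches SECOFR2 from   */
/*    "any profile" mode into departmental mode.                       */
             CRTDPTSEC

/* 2. Hand each department's profiles to its Departmental Security     */
/*    Officer.  Ownership gives the "all rights" that lets that officer */
/*    name the profile on the INZPWD/DSAUSRPRF/... prompts.            */
/*    CUROWNAUT(*REVOKE) removes the previous owner's private authority */
/*    so it does not linger on the profile.                            */
             CHGOBJOWN  OBJ(USER1) OBJTYPE(*USRPRF) NEWOWN(DPTSEC1) +
                          CUROWNAUT(*REVOKE)
             CHGOBJOWN  OBJ(USER2) OBJTYPE(*USRPRF) NEWOWN(DPTSEC1) +
                          CUROWNAUT(*REVOKE)
             CHGOBJOWN  OBJ(USER3) OBJTYPE(*USRPRF) NEWOWN(DPTSEC2) +
                          CUROWNAUT(*REVOKE)
             CHGOBJOWN  OBJ(USER4) OBJTYPE(*USRPRF) NEWOWN(DPTSEC2) +
                          CUROWNAUT(*REVOKE)

/* 3. The Assistant Security Officer crosses departments: *USE on      */
/*    TAADPTSEC.  *ALLOBJ users are implicitly authorized and need no   */
/*    entry.  The departmental officers are deliberately NOT added.    */
             ADDAUTLE   AUTL(TAADPTSEC) USER(ASSTSEC) AUT(*USE)

/* 4. Menu access.  *USE forces a CHKPWD password prompt each time the */
/*    menu is shown (open-area devices); *CHANGE shows the menu with   */
/*    no prompt (controlled area).  *PUBLIC stays *EXCLUDE as shipped. */
             ADDAUTLE   AUTL(TAASECOFR2) USER(DPTSEC1 DPTSEC2) AUT(*USE)
             ADDAUTLE   AUTL(TAASECOFR2) USER(ASSTSEC) AUT(*CHANGE)

/* 5. Per-option lists.  A user who is not on an option's list cannot  */
/*    run that option even though the menu displays.  *USE is assumed  */
/*    to be sufficient.  INZPWD's own restrictions (QSECOFR, *ALLOBJ   */
/*    and *SERVICE profiles, the TAASECURE/INZPWD list) still apply.   */
             ADDAUTLE   AUTL(TAADSPUSR2) USER(DPTSEC1 DPTSEC2 ASSTSEC) +
                          AUT(*USE)
             ADDAUTLE   AUTL(TAAINZPWD)  USER(DPTSEC1 DPTSEC2 ASSTSEC) +
                          AUT(*USE)
             ADDAUTLE   AUTL(TAAENAUSR)  USER(DPTSEC1 DPTSEC2 ASSTSEC) +
                          AUT(*USE)
             ADDAUTLE   AUTL(TAADSAPRF)  USER(DPTSEC1 DPTSEC2 ASSTSEC) +
                          AUT(*USE)
             ADDAUTLE   AUTL(TAACHGPRF2) USER(DPTSEC1 DPTSEC2 ASSTSEC) +
                          AUT(*USE)

/* 6. Verify: who is on each list, and who now owns a profile.         */
             DSPAUTL    AUTL(TAADPTSEC)
             DSPAUTL    AUTL(TAASECOFR2)
             DSPOBJAUT  OBJ(USER1) OBJTYPE(*USRPRF)
             ENDPGM
```

With this in place DPTSEC1 can initialize or disable USER1 and USER2
but is rejected for USER3 and USER4 (owned by DPTSEC2), while ASSTSEC
can act on all four because of the *USE entry on TAADPTSEC.  Deleting
TAADPTSEC with DLTAUTL, as described above, drops the ownership test and
both departmental officers immediately become Assistant Security
Officers for every profile, so treat that command as a privilege
change, not a clean-up.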

CRTDPTSEC Command                                     *CMD
-----------------

The  command has  no parameters.   It is  used to  create the TAADPTSEC
authorization list  to allow for  Departmental Security.   The user  of
the command must have *ALLOBJ special authority.

Restrictions
------------

See   the  discussion   of   the  TAADPTSEC   authorization  list   for
Departmental Security.

Prerequisites
-------------

The following TAA Tools must be on your system:

     CHGUSRPRF2   Change user profile nbr 2
     CHKALLOBJ    Check *ALLOBJ special authority
     CPYUSRPRF2   Copy user profile nbr 2
     DLTUSRPRF2   Delete user profile nbr 2
     DSAUSRPRF    Disable user profile
     DSPERRMSG    Display error message
     DSPUSRPRF2   Display user profile nbr 2
     ENAUSRPRF    Enable user profile
     FMTLIN       Format line
     INZPWD       Initialize password
     VRYCFGOFF    Vary configuration off
     VRYCFG2      Vary configuration 2

Implementation
--------------

The  tool is  ready to  use,  but the  user must  be authorized  to the
commands which are performed by the options.

  **   DSAUSRPRF.    The  TAA  Tool   command  is  controlled  by   the
       TAADSAPRF authorization list.

  **   DSPUSRPRF2.    The  TAA  Tool   command  is  controlled  by  the
       TAADSPUSR2 authorization list.

  **   INZPWD.   The TAA Tool commands are  controlled by the TAAINZPWD
       authorization list.

  **   ENAUSRPRF.    The  TAA  Tool   command  is  controlled  by   the
       TAAENAUSR authorization list.

  **   CHGUSRPRF2.    The  TAA  Tool  command   is  controlled  by  the
       TAACHGPRF2 authorization list.

  **   CPYUSRPRF2.    The  TAA   Tool  command  is  controlled  by  the
       TAACPYUSR2 authorization list.

  **   DLTUSRPRF2.     The  TAA  Tool  command  is  controlled  by  the
       TAADLTUSR2 authorization list.

  **   VRYCFG.  The system  command is shipped with *PUBLIC  authority.
       However,  the user must  have the  special authority  *JOBCTL or
       be  authorized to the  TAAVRYCFG authorization  list.  Selective
       prompting is used  to control  what parameters are  valid to  be
       entered  from the  menu option.   The  user is  only allowed  to
       'vary on' a device.

  **   VRYCFGOFF.   The  TAA command  is  controlled by  the TAAVRYCFGO
       authorization list.

To set up Departmental Security, see the previous discussion.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   SECOFR2       *MENU
   CRTDPTSEC     *CMD       CLP         TAASEDB2      QATTCMD
   TAASEDBC      *PGM       CLP         TAASEDBC      QATTCL
   TAASEDBC2     *PGM       CLP         TAASEDBC2     QATTCL
   TAASEDBC3     *PGM       CLP         TAASEDBC3     QATTCL
   TAASEDBD      *FILE      DSPF        TAASEDBD      QATTDDS
*  TAADPTSEC     *AUTL

The TAADPTSEC authorization list  is not shipped.   Create it with  the
CRTDPTSEC command if required.

The  TAASEDBC3  program  uses  adopted  authority  to  access   the
INZPWD  values from TAASECURE.

Added to TAA Productivity tools May 1, 1996

