TAA Tools
SECOFR2         SECURITY OFFICER NBR 2 MENU            TAASEDB

The Security Officer  Nbr 2 tool  provides a simple menu  for Assistant
Security  Officers  and Departmental  Security  Officers.   To  use the
options  on  the menu,  the user  must  be authorized  to authorization
lists (See later discussion).

The  Assistant  Security   Officer  can  access   all  options  he   is
authorized to.

If  you want  a Departmental  Security Officer  concept, see  the later
discussion.

The  SECOFR2 menu itself is controlled  by the TAASECOFR2 authorization
list.  This  is shipped  as *PUBLIC  *EXCLUDE.  An  option exists  when
authorizing  users  to  the  TAASECOFR2 authorization  list  that  will
require a  user to enter his password each time  the menu is used.  See
the later  discussion  of  'Checking  the  current  user'  for  how  to
authorize users to be able  to see the menu.  Each menu  option is also
controlled by a unique authorization list.

The menu is accessed by:

           GO    SECOFR2

The menu offers the following options:

  1.   Display user  profile.  The  DSPUSRPRF2 TAA Tool  command prompt
       appears.   This  is a simple  front end to  the system DSPUSRPRF
       command, but  allows  the user  to display  any  profile.   The
       user must  be authorized  to the TAADSPUSR2  authorization list.

  2.   Initialize  user profile.   The  INZPWD TAA Tool  command prompt
       appears.  This allows the  password to be initialized to  either
       the user profile name  or a random value.   This is intended for
       users who forget their password.

       If  INZPWD is used,  the user is  forced to change  his password
       when he signs  on.  QSECOFR  cannot be changed.   The user  must
       be  authorized to  the  TAAINZPWD authorization  list.   If  the
       user does  not have *ALLOBJ authority, any  profile with *ALLOBJ
       or  *SERVICE  cannot  be  changed.    The  Security  Officer can
       specify other  profiles  that  cannot be  initialized  by  using
       EDTCONARR for the data area INZPWD in TAASECURE.

       This option may  be removed from the menu.   See the INZPWD tool
       documentation for how to remove it so that only INZPWD2 may be used.

  3.   Initialize  user  profile  2.    The  INZPWD2  TAA Tool  command
       prompt appears.  This allows  the password to be initialized  to
       a random  value.   The completion  message describes  the value.
       This is intended for users who forget their password.

       The  function is  similar to  INZPWD,  but forces  the use  of a
       random password.

       This option may be removed from  the menu.  See the INZPWD  tool
       documentation for how to remove it so that only INZPWD may be used.

  4.   Enable user  profile.   The  ENAUSRPRF TAA  Tool command  prompt
       appears.   This  allows a  disabled profile  to  be reset.   The
       user must be authorized to the TAAENAUSR authorization list.

  5.   Disable  user profile.   The  DSAUSRPRF command  prompt appears.
       The user is  allowed to disable a  user profile.  The  user must
       be authorized to the TAADSAPRF authorization list.

       QSECOFR cannot  be disabled.   The Security Officer  can specify
       other  profiles that cannot  be disabled by  using EDTCONARR for
       the data area DSAUSRPRF in TAASECURE.

  6.   Change user profile 2.   The CHGUSRPRF2 command prompt  appears.
       The  user must  be authorized  to  the TAACHGPRF2  authorization
       list.   The Security Officer controls  what parameters are valid
       to  be  changed.    The  other  parameters  can  be   optionally
       displayed.   The system  has built-in  restrictions relative  to
       changes  to  the  GRPPRF  or  SUPGRPPRF  parameters.    See  the
       instructions with CHGUSRPRF2.

  7.   Copy  user profile  2.   The CPYUSRPRF2  command prompt appears.
       The user  must  be authorized  to the  TAACPYUSR2  authorization
       list.   This  allows  an  authorized user  to  duplicate a  user
       profile  without  being the  Security  Officer.   By  default, a
       profile containing  any special  authorities (such  as  *JOBCTL)
       cannot be  duplicated.   See the tool  documentation for  how to
       allow  a user  profile that contains  special authorities  to be
       copied.

  8.   Delete user profile 2.   The DLTUSRPRF2 command prompt  appears.
       The  user must  be authorized  to  the TAADLTUSR2  authorization
       list.   This allows an authorized user to  delete a user profile
       without  being the Security Officer.   Critical profiles such as
       QSECOFR or QSRV cannot be deleted.

  9.   Vary device  on.   The  user must  have  either *JOBCTL  special
       authority  or  be  authorized  to  the  TAAVRYCFG  authorization
       list.   If  *JOBCTL exists,  the VRYCFG command  prompt appears.
       If the  user does not  have *JOBCTL,  but is  authorized to  the
       TAAVRYCFG  authorization list,  the VRYCFG2  TAA command  prompt
       appears.   The prompts are controlled so  that the user can only
       vary on a device description.

  10.  Vary device  off.   The user  must have  either *JOBCTL  special
       authority  or  be authorized  to  the  TAAVRYCFGO  authorization
       list.   The  VRYCFGOFF command  prompt appears.   The  prompt is
       controlled  so  that  the  user  can  only  vary  off  a  device
       description.

Checking the current user
-------------------------

In some environments,  the device  to be used  is in  an open area  and
only  the normal user  at the  device should  be authorized  to certain
menu options.

An  option with the  TAASECOFR2 authorization list exists  to assist in
controlling this situation.   The  default for  the authorization  list
is the  *PUBLIC user has  *EXCLUDE authority.   This prevents  any user
from accessing the menu.

  **   If  the  user  (or *PUBLIC)  has  *USE  authority,  the user  is
       forced to  enter  his password  before  the menu  is  displayed.
       The CHKPWD command  is prompted for.   This would be  a solution
       for devices that are in an open area.

  **   If the  user (or *PUBLIC)  has *CHANGE authority  to TAASECOFR2,
       the  menu is displayed  without any password  check.  This would
       be a solution for devices that are in a controlled area.

Departmental Security Officer Concept
-------------------------------------

The default for all of the  tools on the menu is that the user  must be
authorized to  a TAA authorization list.   The 'Vary on  device' option
may also be used by a *JOBCTL special authority user.

If the  user is authorized to one or  more of the user profile options,
any user  profile may  be operated  on with  certain  exceptions.   For
example,  a  tool  like  INZPWD  prevents  certain  profiles  (such  as
QSECOFR)  and  allows for  a  list of  additional  user  profiles which
cannot be initialized.

The default  is intended  to  allow an  assistant security  officer  to
handle the everyday functions of a Security Officer.

Departmental security
---------------------

You may  set up an  environment for  a 'Departmental Security  Officer'
in which  multiple  assistant  Security  Officers  exist,  each managing
a  separate set  of user  profiles.   A  'Departmental Security
Officer' can  only manage  the user profiles  under his  control.   You
can combine the  function of a 'Departmental Security  Officer' as well
as  having  an assistant  security  officer  who can  control  any user
profile  (existing  restrictions   such  as   with  INZPWD  are   still
honored).

The following rules exist:

  **   If the  TAADPTSEC authorization  list exists,  the user  must be
       authorized  to  the appropriate  TAAxxx  authorization  list for
       the desired SECOFR2 function and have one of the following:

         --   Have all  rights (typical  of an  owner) to  any  profile
              named  on   the  command   prompt.     For  example,   to
              initialize a  password, the user must have  all rights to
              the profile to be initialized.

         --   *USE  authority  to  the  TAADPTSEC  authorization  list.
              This concept  allows  an assistant  security officer  who
              can cross departmental boundaries.

Any existing restrictions  with the sub tools such  as INZPWD are still
honored.

To provide for a Departmental Security Officer, do the following:

  1.   Use  the  TAA  Tool  command  CRTDPTSEC  (no parameters  exist).
       This will create  the TAADPTSEC  authorization list.   You  must
       have *ALLOBJ special authority to use CRTDPTSEC.

  2.   Change the  ownership of the user  profiles of all  profiles for
       a given  set of users to be  owned by each Departmental Security
       Officer.

       A typical command would be:

               CHGOBJOWN   OBJ(USER1) OBJTYPE(*USRPRF)
                             NEWOWN(xxx)

To provide  for  an  Assistant  Security Officer  who  can  manage  any
profile  regardless  of ownership,  authorize  the  Assistant  Security
Officer to the TAADPTSEC authorization list such as:

             EDTAUTL   AUTL(TAADPTSEC)

When  the display appears,  enter the  Assistant Security  Officer name
and  specify *USE  authority.  Existing  restrictions such  as with the
INZPWD tool will still exist.

Note that any user  with *ALLOBJ authority is implicitly  authorized to
TAADPTSEC.
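The following CL program is an added example (not TAA Tools code) that carries out the Departmental Security setup above and the TAASECOFR2 menu authorization from 'Checking the current user' without the interactive EDTAUTL display. The profile names DPTOFR1, ASSTSEC, USER1 and USER2 are constructed for the example, the TAA command library is assumed to be in the library list, and *USE is assumed to be a sufficient level for the per-option TAA lists (the text does not state the level).

```cl
/* Added example, not part of TAA Tools.  Sets up one Departmental    */
/* Security Officer (DPTOFR1) and one Assistant Security Officer      */
/* (ASSTSEC).  All profile names are constructed.  Run as a user     */
/* with *ALLOBJ special authority, with the TAA library in *LIBL.    */
             PGM

   /* 1. Create TAADPTSEC once.  CPF9801 is 'object not found', so   */
   /*    CRTDPTSEC (no parameters) runs only when the list is absent. */
             CHKOBJ     OBJ(QSYS/TAADPTSEC) OBJTYPE(*AUTL)
             MONMSG     MSGID(CPF9801) EXEC(CRTDPTSEC)

   /* 2. A Departmental Security Officer may only manage profiles he  */
   /*    owns, so make DPTOFR1 the owner of his department's          */
   /*    profiles.  CUROWNAUT(*REVOKE) (the default) removes the      */
   /*    previous owner's private authority to each profile.          */
             CHGOBJOWN  OBJ(QSYS/USER1) OBJTYPE(*USRPRF) +
                          NEWOWN(DPTOFR1) CUROWNAUT(*REVOKE)
             CHGOBJOWN  OBJ(QSYS/USER2) OBJTYPE(*USRPRF) +
                          NEWOWN(DPTOFR1) CUROWNAUT(*REVOKE)

   /* 3. Ownership alone is not enough: each SECOFR2 option still     */
   /*    needs its own TAA list, e.g. TAAINZPWD for option 2.         */
   /*    (*USE assumed sufficient; the documentation gives no level.) */
             ADDAUTLE   AUTL(TAAINZPWD) USER(DPTOFR1) AUT(*USE)

   /* 4. An Assistant Security Officer crosses departmental           */
   /*    boundaries by holding *USE to TAADPTSEC (same effect as the  */
   /*    EDTAUTL entry described in the text).                        */
             ADDAUTLE   AUTL(TAADPTSEC) USER(ASSTSEC) AUT(*USE)
             ADDAUTLE   AUTL(TAAINZPWD) USER(ASSTSEC) AUT(*USE)

   /* 5. Menu access.  *USE to TAASECOFR2 forces a CHKPWD prompt     */
   /*    (open-area device); *CHANGE shows the menu with no password  */
   /*    check (controlled-area device).                              */
             ADDAUTLE   AUTL(TAASECOFR2) USER(DPTOFR1) AUT(*USE)
             ADDAUTLE   AUTL(TAASECOFR2) USER(ASSTSEC) AUT(*CHANGE)

   /* 6. Review the result: who can cross departments, and who owns  */
   /*    USER1.  Any *ALLOBJ user is implicitly on TAADPTSEC and will */
   /*    not appear in the DSPAUTL output.                            */
             DSPAUTL    AUTL(TAADPTSEC)
             DSPOBJAUT  OBJ(QSYS/USER1) OBJTYPE(*USRPRF)

             ENDPGM
```

Deleting TAADPTSEC afterwards (DLTAUTL, as described above) does not undo the ownership changes; DPTOFR1 simply becomes an Assistant Security Officer able to operate on any profile the per-option lists allow.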

If you  have set  up for  Departmental Security and  want to  return to
normal  SECOFR2  security,  just  delete  the  TAADPTSEC  authorization
list.

              DLTAUTL   AUTL(TAADPTSEC)

Note that this will cause  any existing Departmental Security  Officers
to become Assistant Security Officers.

CRTDPTSEC Command                                     *CMD
-----------------

The command  has no  parameters.   It is used  to create  the TAADPTSEC
authorization  list to allow  for Departmental  Security.  The  user of
the command must have *ALLOBJ special authority.

Restrictions
------------

See  the   discussion  of   the   TAADPTSEC  authorization   list   for
Departmental Security.

Prerequisites
-------------

The following TAA Tools must be on your system:

     CHGUSRPRF2   Change user profile nbr 2
     CHKALLOBJ    Check *ALLOBJ special authority
     CPYUSRPRF2   Copy user profile nbr 2
     DLTUSRPRF2   Delete user profile nbr 2
     DSAUSRPRF    Disable user profile
     DSPERRMSG    Display error message
     DSPUSRPRF2   Display user profile nbr 2
     ENAUSRPRF    Enable user profile
     FMTLIN       Format line
     INZPWD       Initialize password
     VRYCFGOFF    Vary configuration off
     VRYCFG2      Vary configuration 2

Implementation
--------------

The tool  is  ready to  use, but  the user  must be  authorized to  the
commands which are performed by the options.

  **   DSAUSRPRF.     The  TAA  Tool  command  is   controlled  by  the
       TAADSAPRF authorization list.

  **   DSPUSRPRF2.     The  TAA  Tool  command  is  controlled  by  the
       TAADSPUSR2 authorization list.

  **   INZPWD.  The TAA  Tool commands are controlled by  the TAAINZPWD
       authorization list.

  **   ENAUSRPRF.     The  TAA  Tool  command  is   controlled  by  the
       TAAENAUSR authorization list.

  **   CHGUSRPRF2.     The  TAA  Tool  command  is  controlled  by  the
       TAACHGPRF2 authorization list.

  **   CPYUSRPRF2.    The  TAA  Tool  command  is  controlled  by   the
       TAACPYUSR2 authorization list.

  **   DLTUSRPRF2.    The  TAA  Tool   command  is  controlled  by  the
       TAADLTUSR2 authorization list.

  **   VRYCFG.   The system command is  shipped with *PUBLIC authority.
       However, the user  must have  the special  authority *JOBCTL  or
       be authorized  to the TAAVRYCFG  authorization list.   Selective
       prompting  is used to  control what  parameters are valid  to be
       entered  from  the menu  option.   The user  is only  allowed to
       'vary on' a device.

  **   VRYCFGOFF.   The TAA  command  is controlled  by the  TAAVRYCFGO
       authorization list.

To set up Departmental Security, see the previous discussion.

Objects used by the tool
------------------------

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   SECOFR2       *MENU
   CRTDPTSEC     *CMD       CLP         TAASEDB2      QATTCMD
   TAASEDBC      *PGM       CLP         TAASEDBC      QATTCL
   TAASEDBC2     *PGM       CLP         TAASEDBC2     QATTCL
   TAASEDBC3     *PGM       CLP         TAASEDBC3     QATTCL
   TAASEDBD      *FILE      DSPF        TAASEDBD      QATTDDS
*  TAADPTSEC     *AUTL

The TAADPTSEC  authorization list is not  shipped.  Create  it with the
CRTDPTSEC command if required.

The  TAASEDBC3   program  adopts  authority  to  access  the  INZPWD  values  from
TAASECURE.

Added to TAA Productivity tools May 1, 1996

