Setting the System SECADMIN Option (??SECAD Command)

The ??SECAD primitive command enables you to

  • Protect the ability to control many aspects of system security.

  • Set or interrogate the value of the system SECADMIN option.

When this option is TRUE, the system software recognizes and enforces security-administrator status; that status is then said to be authorized.

Syntax

── ??SECAD ─┬───────────────────────────────────┬──────────────────────┤
            ├─ + ───────────────────────────────┤
            └─ - ─┬─────────────────────────────┤
                  └─<security administrator ID>─┘

The <security administrator ID> construct is the usercode and password of a user designated as SECADMIN in the USERDATAFILE.

Enter the usercode and password in the following form:

<usercode>/<password>

Explanation

The system SECADMIN option can have the value

  • TRUE (or SET) assigned by using the ??SECAD + command

  • FALSE (or RESET) assigned by using the ??SECAD - command

To interrogate the current value of the option, enter ??SECAD.

??SECAD +

When you enter the ??SECAD + command, the system verifies the

  • Existence of the USERDATAFILE

  • Number of security administrators it defines

The system then prompts the operator to verify that the intention is to assign the system SECADMIN option the value TRUE. If the response is positive, security-administrator status is authorized.

If the system SECADMIN option is TRUE but no usercode is assigned the SECADMIN usercode attribute in the USERDATAFILE, any privileged user or user with the USERDATA privilege can run MAKEUSER to alter all usercode attributes for all users in the USERDATAFILE.

When security-administrator status is authorized, Transaction Server does not allow PASS or ON commands through the ODT <mix#> SM command. The command is rejected and the following message is displayed:

COMS:SM PASS not allowed if Security Administrator is authorized

Security Administrator Capabilities

If the system SECADMIN option is TRUE, only a user running under a usercode designated as SECADMIN can perform the following operations, regardless of whether any usercode is designated SECADMIN in the USERDATAFILE:

  • Use the Menu-Assisted Resource Control (MARC) DIRECTIVE command.

  • Update an in-use Datacom Info File. This procedure requires both security-administrator status and privileged status.

  • Use certain system commands for any purpose other than interrogation. Commands that can interrogate the system, such as DL and LOGGING, are still valid.

If no usercode is designated as SECADMIN, no user can perform these operations.

The security administrator can use the following system commands:

  • ACCOUNTING

  • CF (Configuration File)

  • DL (Disk Location) with these options:

    • LOG

    • USERDATA

  • HU (Host Usercode)

  • ID (Initialize Data Comm) with these options:

    • The minus (-) option

    • A file name or file title (<file name> and optional <family name>)

  • LG (Log for Mix Number)

  • LOGGING (Logging Options)

  • MP (Mark Program) with these options:

    • COMPILER

    • EXECUTABLE

    • IDENTITY

    • KERBEROS

    • PU

    • SECADMIN

    • SERVICE

    • SYSADMIN

    • TASKING

    • All granulated privileges

  • MU (Make User)

  • REMOTESPO (Activate REMOTESPO) with the OK option

  • RESTRICT (Set Restrictions)

  • SECOPT (Security Options)

  • SL (Support Library)

  • SYSADMIN

The SETSTATUS calls related to these system commands are also limited to those usercodes or processes designated as SECADMIN.

Security Administrator Restrictions

When security-administrator status is required for these system commands, the commands

  • Cannot be entered directly at an ODT.

  • Can be entered through MARC during a session running under a usercode with security-administrator status.

  • Can be entered through a Data Comm ALGOL program using SETSTATUS or DCKEYIN and running with security-administrator status.

Additionally, if the system SECADMIN option is TRUE and the SECADMIN usercode attribute is TRUE for at least one usercode in the USERDATAFILE, security-administrator status is said to be enabled. In this situation, only a user running under a usercode with SECADMIN status can run SYSTEM/MAKEUSER or use the USERDATA interface to interrogate or modify the USERDATAFILE. Any user with the USERDATA granulated privilege can also use this function.
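The three states this page distinguishes (option FALSE, authorized, enabled) and their effect on MAKEUSER access and on the restricted commands are easy to misread, so the following is an added Python model of those rules for operators auditing a configuration. It is illustrative code written for this page, not MCP software; the User fields, the channel names ODT/MARC/PROGRAM and the treatment of the FALSE case as undefined are assumptions, and other MCP privilege checks are out of scope.

```python
"""Model of the SECADMIN option states described on this page: OFF, AUTHORIZED
(option TRUE) and ENABLED (option TRUE and at least one usercode carrying the
SECADMIN attribute). True means 'not blocked by the SECADMIN rules'."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Commands the page reserves to a SECADMIN usercode once the option is TRUE.
SECADMIN_COMMANDS = {"ACCOUNTING", "CF", "DL", "HU", "ID", "LG", "LOGGING", "MP",
                     "MU", "REMOTESPO", "RESTRICT", "SECOPT", "SL", "SYSADMIN"}
INTERROGATE_ONLY = {"DL", "LOGGING"}   # plain interrogation stays valid for everyone

@dataclass
class User:                             # assumed shape, not a USERDATAFILE record
    usercode: str
    secadmin: bool = False              # SECADMIN usercode attribute in the USERDATAFILE
    privileged: bool = False
    privileges: Set[str] = field(default_factory=set)   # granulated privileges

def secadmin_state(option_true: bool, users: List[User]) -> str:
    if not option_true:
        return "OFF"
    return "ENABLED" if any(u.secadmin for u in users) else "AUTHORIZED"

def is_restricted(cmd: str) -> bool:
    """DL and LOGGING alone only interrogate; with options they change state."""
    parts = cmd.split()
    if parts[0] not in SECADMIN_COMMANDS:
        return False
    return parts[0] not in INTERROGATE_ONLY or len(parts) > 1

def makeuser_allowed(option_true: bool, users: List[User], who: User) -> Optional[bool]:
    """SYSTEM/MAKEUSER or USERDATA interface; None when the option is FALSE (undefined here)."""
    state = secadmin_state(option_true, users)
    if state == "OFF":
        return None
    if state == "ENABLED":                # only SECADMIN usercodes plus USERDATA holders
        return who.secadmin or "USERDATA" in who.privileges
    # AUTHORIZED but nobody designated: any privileged user can rewrite the USERDATAFILE
    return who.privileged or "USERDATA" in who.privileges

def command_allowed(option_true: bool, users: List[User], who: User, cmd: str, via: str) -> bool:
    """via is 'ODT', 'MARC' or 'PROGRAM' (SETSTATUS/DCKEYIN under the user's status)."""
    if not option_true or not is_restricted(cmd):
        return True                       # SECADMIN rule does not apply to this command
    if via == "ODT":
        return False                      # restricted commands cannot be entered at an ODT
    return who.secadmin                   # none designated -> no user can run them
```

Running the model over a USERDATAFILE listing with the option TRUE but no SECADMIN usercode shows the gap the ??SECAD + section warns about: every privileged user keeps MAKEUSER access while the restricted commands are unusable by anyone.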