Three example groups of suggested usercode attribute values are given here. Each group corresponds to a level of system security. These recommendations are for usercode-centric systems, where each user is assigned a unique usercode. If you are using a shared usercode system, where each user is assigned an accesscode, substitute the accesscode user attributes where applicable.
Refer to the System Software Utilities Operations Reference Manual for detailed information.
The settings shown in USERDATAFILE Attribute Settings for No System Security are appropriate only when your primary concern is ensuring that every user has access to all files and system functions, and security is of no particular importance.
Table 17. USERDATAFILE Attribute Settings for No System Security

| Attributes | All Users |
|---|---|
| MINPW = 0 | Yes |
| PU | Yes |
| COMSCONTROL | Yes |
| SYSTEMUSER | Yes |
| CANDECONTROL | Yes |

The settings shown in USERDATAFILE Attribute Settings for Medium System Security are appropriate when system security is a concern, but there is a need for many users to have access to most system functions.
Table 18. USERDATAFILE Attribute Settings for Medium System Security

| Attributes | End Users, Application Programmers | System Programmers | System Administrators, Security Administrators |
|---|---|---|---|
| MAXPW | 1 | 1 | 1 |
| MFAREQUIRED | No | When required for trusted user | Yes |
| MFAPROTOCOL = <protocol> | No | When required for trusted user | Yes |
| MINPW | 1 | 1 | 1 |
| PU | No | Yes | Yes |
| SHOWFILES | Optional | No | No |
| SYSTEMUSER | No | When required for trusted user | Yes |
| COMSCONTROL | No | When required for trusted user | Yes |
| CANDECONTROL | No | When required for trusted user | Yes |

The settings shown in USERDATAFILE Attribute Settings for High System Security are appropriate when system security is important, and the need for security justifies restricting user access to some system functions.
Table 19. USERDATAFILE Attribute Settings for High System Security

| Attributes | End Users, Application Programmers | System Programmers, Database Administrators | Transaction Server Administrators | System Administrators, Security Administrators |
|---|---|---|---|---|
| MAXPW | 1 | 1 | 1 | 1 |
| MFAREQUIRED | No | Yes | Yes | Yes |
| MFAPROTOCOL | No | Yes | Yes | Yes |
| MINPW | 1 | 1 | 1 | 1 |
| PASSWORDAGING | Yes | Yes | Yes | Yes |
| DAYSACTIVE | 30 | 30 | 30 | 30 |
| DAYSWARNING | 15 | 15 | 15 | 15 |
| PU | No | Use granulated privileges when appropriate | No | Yes |
| SECADMIN | No | No | No | Yes |
| SYSTEMUSER | No | No | Yes | Yes |
| CANDECONTROL | No | No | Yes | No |
| COMSCONTROL | No | No | Yes | No |

For a system where a high level of security is necessary,
- Assign each usercode to only one user.
- Assign privileged-user or SYSTEMUSER status only to users who are trusted with the access privileges and power, and who require such privileges and power to do their jobs.
- Limit to a few trusted people the ability to change all usercode attributes of all users in the USERDATAFILE and to use security-relevant system commands.
- Use granulated privileges to limit privileged users.

It is strongly recommended that
- All usercodes be specified as PASSWORDAGING and that DAYSACTIVE is equal to 30 (or a smaller value).
- You use the SECADMIN designation, following the suggestions given in the SECADMIN description earlier in this section.
- You set MFAREQUIRED and MFAPROTOCOL to a valid protocol for any user with privileges.
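
An added example, not part of the original manual: a short Python audit that applies Table 19 and the recommendations above to user records. The record layout (plain dicts), the role keys and the sample usercodes are assumptions; `<protocol>` stands in for whatever MFA protocol the site uses.

```python
# Added example. The dict layout and role keys are assumptions made for this
# sketch; they are not a USERDATAFILE or MAKEUSER format.
PRIVILEGES = ("PU", "SECADMIN", "SYSTEMUSER", "CANDECONTROL", "COMSCONTROL")
# Privileges marked "Yes" in each Table 19 column.
ALLOWED = {
    "end_user": set(),
    "sys_programmer": set(),
    "ts_admin": {"SYSTEMUSER", "CANDECONTROL", "COMSCONTROL"},
    "sec_admin": {"PU", "SECADMIN", "SYSTEMUSER"},
}
# Cell that is neither Yes nor No: "Use granulated privileges when appropriate".
REVIEW = {("sys_programmer", "PU")}

def audit(user):
    """Return the findings for one user record; an empty list means compliant."""
    role, findings = user["role"], []
    held = {p for p in PRIVILEGES if user.get(p)}
    for priv in sorted(held - ALLOWED[role]):
        if (role, priv) in REVIEW:
            findings.append(f"{priv}: review, prefer granulated privileges")
        else:
            findings.append(f"{priv}: not granted to {role} in Table 19")
    # MFA applies to every column except end users, and to any privilege holder.
    if role != "end_user" or held:
        if not user.get("MFAREQUIRED"):
            findings.append("MFAREQUIRED: must be set")
        if not user.get("MFAPROTOCOL"):  # presence only; validity is site-specific
            findings.append("MFAPROTOCOL: no protocol set")
    if user.get("MINPW") != 1 or user.get("MAXPW") != 1:
        findings.append("MINPW/MAXPW: both must be 1")
    if not user.get("PASSWORDAGING"):
        findings.append("PASSWORDAGING: must be set")
    days = user.get("DAYSACTIVE")
    if days is None or days > 30:
        findings.append("DAYSACTIVE: must be 30 or smaller")
    return findings

# Constructed sample records; usercodes and the protocol value are placeholders.
BASE = {"MINPW": 1, "MAXPW": 1, "PASSWORDAGING": True, "DAYSACTIVE": 30}
USERS = [
    {**BASE, "usercode": "TSADMIN1", "role": "ts_admin", "SYSTEMUSER": True,
     "COMSCONTROL": True, "CANDECONTROL": True,
     "MFAREQUIRED": True, "MFAPROTOCOL": "<protocol>"},
    {**BASE, "usercode": "USER7", "role": "end_user", "PU": True, "DAYSACTIVE": 90},
    {**BASE, "usercode": "SYSPROG2", "role": "sys_programmer", "PU": True,
     "MFAREQUIRED": True, "MFAPROTOCOL": "<protocol>"},
]
REPORT = {u["usercode"]: audit(u) for u in USERS}
```

`REPORT` maps each usercode to its findings: the end user holding PU without MFA and with a 90-day password life is flagged four times, while the system programmer's PU is raised for review rather than rejected.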

