The ??SECAD (Security Administrator Authorization) command authorizes security administrator status on the system. This command is available only as part of Secure Access Control Module security enhancement software.
Security administrator status must be granted to a usercode through SYSTEM/MAKEUSER. Until the first security administrator is designated, a privileged user is allowed to run SYSTEM/MAKEUSER to designate a security administrator. After one security administrator is designated and the security administrator status is authorized for the system, only a security administrator can designate other usercodes as security administrators.
If security administrator status is authorized for the system, a security administrator usercode is required for changing security options, changing the USERDATAFILE, and invoking system commands or SETSTATUS calls that confer privileges or affect system security.
The following are the restricted system commands and related SETSTATUS calls.
|
CF |
LG |
RESTRICT |
|
DL LOG |
LOGGING |
SE |
|
DL USERDATA |
MP |
SL |
|
HU |
MU |
??SECAD |
|
ID |
REMOTESPO |
|
The MARC DIRECTIVE command is another security-critical function that can be performed only by security administrators.
If security administrator status is not authorized for the system, any operator or privileged user can change security options and the USERDATAFILE or invoke the restricted system commands and SETSTATUS calls.
If security administrator status is authorized for the system, restricted commands can be entered only from a source with SECADMIN status. Such sources include
-
A MARC session with a security administrator usercode.
-
A program using SETSTATUS that is running under a usercode with SECADMIN status.
-
A program using DCKEYIN that is marked with SECADMIN status by the MP (Mark Program) command.
| Note: | Setting the TERM USER attribute to a security administrator usercode at an ODT does not permit the use of restricted system commands from that ODT. |
The following are required when ??SECAD is set:
-
A security administrator usercode to update the network information file
-
A REMOTESPO : OK to activate the remotespo stations
Syntax
Explanation
??SECAD
Displays the current SECADMIN option setting.
??SECAD +
Sets the SECADMIN option. The system indicates whether a USERDATAFILE exists and, if so, how many security administrators are defined in it. It then waits for you to confirm that a security administrator is to be authorized. If you confirm the action, the SECADMIN option is set. If you deny the action, the option is not changed.
??SECAD −
??SECAD − <usercode>/<password>
Resets the SECADMIN option. If the security administrator is defined in the USERDATAFILE, then the usercode and password of the administrator must be supplied to verify that the person resetting the option is an administrator. If no security administrator is defined in the USERDATAFILE, no administrator usercode or password is needed to reset the option.
