On a system where the Secure Identification Facility is installed, the system administrator can enable a special security administrator status. If security administrator status is enabled for the system, then certain system commands that would otherwise be available to any privileged, SYSADMIN, or SYSTEMUSER process are instead reserved for use only by processes with security administrator status. The DCKEYIN and SETSTATUS functions corresponding to these system commands are similarly restricted. In addition, the ability to create or alter usercode definitions, which would otherwise be available to any privileged user, is restricted to processes with security administrator status.
The security administrator can also use the RESTRICT command to prevent or limit the use of certain system commands. For information about the RESTRICT command, refer to the System Commands Reference.
The system administrator can enable security administrator status on the system by setting the system SECADMIN option. This option is set using the ??SECAD system command. Once the SECADMIN option is set, a process assumes security administrator status if either of the following conditions are true:
-
The process is running with a usercode for which the SECADMIN attribute is set in the USERDATAFILE.
-
The process is executing code from an object code file that has been marked with security administrator status. This concept is discussed further under Object Code File earlier in this section.
For further information about security administrator capabilities, refer to the Security Operations Guide.
