Making Use of the IQU Security SGS's In Order to Control IQU Access to a Production Environment
Question
Are we right in assuming that batch programs (IQU) started by either a user in demand or a system scheduler are subjected to the scrutiny of scanning the 'Security Groups' we'll create?
Also, it looks as if one could get carried away building these SGSs. Any tips on how to keep it relatively simple?
Answer
The answer to your first question is "YES". With I-QU PLUS-1 security, it is all or nothing. When security is enabled in the COMUS configuration, I-QU does a top-down search through the file (and element) that you specify. Any match against an ACCESS SGS ends the search; otherwise, the search continues. If the search falls off the end of the file, security fails; i.e., access is denied.
Yes, you can get carried away with applying security.
TIP: Start simple and keep it simple! For example, you probably only have one or two people that actually do reorgs. Put them in a DBGROUP that allows them access to all reorg utilities that make alterations: PFIX and SCHUTL. All other utilities are harmless: PBLD, QRYSCH, QINDEX. For the IQU program, you define ALLOWED/DENIED access by IO type. The type of access you want, you specify by GROUP.
Here is a simple example where we have divided DMS access into two groups (the example in the IG is a bit overpowering at first glance). All other file types are wide open. We don't necessarily recommend that, however, especially for something as potentially destructive as DIO.
USER GROUP NONREORGS HAS CHAZ
USER GROUP REORGS HAS BOB LEW
SCHEMA GROUP DEMOSCH HAS DEMOSCH
SUBSCHEMA GROUP DEMOSUB HAS DEMOSUB
SCHEMAFILE GROUP DEMOFILE HAS FILE,UDS$$SRC*SCHABS
ACCESS TO DMR ST ALLOWED FOR NONREORGS FOR ;
RETRIEVAL INVOKING DEMOSUB OF DEMOSCH FILE DEMOFILE
ACCESS TO DMR ST ALLOWED FOR REORGS FOR LOAD ;
INVOKING DEMOSUB OF DEMOSCH FILE DEMOFILE
ACCESS TO DMR $ALL ALLOWED FOR $ALL FOR LOAD
UTILITY TYPE REORGTYPE HAS PBLD PFIX SCHUTL
ACCESS TO UTILITY REORGTYPE ALLOWED FOR REORGS
ACCESS TO UTILITY REORGTYPE DENIED FOR $ALL
ACCESS TO UTILITY $ALL ALLOWED FOR $ALL
ACCESS TO PCIOS $ALL ALLOWED FOR $ALL FOR $ALL
ACCESS TO DIO $ALL ALLOWED FOR $ALL FOR $ALL
ACCESS TO RDMR $ALL ALLOWED FOR $ALL
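Added example (not from the original post, and not I-QU PLUS-1's own code): a small Python model of the top-down, first-match, default-deny search the answer describes, run over the UTILITY lines of the sample file above. The line grammar it accepts (USER GROUP ... HAS, UTILITY TYPE ... HAS, ACCESS TO UTILITY <type> ALLOWED|DENIED FOR <group>, and a trailing ';' as a continuation marker) is inferred from the sample and is an assumption, as is the user id ANNE used for someone who belongs to no group; the DMR, PCIOS, DIO and RDMR lines are skipped, not modelled. It shows why the REORGTYPE DENIED FOR $ALL line has to sit above the UTILITY $ALL ALLOWED FOR $ALL line, and that removing the catch-all line makes every unmatched utility fall off the end of the file and be denied.

```python
"""Model of the first-match, default-deny SGS search described in the answer.

Added example, not I-QU PLUS-1 code. It evaluates only USER GROUP, UTILITY
TYPE and ACCESS TO UTILITY lines; the grammar is inferred from the sample
(an assumption). DMR, PCIOS, DIO and RDMR lines are read past, not evaluated.
"""
from dataclasses import dataclass

# Constructed copy of the SGS file quoted in the answer.
SAMPLE_SGS = """\
USER GROUP NONREORGS HAS CHAZ
USER GROUP REORGS HAS BOB LEW
SCHEMA GROUP DEMOSCH HAS DEMOSCH
SUBSCHEMA GROUP DEMOSUB HAS DEMOSUB
SCHEMAFILE GROUP DEMOFILE HAS FILE,UDS$$SRC*SCHABS
ACCESS TO DMR ST ALLOWED FOR NONREORGS FOR ;
RETRIEVAL INVOKING DEMOSUB OF DEMOSCH FILE DEMOFILE
ACCESS TO DMR ST ALLOWED FOR REORGS FOR LOAD ;
INVOKING DEMOSUB OF DEMOSCH FILE DEMOFILE
ACCESS TO DMR $ALL ALLOWED FOR $ALL FOR LOAD
UTILITY TYPE REORGTYPE HAS PBLD PFIX SCHUTL
ACCESS TO UTILITY REORGTYPE ALLOWED FOR REORGS
ACCESS TO UTILITY REORGTYPE DENIED FOR $ALL
ACCESS TO UTILITY $ALL ALLOWED FOR $ALL
ACCESS TO PCIOS $ALL ALLOWED FOR $ALL FOR $ALL
ACCESS TO DIO $ALL ALLOWED FOR $ALL FOR $ALL
ACCESS TO RDMR $ALL ALLOWED FOR $ALL
"""

# Variant with the catch-all ALLOWED line moved above the DENIED line.
MISORDERED_SGS = SAMPLE_SGS.replace(
    "ACCESS TO UTILITY REORGTYPE DENIED FOR $ALL\n"
    "ACCESS TO UTILITY $ALL ALLOWED FOR $ALL\n",
    "ACCESS TO UTILITY $ALL ALLOWED FOR $ALL\n"
    "ACCESS TO UTILITY REORGTYPE DENIED FOR $ALL\n")

# Variant with no catch-all UTILITY line at all.
NO_CATCHALL_SGS = SAMPLE_SGS.replace("ACCESS TO UTILITY $ALL ALLOWED FOR $ALL\n", "")


@dataclass
class UtilityRule:
    utility_type: str  # a UTILITY TYPE name, or $ALL
    allowed: bool      # ALLOWED -> True, DENIED -> False
    user_group: str    # a USER GROUP name, or $ALL
    line_no: int       # logical line in the file, to trace which line decided


def logical_lines(text):
    """Join ';'-continued lines so each SGS is one string (assumed syntax)."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip()
        pending = ""
        if line.endswith(";"):
            pending = line[:-1].rstrip()
        elif line:
            out.append(line)
    if pending:
        out.append(pending)
    return out


class UtilityPolicy:
    def __init__(self, sgs_text):
        self.user_groups = {}    # group name -> set of user ids
        self.utility_types = {}  # type name -> set of utility names
        self.rules = []          # ACCESS TO UTILITY lines, in file order
        for n, line in enumerate(logical_lines(sgs_text), 1):
            tok = line.split()
            if tok[:2] == ["USER", "GROUP"]:
                self.user_groups[tok[2]] = set(tok[4:])
            elif tok[:2] == ["UTILITY", "TYPE"]:
                self.utility_types[tok[2]] = set(tok[4:])
            elif tok[:3] == ["ACCESS", "TO", "UTILITY"]:
                # ACCESS TO UTILITY <type> ALLOWED|DENIED FOR <group>
                self.rules.append(UtilityRule(tok[3], tok[4] == "ALLOWED", tok[6], n))

    def _in_group(self, user, group):
        return group == "$ALL" or user in self.user_groups.get(group, set())

    def _in_type(self, utility, utype):
        return utype == "$ALL" or utility in self.utility_types.get(utype, set())

    def check(self, user, utility):
        """Top-down search: the first matching ACCESS line decides.

        Returns (allowed, line_no); line_no is None when the search fell off
        the end of the file, which the answer says means access is denied.
        """
        for r in self.rules:
            if self._in_type(utility, r.utility_type) and self._in_group(user, r.user_group):
                return r.allowed, r.line_no
        return False, None


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SGS), ("misordered", MISORDERED_SGS),
                       ("no catch-all", NO_CATCHALL_SGS)):
        pol = UtilityPolicy(text)
        for user, util in (("BOB", "PFIX"), ("CHAZ", "PFIX"), ("CHAZ", "QRYSCH")):
            print(f"{name:12} {user:5} {util:7} -> {pol.check(user, util)}")
```

Run as a script it prints which logical line decided each request. With the file as quoted, BOB gets PFIX from the REORGS line, CHAZ (and anyone in no group) is stopped by the DENIED FOR $ALL line before the catch-all is reached, and CHAZ gets QRYSCH from the catch-all. In the misordered variant the catch-all matches first and hands PFIX to everyone; with no catch-all, QRYSCH matches nothing and is denied because the search ran off the end.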