Product Description

PCSACC/400 provides easy and rapid access control for IBM OS/400 DB2/400 database file objects that are not sufficiently secured. All required access authority is defined within the security database of PCSACC/400.

Every access via DDM, IBM iSeries Access for Windows, TCP/IP FTP, interactive SQL, Query and Query Manager, or the CLI API (Net.Data, native Java and PHP programs) is rejected unless it has been defined there beforehand.

PCSACC/400

Description of the security problems

Solutions

Controlled Access

How the security concept works

Contents of security program package

Installation

Requirements


Description of the security problems

OS/400 offers a broad range of object level security functions.

Assigning object authority to physical database files is sufficient in most cases. It can be done using group profiles, authority lists, or by adopting authority via programs with USRPRF(*OWNER), and by working with *EXCLUDE and the GRT... commands. These functions are easy to use for assigning the necessary object authorities.

It is important to use these functions.

Are you working without special object level security and achieving security for your users via menus? In most cases this is a very simple and effective method of preventing users from accessing data without authorization.

IBM iSeries Access for Windows, remote DDM access and TCP/IP FTP, TFTP and REXEC, as well as access via interactive SQL, Query and Query Manager or the CLI API, are not covered by security concepts based on normal user menus.

All IBM iSeries Access for Windows, DDM and TCP/IP FTP users, as well as interactive SQL, Query and Query Manager or CLI API users, can access every database file that is not protected, and can read and write these files.

IBM file transfer can replace data and so destroy your original data.

If you have assigned authority to each user, you should check whether that is really sufficient. Data access via a 5250 terminal is controlled by an application program. This is not true for access via PCs: users have access to all *PUBLIC data.


Solutions

You need access control on OS/400 via interface programs (exit programs registered through APIs). Entries have to be made in the network attributes for DDM access (the DDMACC parameter) and/or with the command WRKREGINF.

PCSACC/400 provides these interface programs including the necessary security database.

You can keep your existing security concept and avoid all the effort that would be necessary to implement object-oriented security that conforms to the system's architecture.

You do not need to specify restrictions for each database file with *EXCLUDE. PCSACC/400 changes the normal OS/400 authority checking: you only define the required access authorities within the security database.

PCSACC/400 provides a rapid and effective method of creating these definitions; you do not need to know each of these authorities.
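As an added illustration (not part of the PCSACC/400 package or its documentation) of where such interface programs are hooked in: the DDMACC network attribute, plus two exit points registered with ADDEXITPGM, which is the registration that WRKREGINF displays. Library QPCS and the FTP exit program PCSLO2 are named on this page; YOURDDMPGM and YOURDBOPGM are placeholders for the DDM and database-open exit programs, and the statement that the FTP server must be restarted is an assumption about standard OS/400 behaviour.

```cl
/* Added example, not PCSACC/400 code: registering exit-program based    */
/* access control on OS/400. YOURDDMPGM and YOURDBOPGM are placeholder   */
/* program names; QPCS and PCSLO2 are taken from the page.               */

/* 1. DDM/DRDA: the DDMACC network attribute names the program OS/400   */
/*    calls for every incoming DDM request before it touches a file.     */
CHGNETA DDMACC(QPCS/YOURDDMPGM)

/* 2. Database open: exit point QIBM_QDB_OPEN, format DBOP0100, is       */
/*    called for file opens by interactive SQL, Query, Query Manager     */
/*    and the CLI API (native Java, Net.Data, PHP).                      */
ADDEXITPGM EXITPNT(QIBM_QDB_OPEN) FORMAT(DBOP0100) PGMNBR(*LOW) +
           PGM(QPCS/YOURDBOPGM) TEXT('Database open control')

/* 3. FTP server logon: exit point QIBM_QTMF_SVR_LOGON. Format TCPL0200  */
/*    lets the exit program return the start mode (QSYS.LIB with a       */
/*    current library, or IFS with a home directory), which is what the  */
/*    page describes for PCSLO2.                                         */
ADDEXITPGM EXITPNT(QIBM_QTMF_SVR_LOGON) FORMAT(TCPL0200) PGMNBR(*LOW) +
           PGM(QPCS/PCSLO2) TEXT('FTP logon control')

/* 4. Verify which programs are registered at an exit point.             */
WRKREGINF EXITPNT(QIBM_QDB_OPEN)

/* 5. Assumption: FTP server jobs read the registration at start-up, so  */
/*    the server is restarted for the change to take effect.             */
ENDTCPSVR SERVER(*FTP)
STRTCPSVR SERVER(*FTP)
```

Because the operating system itself calls these programs before a file is opened or an FTP session is started, a PC client has no path to the data that skips the check.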


Controlled access

IBM iSeries Access for Windows

  • SQL/ODBC and file transfer
  • IFS (Integrated File System)
  • execution of remote commands (RMTCMD) and Distributed Program Call (iSeries Navigator)
  • data queues

And all programs that use these interfaces, like:

RUMBA/400
File transfer from and to PC

ShowCase for IBM iSeries 400 (AS/400)
File transfer from and to PC, all versions including ShowCase ODBC and ShowCase Century

DDM
Data access via remote AS/400 systems and clients (IBM VA RPG, IBM VisualAge and IBM VisualGen), execution of remote commands (SBMRMTCMD)

TCP/IP FTP/TFTP and TCP/IP REXEC (RUNRMTCMD via IP)
File access to database files in libraries, IFS access and command execution via server and client accesses.

QIBM_QDB_OPEN full open control
Interactive SQL, Query and Query Manager and the CLI API (used by native Java, Net.Data and PHP programs) can now be controlled.

DDM/DRDA
With the combination of the existing exit programs and the exit point QIBM_QDB_OPEN, detailed control of DDM/DRDA accesses is now possible.
Such accesses can take place, for example, between two System i partitions using interactive SQL and the CONNECT command.

TCP/IP TELNET including 5250/TELNET
IP address check, name check or assignment of names, generic names, number of sessions, auto-signon check.


How the security concept works

PCSACC/400 provides several interface programs.

Special database files contain structured information about the authorities of PC, DDM and TCP/IP FTP/TFTP/REXEC users. Only authorized accesses are stored.

This information is separated into user, library, file, member and folder security data, plus information about remote commands and distributed calls. IP and mail addresses are also stored. Generic names can be used at file level, and separation by application (SQL/ODBC, FTP, DDM, interactive SQL, Query and Query Manager, CLI API) is possible.

Access to database files can be controlled down to single members (read and write authority).

Separating authorities for libraries and data records allows, for example, general read authority for a library while the update or creation of files is prohibited. These authorities can even be specified per file. In most cases this is a reasonable method.

Creation and deletion of libraries via remote SQL (CREATE/DROP collection) is controlled as well.

The maximum string length for SQL/ODBC has been raised to 32512 bytes. PCSACC/400 supports names of up to 128 bytes for SQL/ODBC tables; "QGPL"."This is my nice file" is a valid table name and is supported by PCSACC/400.

For DDM access, additional authorities are defined to control file operations (CHGPF, DLTF).

Execution of RMTCMD, SBMRMTCMD and the newer Distributed Program Call can be controlled at user level by releasing CALLs with specified program and library names. It is also possible to define complete CL commands together with the length that has to be checked. Remote calls via remote SQL can also be controlled.

TCP/IP FTP/TFTP/REXEC users are generally controlled, but access to database files, the IFS or command execution is checked via additional control fields.

An FTP sign-on with an internal PCSACC/400 user and a password bound to an IP address allows switching (crossover) to an i5/OS (OS/400) user profile that has no password. With this, misuse of that user profile is impossible. A weekly calendar can be used.

Beginning with OS/400 V4R4, the TCP/IP FTP exit program PCSLO2 allows control of the start mode: either QSYS.LIB with a current library, or IFS mode with a home directory.

Starting with OS/400 V5R2, IP address control is also possible for DDM and for all host servers (SQL/ODBC, NetServer, remote command/iSeries Navigator and data queues). A weekly calendar can be used here as well.

With TCP/IP control you can dictate which IP addresses may be used to access the system. Devices can be checked and allocated (generic names included) and the number of sessions can be limited. Furthermore, you can restrict access by time using a weekly calendar. This applies to all TELNET accesses.

PCSACC/400 operates like an application firewall.

All generally released files (such as *PUBLIC ones) can be assigned to a default user and therefore have to be defined only once, for example the QIWS... folder.

When starting with PCSACC/400, the QDEFAULT user record specifies that non-registered users are automatically registered and all their activities are written to logging files; this is the learning phase of PCSACC/400. With the command CVTPCSLOG this information can be converted automatically into authority structures. In a later phase, test mode can also be activated for individual programs. Test mode is very helpful if some exit programs have not yet been activated, or if new exit programs have been added with a new release.

With these functions PCSACC/400 is able to determine the current state of your system by itself. Data recorded in test mode is converted into access rights once a day using the command CVTPCSLOG. All exit programs perform a complete access check in learning mode; only new access information is stored in the protocol data, which keeps the files as small as possible. Deleted disk storage is reused. No access is rejected because a user is in test mode.

Automatic registration is possible only if automatic creation of new, not yet registered users is active in the user record QDEFAULT.

All files of the security concept in library QPCS are protected with *PUBLIC *EXCLUDE. Access to these files is possible only via the programs of the security concept, which adopt the authority of user QPCS. Access to these files is therefore completely controlled by programs.

Users QPCS and QSECOFR are treated as 'master security officers' and are allowed to change all authority data. They cannot be removed from the security database files. With the command ADDPCSOWN you can set up further users as administrators of PCSACC/400.

The user exit program receives information about the kind of access and checks it against the stored records to decide whether the access can be allowed.

Error messages are displayed or sent to the user. Additionally, this information can be routed to a central user, e.g. QSYSOPR (local or remote).

This provides a simple but effective control of all accesses from PC users to data on your AS/400, and it cannot be circumvented.

Accesses from the PC side (local or remote via TCP/IP, DDM, or TCP/IP server and client accesses), as well as accesses via interactive SQL, Query and Query Manager (interactive and batch) and the CLI API (used by native Java, Net.Data and PHP programs), cannot bypass these controls, because the control takes place on the IBM OS/400 side using system functions.

PCSACC/400 provides a subset of IBM OS/400 authorities.

Extensive access authority may be restricted. If a user has no authority to an OS/400 object, access is rejected by OS/400 itself, without the user exit program being called at all.

Stored data can be kept to a minimum, based on a 3-level hierarchy of *PUBLIC authorities, user groups and additional individual authorities, together with the possibility of generally allowing READ access at library level.


Contents of security program package

PCSACC/400 supports multiple languages: German 2929, German International 2939 and US English 2924.

PCSACC/400 provides a number of interface programs, including the program PCSNETA for activating and deactivating these interface programs. This application also contains the necessary maintenance menus for STRSBS, ENDSBS, STRHOSTSVR etc. Your own exit programs, or programs from other vendors, can still be used as sub-exit programs under the control of PCSACC/400. These sub-exit programs are activated dynamically when required, using system values. Sample code is included in the program package.

All exit programs can be activated or deactivated at the push of a button. When deactivated, active programs close all opened files and every access is then allowed: right after being called, the programs recognize their inactive status, set the return code to 'allowed' and leave with RETURN.

The maintenance program CHGPCS allows the creation and maintenance of authority structures and can be called by authorized users only. Users with data accesses are recorded automatically; TELNET/5250 users do not appear in the files.

This program contains many functions. It gives a good overview of stored authorities through a coloured display of users (controlled users = blue, non-controlled users = green, locked users = red), through activation and deactivation with a single entry of 'A/U/T' (A = activation, U = deactivation, T = test activation), and through various additional reports. Changes take effect immediately.

All reports can be created via command, and new user records can also be created via command, so these functions can be integrated into existing CL programs. File information of library QSYSQPCS can be printed. Reorganization allows scheduled removal of logged data; deleted disk space is reused immediately. Essential parts of the reorganization can be done in batch while the system is running.

The multi-level access structure limits the recorded information to a minimum; up to 5 user groups are possible.

If a 5250 emulation in use does not support radio buttons (e.g. MOCHA), you can activate an alternative function using the user properties.

The programs contain extensive online documentation and field-sensitive detail information provided by panel groups (help). Additionally an online user guide is provided, which can be displayed or printed at any time. Entry versions for 20 or 30 controlled users are available for smaller installations. Every user with active protocol or control fields counts as a controlled user; users QPCS and QSECOFR are not counted. Telnet and the graphical interface are not supported in the small licences. A program shows the user structure and determines the licence type required.


Installation

The package is delivered on CD-ROM for RISC releases. It can be installed by QSECOFR or a *SECOFR user using the LODRUN command. Installation over the network using save files is also possible.

The copyright license number for the program package must be ordered using the form supplied after delivery. Entry of this license number is required for a complete installation. Afterwards the program package is activated via the maintenance program CHGPCS, and registration of all users and their activities is started.

When the test period expires, the exit programs simply stop operating: access control is no longer active and no records are logged any longer. You can continue with normal operations. All exit programs are deactivated.

When logging is completed, all collected information is converted into authority structures by the command CVTPCSLOG and has to be checked manually. The control fields are activated using option 'A'; that user is then under control, while the others are only written to the logging files.

These activation/deactivation functions can be customized by changing the user records QDEFACT/QDEFINACT.

Not all users have to be activated at once; this can be done per single user. When all users are activated, the control fields in the record of user QDEFAULT have to be set from 'not controlled' to 'controlled' using option 'A'.

Now access control is active for all users, and your IBM System i (iSeries 400, AS/400) is controlled by PCSACC/400.

New users are automatically registered without any access rights. Only a user record is written to the file; all their accesses are controlled and rejected, because no further information exists in the database for these new users.


Requirements

PCSACC/400 requires OS/400 V4R3 or higher and has been tested with all release levels up to i5/OS V7R1.

The DASD capacity required for the libraries QPCS, QPCS2924, QPCS2929 and QPCS2939, containing more than 76 objects, is approximately 96 MB.

The disk space needed during operation depends on the amount of stored information.

Example of a helptext
