IBM Power Systems

About This Blog

Warm wishes and a welcome to all AS400 Administrators and Operators.

This is an exclusive blog for iSeries system Administrators working anywhere in the world, and a place for guys and gals who want to share knowledge pertaining to iSeries. It has been designed for exchanging knowledge on AS400 or iSeries server administration and operations.

Tuesday, February 9, 2010

Security Levels

The system provides the following levels of security, set through the QSECURITY system value:

Level   Description
10      No system-enforced security
20      Sign-on security
30      Sign-on and resource security
40      Sign-on and resource security; integrity protection
50      Sign-on and resource security; enhanced integrity protection

Note: As of V4R3, IBM® has dropped support for security level 10. IBM will not accept APARs for problems that cannot be re-created at security level 20 or higher, and the QSECURITY system value can no longer be set to 10.

Security Level 10

At security level 10 you have minimal security protection. When a new user signs on, the system creates a user profile whose name is the user ID typed on the sign-on display. If the same person signs on later with a different user ID, another new user profile is created.

The system performs authority checking at every security level. Because every user profile created at security level 10 is given *ALLOBJ special authority, these users pass every authority check and can reach every resource on the system. To test the effect of moving to a higher security level, remove *ALLOBJ special authority from the user profiles and grant those profiles authority to the specific resources they need. This is only an experiment, not protection: anyone can still sign on with a new user ID, and a new profile with *ALLOBJ special authority is created for it. This cannot be prevented at security level 10.

Security Level 20

In addition to the functions provided at security level 10, security level 20 adds the following:

o    Both user ID and password are required to sign on.      
o    Only a security officer or someone with *SECADM special authority can create user profiles.       
o    The limit capabilities value specified in the user profile is enforced.   

Security Level 30

In addition to the functions provided at security level 20, security level 30 adds the following:

o    Users must be specifically given authority to use resources on the system.      
o    Only user profiles created with the *SECOFR security class are given *ALLOBJ special authority automatically.   
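The "remove *ALLOBJ and grant specific authority" exercise from the level 10 section, and the level 30 rule that users must be explicitly authorized to resources, both come down to the same CL work. The program below is an added example, not code from the original post: it first lists every enabled profile that currently holds *ALLOBJ (using the QSYS2.USER_INFO catalog view of Db2 for i), then takes one profile off *ALLOBJ and gives it explicit *USE authority on a library and a file, and finally reads the result back. TESTUSR, PAYLIB and PAYMAST are hypothetical names; replace them with your own.

```cl
/* Added example (not from the original post). Inventory *ALLOBJ holders,  */
/* then replace *ALLOBJ on one profile with explicit object authority.     */
/* TESTUSR, PAYLIB and PAYMAST are hypothetical names.                     */
PGM
  DCL VAR(&SPCAUT) TYPE(*CHAR) LEN(100)
  DCL VAR(&USRCLS) TYPE(*CHAR) LEN(10)

  /* 1. Who has *ALLOBJ right now, and in what user class?              */
  /*    USER_INFO.SPECIAL_AUTHORITIES is a blank-separated list.          */
  RUNSQL SQL('CREATE TABLE QTEMP/ALLOBJ AS (SELECT AUTHORIZATION_NAME, +
              USER_CLASS_NAME, SPECIAL_AUTHORITIES FROM QSYS2.USER_INFO +
              WHERE SPECIAL_AUTHORITIES LIKE ''%*ALLOBJ%'' +
              AND STATUS = ''*ENABLED'') WITH DATA') COMMIT(*NONE)
  RUNQRY QRYFILE((QTEMP/ALLOBJ)) OUTPUT(*PRINT)

  /* 2. Drop TESTUSR to an ordinary user and clear its special authorities. */
  /*    SPCAUT() on CHGUSRPRF replaces the whole list; it does not remove   */
  /*    a single entry. The class is lowered too, because *SECOFR profiles  */
  /*    get *ALLOBJ automatically at level 30.                              */
  CHGUSRPRF USRPRF(TESTUSR) USRCLS(*USER) SPCAUT(*NONE)

  /* 3. Grant only what the job needs: *USE on the library and on the file. */
  GRTOBJAUT OBJ(QSYS/PAYLIB)    OBJTYPE(*LIB)  USER(TESTUSR) AUT(*USE)
  GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(TESTUSR) AUT(*USE)

  /* 4. Verify: the profile should report no special authorities, and the  */
  /*    DSPOBJAUT listing should show TESTUSR with *USE only.              */
  RTVUSRPRF USRPRF(TESTUSR) USRCLS(&USRCLS) SPCAUT(&SPCAUT)
  SNDPGMMSG MSG('TESTUSR class:' *BCAT &USRCLS *BCAT 'special aut:' *BCAT &SPCAUT)
  DSPOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
ENDPGM
```

Run the inventory step on its own first; at level 10 the list will contain every profile the system ever created at sign-on, which is exactly why the page calls that level an experiment rather than protection. At level 30 the list should shrink to *SECOFR-class profiles and whoever was explicitly granted *ALLOBJ.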

Security Level 40

Security level 40 prevents potential integrity or security risks from programs that could circumvent security in special cases. Security functions at level 40 include:

o    Preventing the use of unsupported interfaces      
o    Preventing the use of restricted instructions      
o    Protecting job descriptions      
o    Preventing signing on without password      
o    Enhanced hardware storage protection      
o    Protecting a program's associated space      
o    Protecting a job's address space   
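The checks listed above are the ones that start failing when you move from level 30 to 40, so the practical question is which of your programs would trip them. The program below is an added example, not code from the original post, and it also covers the QSECURITY system value from the level table at the top: it reads the current level, makes sure the QAUDJRN security audit journal exists, turns on *AUTFAIL and *PGMFAIL action auditing so that the level 40 integrity violations are recorded as AF entries while you are still at level 30, and then pulls those entries into a file for review. The receiver name QGPL/AUDRCV0001 and the scratch file prefix QTEMP/AFLIST are hypothetical; the violation type column of the AF entry tells you which check fired (restricted instruction, unsupported interface, validation failure, job description misuse, and so on).

```cl
/* Added example (not from the original post). Collect the level 40        */
/* integrity violations as AF audit entries before raising QSECURITY.     */
/* QGPL/AUDRCV0001 and QTEMP/AFLIST are hypothetical names.                */
PGM
  DCL VAR(&SECLVL) TYPE(*CHAR) LEN(2)
  DCL VAR(&AUDLVL) TYPE(*CHAR) LEN(160)

  /* Current security level; nothing to rehearse if already at 40 or 50.  */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  IF COND(&SECLVL *GE '40') THEN(DO)
     SNDPGMMSG MSG('QSECURITY is already' *BCAT &SECLVL)
     RETURN
  ENDDO

  /* The audit journal must exist before action auditing does anything.   */
  CHKOBJ OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG MSGID(CPF9801) EXEC(DO)
     CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
               TEXT('Security audit journal receiver')
     CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
               DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')
  ENDDO

  /* Keep a copy of the current QAUDLVL list: CHGSYSVAL replaces the      */
  /* whole list, so if you already audit other actions add them to the    */
  /* VALUE below rather than losing them.                                 */
  RTVSYSVAL SYSVAL(QAUDLVL) RTNVAR(&AUDLVL)
  SNDPGMMSG MSG('Previous QAUDLVL:' *BCAT &AUDLVL)
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
  CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL')

  /* ... run the normal workload for a representative period, then ...   */

  /* Copy the AF (authority failure) entries from the current receiver    */
  /* chain; CPYAUDJRNE names the output file prefix + entry type, so the  */
  /* file is QTEMP/AFLISTAF. Review the violation type column.            */
  CPYAUDJRNE ENTTYP(AF) OUTFILE(QTEMP/AFLIST) JRNRCV(*CURCHAIN)
  RUNQRY QRYFILE((QTEMP/AFLISTAF)) OUTPUT(*PRINT)

  /* Only once the AF review is clean, raise the level. The change takes  */
  /* effect at the next IPL:                                              */
  /*   CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')                             */
ENDPGM
```

Do the audit run on the production workload, not a test box: the programs most likely to use unsupported interfaces or restricted MI instructions are old vendor packages and home-grown utilities that only get exercised at month end.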

Security Level 50
Security level 50 provides enhanced integrity protection for installations with strict security requirements. It is designed to meet the requirements defined by the U.S. Department of Defense for C2 security in the Trusted Computer System Evaluation Criteria (TCSEC), and adds further integrity protection on top of what security level 40 provides. Running your system at security level 50 is required for C2 security.
