The Security Officer Nbr 2 tool provides a simple menu for Assistant
Security Officers and Departmental Security Officers. To use the
options on the menu, the user must be authorized to authorization
lists (See later discussion).
The Assistant Security Officer can access all options he is
authorized to.
If you want a Departmental Security Officer concept, see the later
discussion.
The SECOFR2 menu itself is controlled by the TAASECOFR2 authorization
list. This is shipped as *PUBLIC *EXCLUDE. An option exists when
authorizing users to the TAASECOFR2 authorization list that will
require a user to enter his password each time the menu is used. See
the later discussion of 'Checking the current user' for how to
authorize users to be able to see the menu. Each menu option is also
controlled by a unique authorization list.
The menu is accessed by:
GO SECOFR2
The menu offers the following options:
1. Display user profile. The DSPUSRPRF2 TAA Tool command prompt
appears. This is a simple front end to the system DSPUSRPRF
command, but allows the user to display any profile. The
user must be authorized to the TAADSPUSR2 authorization list.
2. Initialize user profile. The INZPWD TAA Tool command prompt
appears. This allows the password to be initialized to either
the user profile name or a random value. This is intended for
users who forget their password.
If INZPWD is used, the user is forced to change his password
when he signs on. QSECOFR cannot be changed. The user must
be authorized to the TAAINZPWD authorization list. If the
user does not have *ALLOBJ authority, any profile with *ALLOBJ
or *SERVICE cannot be changed. The Security Officer can
specify other profiles that cannot be initialized by using
EDTCONARR for the data area INZPWD in TAASECURE.
This option may be removed from the menu so that only INZPWD2
can be used. See the INZPWD tool documentation.
3. Initialize user profile 2. The INZPWD2 TAA Tool command
prompt appears. This allows the password to be initialized to
a random value. The completion message describes the value.
This is intended for users who forget their password.
The function is similar to INZPWD, but forces the use of a
random password.
This option may be removed from the menu so that only INZPWD
can be used. See the INZPWD tool documentation.
4. Enable user profile. The ENAUSRPRF TAA Tool command prompt
appears. This allows a disabled profile to be reset. The
user must be authorized to the TAAENAUSR authorization list.
5. Disable user profile. The DSAUSRPRF command prompt appears.
The user is allowed to disable a user profile. The user must
be authorized to the TAADSAPRF authorization list.
QSECOFR cannot be disabled. The Security Officer can specify
other profiles that cannot be disabled by using EDTCONARR for
the data area DSAUSRPRF in TAASECURE.
6. Change user profile 2. The CHGUSRPRF2 command prompt appears.
The user must be authorized to the TAACHGPRF2 authorization
list. The Security Officer controls what parameters are valid
to be changed. The other parameters can be optionally
displayed. The system has built-in restrictions relative to
changes to the GRPPRF or SUPGRPPRF parameters. See the
instructions with CHGUSRPRF2.
7. Copy user profile 2. The CPYUSRPRF2 command prompt appears.
The user must be authorized to the TAACPYUSR2 authorization
list. This allows an authorized user to duplicate a user
profile without being the Security Officer. By default, a
profile containing any special authorities (such as *JOBCTL)
cannot be duplicated. See the tool documentation for how to
allow a user profile that contains special authorities to be
copied.
The presentation of the PWDEXP and CHGOWN keywords of the
CPYUSRPRF2 command can be controlled by the PMTPWDEXP and
PMTCHGOWN keys of the CPYUSRPRF2 application value found in
TAASECURE. Use EDTAPPVAL TAASECURE/CPYUSRPRF2 to modify the
settings. The default is to prompt for both of these command
keywords.
8. Delete user profile 2. The DLTUSRPRF2 command prompt appears.
The user must be authorized to the TAADLTUSR2 authorization
list. This allows an authorized user to delete a user profile
without being the Security Officer. Critical profiles such as
QSECOFR or QSRV cannot be deleted.
9. Vary device on. The user must have either *JOBCTL special
authority or be authorized to the TAAVRYCFG authorization
list. If *JOBCTL exists, the VRYCFG command prompt appears.
If the user does not have *JOBCTL, but is authorized to the
TAAVRYCFG authorization list, the VRYCFG2 TAA command prompt
appears. The prompts are controlled so that the user can only
vary on a device description.
10. Vary device off. The user must have either *JOBCTL special
authority or be authorized to the TAAVRYCFGO authorization
list. The VRYCFGOFF command prompt appears. The prompt is
controlled so that the user can only vary off a device
description.
Checking the current user
-------------------------
In some environments, the device to be used is in an open area and
only the normal user at the device should be authorized to certain
menu options.
An option with the TAASECOFR2 authorization list exists to assist in
controlling this situation. The default for the authorization list
is the *PUBLIC user has *EXCLUDE authority. This prevents any user
from accessing the menu.
1. If the user (or *PUBLIC) has *USE authority, the user is
forced to enter his password before the menu is displayed.
The CHKPWD command is prompted for. This would be a solution
for devices that are in an open area.
2. If the user (or *PUBLIC) has *CHANGE authority to TAASECOFR2,
the menu is displayed without any password check. This would
be a solution for devices that are in a controlled area.
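The following CL commands are an added example, not part of the TAA Tools documentation or the tool's shipped code. They show how the TAASECOFR2 menu list and the option-level authorization lists named in the menu description above would be populated for two assumed users: HELPDESK1, who works at a device in an open area, and ASSTSEC1, who works in a controlled area. The user names are assumptions; the authorization list names are the ones this document gives. The document only says a user must be "authorized to" an option list, so *USE on the option lists is also an assumption.

```cl
/* Added example, not TAA Tools code. HELPDESK1 and ASSTSEC1 are      */
/* assumed user names; the authorization list names are from the      */
/* SECOFR2 documentation. Type at a command line or place in a CLP.   */

/* TAASECOFR2 is shipped *PUBLIC *EXCLUDE, which keeps the menu        */
/* hidden from everyone not named below. Leave that entry alone.      */
DSPAUTL    AUTL(TAASECOFR2)

/* Open-area device: *USE makes SECOFR2 prompt CHKPWD for the user's   */
/* password every time the menu is used.                               */
ADDAUTLE   AUTL(TAASECOFR2) USER(HELPDESK1) AUT(*USE)

/* Controlled area: *CHANGE shows the menu with no password check.     */
ADDAUTLE   AUTL(TAASECOFR2) USER(ASSTSEC1) AUT(*CHANGE)

/* Menu access alone runs nothing. Each option is gated by its own     */
/* list, so authorize only the options each user needs (*USE on the   */
/* option lists is assumed to be sufficient).                          */

/* HELPDESK1: display profiles, reset forgotten passwords (INZPWD and  */
/* INZPWD2 are both controlled by TAAINZPWD) and re-enable profiles.  */
ADDAUTLE   AUTL(TAADSPUSR2) USER(HELPDESK1) AUT(*USE)
ADDAUTLE   AUTL(TAAINZPWD)  USER(HELPDESK1) AUT(*USE)
ADDAUTLE   AUTL(TAAENAUSR)  USER(HELPDESK1) AUT(*USE)

/* ASSTSEC1: the same options plus disable, change, copy, delete       */
/* and vary off (ASSTSEC1 is assumed not to hold *JOBCTL, so the      */
/* VRYCFG2 / VRYCFGOFF lists are needed for options 9 and 10).        */
ADDAUTLE   AUTL(TAADSPUSR2) USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAAINZPWD)  USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAAENAUSR)  USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAADSAPRF)  USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAACHGPRF2) USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAACPYUSR2) USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAADLTUSR2) USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAAVRYCFG)  USER(ASSTSEC1) AUT(*USE)
ADDAUTLE   AUTL(TAAVRYCFGO) USER(ASSTSEC1) AUT(*USE)

/* Verify: each list should show *PUBLIC *EXCLUDE plus the intended    */
/* users and nothing else. Repeat for every list touched above.        */
DSPAUTL    AUTL(TAASECOFR2)
DSPAUTL    AUTL(TAAINZPWD)
```

ADDAUTLE fails if the user already has an entry on the list; use CHGAUTLE AUTL(...) USER(...) AUT(...) to change an existing entry, and RMVAUTLE AUTL(...) USER(...) to take an option away again. Keeping HELPDESK1 off the disable, change, copy and delete lists is the point of the per-option lists: the menu shows the same options to everyone, but each command checks its own list.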
Departmental Security Officer Concept
-------------------------------------
The default for all of the tools on the menu is that the user must be
authorized to a TAA authorization list. The 'Vary on device' option
may also be used by a *JOBCTL special authority user.
If the user is authorized to one or more of the user profile options,
any user profile may be operated on with certain exceptions. For
example, a tool like INZPWD prevents certain profiles (such as
QSECOFR) and allows for a list of additional user profiles which
cannot be initialized.
The default is intended to allow an assistant security officer to
handle the everyday functions of a Security Officer.
Departmental security
---------------------
You may set up an environment for a 'Departmental Security Officer'
in which multiple Assistant Security Officers exist, each managing
a separate set of user profiles. A 'Departmental Security Officer'
can only manage the user profiles under his control. You can
combine the 'Departmental Security Officer' function with an
Assistant Security Officer who can control any user profile
(existing restrictions such as with INZPWD are still honored).
The following rules exist:
1. If the TAADPTSEC authorization list exists, the user must be
authorized to the appropriate TAAxxx authorization list for
the desired SECOFR2 function and have one of the following:
-- All rights (typical of an owner) to any profile
named on the command prompt. For example, to
initialize a password, the user must have all rights to
the profile to be initialized.
-- *USE authority to the TAADPTSEC authorization list.
This concept allows an assistant security officer who
can cross departmental boundaries.
Any existing restrictions with the sub tools such as INZPWD are still
honored.
To provide for a Departmental Security Officer, do the following:
1. Use the TAA Tool command CRTDPTSEC (no parameters exist).
This will create the TAADPTSEC authorization list. You must
have *ALLOBJ special authority to use CRTDPTSEC.
2. Change the ownership of the user profiles of all profiles for
a given set of users to be owned by each Departmental Security
Officer.
A typical command would be:
CHGOBJOWN OBJ(USER1) OBJTYPE(*USRPRF) NEWOWN(xxx)
To provide for an Assistant Security Officer who can manage any
profile regardless of ownership, authorize the Assistant Security
Officer to the TAADPTSEC authorization list such as:
EDTAUTL AUTL(TAADPTSEC)
When the display appears, enter the Assistant Security Officer name
and specify *USE authority. Existing restrictions such as with the
INZPWD tool will still exist.
Note that any user with *ALLOBJ authority is implicitly authorized to
TAADPTSEC.
If you have set up for Departmental Security and want to return to
normal SECOFR2 security, just delete the TAADPTSEC authorization
list.
DLTAUTL AUTL(TAADPTSEC)
Note that this will cause any existing Departmental Security Officers
to become Assistant Security Officers.
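As an added example (not TAA Tools code), the commands below carry the Departmental Security setup described above through for two assumed departments. DPTSALES and DPTACCT are the assumed Departmental Security Officer profiles, SLS01, SLS02 and ACT01 are assumed user profiles in their departments, and ASSTSEC1 is the assumed Assistant Security Officer who may act on any profile. CUROWNAUT(*REVOKE) is a standard parameter of the system CHGOBJOWN command (and its default), shown explicitly because of what it means for the "all rights" rule.

```cl
/* Added example, not TAA Tools code. DPTSALES, DPTACCT, ASSTSEC1,   */
/* SLS01, SLS02 and ACT01 are assumed profile names; the              */
/* authorization list names are from the SECOFR2 documentation.       */

/* 1. Create TAADPTSEC (the command user needs *ALLOBJ). From this    */
/*    point every SECOFR2 user-profile option also checks that the    */
/*    caller has all rights to the named profile or *USE on TAADPTSEC.*/
CRTDPTSEC

/* 2. Give each department's profiles to its own Departmental         */
/*    Security Officer. CUROWNAUT(*REVOKE) is the CHGOBJOWN default;  */
/*    it is written out here because a previous owner who kept a      */
/*    private *ALL authority would still satisfy the "all rights"     */
/*    rule for that profile.                                          */
CHGOBJOWN  OBJ(SLS01) OBJTYPE(*USRPRF) NEWOWN(DPTSALES) CUROWNAUT(*REVOKE)
CHGOBJOWN  OBJ(SLS02) OBJTYPE(*USRPRF) NEWOWN(DPTSALES) CUROWNAUT(*REVOKE)
CHGOBJOWN  OBJ(ACT01) OBJTYPE(*USRPRF) NEWOWN(DPTACCT)  CUROWNAUT(*REVOKE)

/* 3. Ownership is not enough on its own: the departmental officers   */
/*    still need the option-level lists (*USE assumed sufficient).   */
/*    DPTSALES can then initialize SLS01's password but not ACT01's,  */
/*    because DPTSALES has no rights to ACT01 and is not on TAADPTSEC.*/
ADDAUTLE   AUTL(TAASECOFR2) USER(DPTSALES DPTACCT) AUT(*CHANGE)
ADDAUTLE   AUTL(TAAINZPWD)  USER(DPTSALES DPTACCT) AUT(*USE)
ADDAUTLE   AUTL(TAAENAUSR)  USER(DPTSALES DPTACCT) AUT(*USE)
ADDAUTLE   AUTL(TAADSAPRF)  USER(DPTSALES DPTACCT) AUT(*USE)

/* 4. One Assistant Security Officer who may act on any profile       */
/*    regardless of owner: *USE on TAADPTSEC, the same entry the      */
/*    text makes with EDTAUTL AUTL(TAADPTSEC). Users with *ALLOBJ     */
/*    are implicitly authorized and need no entry.                    */
ADDAUTLE   AUTL(TAADPTSEC) USER(ASSTSEC1) AUT(*USE)

/* 5. Checks: the owner of each departmental profile, and that        */
/*    TAADPTSEC lists only *PUBLIC *EXCLUDE plus ASSTSEC1.            */
DSPOBJAUT  OBJ(SLS01) OBJTYPE(*USRPRF)
DSPOBJAUT  OBJ(ACT01) OBJTYPE(*USRPRF)
DSPAUTL    AUTL(TAADPTSEC)

/* To go back to normal SECOFR2 behaviour, delete the list as the     */
/* text describes; the departmental officers then become Assistant    */
/* Security Officers for every profile they are option-authorized to. */
/* DLTAUTL   AUTL(TAADPTSEC)                                          */
```

The INZPWD, DSAUSRPRF and other sub-tool restrictions (QSECOFR, profiles with *ALLOBJ or *SERVICE, and any names added with EDTCONARR in TAASECURE) still apply to a Departmental Security Officer even for profiles he owns, so this setup narrows what each officer can touch; it does not widen it.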
CRTDPTSEC Command *CMD
-----------------
The command has no parameters. It is used to create the TAADPTSEC
authorization list to allow for Departmental Security. The user of
the command must have *ALLOBJ special authority.
Restrictions
------------
See the discussion of the TAADPTSEC authorization list for
Departmental Security.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHGUSRPRF2 Change user profile nbr 2
CHKALLOBJ Check *ALLOBJ special authority
CPYUSRPRF2 Copy user profile nbr 2
DLTUSRPRF2 Delete user profile nbr 2
DSAUSRPRF Disable user profile
DSPERRMSG Display error message
DSPUSRPRF2 Display user profile nbr 2
ENAUSRPRF Enable user profile
FMTLIN Format line
INZPWD Initialize password
VRYCFGOFF Vary configuration off
VRYCFG2 Vary configuration 2
Implementation
--------------
The tool is ready to use, but the user must be authorized to the
commands which are performed by the options.
** DSAUSRPRF. The TAA Tool command is controlled by the
TAADSAPRF authorization list.
** DSPUSRPRF2. The TAA Tool command is controlled by the
TAADSPUSR2 authorization list.
** INZPWD. The TAA Tool commands are controlled by the TAAINZPWD
authorization list.
** ENAUSRPRF. The TAA Tool command is controlled by the
TAAENAUSR authorization list.
** CHGUSRPRF2. The TAA Tool command is controlled by the
TAACHGPRF2 authorization list.
** CPYUSRPRF2. The TAA Tool command is controlled by the
TAACPYUSR2 authorization list.
** DLTUSRPRF2. The TAA Tool command is controlled by the
TAADLTUSR2 authorization list.
** VRYCFG. The system command is shipped with *PUBLIC authority.
However, the user must have the special authority *JOBCTL or
be authorized to the TAAVRYCFG authorization list. Selective
prompting is used to control what parameters are valid to be
entered from the menu option. The user is only allowed to
'vary on' a device.
** VRYCFGOFF. The TAA command is controlled by the TAAVRYCFGO
authorization list.
To set up Departmental Security, see the previous discussion.
Objects used by the tool
------------------------
Object       Type    Attribute   Src member   Src file
------       ----    ---------   ----------   ----------
SECOFR2      *MENU
CRTDPTSEC    *CMD    CLP         TAASEDB2     QATTCMD
TAASEDBC     *PGM    CLP         TAASEDBC     QATTCL
TAASEDBC2    *PGM    CLP         TAASEDBC2    QATTCL
TAASEDBC3    *PGM    CLP         TAASEDBC3    QATTCL
TAASEDBD     *FILE   DSPF        TAASEDBD     QATTDDS
* TAADPTSEC  *AUTL
The TAADPTSEC authorization list is not shipped. Create it with the
CRTDPTSEC command if required.
The TAASEDBC3 program adopts authority to access the INZPWD values
from TAASECURE.