Secure Connectivity
Access Control and AuthorizationAccess control provides controlled resource access based on a user’s identity, including the protection of files that you must shield from prying eyes and malicious or unintentional modification. Access control supports authorization, which establishes users’ rights. But authorization also controls administrative tasks such as backup/restore, adding and assigning privileges to other users and allowing certain operational tasks to be performed remotely. It’s a Trade-offThe security protections you implement depend on your requirements, particularly your evaluation of the trade-offs. Security is always a trade-off among ease of use, administration costs and the value of the data protected. You wouldn’t keep your wallet in a safety deposit box at a bank, would you? While it might be very secure, the convenient access you need is missing so it’s not a practical solution. ClearPath systems give you the flexibility you need to tailor your access control and make the appropriate trade-offs for your site. OS 2200 offers a wide range of security protections, from minimal security to security that meets the most stringent, governmental, top-secret requirements. In fact, OS 2200 access controls are superior to offerings found on most other operating systems and include object ownership and both mandatory and discretionary access controls. Here are some of the solutions you might implement:
Public and Private FilesYou can create public files when you want to let everyone read and write the files. On the other hand, you can create private files that only you, their creator, can access. Access Control RecordsOften you need a level of file access control that is between completely public and completely private. For these “semiprivate” files, Access Control Records (ACRs) are the solution. Users can attach ACRs to files they create to control who can access them. Discretionary and Mandatory Access ControlsWith discretionary access controls, users control access to the files that they own. In contrast, mandatory access controls provide tighter administrative control of security. Only administrators, not users, can make changes to a file’s security labels. OS 2200 also lets you implement additional mandatory access controls via clearance levels or compartments – features that are available only in mainframe-class operating systems. Clearance LevelsClearance levels can be very useful if you want an hierarchical structure for access authority. Your files are automatically classified in a range – from most confidential to public domain – depending on the clearance level of each user. And these files can be accessed only by those who’ve been given a sufficient clearance level. CompartmentsCompartments are non-hierarchical, giving you multiple categories of data on one system. Let’s say you’re running a financial application and an order-entry application on the same ClearPath system. There’s no chance that your financial users could even accidentally create a file that could be read by your order-entry users – when you use compartments. AuthorizationOS 2200 gives you fine-grained control over operating system calls, security levels, compartments and security privileges, so you can implement the “least privilege” security policy that gives a user or program no more than the privileges needed to do a specific job.
|
