The security option of ACCENT R provides full control over access to data and programs. The algorithms and logic in programs are as sensitive as data because they define how a company does business. Protection of programs is a part of the ACCENT R security option.
Access Control restricts who can access data and programs and provides control over read, update, and execute privileges. All files created by ACCENT R adheres to previously defined OpenVMS Access Control Lists for files and directories. Once a Data Base Library (DBL), Data Set (DS), or other System File (SF) is created, copied, or rebuilt by the user through ACCENT R, that file’s Access Control List will be maintained in the new version of the file.- Encryption provides the ability to encrypt data and programs. This prevents access to the data or programs outside of the ACCENT R environment. Encryption can be provided for a DBL as well as for the data associated with objects in the DBL.
Data Base Administrator (DBA) level - for administrative control over the security of the information system.- DBL Level - control of an entire Data Base Library (DBL).
- Individual DBL Object Level - the most restrictive control that is used where individual object security is important access control levels.
Each of these levels is discussed in more detail in the following paragraphs.
The purpose of the Data Base Administrator (DBA) level is to control who can assign security for the objects in a Data Base Library (DBL). For example, if an employee leaves the organization then the DBA can immediately change all the employee's passwords without knowing them.
Multiple DBA’s can be associated with the same DBL. Each DBA can have their own password. If necessary, an organization can require that more than one DBA be present before changing security.
DBA security access, if used, must be assigned to a DBL before any other security is set up. The reason is that a DBA has access to all objects in the DBL. Someone could assign DBA security for himself, bypassing any lower-level security that had been assigned, and access any object without knowing the passwords. ACCENT R will not allow DBA-level security to be assigned if any other security has already been assigned.
The DBA can pass the ability to change security on to either the DBL level or the individual object level through the ALTER security privilege.
Once DBA security is assigned, the DBA password(s) must be entered to assign security to an object, or the DBL security must have the ALTER security privilege. If changing security for an object, enter the DBA or DBL password, or the ALTER security privilege must be set for the individual object.
The DBA level only controls who can assign security, and does not password-protect the DBL or its objects. Password protection of the DBL and its objects must be assigned at the DBL level and the individual object level.
Data Base Library (DBL) security provides access control to all objects in the DBL. If specific objects in the DBL also have security assigned to them then enter either the DBL password (which gives access to all objects) or the object's password which identifies the authorized user. In this way total access can be provided for one group of users (DBL level) and individual object access for another group of users. Protection can also be provided for objects but allow users to execute Command Modules (CM) and Process Modules (PM).
If DBL security is assigned and no Data Base Administrator (DBA) security exists, then the DBL password must be entered to assign security to an individual object. If changing security for an object, enter either the DBL password or the ALTER security privilege must be set for the individual object.
Individual object security provides password protection of any given object in the DBL. If DBA or DBL level security has not been assigned then any user who has access to the account can assign security to any object in the DBL. Once security has been assigned to an object then its password must be entered in order to change it. Once DBA security has been assigned then only the DBA’s can assign new security to specific objects unless DBL security has also been assigned and the ALTER security privilege has been set.
DBL security must be assigned before security is assigned to any object in the DBL. ACCENT R will not allow DBL security to be assigned after individual objects in the DBL have been assigned security because someone could later add DBL security and have access to all the protected objects in the DBL.
It is recommended that Data Base Administrator (DBA) security be assigned to make it easy to administer security for objects in a Data Base Library (DBL) with sensitive data. For example, if someone in the organization leaves, or if access for a person must be changed, then the DBA has full control over all objects for which that person had responsibility.
The DBL level, unlike the DBA level, actually controls access to the DBL. Users can be allowed to execute Command Modules (CM) and Process Modules (PM), but be prevented from modifying or removing them.
A Data Base Library (DBL), a Data Set (DS), or a Data Index (DI) can be encrypted (ciphered). There are two ways of providing encryption protection. The first way is to prevent access from outside the ACCENT R environment, but permit access within ACCENT R without entering a cipher key (password). The second way is to specify that a cipher key must be entered to access encrypted data within ACCENT R.
Encryption protection is independent of the other levels of security. Always enter the cipher key to access an encrypted object even if Data Base Administrator (DBA) authorization has been set. There is no way for ACCENT R to decipher the data without the cipher key.
--------------------------------------------- WARNING ----------------------------------------------
If the cipher key is forgotten, access will be lost to the encrypted data.
-----------------------------------------------------------------------------------------------------------
Identify as an authorized Data Base Administrator (DBA) by entering a password with the PERMIT DBA command. Depending on how the DBA level of security was assigned, other DBA’s may have to enter their password before DBA authorization is set and changes can be made to security. Identify as being authorized to access a Data Base Library (DBL) or its objects by entering a password or cipher key in a PERMIT command. Enter a password with the PERMIT PASSWORD command in order to access a secured DBL or a secured object. Similarly, enter a cipher key with the PERMIT DBL command or the PERMIT KEY command in order to access an encrypted DBL, Data Set (DS), or Data Index (DI).
Several secured or encrypted Data Base Libraries (DBL) can be accessed at the same time. Secured individual objects, encrypted Data Sets (DS), or Data Indexes (DI) in different DBL’s can be accessed by using the IN DBL clause. Before giving the command or Process Module (PM) statement that accesses the DBL or object, enter the appropriate password or cipher key.
The security processing flowchart on the next page shows how the ACCENT R security package handles access requests for secured objects and the decisions that are made when checking the multiple levels of security. This logic is also shown in the pseudo-code on the next page.