Of the many features and tools for monitoring and controlling the system offered in the ACMS monitor, three areas are most often used.
• Controlling and restricting terminal user environments
• Controlling and restricting the application
• Ability to dynamically make changes to the application without stopping work
In addition to using the VMS user authorization file (VMS SYSUAF), the ACMS monitor provides utilities to define which users and terminals have access to the ACMS system. Controlled terminals are terminals defined by one of these utilities to be owned by the ACMS monitor. These terminals are allocated by the ACMS monitor when the ACMS system is started. When a user presses the Return key, the ACMS monitor displays its login prompt. Unless the user has login access, the VMS system cannot be accessed. The user's access is restricted to only those ACMS functions that the user is permitted to invoke. This restriction prevents a user from damaging the integrity of data on the system. The ACMS monitor also allows access support for terminals that are automatically logged in to the ACMS system, such as a terminal on a shop floor. Such access is useful for unprivileged users who are not accustomed to computers. They can enter data without understanding the process for logging in to the system.
For application control, the ACMS monitor uses a protected directory, ACMS$DIRECTORY, to store the application definition files. The application authorization utility (AAU) ensures that special authorization is required for a user to make changes to an application.
In the ACMS monitor, the application is a single point of control. The ACMS/START APPLICATION and ACMS/STOP APPLICATION commands cause the execution controller for the application to be created and deleted. An operator can control the times when an application is accessible. For example, an application can be controlled to run only on Fridays or only between certain hours. The control of access times can also be used to restrict access while changes or repairs are made to the application. This type of access control is difficult to achieve with only the VMS system because the VMS system does not provide these capabilities.
The execution controller does access-control list checking that is specified for each task. This mechanism can restrict user access by function. For example, a user could have the privilege to make a particular update to a database but not have access to read or make changes to any other parts of that database. The execution controller achieves a much finer level of control than do the mechanisms of the VMS system or the database system.
DECintact Application Management
The DECintact monitor controls access to the whole system and to individual tasks by means of a security subsystem. The subsystem adds transaction processing-specific features to basic VMS security.

• User security profiles specify the DECintact user name and password (DECintact users are not required to have an entry in the VMS SYSUAF file); levels of security entitlement; inclusive and exclusive hours of permissible sign-on; menu entries authorized for the user. Only one user under a given DECintact user name can be signed on to the DECintact system at any one time on any one node.
• Dedicated terminal security profiles are used, in conjunction with user security profiles, to provide geographic entitlement.
• CAPTIVE and INITIAL_MENU user attributes restrict users to a specific menu level of functions and prevent the user from accessing outer levels.
• User-specific menus are menu entries for which an explicit authorization has been granted in the user profile and are the only menu items visible on the menu presented to terminal users. The DECintact monitor does include an exception for users who have an auditor privilege. Auditors can see all menu functions but must be specifically authorized to execute any single function.
• The subsystem provides the ability to dynamically enable or disable specific menu functions.
• Password revalidation is an attribute that can be associated with a menu function. If set, the user must reenter the DECintact user name and password before being allowed to access the function.

The DECintact monitor supports both controlled or dedicated terminals and terminals assigned LAT terminal server application ports, as does the ACMS monitor. These terminals are owned by, and allocated to, the DECintact system. When a user types any character at these terminals, a DECintact sign-on screen is displayed, and the user is prevented from logging in to the VMS system.
Digital Technical Journal Vol. 3 No. 1 Winter 1991

Geographic entitlement limits certain DECintact terminal-based functions to certain terminals or even to certain users on certain terminals. The three elements in geographic entitlement are as follows:
• The user security profile enables a function to be accessed by a certain user.
• The terminal security profile enables a function to be accessed at a certain terminal.
• A GEOG attribute is associated with a menu entry in the terminal manager/dispatcher's menu database. This attribute, when associated with a function, demands that there be an applicable terminal security profile before the function can be accessed.
Normally, if a function is enabled in a user profile, the user can access the function without further checks. If the GEOG attribute is associated with the function, however, that function must be enabled in the user profile and in the terminal profile before it can be accessed.
Geographic entitlement is frequently a requirement in financial environments which have specific and rigid security protocols. For example, a bank officer may be authorized to execute certain sensitive functions available only at dedicated terminals when the officer is signed-in at the home office. The same officer may be authorized to execute only a subset of less sensitive functions when signed-in from a branch office. Such sensitive functions can be protected by requiring that the user profile and the dedicated terminal profile enable the function.
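The decision rules described above (user profile, terminal profile, GEOG attribute, auditor visibility, dynamic disable, password revalidation) can be modeled as follows. This is an added illustration, not DECintact code: the class and function names, the sample menu entries and profiles, and the choice to put password revalidation on the sensitive entry are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class MenuEntry:
    name: str
    geog: bool = False        # GEOG attribute: terminal profile must also enable it
    revalidate: bool = False  # password revalidation attribute
    enabled: bool = True      # cleared/set by a dynamic disable/enable

@dataclass
class Profile:                # models both user and terminal security profiles
    name: str
    functions: set = field(default_factory=set)
    auditor: bool = False     # meaningful for user profiles only

def visible_menu(user, menu):
    """Entries shown to the user: authorized ones only, or all for an auditor."""
    return [e.name for e in menu
            if e.enabled and (user.auditor or e.name in user.functions)]

def can_execute(user, terminal, entry, revalidated=False):
    """Return (allowed, reason); terminal is None when no terminal profile applies."""
    if not entry.enabled:
        return False, "function disabled"
    if entry.name not in user.functions:   # auditors still need explicit authorization
        return False, "not enabled in user profile"
    if entry.geog and (terminal is None or entry.name not in terminal.functions):
        return False, "GEOG set: not enabled in terminal profile"
    if entry.revalidate and not revalidated:
        return False, "password revalidation required"
    return True, "ok"

# Constructed sample data modeled on the bank-officer scenario.
MENU = [MenuEntry("WIRE_TRANSFER", geog=True, revalidate=True),
        MenuEntry("BALANCE_INQUIRY")]
OFFICER = Profile("OFFICER1", {"WIRE_TRANSFER", "BALANCE_INQUIRY"})
AUDITOR = Profile("AUDIT1", set(), auditor=True)
HOME = Profile("HOME_OFFICE_TERM", {"WIRE_TRANSFER"})
BRANCH = Profile("BRANCH_TERM", set())

if __name__ == "__main__":
    wire, inquiry = MENU
    print(can_execute(OFFICER, HOME, wire, revalidated=True))
    print(can_execute(OFFICER, BRANCH, wire, revalidated=True))
    print(can_execute(OFFICER, BRANCH, inquiry))
    print(visible_menu(AUDITOR, MENU), can_execute(AUDITOR, HOME, wire))
```

The same officer is allowed the GEOG-marked function at the home-office terminal and refused it at the branch terminal, while the entry without GEOG is governed by the user profile alone.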
Applications and resources are controlled within the context of a DECintact copy's run-time and management environment. Multiple copies can be established on the same VMS system. Different groups of users can maintain a certain level of autonomy (e.g., separate applications and data files), but all users can also share some or all functions and resources of a given DECintact version. A typical example of this concept, that is, the ability to create multiple DECintact copies for isolation and partitioning, is the common practice of establishing development, acceptance testing, and production DECintact environments. Managing applications and resources within a development environment, for example, can differ from managing applications and resources within a production environment with a different system manager.
Transaction Processing, Databases, and Fault-tolerant Systems

Access to menu functions is controlled by the INTACT MANAGE DISABLE/ENABLE command. This command removes or restores specified functions dynamically from all menus in the DECintact copy and disables or enables their selection by subsequent users. (Current accessors of the specified function are allowed to complete the function.) The execution of single- and multithreaded applications or DECintact system components can be shut down by the INTACT MANAGE SHUTDOWN command. This command issues a mailbox request to the application or component, which then initiates an orderly shutdown. Access to the system by inclusive and exclusive time of day is controlled on a per-user basis through the DECintact security subsystem. In addition to these commands and functions, the queuing subsystem is managed by means of a queue management utility. This utility creates and deletes queues and queue sets, modifies queue and queue set attributes, and performs all other functions necessary for managing the DECintact queuing subsystem.
In general, the DECintact monitor's security and application control focuses on the front end by concentrating access checking at the point of system sign-in and menu generation. The ACMS system concentrates more on the back-end parts of the system by means of VMS access control lists (ACL) on specified tasks. The ACMS approach is built on VMS security and system access (the SYSUAF file) and reflects an environment in which the VMS system and the transaction processing security functions are typically performed by the same system management agency. The DECintact monitor's system access is handled more independently of the VMS system and reflects an environment in which transaction-processing-specific security functions may be performed by a different department from those of the general VMS security system.