Secure Access Control Module

Product Overview

Secure Access Control Module is a controlled-access protection security module that enables you to invoke additional system-wide security features to protect critical information. Secure Access Control enforces accountability of individual actions through log-on procedures, audit, and resource isolation. Password generation and password aging capabilities are available to reduce the threat of password compromise and to assist the security administrator in password management activities.

General Features

Secure Access Control enables an installation to define one or more security administrators to identify who has access to the system and what resources can be accessed. An administrator can enforce log-on procedures by requiring users to periodically update their passwords. An optional password generation feature ensures the use of passwords that cannot be easily guessed.

Auditing of the system is critical to the process, and extensive, flexible reports can be generated as needed. You can dynamically select the audit options you need, and a “spot checking” option lets you selectively turn auditing on and off for specific requirements. After you acquire audit information, you can perform selective filtering to produce your reports.

Secure Access Control provides the following features:

  • System-enforced security-administrator status

  • Password aging

  • Password generation

  • Simplified security administration

  • Tape security

  • Logging activities associated with a mix number

  • Selective SUMLOG access

Secure Access Control is integrated with other system software products to ensure a high level of resource restriction at multiple levels. Additional levels of protection guard against the importation of code files from unknown or unreliable sources. Limited access can be granted to disk files, as well as tape volumes. To further restrict access to information, the operating system can scrub disk areas that are to be returned to the pool of available areas so that no one can inadvertently access information left over from prior functions.

Secure Access Control security features are also available as the following security feature groups. A ClearPath server running all of these security feature groups has the same security features as a system running the Secure Access Control Module product.

  • Password Management Facility

  • Secure Accountability Facility

  • Secure Identification Facility

Password Management Facility

The Password Management Facility enables you to designate a lifetime and a warning period for passwords. When a password reaches a certain age, the user is warned by the system that the password is to expire in a certain number of days. At the end of that time, the password no longer allows the user to access the system. You have the software-supported option of either allowing users with expired passwords to generate new passwords for themselves, or requiring users to request new passwords from the security administrator. This functionality applies to passwords associated with both usercodes and accesscodes.

In addition, the PASSWORDCHANGE security option enables you to install a custom library to validate passwords against local rules when passwords are changed. For example, a rule might require that the password be different from the usercode or that the password contain a variety of characters such as lowercase letters, uppercase letters, numbers, and special characters.

Secure Accountability Facility

The Secure Accountability Facility includes the following software groups:

Audit

This group includes those selective logging features that have not been bundled with the MCP. Specifically, these features include result and visibility information and the spot-check capabilities of the LOGSELECT attribute and the LG system command.

Object Reuse and Access Control

This group includes the features controlled by the PROGDUMPFILTER, DISKSCRUB, TAPESCRUB, NONUSERFILES and USERCODEDBACKUP security options.

Tape Security

This group includes maintenance of the volume directory that allows security attributes to be associated with tape volumes that are controlled by the TAPECHECK security option.

Secure Identification Facility

The Secure Identification Facility includes the following groups:

User History Profile

This group includes the maintenance of last log-on and batch use information and the accumulation of security violations.

Security Administrator Privilege

This group includes the ability to enable security administrator status on the system.

Ordering Information

Secure Access Control Module is included as part of the operating environment for ClearPath servers. Source code is available for this product. It is included as part of the operating environment source products, which you can license separately.

Product Information

Refer to the MCP Security Overview and Implementation Guide (8205 7498) for more information.