Securing the Database by using SSM and GSSM
This section describes the use of the SSM (System Security Maintenance) and GSSM (Global Security System Maintenance) commands, which are available in the SYSMAN account. It provides an overview of the security facilities that can be configured using SSM and GSSM and describes how to use them.
SSM also allows you to set up operating environments. These are named collections of settings that change the way in which Reality functions. They can be used for backwards compatibility with earlier versions of Reality or to simplify migration from other MultiValue systems.
GSSM extends the capabilities of SSM to allow you to create and update multiple network, user, and security profiles at the same time, based on a new or existing profile. The list of profiles to create or update can be provided by (all or part of) an active SELECT list, or the list can be created on the fly.
Note
Other security controls can be set up at account and file level; these are described in Database Account Management.
Introduction
Network profiles
Network profiles are maintained by using SSM Option 1 - Define Network Profiles to access the NETWORK FILE MAINTENANCE screen. Network profiles define the characteristics and some security restrictions that are always applied when logging on from a particular physical location or group of locations. Additional security can be applied for particular locations depending on the user-id. Network profiles are identified by Physical Location Identifiers (PLIds or partial PLIds) and are held as items in the NETWORK system file in the SYSMAN account.
PLIds are explained in the topic Location-based Security.
User profiles
User profiles are maintained by using SSM Option 2 - Define User Profiles to access the USERS FILE MAINTENANCE screen. User profiles define the security restrictions to be applied when attempting to log on to a database under a specified user-id. User profiles are identified by user identifiers (user-ids) and are held as items in the USERS system file in the SYSMAN account, which contains a user profile item for each user-id allowed to access the database. Refer to User-based Security for more details.
Security profiles
Security profiles are maintained by using SSM Option 3 - Define Security Profiles to access the SECURITY FILE MAINTENANCE screen. Security profiles define allowed and disallowed database access and can be assigned to particular user-ids and locations (PLIds) through the user profile. They are identified by profile-ids and are held as items in the SECURITY system file in the SYSMAN account.
Refer to User-based Security for more information.
Environments
Operating environments are named collections of environment settings that change the way in which Reality functions. For example, you might create an environment for backwards compatibility with an earlier version of Reality, or to simplify migration from a different type of MultiValue system. Several predefined environments are provided, which you can use either directly or as templates for creating your own environments.
Environments are maintained by using SSM Option 4 - Define Environment Settings (or the DEFINE-ENVIRONMENT TCL command) to access the ENVIRONMENT CONFIGURATION screen and are held in the ENVIRONMENT system file in the SYSFILES account.
It is recommended that you associate the environments you create with user profiles, so that each user is given a suitable profile at log on. In addition, an option in the user's security profile allows you to specify the action to be taken if the environment specified for the user cannot be found or is invalid.
You can apply an environment when needed with the SET-ENVIRONMENT TCL command, and you can set and clear environment options with the
The options that are currently set can be listed with LIST CUSTOM.OPTIONS.
Data encryption
Data encryption makes your data more secure and also allows you to control which users can access particular files. SSM Option 5 - Encryption Key Maintenance allows you to set up the encryption keys that will both protect and provide access to your data.
Password definitions
Password definitions allow you to define the valid composition of passwords including minimum and maximum length; allowed patterns of alphabetic, numeric and special characters; sequences of ascending or descending characters; and so on. SSM Option 6 - Define Password Definitions allows you to set up password definitions for both user passwords and account passwords.
Password definitions are stored as items in the PW.DEFINITIONS system file in the SYSMAN account. The file includes DEFAULT user and account password definitions that are used whenever no particular password definition is specified.
A user password definition is linked to a particular user through their user profile. Several users can share the same password definition.
An account password definition is linked to an account simply through having the same name as the account. However, an account password definition item can be a synonym to another account password definition, so several accounts can effectively share the same password definition.
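The lookup rules above (user profile link, same-name account link, synonyms, DEFAULT fallback) can be modelled to audit which definition effectively governs each user and account. This is an added Python sketch, not Reality code: the `PwDef` fields, the dictionaries standing in for PW.DEFINITIONS and USERS items, and the handling of chained or dangling synonyms are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PwDef:  # hypothetical fields, not the real item layout
    min_len: int
    max_len: int
    max_run: int  # longest ascending/descending run allowed ("abc", "321")

# Constructed sample data standing in for PW.DEFINITIONS and USERS items.
USER_DEFS = {"DEFAULT": PwDef(8, 32, 3), "ADMINS": PwDef(14, 64, 2)}
ACCOUNT_DEFS = {"DEFAULT": PwDef(6, 16, 3), "PAYROLL": PwDef(12, 32, 2),
                "HR": "PAYROLL"}  # a str value models a synonym item
USER_PROFILES = {"alice": "ADMINS", "bob": None}  # user-id -> definition

def resolve_user(user_id):
    # Definition named in the user profile, else the DEFAULT user definition.
    name = USER_PROFILES.get(user_id) or "DEFAULT"
    return name if name in USER_DEFS else "DEFAULT"

def resolve_account(account):
    # Same-named definition, following synonyms to the real item.
    name, seen = account, set()
    while name in ACCOUNT_DEFS and name not in seen:
        seen.add(name)
        target = ACCOUNT_DEFS[name]
        if isinstance(target, PwDef):
            return name
        name = target
    return "DEFAULT"  # assumption: missing, dangling or circular -> DEFAULT

def effective_sharing(accounts):
    # Group accounts by the definition that actually governs them.
    groups = {}
    for acct in accounts:
        groups.setdefault(resolve_account(acct), []).append(acct)
    return groups

def longest_run(pw):
    # Length of the longest strictly ascending or descending character run.
    best = run = 1 if pw else 0
    step = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        run = run + 1 if d == step and d in (1, -1) else (2 if d in (1, -1) else 1)
        step = d
        best = max(best, run)
    return best

def violations(pw, d):
    checks = {"length": d.min_len <= len(pw) <= d.max_len,
              "sequence": longest_run(pw) <= d.max_run}
    return [name for name, ok in checks.items() if not ok]
```

Running `effective_sharing` over the full account list shows which accounts depend on a single definition through synonyms, so a change to that one item can be reviewed against everything it affects.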