Eliminating Password Exposure with the Stream Privilege Option [ HP Security Monitor/iX User's Guide ] MPE/iX 5.0 Documentation
HP Security Monitor/iX User's Guide
Eliminating Password Exposure with the Stream Privilege Option
This section explains how to reduce the chance of password exposure by
using the Stream Privilege option.
Stream Privilege Option Features
This option provides the following features:
* Allows system processes to stream jobs without passwords.
* Allows the System Manager, Account Manager, and job owners to
stream jobs without supplying passwords.
* Provides Stream Privilege Authorization to let users other than
System Managers, Account Managers, and job owners stream jobs
without supplying passwords.
When password verification is waived under this privilege, passwords are
ignored if present. Note that if the Embedded Password Disallowed option
is enabled, the stream attempt fails if an embedded password is present.
The Stream Privilege feature is independent of the Cross Streaming
restriction. System Managers, Account Managers and job owners always
have the right to stream jobs within their domain of control, even with
the cross streaming restriction in effect. On the other hand, they do
not have the right to bypass password authentication when the Stream
Privilege feature is not enabled.
Stream privilege can be granted at two levels:
1. System Managers, Account Managers, and job owners only. This is
the more restrictive of the two.
2. Additional authorization on protected jobs. This extends the
privilege to other users when streaming protected jobs to which
they have EXECUTE access.
Recommendation:
If nested jobs (jobs that are streamed from within another job) are used,
Stream Privilege should be enabled. This lets System Managers, Account
Managers, and job owners stream the nested job without passwords. (Make
sure any passwords are removed, and ensure the outer job has the proper
capability to stream the nested job.)
Similarly, enable the Stream Privilege when running device-direct jobs,
such as those that come directly from tapes. This lets these jobs run
without passwords.
When enabled, the Stream Privilege option also applies to system
processes. This is because system processes are associated with
MANAGER.SYS and therefore share the same attributes and capabilities.
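The recommendation above says to make sure any passwords are removed, and the Embedded Password Disallowed option fails a stream attempt when one is present. The following Python script is an added example, not part of the HP guide: it audits job files copied off the system as text and reports which job cards still carry an embedded password. It assumes the job card form `!JOB [jobname,]user[/pass].account[/pass][,group[/pass]]`, which this page does not show; the function names and the sample job text are constructed for illustration.

```python
import re

# Assumption (not shown on the page): job cards have the form
#   !JOB [jobname,]user[/pass].account[/pass][,group[/pass]][;options]
JOB_CARD = re.compile(r"^!JOB\s+(?P<logon>[^;\s]+)", re.IGNORECASE)

def embedded_password_fields(logon):
    """Name the logon fields (user, account, group) that carry a /password."""
    parts = logon.split(",")
    # The optional job name has no '.', so the first dotted part is user.account.
    idx = next((i for i, p in enumerate(parts) if "." in p), None)
    if idx is None:
        return []
    user, _, account = parts[idx].partition(".")
    group = parts[idx + 1] if idx + 1 < len(parts) else ""
    fields = (("user", user), ("account", account), ("group", group))
    return [name for name, value in fields if "/" in value]

def scan_job_text(text):
    """Return (line number, fields) per job card holding an embedded password.

    Password values are never returned, so the report is safe to circulate.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = JOB_CARD.match(line.strip())
        if match:
            fields = embedded_password_fields(match.group("logon"))
            if fields:
                findings.append((lineno, fields))
    return findings

# Constructed sample: an outer job, the nested job it streams, and a third job.
SAMPLE = """\
!JOB NIGHTLY,MGR/SECRET1.PROD/ACCTPW,PUB;OUTCLASS=LP,1
!COMMENT outer job streams a nested job
!STREAM INNER.JOBS.PROD
!EOJ
!JOB INNER,OPER.PROD
!EOJ
!JOB BATCH.FIN,DATA/GRPPW
!EOJ
"""

if __name__ == "__main__":
    for lineno, fields in scan_job_text(SAMPLE):
        print(f"line {lineno}: embedded password in {', '.join(fields)} field(s)")
```

Job cards reported here are the ones to clean up before the nested or device-direct jobs are streamed under the Stream Privilege option.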