HP 3000 Manuals

Security Overview [ Information Access Server: System Management ] MPE/iX 5.0 Documentation


Information Access Server: System Management

Security Overview 

Access Server adds its own level of security to that of IMAGE and MPE in
protecting your data.  The following provides an overview of Access
Server security.  (For details, see the Information Access Server: 
Database Administration manual.)

Deciding Who Can Access Data 

During Access Server configuration, the primary DBA and secondary DBAs
use the Administrator Utility to define who the users are.  Both the
primary DBA and secondary DBAs can use the Administrator Utility to
define what data the users can see.

Access Server uses access groups, table security, and item security to
control the availability of data.  Note that these access groups are
different from MPE groups.  They supplement MPE security.

Protecting Users' Saved Data 

PC users have six ways to save data on the host HP 3000:

   *   As DIF files, for use in Deluxe VisiCalc/3000.

   *   As SD files, for use in graphics products.

   *   As ASCII files, for use in text editors.

   *   As binary files, suitable for reading by a COBOL application on
       the HP 3000, with no formatting information, and numeric data
       stored in an unconverted form.

   *   As BRW/IRF files, for output to Business Report Writer format.

   *   As saved tables, for later manipulation in Access PC.

DIF, SD, ASCII, binary, and BRW/IRF files are kept in the MPE group in
which the PC user is logged on, unless the user specifies another group
through Access PC. The MPE security associated with the user's group and
account provides protection for this data.

Saved table data is kept as privileged MPE files in the group
PPCSAVE.HPOFFICE, and can be accessed only by an authorized Information
Access user.  The creator name will be the MPE user name under which the
user is logged on.

Access Across Account Boundaries 

If data on the host system must be accessed across group and/or account
boundaries, sources of data must be released for read access.


NOTE  The same holds true for remote data residing in an account other
      than the one specified in the logon defined for the remote system.
      You can, however, maintain remote data security by first
      configuring the same Node several times with different Remote
      System names and different logons, then configuring your remote
      databases using the Remote System name that logs on to the account
      in which it resides.

To release data:

   *   Use the :ALTGROUP and :ALTACCT commands to allow access to the
       data group and account.  This relaxes MPE file security for all
       files in the group and account, leaving IMAGE security on your
       database files intact.

   *   Individual files within a group can be made available through the
       :ALTSEC command or the :RELEASE command.  Use RELEASE with
       caution, as this totally turns off security for a file, allowing
       it to be purged (:PURGE) by any system user.

   *   Or use the RELEASE command in DBUTIL.PUB.SYS. This relaxes MPE file
       security for database files, but leaves it intact for other files
       in the group and account.

Securing the Administrator Utility

There is no security on the Administrator Utility when you install Access
Server.  We strongly recommend that the DBA follow these steps before
configuring Access Server:

   *   Disable Access Server to prevent users from accessing the data
       before security is assigned.

   *   Assign a lockword to the program file ADMIN, to prevent
       unauthorized users from running the Administrator Utility and from
       enabling or disabling Access Server.

   *   Assign a password to the user ADMIN and change it often.  ADMIN has
       no password when Access Server is installed.  (The user ADMIN is an
       Access Server user, not an MPE user.)

The user OPERATOR can only enable or disable Access Server, but has no
access to any data in the Administrator Utility.  It is predefined with
the password OPERATOR that can be changed later.
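The release options listed under Access Across Account Boundaries, written out as an MPE session with the commands that reverse them. This is an added example, not text from the HP manual. The account SALES, group ORDERS, file PRICES and database ORDDB are placeholder names, and the access lists are one possible read-only choice rather than a recommended setting from the manual.

```mpe
:COMMENT Added example. SALES, ORDERS, PRICES and ORDDB are placeholders.
:COMMENT Option 1: whole account and group (run as system manager).
:COMMENT Grants only read to ANY; the other access modes stay with
:COMMENT account members (AC) and group users (GU).
:ALTACCT SALES;ACCESS=(R:ANY;A,W,L,X:AC)
:ALTGROUP ORDERS.SALES;ACCESS=(R:ANY;A,W,L,X,S:GU)
:COMMENT Display the group's resulting security settings.
:LISTGROUP ORDERS.SALES

:COMMENT Option 2a: one file. ALTSEC changes only that file's access
:COMMENT matrix; the group and account settings still apply on top of it.
:ALTSEC PRICES.ORDERS.SALES;ACCESS=(R:ANY;A,W,L,X:CR)

:COMMENT Option 2b: RELEASE suspends all MPE security on the file, so
:COMMENT any user can purge it. Run SECURE to restore security as soon
:COMMENT as the cross-account access is no longer needed.
:RELEASE PRICES.ORDERS.SALES
:SECURE PRICES.ORDERS.SALES

:COMMENT Option 3: database files only, through DBUTIL. Run it as the
:COMMENT database creator, logged on in the database's group.
:RUN DBUTIL.PUB.SYS
>>RELEASE ORDDB
>>EXIT

:COMMENT Later, to restore MPE file security on the database:
:RUN DBUTIL.PUB.SYS
>>SECURE ORDDB
>>EXIT
```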

