|
SFS Security
and Administration Issues |
|
|
|
|
SFS ADMIN authorization is too powerful
|
| Users with native SFS ADMIN
authorization have complete control over, and access to, the entire
contents of the file pool. All other users control only the objects
they own. Most VM installations need to delegate a subset of
administration functions to their help desk staff – Enrolling/Deleting
users, Modifying allocation (usage) limits, and helping with
authorizations. You have to choose between tasking expensive systems
programmers with this duty or expose your system to potential security
exposures by giving help desk technicians far more authority than they
require. |
|
|
|
|
SFS Catalogs are large and take a very
long time to backup
|
| SFS Catalogs contain
tremendous amounts of data to maintain the authorization information.
A typical SFS file pool can take 10 hours to back up and about 20
hours to restore. |
|
|
SFS users can undo administrator
specified security authorizations
|
| SFS authorizations can be created by administrators and deleted by
your users. You cannot guarantee that a user or application can access
information, such as a .WEB directory. You cannot guarantee that a user
may accidentally share information with someone that they should not.
|
|
|
|
User/Application Concerns |
|
|
SFS authorizations do not apply to sub-directories
or their contents |
| SFS authorizations do not apply to sub-directories or their contents.
This forces you and your users to define and manage authorizations for
sub-directories as separate objects. |
|
|
SFS users cannot create directories in file spaces they
don’t own |
| SFS authorizations do not allow users or applications to create directories
in file spaces that they do not own. This requires you to intervene whenever
a directory needs to be created in a different file space. |
|
|
SFS has a complicated and confusing user interface
|
| SFS authorizations are defined using a complicated, confusing line
mode interface. This consistently leads to errors when creating security
authorizations, and requires SFS administrator time to be spent assisting
end users and determining why a user or application cannot access data.
|
|
|
SFS authorizations only apply to one file pool
|
| SFS authorizations apply only to one file pool. If similar security
is desired across multiple file pools, authorizations must be replicated
and then manually maintained. |
|
|
SafeSFS Solves
Your SFS Security and Administration Issues |
|
SafeSFS address all of the SFS Administration Issues. |
|
| SafeSFS enables you to delegate responsibility to your help desk staff
or end users.
|
| SafeSFS reduces the authorizations you manage from hundreds of thousands
to hundreds. |
| |
| SafeSFS speeds up your backups and restores by 90%. |
| |
| SafeSFS enables you to guarantee access to data for applications and ensure
that security exposures do not occur. |
| |
| SafeSFS allows you to use acigroups and dynamic pattern matching. |
| |
| SafeSFS gives your users and applications the SFS features that they miss
the most. |
|
SafeSFS Solves Security and Administration Issues |
|
|
SafeSFS provides distributed, flexible SFS security
and user administration
|
|
| With SafeSFS, you define SafeSFS Managers who perform security and
user administration tasks. The scope of these tasks may be limited to individual
users or groups of users using Acigroups or pattern matching. You can quickly
and easily distribute your SFS security and administration. VM:Secure™
Directory Manager authorizations can be used for seamless SFS administration.
|
|
|
SafeSFS provides dynamic Acigroup support and
dynamic pattern matching |
| SafeSFS provides the ability to control SFS security and user
administration by Acigroup. SafeSFS rules may contain pattern matching
for each and every token of the requestor and target, enabling you to control
a vast number of users and SFS objects with a very small number of SafeSFS
rules. |
|
|
SafeSFS removes the authorization information
from SFS |
| SafeSFS rules are maintained in its database. This enables backup products
to quickly backup or restore SFS. SafeSFS typically reduces SFS backup
and restore time by over 90%. |
|
|
SafeSFS has a multiple level rule evaluation hierarchy
|
| SafeSFS rules have multiple levels designed to provide complete control
while still providing flexible security administration. Security exposures
are eliminated. SafeSFS administrators may provide or restrict access to
SFS resources at system wide, Acigroup, or user levels. All three levels
cannot be overridden by end users. VM:Secure customers will find this to
be a familiar concept. |
|
|
SafeSFS rules apply to sub-directories
|
| SafeSFS directory rules apply to the directory, the contents of that
directory, and all sub-directories and their contents. SafeSFS REJECT rules
can be used to prevent access to sub-directories. |
|
|
SafeSFS let's you control who can or can't
create directories in other file spaces
|
| SafeSFS rules control creation of directories. This allows end users
and applications to perform these tasks for themselves without waiting
for an SFS administrator. |
|
|
SafeSFS provides four user interfaces: Fullscreen,
Dirlist/Filelist, Xedit, & API
|
| The SafeSFS user interfaces allow end
users and administrators to define and maintain SFS security quickly
and easily. The API interface allows you to automate security tasks
using local applications. |
|
|
SafeSFS rules may apply to one or more file pools,
including remote file pools
|
| The SafeSFS service machine may be used to
control many file pools using one set of SafeSFS rules. When pattern
matching is used for file pool name, a single SafeSFS rule may be used
to control all or some of the file pools. |
|
|
SafeSFS Full Screen Interfaces |
|
|
|
An initial rule list, showing all the rules in a particular rule file.
You simply position the cursor and press a key to add, delete, or modify
a rule. |
|
|
|
| |
|
|
| After selecting Add, Model, or Update or when pressing the SafeSFS ADD
key in FILELIST or DIRLIST, you can easily allow users to access information
in SFS. |
|
|
|
|
Filelist/Dirlist Interface |
|
|
| SafeSFS integrates into the CMS Filelist and Dirlist interfaces. You can
type a SafeSFS command over an entry or simply position the cursor next
to a file or directory and press the SafeSFS ADD key to enter the SafeSFS
Rule Add interface. |
|
|
|
|
Runs with any VM/CP security product.
SafeSFS is a standalone security solution. It also integrates well with
your existing CP security solution to leverage your current solution. |
Application program interface
SafeSFS provides commands that may be issued
from the CMS command line or from within application programs to manipulate
SafeSFS rules or perform other SafeSFS tasks. |
|
Flexible security for SFS data
served by a VM Webserver
SafeSFS eases the task of serving up data via VM based webservers by substantially
reducing the SFS authorizations required. |
Easy conversion and implementation
SafeSFS provides utilities to convert existing SFS authorizations to SafeSFS
rules. |
|
High performance and capacity
SafeSFS was designed with high performance and capacity in mind. End users
notice no change in response time and system overhead is insignificant. |
Flexible auditing and audit reporting
SafeSFS provides you with control over audit information. Utilities allow
flexible reporting of the audit information. |
|
File space sharing via co-owner rules
"Co-owner" is a concept that Safe Software introduced for SFS. Co-owner
rules allow a user to have the same capabilities over a file space as the
owning user. |
Alternate userid support (Diagnose X’D4’
or SFS CSL alternate id)
SafeSFS supports all forms of the CMS and CP alternate userid facilities.
This allows servers such as FTP and Web servers to perform work on behalf
of users using their security characteristics. |
|
XEDIT interface
SafeSFS provides an XEDIT interface that allows you to easily define and
manipulate SafeSFS rules using XEDIT. This interface is similar in look
and feel to the Sterling Software VM:Secure™ product’s "RULES"
command interface and reduces training costs for VM:Secure customers. |
Requires no system modifications
SafeSFS uses the SFS External Security Manager exit interface provided
and documented by IBM, and does not require any modifications to VM/ESA
or any of the VM/ESA components. |
