SafeSFS Enables Efficient & Secure SFS Administration

SafeSFS enables you to effectively and efficiently manage your use of the Shared File System (SFS). SFS provides you with many benefits, but these come at the cost of several administration and security issues that have prevented VM installations from partially or fully taking advantage of SFS.

SFS Security and Administration Issues


Administration Concerns


SFS ADMIN authorization is too powerful

Users with native SFS ADMIN authorization have complete control over, and access to, the entire contents of the file pool. All other users control only the objects they own. Most VM installations need to delegate a subset of administration functions to their help desk staff: enrolling and deleting users, modifying allocation (usage) limits, and helping with authorizations. You have to choose between tasking expensive systems programmers with this duty and opening your system to potential security exposures by giving help desk technicians far more authority than they require.

SFS Catalogs are large and take a very long time to back up

SFS Catalogs contain tremendous amounts of data to maintain the authorization information. A typical SFS file pool can take 10 hours to back up and about 20 hours to restore.

SFS users can undo administrator specified security authorizations

SFS authorizations can be created by administrators and deleted by your users. You cannot guarantee that a user or application can access information, such as a .WEB directory. You also cannot guarantee that a user will not accidentally share information with someone they should not.

User/Application Concerns


SFS authorizations do not apply to sub-directories or their contents

SFS authorizations do not apply to sub-directories or their contents. This forces you and your users to define and manage authorizations for sub-directories as separate objects.

SFS users cannot create directories in file spaces they don’t own

SFS authorizations do not allow users or applications to create directories in file spaces that they do not own. This requires you to intervene whenever a directory needs to be created in a different file space.

SFS has a complicated and confusing user interface

SFS authorizations are defined using a complicated, confusing line mode interface. This consistently leads to errors when creating security authorizations, and requires SFS administrator time to be spent assisting end users and determining why a user or application cannot access data.

SFS authorizations only apply to one file pool

SFS authorizations apply only to one file pool. If similar security is desired across multiple file pools, authorizations must be replicated and then manually maintained.


SafeSFS Solves Your SFS Security and Administration Issues


SafeSFS addresses all of the SFS Administration Issues.

SafeSFS enables you to delegate responsibility to your help desk staff or end users.
SafeSFS reduces the authorizations you manage from hundreds of thousands to hundreds.
SafeSFS speeds up your backups and restores by 90%.
SafeSFS enables you to guarantee access to data for applications and ensure that security exposures do not occur.
SafeSFS allows you to use Acigroups and dynamic pattern matching.
SafeSFS gives your users and applications the SFS features that they miss the most.

SafeSFS Solves Security and Administration Issues


SafeSFS provides distributed, flexible SFS security and user administration

With SafeSFS, you define SafeSFS Managers who perform security and user administration tasks. The scope of these tasks may be limited to individual users or groups of users using Acigroups or pattern matching. You can quickly and easily distribute your SFS security and administration. VM:Secure™ Directory Manager authorizations can be used for seamless SFS administration.

SafeSFS provides dynamic Acigroup support and dynamic pattern matching

SafeSFS provides the ability to control SFS security and user administration by Acigroup. SafeSFS rules may contain pattern matching for each and every token of the requestor and target, enabling you to control a vast number of users and SFS objects with a very small number of SafeSFS rules.

SafeSFS removes the authorization information from SFS

SafeSFS rules are maintained in its own database. This enables backup products to quickly back up or restore SFS. SafeSFS typically reduces SFS backup and restore time by over 90%.

SafeSFS has a multiple level rule evaluation hierarchy

SafeSFS rules have multiple levels designed to provide complete control while still providing flexible security administration. Security exposures are eliminated. SafeSFS administrators may provide or restrict access to SFS resources at system-wide, Acigroup, or user levels. None of the three levels can be overridden by end users. VM:Secure customers will find this to be a familiar concept.

SafeSFS rules apply to sub-directories

SafeSFS directory rules apply to the directory, the contents of that directory, and all sub-directories and their contents. SafeSFS REJECT rules can be used to prevent access to sub-directories.

SafeSFS lets you control who can or can't create directories in other file spaces

SafeSFS rules control creation of directories. This allows end users and applications to perform these tasks for themselves without waiting for an SFS administrator.

SafeSFS provides four user interfaces: Fullscreen, Dirlist/Filelist, Xedit, & API

The SafeSFS user interfaces allow end users and administrators to define and maintain SFS security quickly and easily. The API interface allows you to automate security tasks using local applications.

SafeSFS rules may apply to one or more file pools, including remote file pools

The SafeSFS service machine may be used to control many file pools using one set of SafeSFS rules. When pattern matching is used for file pool name, a single SafeSFS rule may be used to control all or some of the file pools.

SafeSFS Full Screen Interfaces


Rule List Screen

An initial rule list, showing all the rules in a particular rule file. You simply position the cursor and press a key to add, delete, or modify a rule.

Add/Modify/Update Screen
After selecting Add, Model, or Update, or after pressing the SafeSFS ADD key in FILELIST or DIRLIST, you can easily allow users to access information in SFS.


Filelist/Dirlist Interface

SafeSFS integrates into the CMS Filelist and Dirlist interfaces. You can type a SafeSFS command over an entry or simply position the cursor next to a file or directory and press the SafeSFS ADD key to enter the SafeSFS Rule Add interface.


Additional SafeSFS Features and Benefits

Runs with any VM/CP security product.
SafeSFS is a standalone security solution. It also integrates well with your existing CP security solution to leverage your current solution.
Application program interface
SafeSFS provides commands that may be issued from the CMS command line or from within application programs to manipulate SafeSFS rules or perform other SafeSFS tasks.
Flexible security for SFS data served by a VM Webserver
SafeSFS eases the task of serving up data via VM-based webservers by substantially reducing the SFS authorizations required.
Easy conversion and implementation
SafeSFS provides utilities to convert existing SFS authorizations to SafeSFS rules.
High performance and capacity
SafeSFS was designed with high performance and capacity in mind. End users notice no change in response time and system overhead is insignificant.
Flexible auditing and audit reporting
SafeSFS provides you with control over audit information. Utilities allow flexible reporting of the audit information.
File space sharing via co-owner rules
"Co-owner" is a concept that Safe Software introduced for SFS. Co-owner rules allow a user to have the same capabilities over a file space as the owning user.
Alternate userid support (Diagnose X’D4’ or SFS CSL alternate id)
SafeSFS supports all forms of the CMS and CP alternate userid facilities. This allows servers such as FTP and Web servers to perform work on behalf of users using their security characteristics.
XEDIT interface
SafeSFS provides an XEDIT interface that allows you to easily define and manipulate SafeSFS rules using XEDIT. This interface is similar in look and feel to the Sterling Software VM:Secure™ product’s "RULES" command interface and reduces training costs for VM:Secure customers.
Requires no system modifications
SafeSFS uses the SFS External Security Manager exit interface provided and documented by IBM, and does not require any modifications to VM/ESA or any of the VM/ESA components.