|
"Graap, Ken" wrote: > > John - > > Printers and other devices are just objects on the system and subject to the > same security policies that any other objects is. > > A printer could be created with *PUBLIC *EXCLUDE and then only the authority > required... QSPL *CHANGE and TOP_SECRET_USER *CHANGE > No that's an oversimplification of the security. The security of a printer is in relationship to the document and not the user. This applies to display's as well. It is not whether a top secret user can access a printer or not. The question is the security level of printer vs the security level of the information. A "Top Secret" user could access "secret" info and send it to a "secret" printer just not the other way around. Also a secret user could send information to a top secret device. They would not be able to see the report produced because they would be denied physical access to that area. > -----Original Message----- > From: John Hall > To: MIDRANGE-L@midrange.com > Sent: 11/05/1999 3:34 PM > Subject: Re: Security Admin package for multi level security > > One thing you guys are missing about the security issue is that all > devices must be controlled under it also. > > Every terminal/tape drive/printer/fax/whatever must also be classified > as to its security clearance. > > This security is in addition to any other security that is in place. > > If a printer is not "top secret" cleared then you cannot print a top > secret document to it even if you have the clearance. And you cannot > display it on a terminal that does not have the proper clearance. > > About all OS400 can do is limit security officer signon to specific > devices. > > John Hall > > "V. Leveque" wrote: > > > > Very good! > > > > I lumped this under "discretionary access control" which as you > pointed out > > the 400 does well. > > > > To look at "Top Secret -- Crypto" classified data, a "Top Secret -- > Nukes" > > clearance will not do. > > > > The security officer is always an issue, which is why this person > must be > > trusted. Less of an issue with AS/400, as many functions which > require > > "root" on UNIX can be done with a more granular special authority on > the > > AS/400. You don't have to give away the whole machine just because a > help > > desk person may need to reset passwords once in a while. > > > > But most businesses still need transactional security more -- you > aren't > > keeping secrets so much as keeping people from writing checks to > themselves > > & charging it to "suspense". Major fraud looks really bad when it > hits the > > Wall Street Journal. > > > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to > MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: > david@midrange.com > +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
