• Subject: Re: Security Admin package for multi level security
  • From: John Hall <jhall@xxxxxxxxxxx>
  • Date: Sun, 07 Nov 1999 18:30:13 -0500



"Graap, Ken" wrote:
> 
>  John -
> 
> Printers and other devices are just objects on the system and subject to the
> same security policies that any other object is.
> 
> A printer could be created with *PUBLIC *EXCLUDE and then only the authority
> required... QSPL *CHANGE and TOP_SECRET_USER *CHANGE
> 

No, that's an oversimplification of the security.  The security of a
printer is in relationship to the document and not the user.  This
applies to displays as well.  It is not whether a top secret user can
access a printer or not.  The question is the security level of the printer
vs the security level of the information.  A "Top Secret" user could
access "secret" info and send it to a "secret" printer, just not the
other way around.  Also, a secret user could send information to a top
secret device.  They would not be able to see the report produced
because they would be denied physical access to that area.

> -----Original Message-----
> From: John Hall
> To: MIDRANGE-L@midrange.com
> Sent: 11/05/1999 3:34 PM
> Subject: Re: Security Admin package for multi level security
> 
> One thing you guys are missing about the security issue is that all
> devices must be controlled under it also.
> 
> Every terminal/tape drive/printer/fax/whatever must also be classified
> as to its security clearance.
> 
> This security is in addition to any other security that is in place.
> 
> If a printer is not "top secret" cleared then you cannot print a top
> secret document to it even if you have the clearance.  And you cannot
> display it on a terminal that does not have the proper clearance.
> 
> About all OS400 can do is limit security officer signon to specific
> devices.
> 
> John Hall
> 
> "V. Leveque" wrote:
> >
> > Very good!
> >
> > I lumped this under "discretionary access control" which as you pointed out
> > the 400 does well.
> >
> > To look at "Top Secret -- Crypto" classified data, a "Top Secret -- Nukes"
> > clearance will not do.
> >
> > The security officer is always an issue, which is why this person must be
> > trusted.  Less of an issue with AS/400, as many functions which require
> > "root" on UNIX can be done with a more granular special authority on the
> > AS/400.  You don't have to give away the whole machine just because a help
> > desk person may need to reset passwords once in a while.
> >
> > But most businesses still need transactional security more -- you aren't
> > keeping secrets so much as keeping people from writing checks to themselves
> > & charging it to "suspense".  Major fraud looks really bad when it hits the
> > Wall Street Journal.
> >
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to
> MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
> david@midrange.com
> +---
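
The rule argued in this thread (compare the device's label with the document's label rather than with the user's, and treat compartments such as "Crypto" and "Nukes" separately) can be written as a label-dominance check. This is an added example, not part of the original messages and not an OS/400 facility; `Level`, `Label`, `may_output` and the sample labels are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Assumed ordering; the thread names only "secret" and "top secret".
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` and holds
        every compartment that `other` carries."""
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def may_output(user: Label, document: Label, device: Label):
    """Decide whether `user` may send `document` to `device`
    (printer, display, tape drive, fax). Returns (allowed, reason)."""
    if not user.dominates(document):
        return False, "user clearance does not dominate document"
    # Device check is independent of the user: a cleared user still cannot
    # route a document to a device labelled below the document.
    if not device.dominates(document):
        return False, "device clearance does not dominate document"
    return True, "ok"


# Constructed sample labels.
S = Label(Level.SECRET)
TS = Label(Level.TOP_SECRET)
TS_CRYPTO = Label(Level.TOP_SECRET, frozenset({"CRYPTO"}))
TS_NUKES = Label(Level.TOP_SECRET, frozenset({"NUKES"}))

if __name__ == "__main__":
    cases = [  # (description, user, document, device)
        ("TS user, secret doc, secret printer", TS, S, S),
        ("TS user, TS doc, secret printer", TS, TS, S),
        ("secret user, secret doc, TS printer", S, S, TS),
        ("TS-Nukes user, TS-Crypto doc, TS-Crypto printer",
         TS_NUKES, TS_CRYPTO, TS_CRYPTO),
    ]
    for desc, user, doc, dev in cases:
        print(f"{desc}: {may_output(user, doc, dev)}")
```
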


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].