CAPP: What it represents for i5/OS

Discretionary access control (DAC) describes how access to objects can be controlled or limited to specific user profiles on the system. Through object authority, users are granted or excluded permission to use objects defined to the system.

Object reuse is a requirement for internal storage control. In most systems, when an object is deleted, it is only deleted at the directory level. The object still exists in the disk space where it was recorded but since it is no longer referenced by the directory, it cannot be used by most users. CAPP object reuse takes that a step further and prevents users who create new objects on the system from accessing information that was formerly stored in the allocated disk space.

Identification and authentication requires that users on the system are personally accountable for what they do. Each user must be uniquely identified -- that identity must be able to be confirmed and it must be immediately associated with all security events performed.

Auditability of security events in CAPP calls for the system being able to audit all security events at the user profile level. This audit information must include a time and date stamp, the nature of the event, the object or objects used and the user identifier.

As you can see, with all of these security requirements deployed, you are in a good position to properly manage and control the security environment on your system. OS/400 V5R3 and later support the CAPP standard when security level (system value QSECURITY) is set to level 50. So, you can take advantage of all of this security control, and more, by moving to this level. Be aware that changing your QSECURITY setting is not to be taken lightly and planning is required for a seamless move.

If you have specific questions about this topic, e-mail me at rich@kisco.com. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries security tips Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.