User Authorities

As users log on to NFS clients and servers, the user authority of each user dictates what they can and cannot do. User authorities are assigned to users by administrators, and usually take the form of user identifications (UIDs) for particular users, group identifications (GIDs) for groups of users, and supplemental GIDs, which list various group identifications that a user belongs to.

Properly assigning user authorities for users and systems can help you to construct a secure, efficient namespace. Users will always have access to the right data when they need it. Improperly assigning user and system authorities will lead to an insecure namespace with major internal and external security breaches.

User Identifications (UIDs)

A UID is a user identification. UIDs are made up of a number that represents the user on a particular system. The UID does not include a user's name or any other information about the user at all. UIDs are simply a way for the system to recognize users and activate their user profile for use with authorization checking. Users may have access to a number of different systems, so they could maintain a number of different UIDs and associated authorities across those systems. Users should only ever have the access authority that they need, and no more.

For example, on one AS/400, Bill might have a UID of 136. On a different AS/400 his UID could be 142. On yet another, Bill might have a UID of 2700. All of these UIDs could potentially carry with them a number of different authorities on each network system. Bill could have *USER authority on one system and *QSECOFR authority on the next, and so on. It is the improper administration of such varied UIDs that can lead to NFS security hazards.

Group Identifications (GIDs)

A GID is a group identification. It operates in the same fashion as a UID as a way of identifying a user's access on a given system. The GID goes one step further, however, by acting as a general authority for a group of users or machines. GIDs are not at all relative to UIDs and do not correspond with UIDs. A user profile may or may not have a GID associated with it.

GIDs, therefore, might function for a department in a company or for a set of workstations in a computer lab. GIDs can function as a second method of access to a given file or object if a particular UID does not have access authority to that file or object. A GID never takes away authority from the user profile associated with it; GIDs can only add authority. If a GID exists on the server that matches the request of a client, then the associated authority is added to the request. If the GID does not exist on the server, then the GID is ignored.

There are also supplemental GIDs, which can act as a third or fourth or nth method of access authority to an object. GIDs are assigned to users based on what groups the user in question belongs to. UNIX servers and clients can use supplemental GIDs to determine the authority of a user. The Network File System on AS/400 supports supplemental GIDs. If a user on the client system is a member of multiple groups, then the system sends the GIDs for those groups to the server. The server will use those GIDs that have existing group profiles as the list of supplemental GIDs for the mapped NFS user on the server. Because GIDs and supplemental GIDs add to a user's authority, GIDs may allow users to access objects that are ordinarily

Chapter 9. Network File System Security Considerations 83
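The authority rules above (UID mapped to a server profile, GIDs that only ever add authority, unknown GIDs ignored, supplemental GIDs kept only where a group profile exists) modelled as a small server-side check. This is an added illustration, not code from the IBM manual; the profile tables, object paths and permission sets are constructed.

```python
# Added example (not from the IBM manual): a model of how an NFS server
# combines a mapped user's own authority with the GIDs a client sends.
# All profile tables and object authorities below are constructed.

from dataclasses import dataclass, field

READ, WRITE = "read", "write"

# Constructed server-side tables: UID -> user profile, GID -> group profile.
SERVER_USER_PROFILES = {136: "BILL", 200: "ANNA"}
SERVER_GROUP_PROFILES = {10: "ACCOUNTING", 20: "LAB"}

# Constructed object authority: object -> {profile name: set of permissions}.
OBJECT_AUTHORITY = {
    "/qsys.lib/payroll.file": {"ACCOUNTING": {READ}, "ANNA": {READ, WRITE}},
    "/home/lab/notes.txt": {"LAB": {READ, WRITE}},
}


@dataclass
class NfsRequest:
    uid: int
    gid: int                                   # primary GID sent by the client
    supplemental_gids: list = field(default_factory=list)


def map_groups(gid, supplemental_gids):
    """Keep only GIDs that have a group profile on the server; the rest are ignored."""
    return [g for g in [gid, *supplemental_gids] if g in SERVER_GROUP_PROFILES]


def effective_permissions(req: NfsRequest, path: str) -> set:
    """Union of the mapped user's authority and each recognised group's authority.

    Groups can only add permissions; a group with less authority than the user
    never reduces what the user profile already holds.
    """
    acl = OBJECT_AUTHORITY.get(path, {})
    perms = set()
    user = SERVER_USER_PROFILES.get(req.uid)
    if user is not None:
        perms |= acl.get(user, set())
    for g in map_groups(req.gid, req.supplemental_gids):
        perms |= acl.get(SERVER_GROUP_PROFILES[g], set())
    return perms


def authorized(req: NfsRequest, path: str, perm: str) -> bool:
    return perm in effective_permissions(req, path)
```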
