SafeSFS is an external security management solution for the IBM Shared File System. It provides a high performance, complete security management solution for SFS. SafeSFS greatly simplifies and reduces the task of managing security. By providing a sophisticated rules database with powerful grouping and pattern matching capabilities, combined with the easy to use SafeSFS user interface, security management functions can be completed using a small fraction of the time and effort required with native SFS. Security management tasks may be distributed in a flexible way without compromising security. Dynamic Acigroup support allows VM sites to leverage their existing VM security groups. Listed below is a summary of the major features SafeSFS provides.
SafeSFS provides distributed, flexible SFS security and user administration
With SafeSFS, you define SafeSFS Managers who perform security and user administration tasks. The scope of these tasks may be limited to individual users or groups of users. This reduces your cost of computing by allowing controlled distribution of security and user administration tasks. SafeSFS supports the use of acigroups and pattern matching when defining authorizations to control these tasks. This means that flexible, distributed security and user administration can be implemented very quickly and easily. A Rexx user exit allows VM:SecureTM Directory Manager authorizations to be used via a Rexx user exit, for seemless, distributed SFS administration.
SafeSFS provides dynamic Acigroup support
SafeSFS provides the ability to control SFS security and user administration dynamically by security group (Acigroup). Users added to or removed from an acigroup are automatically granted or revoked authorization without requiring corresponding security control changes. The use of Acigroup rules can greatly reduce the total number of rules.
SafeSFS provides dynamic pattern matched rules capability
SafeSFS rules may contain pattern matching for requestor and for each and every token within the rule object (filepool, file space, directories, file name, and file type). This allows SafeSFS users to control a large number of users and/or SFS objects with a very small number of SafeSFS rules.
With SafeSFS rules you can control which objects are affected by rules
SafeSFS provides both ACCEPT and REJECT rules allowing you to control access with a minimum number of rules. This greatly reduces administrative efforts and eliminates the need to add additional authorizations when new directories are created.
SafeSFS allows you to define who can or cannot create directories in other's file spaces
SafeSFS rules may be used to control creation of directories as desired. This allows end users to perform these tasks for themselves without waiting. SFS administrators are no longer required to create directories for end users.
SafeSFS has a multiple level rule evaluation hierarchy
SafeSFS rules have multiple levels designed to provide complete control while still providing flexible security administration. Security exposures are eliminated. Security may be specified system wide, at the Acigroup level, or at the user level.
SafeSFS provides four user interface methods: Fullscreen, Dirlist/Filelist, Xedit, and API
The SafeSFS user interfaces allow end users and administrators to define and maintain SFS security quickly and easily. The API interface allows you to automate security tasks using local applications.
SafeSFS rules may apply to one or more filepools, including remote filepools
The SafeSFS service machine may be used to control many filepools using one set of SafeSFS rules. When pattern matching is used for filepool name, a single SafeSFS rule may be used to control all or some of the filepools.
SafeSFS provides complete control over SFS access requests and user administration commands
All SFS access requests and user administration commands may be controlled with SafeSFS rules. This provides complete, dynamic security for the IBM Shared File System.
SafeSFS runs with any VM/CP security product.
SafeSFS is a standalone security solution. It was also designed for use in conjunction with any VM/CP security product. SafeSFS may be integrated with your existing CP security product to leverage security controls you have already defined.
SafeSFS provides flexible security for SFS data served by a VM Webserver
SafeSFS eases the task of serving up data via VM based webservers by significantly reducing the SFS authorizations required to allow the webserver to access information. Some web servers and web applications require a native SFS authorization for each item to be served, for each web server in the configuration. One VM site had to implement over 10,000 SFS authorizations (Grants) to enable the use of a web based e-mail application. SafeSFS can provide the same authorization with a single rule -- and without the concern of the owner of that object accidentally removing that authorization.
SafeSFS provides high performance and capacity
SafeSFS was designed with high performance and capacity in mind. SafeSFS performs so well that the overhead associated with SafeSFS is insignificant and is not noticed by end users. The capacity of SafeSFS exceeds that of SFS itself, and SafeSFS will function properly with any size and number of SFS filepool(s).
SafeSFS provides file space sharing via co-owner rules
"Co-owner rules" is a concept that Safe Software introduced for SFS. Co-owner rules allow a user to have the same capabilities over a file space as the owning user. This provides a quick and easy way for end users to give others the same capabilities they have for objects they own. This is particularly convenient for users that have more than one userid.
SafeSFS provides a Fullscreen user interface
SafeSFS provides a fullscreen panel interface that allows SafeSFS Administrators, Managers, and End Users to easily define and manipulate SafeSFS rules.
SafeSFS provides Dirlist/Filelist interface
SafeSFS provides a Dirlist/Filelist interface which gives users the ability to position the cursor on a filespace, directory, or file, and then press a PF key to go directly to a SafeSFS fullscreen panel where the user may add rules for the SFS object. Users may also over type SFS objects in the Dirlist/Filelist display with SafeSFS commands that affect rules for the SFS object.
SafeSFS provides an XEDIT interface
SafeSFS provides an XEDIT interface that allows SafeSFS Administrators, Managers, and End Users to easily define and manipulate SafeSFS rules using XEDIT. With this interface, SafeSFS presents its rules database as a set of flat files, each containing the rules for a particular filespace (user level rules), acigroup (group level rules), or the entire system (system level rules). This interface is similar in look and feel to the Sterling Software VM:SecureTM product's "rules" command interface and reduces training costs for VM:Secure customers.
SafeSFS provides a linemode/application program interface (API)
SafeSFS provides commands which may be issued from the CMS command line or from within application programs to manipulate SafeSFS rules or perform other SafeSFS tasks. These linemode/API commands provide return codes which may be examined by application programs.
SafeSFS provides easy conversion and implementation
SafeSFS provides utilities to convert existing SFS authorizations to SafeSFS rules. It also provides several modes of operation that allow an easy, gradual implementation of SafeSFS.
SafeSFS provides several dynamically configurable modes of operation
SafeSFS has several modes of operation that affect the way it operates. These modes of operation may be changed dynamically while SafeSFS is running, and the changes take effect immediately.
Causes SafeSFS to defer SFS requests that are not controlled by SafeSFS rules to SFS. The SFS requests are then processed based on native SFS authorizations.
This is the normal production mode of SafeSFS. All SFS requests are controlled by SafeSFS rules.
When MANAGE mode is used, SafeSFS will control SFS user administration commands (ENROLL, MODIFY, DELETE, QUERY LIMITS, etc.).
SafeSFS provides flexible auditing and audit reporting
SafeSFS provides the ability to control auditing of SFS requests. SafeSFS utilities allow flexible reporting of the audit information collected. SafeSFS also audits and reports on SafeSFS commands.
SafeSFS provides alternate userid support (Diagnose X'D4' or SFS CSL alternate id)
Applications that make use of the VM/CP alternate user id may issue SFS requests on the behalf of users. SafeSFS will evaluate the request as if it were issued by the user instead of by the userid of the server running the application. This is also commonly referred to as "surrogate" support.
SafeSFS requires no system modifications
SafeSFS uses the SFS External Security Manager exit interface provided and documented by IBM, and does not require any modifications to VM/ESA or any of the VM/ESA components.