Implementing MultiValue Security

This section describes options from within the MultiValue environment that help you to:

Establish proper user and account access levels
Use additional MultiValue tools at your disposal which aid in implementing and tracking secure operations

The MultiValue security measures described in this section are derived from:

The SYSTEM Dictionary
Account attributes
Passwords
Process, update and retrieval codes
Account pointers (D pointers)
Synonym pointers (Q pointers)
System privilege levels
Coordinated use of such tools as the Accounting History file (ACC) and the SECURITY-LOG file

mvBase Prerequisites

The methods that this section describes assume that the following prerequisites have already been met.

mvBase must be properly installed, preferably from a previously-created Windows user account (with administration rights) that will also serve to operate mvBase on a daily basis.
The mvBase Server should already be authorized for the intended quantity of connections (licenses).
Processes, lines and virtual memory storage files should be defined properly, and the administrator must know the precise location (network system hard disk drives) on which the mvBase virtual memory storage files are located.
The administrator must have full knowledge of each anticipated client system, the respective User-Names who will connect to the mvBase Server via those systems, and the respective security and access requirements.

MultiValue Security Options

A number of security options are available during account creation or later modification. Security codes for both accounts and users may be entered in the appropriate line or attribute of the Account Definition item or User-ID item using the Editor. Passwords may be created during the time of account creation or edited after creation. You may limit an account’s access to the TCL prompt or commands. Finally, you can use the Account History file and the SECURITY-LOG file to track accounts or unauthorized activity.

Overview of Topics

The following sections cover these topics related to MultiValue security:

Line 1: Using D Codes in Account Attributes	Describes the several options that you can use with D codes in order to modify the behavior of an account.
Lines 5 and 6: Using Retrieval and Update Codes	Access to accounts and files can be restricted by assigning retrieval and update codes to them in lines 5-6 of the attribute definitions items. This topic describes how to do this.
Line 7: Assigning, Changing and Deleting Account Passwords	Account passwords can be assigned to any account to prevent unauthorized users from logging on to the system or from logging to the protected account from another account. Passwords can be defined at the time of account creation (CREATE-ACCOUNT), or they can be added, changed, or removed at other times using the PASSWORD command. This procedure describes how to assign passwords when using the CREATE-ACCOUNT command, and how to change or delete passwords for existing accounts. Passwords are stored in line 7 of account definition items.
Line 8: Using System Privilege Level Codes	This topic describes the four system privilege levels, and how to assign a privilege level to an account.
Line 9: Using Automatic Logoff	This topic describes how to use the AUTO-LOGOFF command to automatically log off accounts and processes after they have been idle for a certain period of time, or when a modem line is disconnected.
Line 9: Using Account Definition Codes	You can use a number of codes in line (attribute) 9 of an account item in order to utilize additional MultiValue security features. This topic describes those codes and security features.
Line 9: Restricting Access to TCL and Commands	You can restrict a user’s access to the TCL prompt or commands by using the T code in line 9, or by modifying a user account’s Master Dictionary.
Line 12: Using Process Codes	Process codes restrict system access by specifying that users can log on to accounts only from particular processes. This topic describes how to implement this strategy.
Using the Accounting History File (ACC)	An account in the SYSTEM Dictionary called ACC contains an Accounting History file also called ACC. This file contains information about activity on a given account. This topic describes the contents and use of this ACC file.
Using the Security Log File	The SECURITY-LOG file, located in the SYSTEM Dictionary, logs all invalid attempts to log on, all system privilege violations, and all attempts to access accounts and files restricted by retrieval and update codes. This file defines ten types of violations.
An Example of a MultiValue Security Scheme	This section provides one example of a security scheme that incorporates a combination of the methods described in this section.
Security-Related Command Summary	A number of SYSPROG commands perform certain security-related functions within the MultiValue environment. This summary table lists such commands. For additional information, see Using the SYSPROG Account and Commands in the Guide to mvBase Files and Accounts.