As you design user groups, remember that the groups
you establish have an impact on data and resource protection and influence
those who receive the GROUP, GRPNAM, and GRPPRV privileges. You may
want to map out the functions you expect your users to perform. Look
for groups of users involved with a common function, such as accounting,
engineering, marketing, and personnel.
Think ahead to future plans in your organization.
Incorporate these ideas into your strategy. You can fine-tune the
group design at any time, but it is most important to gain a perspective
on the logical groupings according to the functions your users perform.
Following are two guidelines for determining the
placement of users in UIC groups:
Sharing: Users who typically
share data and control of processes should be arranged in the same
Protection: Users who
should not have access to each other's data or control each other's
processes should be assigned to separate groups.
However, there are limitations to UIC group design.
You may want to give only a few members of your UIC group access to
files that you own, or you may want to grant access to your files
to members of several UIC groups without having to grant world access.
These limitations are described in “Limitations to UIC Group Design”.
Example of UIC Group Design
The fictitious Rainbow Paint Company is a distribution
company with five departments: executive, accounting, marketing, shipping,
and administration. “Employee Grouping by Department and Function” identifies the employees in the various
departments who need computer resources. The table also lists the
job responsibilities of the employees.
Table 8-1 Employee Grouping by Department and Function
| Department|| Employee|| Function|
Treasurer Head of Computer Operations
Correspondence Management Paycheck Printing
The fact that the company has been organized into
departments suggests that individuals in the same department perform
many of the same functions. For example, the advantage of grouping
all the employees who perform bookkeeping tasks for the company in
the accounting department is that employees can easily communicate
with one another and gain access to the data they must share.
As the system manager of Rainbow Paint's
computer resources, Olivia Westwood will set up UIC groups based on
the existing organizational structure. For example, the employees
in the accounting department (Ruiz, Smith, Jacobs, and Ross) could
be members of the UIC group ACCOUNTING. Setting up the UIC group in
this way ensures that user Ruiz has easy access to data from user
Smith, and so on.
Effective department organization ensures that
only selected employees will have access to all data and employees
in the company. For example, one of the functions of the accounting
department concerns payroll. Because payroll information is confidential,
employees in the shipping and marketing departments should not have
access to that information.
As the system manager of Rainbow Paint's
computer resources, Westwood sets up the UIC groups---ACCOUNTING,
EXECUTIVE, MARKETING, SHIPPING, and ADMINISTRATION---corresponding
to the various departments in the company. Members of a UIC group
can be given common access to files, as shown in the following example:
$SET SECURITY/PROTECTION=G:RWE GROUP_STATS.DAT
With this command, the owner of the file GROUP_STATS.DAT
allows each member of the UIC group read, write, and execute access
to the file.
Limitations to UIC Group Design
In some cases, UIC-based protection does not present
the best solution to your object protection needs. If users in several
UIC groups need access to common files and other resources on the
system, the only UIC-based alternatives are to give world access to
the object (all users can access the object) or to grant extended
privileges to each user. Neither choice is desirable.
You may also need to allow users in a UIC group
several types of access to files; you may want to deny access to the
object to some users in the same group. Again, UIC-based protection
does not offer a good solution to meet these needs.
Access control lists (ACLs), described in the
following sections, offer another way to protect files and other objects
on the system.
As the site security administrator, it is extremely
important to familiarize yourself with the subtleties of the UIC categories,
as described in “Controlling Access with Protection Codes”. Putting users in certain UIC groups
may grant them system privileges, and a user with system privilege
has control access to any protected object on the system. The SYSPRV
privilege is given by default to all UIC groups less than or equal
to 10, but the actual range for the system UIC category is determined
by the value of the MAXSYSGROUP system parameter. Putting users with
the GRPPRV privilege in groups that own system files might also cause