Overall recommendations for security design

Keeping your security design as simple as possible makes it easier to manage and audit security. It also improves application performance and backup performance.

Here is a list of general recommendations for security design:
  • Use resource security together with the other available methods, such as limiting capabilities in the user profile and restricting users to a set of menus, to protect information.
    Attention: If you use a product such as IBM® i Access or if you have communication lines attached to your system, do not rely only on limiting capabilities in the user profile and menu access control. You must use resource security to secure any objects that you do not want to be accessible through these interfaces.
  • Secure only those objects that really require security. Analyze a library to determine which objects, such as data files, are confidential and secure those objects. Use public authority for other objects, such as data areas and message queues.
  • Move from the general to the specific:
    • Plan security for libraries and directories. Deal with individual objects only when necessary.
    • Plan public authority first, followed by group authority and individual authority.
  • Make the public authority for new objects in a library (CRTAUT parameter) the same as the public authority for the majority of existing objects in the library.
  • To make auditing easier and improve authority-checking performance, avoid defining private authority that is less than the public authority for an object.
  • Use authorization lists to group objects with the same security requirements. Authorization lists are simpler to manage than individual authorities and help to recover security information.
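
The following CL sequence is an added example, not part of the original IBM documentation, that applies several of these recommendations to one library. The library PAYLIB, the files PAYMAST and PAYHIST, the group profile GRPPAY and the authorization list PAYAUTL are hypothetical names, and the example assumes that most existing objects in PAYLIB have a public authority of *CHANGE.

```cl
/* Added example. PAYLIB, PAYMAST, PAYHIST, GRPPAY and PAYAUTL are    */
/* hypothetical names chosen for illustration.                        */

/* Library level first: new objects get the same public authority as  */
/* the majority of existing objects (assumed here to be *CHANGE).     */
CHGLIB LIB(PAYLIB) CRTAUT(*CHANGE)

/* One authorization list for the confidential files. The public      */
/* authority of the list is *EXCLUDE, so no entry added to the list   */
/* can be lower than the public authority.                            */
CRTAUTL AUTL(PAYAUTL) AUT(*EXCLUDE) TEXT('Confidential payroll files')

/* Group authority before individual authority: authorize the group   */
/* profile on the list rather than each user on each file.            */
ADDAUTLE AUTL(PAYAUTL) USER(GRPPAY) AUT(*CHANGE)

/* Secure only the objects that need it: attach the confidential      */
/* files to the list. Data areas and message queues in PAYLIB keep    */
/* their public authority.                                            */
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) AUTL(PAYAUTL)

/* Take the public authority of each file from the list, so it is     */
/* managed in one place.                                              */
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(PAYLIB/PAYHIST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Audit: list the objects the authorization list secures, then       */
/* report any private authorities that remain on files in PAYLIB.     */
DSPAUTLOBJ AUTL(PAYAUTL)
PRTPVTAUT OBJTYPE(*FILE) LIB(PAYLIB)
```

Private authorities that the PRTPVTAUT report still shows on individual files are the ones to compare against each file's public authority and to move into the authorization list where possible.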