Introduction
The Distributed Management Task Force (DMTF) is an industry organization that leads the development and adoption of systems management standards. DMTF management technology plays a key role in improving interoperability among the multi-vendor tools used within an enterprise: by deploying management applications that conform to DMTF standards across a heterogeneous environment, customers can manage that environment in a uniform way and reduce both the complexity and the cost of management.
DMTF has developed and published a series of management profiles for different management areas, for example the Software Inventory Profile for software management. These profiles use the Common Information Model (CIM) to describe the managed objects, defining the managed object classes, their relationships, properties and operations in an object-oriented way. This article shows how the Role Based Authorization Profile can be applied to IBM i for rights management, and uses the Standards Based Linux Instrumentation for Manageability (SBLIM) development toolkit to show how the corresponding management interface is developed.
User roles and permissions on IBM i
IBM i defines five roles (user classes) and eight permissions (special authorities), and there is a default correspondence between them, shown in Table 1. QSECURITY is a system value that represents the security level of the system, and the special authorities a role receives by default differ from one security level to another. IBM i also lets the default set be modified for an individual user. For example, if user A is assigned the *USER class on a system at QSECURITY level 10, user A receives *ALLOBJ and *SAVSYS by default, but *SECADM can additionally be granted to user A; such a customization applies only to that user profile and does not change the role's defaults for anyone else.
Table 1. IBM i roles (user classes) and their default special authorities
Role | Default special authorities at QSECURITY 10 or 20 | Default special authorities at QSECURITY 30 or above
*USER | *ALLOBJ, *SAVSYS | (none)
*SYSOPR | *ALLOBJ, *SAVSYS, *JOBCTL | *SAVSYS, *JOBCTL
*PGMR | *ALLOBJ, *SAVSYS, *JOBCTL | (none)
*SECADM | *ALLOBJ, *SAVSYS, *SECADM, *JOBCTL | *SECADM
*SECOFR | *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL | *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, *SPLCTL
Role-based Authorization Profile
Figure 1 shows the classes of the DMTF Role Based Authorization Profile and the relationships between them. The class Role (CIM_Role) models a role and the class Privilege (CIM_Privilege) models a permission; the association class MemberOfCollection (CIM_MemberOfCollection) between the two expresses the correspondence shown in Table 1. The class Identity (CIM_Identity) represents an account, that is, the security principal of a user or user group, and supplies the security-related information needed for operations such as validating a user's roles or privileges. A second MemberOfCollection association, between Identity and Role, is used to discover the roles a given user holds. Two kinds of relationships appear in the diagram: red lines denote associations and green lines denote aggregation (composition or containment), and the multiplicities between classes can be one-to-one, one-to-many or many-to-many.
Figure 1. Class diagram based on role authorization profile
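To make the class model concrete, the following is an added example (not code from the article, from IBM or from DMTF): a small in-memory model of the profile's Identity, Role, Privilege and MemberOfCollection instances, populated with the IBM i defaults from Table 1 and then queried for the scenario described in the "User roles and permissions" section (user A in class *USER with *SECADM granted individually). The class and association names follow the profile; the `Model` repository, `build_model`, `assign_user`, the representation of per-user grants as a plain set, and the sample profile USERA are assumptions made for this example.

```python
"""Added example (not code from the article, IBM or DMTF): an in-memory model
of the Role Based Authorization Profile classes, populated with the IBM i
defaults of Table 1. Class and association names follow the profile; the
Model repository, build_model, assign_user and the sample profile USERA are
constructed for this example."""
from dataclasses import dataclass, field

# The eight IBM i special authorities, modelled as CIM_Privilege instances.
SPECIAL_AUTHORITIES = frozenset({"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                                 "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"})

# Table 1: (defaults at QSECURITY 10 or 20, defaults at QSECURITY 30 or above).
TABLE1 = {
    "*USER":   ({"*ALLOBJ", "*SAVSYS"},                       set()),
    "*SYSOPR": ({"*ALLOBJ", "*SAVSYS", "*JOBCTL"},            {"*SAVSYS", "*JOBCTL"}),
    "*PGMR":   ({"*ALLOBJ", "*SAVSYS", "*JOBCTL"},            set()),
    "*SECADM": ({"*ALLOBJ", "*SAVSYS", "*SECADM", "*JOBCTL"}, {"*SECADM"}),
    "*SECOFR": (set(SPECIAL_AUTHORITIES),                     set(SPECIAL_AUTHORITIES)),
}


@dataclass(frozen=True)
class Privilege:
    """CIM_Privilege: one special authority."""
    InstanceID: str


@dataclass(frozen=True)
class Role:
    """CIM_Role: a collection of privileges, named after the IBM i user class."""
    Name: str


@dataclass(frozen=True)
class Identity:
    """CIM_Identity: the security principal of a user profile."""
    Name: str


@dataclass
class Model:
    """Instance repository. role_privileges and identity_roles stand for the two
    CIM_MemberOfCollection associations of Figure 1 (Role -> Privilege and
    Identity -> Role). direct_grants holds per-user customisation (an extra
    special authority granted to one profile); storing it as a plain set is an
    assumption of this example, not something the page's profile text defines."""
    role_privileges: dict = field(default_factory=dict)   # Role -> set[Privilege]
    identity_roles: dict = field(default_factory=dict)    # Identity -> set[Role]
    direct_grants: dict = field(default_factory=dict)     # Identity -> set[Privilege]

    def roles_of(self, identity: Identity) -> set:
        """Traverse Identity -> Role to discover the roles a user holds."""
        return set(self.identity_roles.get(identity, set()))

    def privileges_of_role(self, role: Role) -> set:
        """Traverse Role -> Privilege for one role."""
        return set(self.role_privileges.get(role, set()))

    def effective_privileges(self, identity: Identity) -> set:
        """Union of role defaults and direct grants: what a validation must check."""
        privs = set(self.direct_grants.get(identity, set()))
        for role in self.roles_of(identity):
            privs |= self.privileges_of_role(role)
        return privs

    def effective_authorities(self, identity: Identity) -> list:
        """Same as effective_privileges, as a sorted list of authority names."""
        return sorted(p.InstanceID for p in self.effective_privileges(identity))

    def has_privilege(self, identity: Identity, authority: str) -> bool:
        return Privilege(authority) in self.effective_privileges(identity)


def build_model(qsecurity: int) -> Model:
    """Create the five Role instances with the defaults Table 1 gives for QSECURITY."""
    if qsecurity not in (10, 20, 30, 40, 50):
        raise ValueError(f"invalid QSECURITY value {qsecurity}")
    column = 0 if qsecurity < 30 else 1
    model = Model()
    for user_class, defaults in TABLE1.items():
        model.role_privileges[Role(user_class)] = {Privilege(a) for a in defaults[column]}
    return model


def assign_user(model: Model, name: str, user_class: str, extra=()) -> Identity:
    """Create an Identity, link it to its user-class Role and record extra grants.
    Unknown class or authority names are rejected instead of silently accepted."""
    if user_class not in TABLE1:
        raise ValueError(f"unknown user class {user_class}")
    unknown = set(extra) - SPECIAL_AUTHORITIES
    if unknown:
        raise ValueError(f"unknown special authorities: {sorted(unknown)}")
    identity = Identity(name)
    model.identity_roles[identity] = {Role(user_class)}
    model.direct_grants[identity] = {Privilege(a) for a in extra}
    return identity


if __name__ == "__main__":
    # The article's scenario: USERA in class *USER, *SECADM granted individually.
    for level in (10, 30):
        model = build_model(level)
        usera = assign_user(model, "USERA", "*USER", extra=["*SECADM"])
        print(level, model.effective_authorities(usera))
```

Running the block prints `['*ALLOBJ', '*SAVSYS', '*SECADM']` for QSECURITY 10 and `['*SECADM']` for QSECURITY 30: the role's default set is what changes with the security level, while the per-user grant stays attached to the Identity. The point for an implementer is in `effective_privileges`: a check that only follows Identity -> Role -> Privilege misses direct grants, and one that only looks at direct grants misses the role defaults, so a provider must take the union before answering an authorization query.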