HP Security Monitor/iX User's Guide: HP 3000 MPE/iX Computer Systems > Chapter 2 Accessing the System

Eliminating Password Exposure with the Stream Privilege Option


This section explains how to reduce the chance of password exposure by using the Stream Privilege option.

Stream Privilege Option Features

This option provides the following features:

  • Allows system processes to stream jobs without passwords.

  • Allows the System Manager, Account Manager, and job owners to stream jobs without supplying passwords.

  • Provides Stream Privilege Authorization to let users other than System Managers, Account Managers, and job owners stream jobs without supplying passwords.

When password verification is waived under this privilege, passwords are ignored if present. Note that if the Embedded Password Disallowed option is enabled, the stream attempt fails if an embedded password is present.

The Stream Privilege feature is independent of the Cross Streaming restriction. System Managers, Account Managers and job owners always have the right to stream jobs within their domain of control, even with the cross streaming restriction in effect. On the other hand, they do not have the right to bypass password authentication when the Stream Privilege feature is not enabled.

Stream privilege can be granted at two levels:

  1. System Managers, Account Managers, and job owners only. This is the more restrictive of the two.

  2. Additional authorization on protected jobs. This extends the privilege to other users when streaming protected jobs to which they have EXECUTE access.

Recommendation:

If nested jobs (jobs that are streamed from within another job) are used, Stream Privilege should be enabled. This lets System Managers, Account Managers, and job owners stream the nested job without passwords. (Make sure any passwords are removed, and ensure the outer job has the proper capability to stream the nested job.)

Similarly, enable the Stream Privilege when running device-direct jobs, such as those that come directly from tapes. This lets these jobs run without passwords.

When enabled, the Stream Privilege option also applies to system processes. This is because system processes are associated with MANAGER.SYS and therefore share the same attributes and capabilities.
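The recommendation above says to make sure any passwords are removed from job files once Stream Privilege is enabled. The following added example (not part of the HP guide) audits job file text for embedded passwords and produces a cleaned copy. It assumes the MPE job card form `!JOB [jobname,]user[/userpass].acct[/acctpass][,group[/grouppass]]`, which this page does not quote, and uses constructed job, user, and account names.

```python
import re

# Assumed job card form (not quoted on this page):
#   !JOB [jobname,]user[/userpass].acct[/acctpass][,group[/grouppass]][;params]
JOB_CARD = re.compile(r"^(?P<lead>\s*[!:]\s*JOB\s+)(?P<logon>[^;\s]+)(?P<rest>.*)$",
                      re.IGNORECASE)
EMBEDDED = re.compile(r"/[^.,/]+")  # "/password" after a user, account or group name

# Constructed sample: one job with embedded passwords, one without.
SAMPLE_JOB = """\
!JOB NIGHTLY,MGR/SECRET.PROD/ACCTPW,PUB/GRPPW;OUTCLASS=LP
!RUN BACKUP.PUB
!EOJ
!JOB REPORT,OPER.PROD
!RUN RPT.PUB
!EOJ"""


def password_fields(logon):
    """Name the parts of a logon string (user, account, group) that carry a password."""
    parts = logon.split(",")
    idx = next((i for i, p in enumerate(parts) if "." in p), None)
    if idx is None:  # no user.account pair found, nothing to classify
        return []
    user, _, acct = parts[idx].partition(".")
    fields = [name for name, value in (("user", user), ("account", acct)) if "/" in value]
    if idx + 1 < len(parts) and "/" in parts[idx + 1]:
        fields.append("group")
    return fields


def scan_job_text(text):
    """Return (findings, cleaned_text); findings is a list of (line_number, fields)."""
    findings, cleaned = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = JOB_CARD.match(line)
        if match:
            logon = match.group("logon")
            fields = password_fields(logon)
            if fields:
                findings.append((number, fields))
                logon = EMBEDDED.sub("", logon)  # drop every "/password" segment
            line = match.group("lead") + logon + match.group("rest")
        cleaned.append(line)
    return findings, "\n".join(cleaned)


if __name__ == "__main__":
    for number, fields in scan_job_text(SAMPLE_JOB)[0]:
        print(f"line {number}: embedded password on {', '.join(fields)}")
```

Any job card this scan flags is one that would make the stream attempt fail when the Embedded Password Disallowed option is enabled, so running it before turning that option on shows which files need cleaning first.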
