IBM 2 Computer Hardware User Manual


 
CCA Release 2.54
A role-based system is more efficient than one in which the authority is assigned
individually for each user. In general, users can be segregated into just a few
different categories of access rights. The use of roles allows the administrator to
define each of these categories just once, in the form of a role.
Understanding Roles
Each role defines the permissions and other characteristics associated with users
having that role. The role contains the following information:
Role ID A character string which defines the name of the role. This name is
referenced in user profiles, to show which role defines the user's authority.
Required User-Authentication Strength Level The access-control system is
designed to allow a variety of user authentication mechanisms. Although the
only one supported today is passphrase authentication, the design is ready for
others that may be used in the future.
All user-authentication mechanisms are given a strength rating, namely an
integer value where zero is the minimum strength corresponding to no
authentication at all. If the strength of the user's authentication mechanism is
less than the required strength for the role, the user is not permitted to log on.
Valid Time and Valid Days-of-Week These values define the times of the day and
the days of the week when the users with this role are permitted to log on. If
the current time is outside the values defined for the role, logon is not allowed.
It is possible to choose values that let users log on at any time on any day of
the week.
Notes:
1. Times are specified in Greenwich Mean Time (GMT).
2. If you physically move a Coprocessor between time zones, remember that
you must resynchronize the CCA-managed clock with the host-system
clock.
Permitted Commands A list defining which commands the user is allowed to
perform in the Coprocessor. Each command corresponds to one of the
primitive functions which collectively comprise the CCA implementation.
Comment A 20-byte comment can be incorporated into the role for future
reference.
In addition, the role contains control and error-checking fields. The detailed layout
of the role data-structure can be found in “Role Structure” on page B-29.
The Default Role: Every CCA Coprocessor must have at least one role, called
the default role. Any user who has not logged on and been authenticated will
operate with the capabilities and restrictions defined in the default role.
Note: Since unauthenticated users have authentication strength equal to zero, the
Required User-Authentication Strength Level of the Default Role must also be zero.
The Coprocessor can have a variable number of additional roles, as needed and
defined by the customer. For simple applications, the default role by itself may be
sufficient. Any number of roles can be defined, as long as the Coprocessor has
enough available storage to hold them.
Chapter 2. CCA Node-Management and Access-Control 2-3