Assuming you are using LDAP-based security with Enterprise Server through the External Security Facility (ESF) and the MLDAP ESM Module, or file-based security through the VSAM ESM Module, access to various resources — programs, data files, CICS queues, and so forth — from application programs running in Enterprise Server is controlled by resource rules stored in the LDAP repository. Similar rules restrict access to administration functions under ESCWA, system services invoked by command-line utilities such as casout, and so forth.
A set of sample rules is provided with Enterprise Server in the form of LDAP Data Interchange Format (LDIF) files such as es_default_ldap.ldf, and in YAML format as es_default_security.yaml, for use with the VSAM ESM Module. For LDAP, there are a number of LDIF files to accommodate variations in repository structure, LDAP object types, and syntax among LDAP servers and configurations. You can import these rules into your LDAP repositories or use them as a basis for creating your own security configuration. For file-based security, you can customize es_default_security.yaml to suit your needs.
Many of the rules are unnecessary, inappropriate, or too permissive for most production enterprise server instances. As discussed in Removing unnecessary configuration objects, Micro Focus recommends removing rules for sample applications and some unused features.
For the rules that remain, you should review and consider tightening the permissions. In some cases that might involve adding additional permissions to the rules for some resources so that a group of users can be granted access only to those resources, rather than membership in a generally privileged group such as SYSADM. For example, an organization might create a group with permission to use some CICS system transactions such as CINS, but not others such as CFLE; that could be achieved by adding an Access Control Entry (ACE) to the rule for CINS.
With the MLDAP ESM Module and VSAM ESM Module, access to Enterprise Server resources is controlled by Access Control Lists (ACL) in determining rules. Rules are grouped into classes which correspond to particular types of resources: data files, programs, CICS transactions, administration commands, and so forth. Each rule has a name, which can contain wildcard characters.
When Enterprise Server needs to authorize a user for a particular operation (read, update, and so forth) on a particular resource, it queries ESF, passing the resource class and name, the user information, and the requested level of access. In ESF, the ESM Module will find all rules in the given class with names which match the resource name; because rule names can contain wildcards, there might be multiple matches. The module examines each of these rules from the closest match to the most general one, until it finds a rule with an ACL that applies to the user, explicitly or through group membership. That rule becomes the determining rule which grants or denies the action.
ACLs contain one or more Access Control Entries, or ACEs, each of which allows or denies a permission level or set of permissions to an actor, which is the name of a user or group, possibly specified with wildcards, so an ACE can apply to multiple users or groups. The interactions between user and group ACEs, and allow and deny ACEs, and the case where multiple ACEs apply to a given request, can be complex and are discussed at more length in the product documentation. Broadly speaking, more-specific ACEs override less-specific ones; user ACEs override group ACEs; and deny ACEs override allow ACEs. In most cases, the result of the ACE and ACL processing algorithm is what an administrator would expect, following the "principle of least surprise".
Access-control rules can be hardened by ensuring their ACLs do not grant excessive permission to any users. Sometimes this might involve changing the permissions granted by a part of the ACL; in other cases, it might be achieved by adding ACEs or changing them to refer to different actors (usually groups) created to give only certain users a type of access.
For most organizations, few or no ACEs refer to individual users. Assigning permissions at the granularity of users does not scale and makes it difficult to reassign responsibilities. Aside from generic rules which refer to all users with a wildcard (for example, allow:*:none), most ACEs will refer to groups.
There are many ways to organize users into groups for the purpose of resource access control. Groups might represent user roles; projects, departments, or functional areas; or simply sets of resource-access assignments. Micro Focus does not recommend any particular interpretation of user groups. Keep in mind that a clear, well-documented group structure will make it easier to assign and audit permissions.
The MLDAP ESM Module has a number of options for group structure, including nested groups and features for using different types of group objects. The VSAM ESM Module also supports nested groups. See your product Help for more information.
In security, the principle of least privilege states that actors, such as users, groups, and applications, should be given the minimum set of privileges they require. While this can be difficult to achieve completely, here are some guidelines to help administrators move toward this goal:
As a rule of thumb, restrict access to resources and then grant it according to specific requirements. In addition to making the security configuration more secure, it will lead to documenting access requirements and their justifications.
Micro Focus recommends the following for hardening access-control rules:
Finally, Micro Focus recommends periodically reviewing access rules to determine whether any should be tightened or removed.