Securing ADDUSER

RISK Adding users to the system is a primary gateway through which unauthorized users could gain access.

AP-ADVICE-ADDUSER-01 Control who is allowed to add or delete users at the maximum level.

Without the Safeguard Subsystem

If Safeguard software is not in use on the system, then the ADDUSER program is used to create userids.

How the ADDUSER program is secured depends on who is allowed to perform this function as defined by the Corporate Security Policy and Standards.

If only SUPER.SUPER is allowed to ADD users, the ADDUSER program must be secured for SUPER.SUPER access only and the ADDUSER object file need not be LICENSED. This is the most secure methodology to control the function of adding and deleting users.

BP-FILE-ADDUSER-01 ADDUSER should be secured "- - - -".

BP-OPSYS-LICENSE-01 ADDUSER must NOT be LICENSED.

BP-OPSYS-OWNER-01 ADDUSER should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-01 ADDUSER must reside in $SYSTEM.SYSnn

If the policy authorizes Group Managers to ADD users to their own groups, then all local groups need to be granted EXECUTE access. The Guardian environment will prevent users other than the 255 member of any group from adding users to existing groups. Only SUPER.SUPER will be able to add to a new group or add users...