This security arrangement is not only the most effective, it is a requirement at several large shops and is considered necessary at many sites for auditing compliance. By externalizing the security interface, VIP leverages existing security and maintains an audit trail.
- The VIP security interface leverages existing security. Group rules can be put in place such that when a new user is added to a group, he or she automatically has the proper access.
- Because VIP uses SAF security, it supports the wildcards that are possible within SAF-based security products (ACF2, Top Secret, and RACF).
- Access control over console commands and commands to drop connections and activate LUs will take advantage of security that is already in place. These commands are now issued in the user’s context. Executing in the user’s context avoids security changes, providing a better audit trail and more robust security.
- VIP security is multi-layered. In addition to a first level of security restricting access to resources like the command tool, executing in the user’s context means that execution of the command itself is based on user’s access to the command–thus providing a second and more granular level of security.
- VIP can be more precise in IP packet tracing than the TCPIP stack itself allows. VIP can allow/disallow tracing for a user or group by LPAR or sysplex even with a shared security database. This means, for example, that a development group could use tracing to help develop and debug an application, but they could be disallowed access to restricted production data.
- Securing VIP’s remote host, TN3270, and HTTP monitors allows sites to make sure that only authorized users are able to create, delete, alter, or initiate these monitors. This ability is important for sites wishing to roll out VIP beyond the systems programming staff to groups such as Help Desk, Operations, Level 1, etc.
- VIP security configuration is generally low maintenance. Once installed and implemented, the number of users tends to be fairly static.