SECURITY
ONECase security functions control unauthorized access to sensitive data. They grant access only to those
specific workers who need it.
Access can be limited to various levels depending upon the needs of the individual worker. For example, one
worker might be granted the ability to change a piece of data, while another worker might be granted only the
ability to view that piece of data, and still another worker might be denied access altogether.
ONECase incorporates some specific rules that govern access to data.
There are six different levels of access to data.
(0) No access
(1) View the data only
(2) Extract the data for other uses
(3) Change existing data records
(4) Add records to the data file
(5) Flag data records to be deleted
Each level of access assumes that all levels of access below it are granted also. For example, if a
worker was granted the ability to change data (Level 3), that worker could also view the data (Level 1)
and extract the data (Level 2).
No worker in one provider/agency can be granted the ability to change data that belongs to another
provider/agency unless that individual worker was specifically assigned the responsibility for updating
that piece of data (i.e., activity record).
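The two rules above, modeled as a single check. This is an added example, not ONECase code: the `Worker` and `Record` shapes and all names are hypothetical, the levels are numbered 0 to 5 following the Level 1/2/3 example in the text, and it assumes the cross-agency rule covers Change and every level above it.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    """The six levels listed above; a higher level includes every lower one."""
    NONE = 0
    VIEW = 1
    EXTRACT = 2
    CHANGE = 3
    ADD = 4
    FLAG_DELETE = 5


@dataclass(frozen=True)
class Worker:              # hypothetical shape, not a ONECase table layout
    user_id: str
    agency: str
    granted: Access
    assigned_records: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Record:              # hypothetical shape
    record_id: str
    owner_agency: str


def is_allowed(worker: Worker, record: Record, requested: Access) -> bool:
    """Return True when `worker` may perform `requested` on `record`."""
    if requested is Access.NONE:
        return False  # "no access" is never something to request
    # Hierarchy rule: the granted level must reach the requested one.
    if worker.granted < requested:
        return False
    # Cross-agency rule. Assumption: it covers CHANGE and every level above it.
    if requested >= Access.CHANGE and worker.agency != record.owner_agency:
        return record.record_id in worker.assigned_records
    return True
```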
Security Philosophy
Security in ONECase consists of those management procedures and software tools that prevent unauthorized
viewing or updating of sensitive data. ONECase's philosophy is to grant access to certain programs and
functions only to users you have designated.
We have inserted security control routines into certain programs, menu options, and functions which we have
designated as needing ID or password protection. Your Security Administrator defines through ONECase
tables the user(s) that may execute each protected feature.
AS/400 Security
ONECase uses standard AS/400 security routines to restrict both sign-on and data file access.
Procedure Security
ONECase uses its own user-defined Procedure Security and the AS/400 sign-on User ID to control access to
certain menu procedures and programs. The system permits Yes/No execution of certain programs called from
a menu or by function keys. It does not protect every program, only those included in a table shipped with and
maintained by ONECase. It limits access only to users authorized in the table provided by ONECase and
maintained by your Security Administrator.
You can find more information about AS/400 Security and Procedure Security on the following pages and
elsewhere in the ONECase guides.
One final point -- ultimately a secure system is your responsibility. ONECase provides tools which, when
properly administered, are sufficient to satisfy data security requirements requested by its users and normally
applied by most outside auditing firms.
Security Implementation
Until your system administrator sets the flag in the ONECase Controls table, neither Procedure nor Password
Security is active. Therefore, before setting the control flag, you must complete the required maintenance
through the following ONECase procedures:
"Maintain Workers"
"Authorize Users to Procedures"
"Maintain Function Security Levels"
"Maintain Workers"
Set up each worker in the Tax Security table. Sign on to the AS/400 using the 'G400SEC' User ID.
"Authorize Users to ID-Protected Procedures"
Key the User ID for each worker you want to be able to execute the procedures displayed. To grant access to
the procedure to all users, key '*ALL'. Sign on to the AS/400 using the 'G400SEC' User ID.
"Maintain Function Security Levels"
Key the appropriate threshold Security Level for each protected function. Sign on to the AS/400 using the
'G400SEC' User ID.
After completing the required maintenance, sign on as the 'G400SEC' user and activate ONECase security by
setting the security control flag.
Working with a User ID and password combination, AS/400 security software lets you sign on to the system. It
also controls the data files and libraries you may access as you execute ONECase procedures.
Sign-on control
Without the proper combination of User ID and password, the AS/400 will not let a would-be user sign on to the
AS/400. The system can lock your terminal if you do not provide a valid ID/password combination after a
certain number of attempts.
Your MIS contact should assign each ONECase user a unique User ID and an initial password. In some cases
a user will need multiple ID/password pairs. The syntax of these IDs and passwords will conform to the
standards MIS has adopted. Normally you keep the same User ID for as long as you are an AS/400 user.
When it adds your User ID, MIS sets many system values that affect how the AS/400 and you relate to each
other -- e.g., the default printer, library list, your initial menu, and many more. You will want to ensure that these
values are specified according to your needs.
You define your own password. The AS/400 may require you to change your password at defined time
intervals, and it may require that the new password conform to standards defined for all AS/400 users. These
standards are usually designed to frustrate potential "hackers".
Access to files and libraries
Once you have successfully signed on to the AS/400, the IBM routines use the same User ID to control access
to certain files and/or libraries. That is, they ensure that you have what is called "object authority" to the data
used by a given procedure. If your ID does not have such authority, the system will give you an error message.
This is common, especially in new installations or for new users. Call MIS so that they can perform a function
called "grant object authority" to get you past the error.
Procedure Security
Based upon a special Procedure Security table and your sign-on User ID, ONECase grants or denies the
execution of certain menu procedures and programs. ONECase refers to these programs and procedures as
being ID-protected.
Not every ONECase program or procedure is ID-protected -- only those ONECase has designated. Over time
ONECase will add others to the ID-protected list. In general, ID-protected programs and procedures are those
that update critical data. Look for a list of them on the following pages. The list also indicates the month in
which ONECase will activate the ID-protection.
A procedure is a menu option. There are over 100 procedures in ONECase. Some are simple but others are
very complex maintenance programs. By selecting a procedure from a menu, you are asking ONECase to
execute a program linked to that procedure number. Thus a procedure is really the menu front-end to a
program. We use the terms interchangeably.
You activate Procedure Security by setting a flag in the ONECase Controls table. Refer to the procedure guide
on "Maintain ONECase Controls" for information about maintaining the Controls table. Ensure that you
complete all the required maintenance on the Procedure Security table before you turn on the flag.
The Procedure Security table contains one record for each User ID (or group of IDs) authorized to execute an
ID-protected program. You must set up an entry in the Procedure table for each User ID authorized to execute
each ID-protected procedure. You can specify '*ALL' as the User ID to let all users access an ID-protected
procedure. "Maintain Procedure Security" is Procedure 103.
ONECase may define in its list of ID-protected programs a program that never appears as a procedure on any
menu. These are programs that will only be called from another program, usually by pressing a function key.
You must grant authority to these programs as well. You perform Procedure Security maintenance for them in the
same manner as for a procedure that appears on a menu.
A user may have authority to execute a procedure and still not have authority to execute an ID-protected
program called from the authorized one.
ONECase presents an error message when a user without authorization attempts to execute an ID-protected
program either from a menu or from another program.
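A sketch of the Procedure Security decision and of a check to run over the table before the control flag is turned on. This is an added example, not ONECase code: the dictionary layout, the finding labels and the program names are hypothetical, and the sample table is constructed.

```python
ALL_USERS = "*ALL"  # the User ID value the text gives for "all users"

# Constructed sample data; program names are placeholders.
PROTECTED = {"MENU_PROC_1", "MENU_PROC_2", "FKEY_PGM_1"}
TABLE = {"MENU_PROC_1": {"USERA", "USERB"}, "MENU_PROC_2": {ALL_USERS}}
CALLS = {"MENU_PROC_1": {"FKEY_PGM_1"}}  # FKEY_PGM_1 is reached by function key


def is_authorized(user_id, program, protected, table, security_active):
    """Apply the rules described above to one execution request."""
    if not security_active or program not in protected:
        return True  # flag not set, or program is not ID-protected
    allowed = table.get(program, set())
    return ALL_USERS in allowed or user_id in allowed


def pre_activation_audit(protected, table, calls):
    """Return (finding, program, user) tuples to review before activation."""
    findings = []
    for program in sorted(protected):
        allowed = table.get(program, set())
        if not allowed:
            # Nobody could run this program once the flag is set.
            findings.append(("NO_USERS", program, ""))
        elif ALL_USERS in allowed:
            # Protection is effectively off for this program.
            findings.append(("OPEN_TO_ALL", program, ""))
    # Users authorized to a procedure but not to an ID-protected program
    # called from it (the function-key case described in the text).
    for caller, callees in sorted(calls.items()):
        for user in sorted(table.get(caller, set()) - {ALL_USERS}):
            for callee in sorted(callees):
                if callee in protected and not is_authorized(
                        user, callee, protected, table, True):
                    findings.append(("BLOCKED_CALL", callee, user))
    return findings


if __name__ == "__main__":
    for finding in pre_activation_audit(PROTECTED, TABLE, CALLS):
        print(finding)
```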