A proxy login enables a user logged in at a remote node to be logged in automatically to a specific account at the local node, without having to supply any access control information, to perform specific non-interactive file operations such as copying files. This can be used to increase security because it minimizes the need to specify explicit access control information in node specifications passed over the network or stored in command procedures.
Copying files from a remote node with proxy login:
COPY remotenode::file-spec file-spec
Without proxy login:
COPY remotenode"proxyacct"::file-spec file-spec
Proxy logins vs interactive logins
Note that a proxy login is not the same as an interactive login. A proxy login means that specific network access operations can be executed, such as a copy operation. By contrast, an interactive login requires a user to supply a user name and password before the user can perform any interactive operations.
Proxy login accounts
To establish a proxy login on the local node, the remote user must have a default proxy account on the local node that maps to a local user name. The remote user assumes the same file access, rights, and privileges as the local user name.
Creating proxy login accounts
For maximum security:
- define proxy login accounts as restricted
- remove interactive, batch and network access
- avoid granting privileges to proxy login accounts
- check the default protection on the directory and customize it if necessary
- examine the login command procedure specified on the account and security settings of the command procedure file
Enabling proxy login accounts
Proxy logins are established in the AUTHORIZE utility using the proxy database file. If no proxy database file exists, you may need to create one using CREATE/PROXY. To add a proxy, use ADD/PROXY remote_node::remote_user local_user/default. You can add as many proxies on the same local account as necessary. To display a proxy, use SHOW/PROXY remote_node::remote_user. To modify a proxy, use MODIFY/PROXY remote_node::remote_user. To delete a proxy, use REMOVE/PROXY remote_node::remote_user.