Appended at 14:09:54 on 92/07/21 GMT (by TARNOLD at CLTVM1)
Subject: Trusted OS/2 Workstation?????
Ref: Append at 13:13:44 on 92/07/16 GMT (by UST1013 at OS2CUST)
*** Long append ***
There was an announcement today of a "Restricted Shell" for OS/2 2.0. Does
it meet all or some of your needs? Here's the announcement:
RESTRICTED WORKPLACE SHELL SERVICE OFFERING FOR OS/2 2.0.
IBM United Kingdom announces an offering of software and services
to assist customers who may wish to limit the ability of the end
user to access and/or modify the OS/2 2.0 system or its
interface.
HIGHLIGHTS:
-----------
OS/2 Version 2.0 provides an object-oriented user interface
through its Workplace Shell. This interface conforms to the 1991
SAA CUA Workplace Environment guidelines, and provides great
power and flexibility for the end user.
However, in certain segments of the market, such power and
flexibility is undesirable. Customers may wish to limit the
ability of the end user to access and/or modify the system or its
interface. This requirement is notable in finance and insurance
industries.
Additional components have been created to enable such
restriction of the user interface. These components allow the
user to carry out basic operations such as starting programs,
printing, etc., while preventing the user from modifying the user
interface, or modifying or deleting objects. These components are
known collectively as the RESTRICTED SHELL.
The Restricted Shell components operate as part of the Workplace
Shell and have an identical 'look and feel' to the standard
Workplace Shell objects. The Restricted Shell is offered to
customers as a service offering made up of the following parts:
o A set of basic components which enable restriction of the user
interface.
o A set of common capabilities which may be selectively applied
to any or all of the basic components, to suit customer
requirements.
o Utilities which may be used to perform operations such as the
removal of items from the Workplace Shell's Window List.
o Customisation services, providing programming expertise to
integrate these components and capabilities with the standard
Workplace Shell environment, and to incorporate any additional
customer requirements.
CONTENTS:
---------
The Restricted Shell package consists of the following basic
components:
o A PASSWORD PROTECTED FOLDER object class, which enables
folders to be locked by the user, and only opened upon entry
of the correct folder password.
o A RESTRICTED PROGRAM object class, which enables objects to be
created without a Settings view, to prevent a user from
modifying the object's settings.
o A REMOTE FOLDER object class which, upon being opened,
performs a logon to a remote system and obtains user profile
information, then populates itself according to that
information.
Each of these components consists of a number of subcomponents
which can be disabled or modified to meet specific users'
requirements. New subcomponents may also be added to further
restrict the user's environment. Certain generic capabilities
are also provided, which can be added to any of the components.
The addition of such capabilities, and customisation of the
components to meet specific customer requirements, is carried out
as part of the customisation services which are included in this
offering.
Password Protected Folder
-------------------------
The password protected folder object class (PWFolder) behaves in
the same way as the standard folder object class (WPFolder)
except for the following:
o A password protected folder has an additional item 'Lock
Folder' on its context menu.
o When in the locked state, any attempt to open the folder
results in the display of a password prompt. The user must
enter the correct folder password before the 'open' operation
may proceed.
o The user is provided with visual indication of the locked
state; the suffix <LOCKED> is added to the folder title, and a
different icon is displayed.
A password protected folder may be created in the locked state,
by supplying appropriate keywords in the setup string passed when
creating the object.
Remote Folder
-------------
The remote folder object class (RemoteFolder) is similar to the
standard folder object class (WPFolder), with the following
exceptions:
o Upon opening a folder, a logon dialog is presented to the
user. When the user completes this dialog, the folder performs
a LAN logon with the user-specified userid and password.
o Once the logon is complete, the folder populates itself based
on information stored in an ASCII file on the LAN server.
o A LOGOFF item appears on the folder's context menu. When the
user selects this item, the folder closes down any programs
which have been started from within the folder or from other
folders within the folder, deletes all its contents and
redisplays the logon dialog box.
The logon, logoff and self-population functions are designed as
separate functions which are called from the object's methods.
This approach allows these functions to be tailored to suit the
individual environment of each customer installation. Such
tailoring may form part of the customisation services included in
this offering.
This folder may also be used in a local (ie. not LAN- or
host-connected) workstation environment, in conjunction with
OS/2's user profile management facilities. In this way, the
Restricted Shell can be used to provide access to a restricted
set of objects for multiple users on the same workstation.
Restricted Program
------------------
The restricted program object class (SecProg) behaves in the same
way as the standard program object class (WPProgram) except for
the following:
o Only the OPEN submenu with the PROGRAM submenu item, and the
HELP submenu are provided in an object's context menu.
Therefore, the user cannot open a SETTINGS view of an object
in order to modify the object's settings.
o An object cannot be moved, copied, shadowed, renamed or
deleted.
o No entry for the secure program object class appears in the
TEMPLATES folder.
It is envisaged that secure program objects would be created
within objects of the password protected folder or remote folder
classes.
Optional Capabilities
---------------------
The object classes described above may be customised with the
following optional capabilities, to suit specific customer
requirements.
FOLDERS
The following optional capabilities may be applied to the remote
folder and password protected folder object classes:
o Restriction of the ability for the user to move, copy, shadow,
rename or delete an object.
o Ability to prevent the user moving or sizing a view. Note that
this is restricted to the password protected folder and remote
folder object classes only; the window created when a program
object is opened is under the control of a different process,
and cannot be directly controlled from within the Workplace
Shell.
o Ability to prevent the user maximizing or minimizing a view.
This is also restricted as above.
o Restriction of the ability to exit from a folder. This can
simply be prevented in order to restrict the user to a single
folder and its descendants, or exit can be password protected.
o Removal of the SETTINGS view for an object.
These capabilities can be added to the object classes as part of
the customisation services provided under this offering.
RESTRICTED PROGRAM
The following optional capabilities may be added to the
restricted program object class:
o Restriction of the ability for the user to move, copy, shadow,
rename or delete an object.
o Removal of the SETTINGS view for an object.
These capabilities can be added to the object classes as part of
the customisation services provided under this offering.
MISCELLANEOUS
The following additional capabilities are supplied as utilities
which may be run in the system, along with the object classes
already described:
o The ability to return the Workplace Shell to a default state
upon system startup; that is, the previously running
configuration is NOT restored at IPL-time.
o A utility to selectively remove items from the Workplace
Shell's Window List.
o A LOGOFF object, which may be added to a remote folder class
or placed on the desktop, for those customers who prefer
logoff to be initiated from an icon rather than a context menu
item.
These capabilities can be added to the system as part of the
customisation services provided under this offering.
PLANNED AVAILABILITY:
---------------------
This offering is available immediately.
PRICES:
-------
This offering will be priced by individual quote.
This announcement was in the UK, but I believe it is available elsewhere to
customers who want it. I have a contact if you're interested. Note that
services are available to customize the restricted shell, if it doesn't
entirely meet your needs.