DSM/Tape Catalog User's Guide

DSM/Tape Catalog User’s Guide—520233-008

4-1

4 Role-based flexibility

The authority to execute the sensitive MEDIACOM commands DELETE TAPEFILE,

ALTER TAPEFILE, and ALTER MEDIADEFS is restricted only to the super group.

H06.26/J06.15 RVU onwards, support for role-based flexibility enables you to authorize

non-super group users to execute these MEDIACOM commands. With this support,

you can also deny permissions to specific users to execute these commands.

To authorize users to execute these MEDIACOM commands, configure an optional

Safeguard security group SECURITY-MEDIA-ADMIN. Add the users who are required

to perform the MEDIACOM commands listed in Table 4-1 to the SECURITY-MEDIA-

ADMIN group. Only the members of the SECURITY-MEDIA-ADMIN group are allowed

to execute these MEDIACOM commands. If the SECURITY-MEDIA-ADMIN group

does not exist, then by default, only the super group users can execute these

commands.

Table 4-1. MEDIACOM commands supported by role-based flexibility

Configuring the SECURITY-MEDIA-ADMIN

group

To add the SECURITY-MEDIA-ADMIN group through Safecom, use the following

command:

TACL> SAFECOM

SAFEGUARD COMMAND INTERPRETER - T9750H05 - (20JUL2012) SYSTEM

\DMR01

=ADD SEC-GROUP SEC-MEDIA-ADMIN, ACCESS 121,07 E

This command adds the user with ID 121, 07 to the SEC-MEDIA-ADMIN group with

the permission E. The E permission is required to execute these MEDIACOM

commands.

To alter permissions in the SECURITY-MEDIA-ADMIN group, use the following

command:

=ALTER SEC-GROUP SEC-MEDIA-ADMIN, ACCESS \DMR06.121,* *

Note. A super user is always allowed to execute the MEDIACOM commands listed in

Table 4-1

, even though the SECURITY-MEDIA-ADMIN group exists. To deny a super user,

configure the super user as DENIABLE and explicitly set a DENY ACL for the super user in the

SECURITY MEDIA ADMIN group.

Sr. No. MEDIACOM commands

1. DELETE TAPEFILE

2. ALTER TAPEFILE

3. ALTER MEDIADEFS