DSM/Tape Catalog User's Guide

Role-based flexibility
DSM/Tape Catalog User's Guide 520233-008
This command provides all the permissions to the users of the group 121,*. The
security levels can be altered by specifying R, W, E, P, C, or O.
For more information on ADD GROUP, ALTER GROUP, or ADD USER, see the
Safeguard Reference Manual.
Guidelines
- Ensure that the latest MEDIACOM objects along with the requisite Safeguard and
  standard security objects are installed on the system.
- Add only those users who must perform the MEDIACOM operations listed in
  Table 4-1 to the SECURITY-MEDIA-ADMIN group.
- To explicitly deny permission to a few members of a group, add that group to
  the SECURITY-MEDIA-ADMIN group, and then set DENY ACL for the users to be
  denied.
  For example, all members of the SQL group are required to execute the
  MEDIACOM commands listed in Table 4-1 except for users SQL.TEST1 and
  SQL.TEST2. Add the SQL group to the SECURITY-MEDIA-ADMIN group, and
  then set DENY ACL for users SQL.TEST1 and SQL.TEST2.
- To restrict the MEDIACOM operations listed in Table 4-1 only to the super user,
  add the SECURITY-MEDIA-ADMIN group. This addition allows only the super user
  to execute the MEDIACOM operations, irrespective of whether the super user is
  configured as DENIABLE or UNDENIABLE.
- To deny a super user the authority to execute the MEDIACOM commands listed in
  Table 4-1, add the SECURITY-MEDIA-ADMIN group. Configure the super user as
  DENIABLE and explicitly set a DENY ACL for the super user in the
  SECURITY-MEDIA-ADMIN group.
Troubleshooting
This section describes the troubleshooting steps for role-based flexibility for the
following scenarios:
Scenario 1: A non-super user is denied permission to execute the commands
DELETE TAPEFILE, ALTER TAPEFILE, and ALTER MEDIADEFS.
To troubleshoot this issue, verify the following:
- Safeguard is running on the system. For more information, see the Safeguard
  Reference Manual.
- The SECURITY-MEDIA-ADMIN group exists. If it does not exist, add the
  group.
Note. If the SECURITY-MEDIA-ADMIN group is frozen, only the users having both O and E
permissions are permitted to execute these MEDIACOM commands.
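
The guidelines and the frozen-group note above can be checked against a planned configuration with a small decision model. This is an added example, not Safeguard or MEDIACOM code: the class and function names, the SUPER.SUPER user name, and the sample entries are constructed. It assumes that the group exists, that E is the authority checked when the group is not frozen, and that the frozen rule applies to every user.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

SUPER_USER = "SUPER.SUPER"  # assumed name for the super user

@dataclass
class MediaAdminGroup:
    """Simplified stand-in for an existing SECURITY-MEDIA-ADMIN group."""
    grants: dict = field(default_factory=dict)  # pattern -> authorities
    denies: set = field(default_factory=set)    # patterns with a DENY ACL
    frozen: bool = False
    super_deniable: bool = False

def authorities(user, group):
    """Union of authorities from every grant entry matching the user."""
    held = set()
    for pattern, auths in group.grants.items():
        if fnmatchcase(user, pattern):
            held |= set(auths)
    return held

def may_run_mediacom(user, group):
    """Return True if the user may run the Table 4-1 commands."""
    denied = any(fnmatchcase(user, p) for p in group.denies)
    if user == SUPER_USER:
        # A DENY entry binds the super user only when configured DENIABLE.
        denied = denied and group.super_deniable
    if denied:
        return False  # DENY overrides a grant inherited from a group entry
    held = authorities(user, group)
    if group.frozen:
        # Note on the page: a frozen group admits only holders of O and E.
        # Assumption: applied literally to every user, super user included.
        return {"O", "E"} <= held
    if user == SUPER_USER:
        return True  # allowed even when the group has no entries
    return "E" in held  # assumption: E is checked when not frozen

# Constructed sample: the SQL example from the guidelines.
SQL_GROUP = MediaAdminGroup(
    grants={"SQL.*": {"E"}},
    denies={"SQL.TEST1", "SQL.TEST2"},
)
```

Evaluating each planned user against the model before changing the group shows whether a DENY entry or a freeze would lock out someone who still needs the Table 4-1 commands.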