Safeguard Reference Manual (G06.24+, H06.03+)
520618-013

5 User Security Commands
SAFECOM user security commands are restricted so that only specific users can
execute them and thereby control user security. These users include system
managers, security administrators, and group managers, as qualified by the list of
users specified with OBJECTTYPE USER.
SAFECOM commands can add user IDs to the system, delete user IDs from the
system, and suspend a user ID's ability to log on to the system. They can also specify
auditing for attempts to authenticate users, attempts by the user to perform certain
actions, and attempts to manage user authentication records.
This section contains:
- A description of who can add new users to the system and who can manage the Safeguard security controls for system users
- A summary table of the user security commands
- Detailed syntax for each user security command
Who Can Manage User Security
If no access control list has been defined for OBJECTTYPE USER, only the super ID
can initially add user IDs to the system. When the super ID (with the user ID 255,255)
adds the first user to a group, that group is created implicitly. A group created in this
manner is known as an administrative group because it is used to administer user
authentication records. Groups can also be created with the ADD GROUP command.
For more information about groups, see Section 7, Group Commands.
Frequently, the first user added to an administrative group is the group manager (with
user ID n,255). Then the group manager ID can add other users to form that
administrative group. The super ID also can add users to any group, but only the super
ID can add group managers. However, the access control list for OBJECTTYPE USER
can specify a list of users who can add other users. For more information, see
Section 12, OBJECTTYPE Security Commands.
A user authentication record can have multiple owners. The OWNER attribute in a user
authentication record designates the record’s primary owner. The OWNER-LIST
attribute optionally designates one or more secondary owners. By default, the OWNER
attribute contains the user ID of the user who first created the user authentication
record. The OWNER and OWNER-LIST attributes can be changed with a SET USER
command before the record is created, or they can be changed with an ALTER USER
command after the record is created. These record owners can change the security
attributes in the user’s authentication record and therefore control the user’s ability to
log on to the system.
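The add-user and ownership rules described above (who may add a user ID, and who may change a record's security attributes), modelled as an added Python example that is not part of the manual. The (group, member) tuple form of user IDs, the UserRecord shape, and the OBJECTTYPE USER access control list as a plain set of user IDs are assumptions made for the example.

```python
from dataclasses import dataclass
SUPER_ID = (255, 255)     # the super ID is user 255,255
MANAGER_MEMBER = 255      # a group manager has user ID n,255

@dataclass
class UserRecord:         # ownership part of a user authentication record (assumed shape)
    user_id: tuple
    owner: tuple                          # OWNER: primary owner
    owner_list: frozenset = frozenset()   # OWNER-LIST: secondary owners

def is_group_manager(uid, group):
    return uid == (group, MANAGER_MEMBER)

def can_add_user(actor, new_user, objecttype_user_acl=frozenset()):
    """Super ID adds anyone and is the only one who adds group managers; a group
    manager adds users to its own group; a user on the OBJECTTYPE USER ACL adds users."""
    if actor == SUPER_ID:
        return True
    if new_user[1] == MANAGER_MEMBER:
        return False
    return is_group_manager(actor, new_user[0]) or actor in objecttype_user_acl

def can_alter_security(actor, record):
    """Primary owner, any secondary owner, the primary owner's group manager
    and the super ID may change the record's security attributes."""
    return (actor == SUPER_ID or actor == record.owner
            or actor in record.owner_list
            or is_group_manager(actor, record.owner[0]))

class UserDatabase:       # constructed stand-in for the Safeguard user database
    def __init__(self, objecttype_user_acl=()):
        self.records = {}
        self.acl = frozenset(objecttype_user_acl)

    def add_user(self, actor, new_user, owner=None, owner_list=()):
        """ADD USER: OWNER defaults to the creator unless SET USER pre-set it."""
        if not can_add_user(actor, new_user, self.acl):
            raise PermissionError(f"{actor} may not add user {new_user}")
        rec = UserRecord(new_user, owner or actor, frozenset(owner_list))
        self.records[new_user] = rec
        return rec

    def alter_owner(self, actor, user, new_owner):
        """ALTER USER ... OWNER: gated by the same ownership rule."""
        rec = self.records[user]
        if not can_alter_security(actor, rec):
            raise PermissionError(f"{actor} may not alter user {user}")
        rec.owner = new_owner
        return rec
```

Changing OWNER to a user in another group also changes which group manager may administer the record, since the group-manager check follows the primary owner, not the user ID.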
Only the primary and secondary record owners, the primary owner’s group manager,
and the super ID can change a user’s security attributes, suspend and restore the