Safeguard Reference Manual (G06.24+, H06.03+)
Safeguard Reference Manual—520618-013
6 User Alias Security Commands
Each user can be assigned one or more additional names, called “user aliases.” An 
alias is an alternate name that can be used to log on to the system. Each alias has its 
own alias authentication record and set of user attributes. The values assigned to the 
user attributes in the alias authentication record can differ from those values assigned 
to the user attributes in the user authentication record. 
SAFECOM commands can add aliases to the system, delete aliases from the system, 
and suspend the ability of an alias to log on to the system. They can also specify 
auditing for attempts by an alias to log on to the system and attempts to manage an 
alias authentication record.
This section contains these subsections:
• A description of who can add new aliases to the system and who can manage the alias authentication records
• A summary table of the user alias commands
• Detailed syntax for each user alias command
Who Can Manage User Aliases
Because an important attribute of a user alias is an underlying user ID, special 
restrictions apply to the use of ALIAS commands. In particular, the ADD ALIAS 
command is subject to additional security. The general rule is that to add an alias 
authentication record, you must have the authority to add the underlying user ID and 
alter the record for that user ID. Specifically, the ADD ALIAS command is restricted as 
follows:
• If an OBJECTTYPE USER record exists, the person executing the ADD ALIAS command must meet these two qualifications:
  ° Have CREATE (C) authority on the OBJECTTYPE USER access control list
  ° Be the owner of the underlying user ID or be the group manager of the owner of the underlying user ID
• If an OBJECTTYPE USER record does not exist, the person executing the ADD ALIAS command must meet these two qualifications:
  ° Be the group manager of the underlying user ID
  ° Be the owner of the underlying user ID or be the group manager of the owner of the underlying user ID
• In addition, the local super ID can add an alias for any user, regardless of the existence of an OBJECTTYPE USER record (unless OBJECTTYPE USER specifically denies the super ID).
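The ADD ALIAS rules above, modeled as a decision function for access reviews. This is an added example, not Safeguard code or part of the manual. The `ObjectTypeUser` class, the function names, and the sample IDs are hypothetical. It assumes user IDs are (group, member) pairs, member 255 is the group manager, 255,255 is the local super ID, and "owner" means the owner of the underlying user's authentication record.

```python
from dataclasses import dataclass, field
from typing import Optional

SUPER_ID = (255, 255)  # assumption: local super ID is group 255, member 255

@dataclass
class ObjectTypeUser:
    """Simplified model of an OBJECTTYPE USER ACL (hypothetical structure)."""
    create: set = field(default_factory=set)   # IDs granted CREATE (C)
    denied: set = field(default_factory=set)   # IDs specifically denied

def is_group_manager_of(actor, uid):
    # Assumption: the group manager is member 255 of the same group.
    return actor == (uid[0], 255)

def can_add_alias(actor, underlying, owner, otu: Optional[ObjectTypeUser]):
    """Return (allowed, reason) for ADD ALIAS against `underlying`."""
    if actor == SUPER_ID:
        # Super ID is allowed unless OBJECTTYPE USER specifically denies it.
        if otu is not None and actor in otu.denied:
            return False, "super ID denied by OBJECTTYPE USER"
        return True, "local super ID"
    if otu is not None:
        # Record exists: CREATE authority on its ACL is required.
        if actor in otu.denied or actor not in otu.create:
            return False, "no CREATE authority on OBJECTTYPE USER"
    elif not is_group_manager_of(actor, underlying):
        # No record: must be group manager of the underlying user ID.
        return False, "not group manager of underlying user ID"
    # Second qualification is the same in both cases.
    if actor != owner and not is_group_manager_of(actor, owner):
        return False, "neither owner nor group manager of owner"
    return True, "qualified"

def who_can_add_alias(candidates, underlying, owner, otu):
    """Audit helper: candidate IDs able to add an alias for `underlying`."""
    return [c for c in candidates
            if can_add_alias(c, underlying, owner, otu)[0]]

# Constructed sample data: underlying user 8,4 whose record is owned by 8,10.
CANDIDATES = [(255, 255), (8, 255), (8, 10), (9, 255), (8, 4)]
UNDERLYING, OWNER = (8, 4), (8, 10)
```

Running `who_can_add_alias` with and without an `ObjectTypeUser` shows how creating the OBJECTTYPE USER record moves the authority from the group manager to whoever holds CREATE on its access control list.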










