Safeguard Reference Manual (G06.24+, H06.03+)
Safeguard Reference Manual—520618-013
10 Device and Subdevice Security Commands
With SAFECOM device and subdevice security commands, any user whose ID 
appears in the access control list (ACL) as owner of a protected device or subdevice 
can control access to that device or subdevice.
By default, only a local super-group user can add a device or subdevice authorization 
record to the Safeguard object database. After an authorization record is added for a 
device or subdevice, all attempts to open the device or subdevice are subject to a 
Safeguard authorization check and, optionally, to Safeguard auditing. However, this 
behavior is configurable by creating or changing the ACL for OBJECTTYPE DEVICE 
or SUBDEVICE. For more information, see Section 12, OBJECTTYPE Security 
Commands.
The owner of a device or subdevice authorization record can control access to the 
device or subdevice by managing the ACL for that device. A device authorization 
record owner can also specify when the Safeguard software is to audit attempts to 
access the device or subdevice as well as attempts to manage the device or subdevice 
authorization record.
This section describes device and subdevice ownership and explains how the 
Safeguard software authorizes attempts to access protected devices and subdevices. 
It also summarizes the device and subdevice security commands. Following the 
command summary, the commands are described in detail.
Device and Subdevice Authorization Record Ownership
A device or subdevice has no authorization record until the device or subdevice is 
placed under the control of the Safeguard software facility by a super-group user. (For 
more information on adding authorization records, see DEVICE on page 12-2 or 
SUBDEVICE on page 12-2.) Every authorization record has an OWNER attribute that 
contains the user ID of the user who can manage the Safeguard access controls for 
the device or subdevice.
However, the user who adds the record can set the OWNER attribute to the user ID of 
any user (by including an OWNER specification in a SET DEVICE, SET SUBDEVICE, 
ADD DEVICE, or ADD SUBDEVICE command). The owner of a 
protected authorization record can also transfer ownership to another user by changing 
the OWNER attribute with the ALTER DEVICE or ALTER SUBDEVICE command.
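The following is an added example, not part of the manual and not Safeguard code: a small Python model of the ownership rules in this section (who may add a record by default, how OWNER is set and transferred, and the additional owners granted through the OWNER authority code on ACL entries). All class and function names, the remote flag, and the default of the adder becoming owner are assumptions made for the illustration; the model covers only the rules stated here.

```python
# Added illustration: a toy model of the ownership rules in this section.
# Not Safeguard code; every name below is hypothetical.
from dataclasses import dataclass, field

SUPER_GROUP = 255  # group number of the NonStop super-group


@dataclass(frozen=True)
class User:
    group: int
    member: int
    remote: bool = False  # assumption: marks a user who is not local


@dataclass
class DeviceRecord:
    name: str
    owner: User                              # OWNER attribute (primary owner)
    acl: dict = field(default_factory=dict)  # User -> set of authority codes

    def can_manage(self, user: User) -> bool:
        """Primary owner, or an ACL entry that carries the OWNER (O) authority."""
        return user == self.owner or "O" in self.acl.get(user, set())


def add_record(adder: User, name: str, owner: User = None) -> DeviceRecord:
    """Default rule: only a local super-group user may add a record.
    The adder may name any user as OWNER (assumed default: the adder)."""
    if adder.group != SUPER_GROUP or adder.remote:
        raise PermissionError("only a local super-group user can add a record")
    return DeviceRecord(name, owner or adder)


def alter_owner(actor: User, record: DeviceRecord, new_owner: User) -> None:
    """Models ALTER DEVICE with an OWNER change: primary ownership moves."""
    if not record.can_manage(actor):
        raise PermissionError("actor does not own this authorization record")
    record.owner = new_owner


def alter_access(actor: User, record: DeviceRecord, user: User, codes) -> None:
    """Models an ACL change; granting 'O' creates an additional owner."""
    if not record.can_manage(actor):
        raise PermissionError("actor does not own this authorization record")
    record.acl[user] = set(codes)
```

In this model a previous primary owner keeps control after a transfer only if an ACL entry still grants that user the O authority, which is the case to look for when reviewing who can manage a record.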
Because the primary owner can add owners to an ACL, additional ownership is defined 
by the OWNER authority code for ACL entries and is an independent extension of the 
primary owner. Additional owners can do anything that the primary owner is permitted 










