Safeguard Reference Manual (G06.24+, H06.03+)
Safeguard Reference Manual—520618-013
12-1
12. OBJECTTYPE Security Commands
Safeguard OBJECTTYPE security allows a security administrator to define the users or 
groups of users who can add new subjects or objects to the Safeguard database.
Each kind of subject and object (such as DISKFILE, DEVICE, or USER) can be given a 
corresponding OBJECTTYPE protection record. For example, the protection record that 
controls adding new DISKFILEs is an entry for OBJECTTYPE DISKFILE. Note, however, that 
authorities granted on the access control list (ACL) for OBJECTTYPE DISKFILE are not 
permissions on individual disk files; they grant only the ability to add protection 
records for new disk files to the Safeguard database.
When a user attempts an ADD command (for example, ADD DISKFILE), the 
Safeguard software first checks for the presence of an authorization record for the 
corresponding OBJECTTYPE (in this case, OBJECTTYPE DISKFILE). If no record 
exists, the Safeguard software proceeds according to default rules, which are shown in 
Table 12-1 on page 12-2. However, if a record exists for the corresponding 
OBJECTTYPE, the Safeguard software consults the ACL for that OBJECTTYPE. If the 
user has not been granted C (CREATE) authority on the ACL, the ADD command fails 
with a security violation (file error 48).
Protection records for OBJECTTYPEs are similar to protection records for individual 
objects: the initial owner can grant additional ownership (through the O authority on the 
ACL), the owner can give ownership away, the owner can freeze or thaw the protection 
record, and the owner can establish selective auditing criteria. Owners can even delete 
the protection record for an OBJECTTYPE to restore the operation of the ADD 
command for that OBJECTTYPE back to the default rules.
Because the OBJECTTYPE records alter the behavior of the Safeguard ADD 
command, consider carefully the consequences of changing the Safeguard software 
from the default behavior by adding an OBJECTTYPE record. Table 12-1 lists the 
default behaviors.
Because the OBJECTTYPE records are in themselves pseudo-objects, an 
additional OBJECTTYPE record exists to control the creation of new OBJECTTYPE 
records. This additional record is the OBJECTTYPE OBJECTTYPE record. Only users 
granted CREATE authority on the OBJECTTYPE OBJECTTYPE ACL (if present) can 
create other OBJECTTYPE records. Only the owner and other users granted OWNER 
authority on the OBJECTTYPE OBJECTTYPE ACL can manage the OBJECTTYPE 
OBJECTTYPE record.
OBJECTTYPE DISKFILE has no effect on default protection for a user’s disk files. It 
only controls who can execute the ADD DISKFILE command.
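The decision procedure this section describes (record absent: default rules; record present: the ACL must grant C; owner or O authority manages the record; deleting the record restores the defaults; ADD OBJECTTYPE is itself governed by the OBJECTTYPE OBJECTTYPE record) can be exercised offline with the following model. It is an added example written for this page, not Safeguard code and not SAFECOM syntax. The class and method names (ObjecttypeModel, can_add, add_objecttype), the user names, and the default rule `super_id_only` are all constructed for illustration; in particular, the default rule is a stand-in, since Table 12-1 is not reproduced on this page.

```python
"""Model of the Safeguard OBJECTTYPE authorization decision.

Added illustration, not Safeguard code: it reproduces the decision procedure
described in the text so that the "record present" and "record absent" paths,
record management, deletion, and the OBJECTTYPE OBJECTTYPE record can be run
offline. Table 12-1 is not reproduced; the caller supplies the default rule.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

FILE_ERROR_SECURITY_VIOLATION = 48   # file error 48, as stated in the text


class SecurityViolation(Exception):
    """Raised where Safeguard would fail the command with file error 48."""

    def __init__(self, user: str, command: str) -> None:
        super().__init__(f"file error {FILE_ERROR_SECURITY_VIOLATION}: "
                         f"{user} is not authorized for {command}")
        self.error = FILE_ERROR_SECURITY_VIOLATION


@dataclass
class ObjecttypeRecord:
    """Protection record for one OBJECTTYPE: an owner plus an ACL mapping
    user -> set of authority letters. Only C (CREATE) and O (OWNER) matter here."""
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)


class ObjecttypeModel:
    def __init__(self, default_rule: Callable[[str, str], bool]) -> None:
        # default_rule(user, objecttype) stands in for Table 12-1 (hypothetical hook).
        self.default_rule = default_rule
        self.records: Dict[str, ObjecttypeRecord] = {}

    def can_add(self, user: str, objecttype: str) -> bool:
        """Decision for ADD <objecttype>: no record -> default rules apply;
        record present -> the ACL must grant C. Ownership of the record alone
        does not grant CREATE, exactly as the text states."""
        record = self.records.get(objecttype)
        if record is None:
            return self.default_rule(user, objecttype)
        return "C" in record.acl.get(user, set())

    def add(self, user: str, objecttype: str) -> None:
        if not self.can_add(user, objecttype):
            raise SecurityViolation(user, f"ADD {objecttype}")

    def can_manage(self, user: str, objecttype: str) -> bool:
        """The owner, or any user granted O on the record's ACL, may manage the
        record (give ownership away, freeze/thaw, set auditing, delete)."""
        record = self.records[objecttype]
        return user == record.owner or "O" in record.acl.get(user, set())

    def add_objecttype(self, user: str, objecttype: str,
                       acl: Optional[Dict[str, Set[str]]] = None) -> None:
        """ADD OBJECTTYPE is itself an ADD: it is governed by the OBJECTTYPE
        OBJECTTYPE record if one exists, otherwise by the default rule."""
        if objecttype in self.records:
            raise ValueError(f"OBJECTTYPE {objecttype} record already exists")
        self.add(user, "OBJECTTYPE")
        self.records[objecttype] = ObjecttypeRecord(owner=user, acl=dict(acl or {}))

    def delete_objecttype(self, user: str, objecttype: str) -> None:
        """Deleting the record returns ADD <objecttype> to the default rules."""
        if not self.can_manage(user, objecttype):
            raise SecurityViolation(user, f"DELETE OBJECTTYPE {objecttype}")
        del self.records[objecttype]


def super_id_only(user: str, objecttype: str) -> bool:
    """Constructed stand-in for Table 12-1: with no record present, only the
    super ID may add. The real defaults differ per OBJECTTYPE."""
    return user == "SUPER.SUPER"


if __name__ == "__main__":
    sg = ObjecttypeModel(super_id_only)          # user names below are constructed
    sg.add_objecttype("SUPER.SUPER", "DISKFILE",
                      {"ADMIN.SEC": {"C"}, "OPS.PAT": {"O"}})
    print(sg.can_add("ADMIN.SEC", "DISKFILE"))   # True: granted C on the ACL
    print(sg.can_add("SUPER.SUPER", "DISKFILE")) # False: owns the record, no C
    print(sg.can_add("SUPER.SUPER", "DEVICE"))   # True: no record, default rule
    try:
        sg.add("DEV.BOB", "DISKFILE")
    except SecurityViolation as exc:
        print(exc)                               # file error 48
    sg.delete_objecttype("OPS.PAT", "DISKFILE")  # O authority suffices to manage
    print(sg.can_add("SUPER.SUPER", "DISKFILE")) # True again: back to defaults
```

Two points worth checking against your own system when reading the model: the record owner is deliberately not given implicit CREATE authority (the text ties ADD strictly to C on the ACL), and ADD OBJECTTYPE falls back to the default rule only while no OBJECTTYPE OBJECTTYPE record exists, which is why adding that record is the step that locks down who can create further OBJECTTYPE records.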