Safeguard Reference Manual (G06.24+, H06.03+)

Event-Exit-Process Commands
Safeguard Reference Manual 520618-013, page 15-26
Processing of Authorization Requests
When ENABLE-AUTHORIZATION-EVENT is ON, authorization requests are routed to
the event-exit process. When a subject attempts to access an object, the request flows
through the application to the appropriate subsystem software, which calls the
privileged library procedure PROTECTION_CHECK_. This request is forwarded by
PROTECTION_CHECK_ to the Safeguard SMON, which in turn routes the request to
the event-exit process for evaluation. The message links between the SMON and the
event-exit process are file-system messages (WRITEREAD[X]) in the format shown in
Table 15-2 on page 15-14 through Table 15-8 on page 15-23.

For the event-exit and Safeguard security policies to interact in a meaningful manner,
both policies must support the same types of rulings. Safeguard authorization supports
rulings of YES, NO, or NORECORD (no opinion). The event-exit process must support
these same rulings. If the event-exit process has no opinion on the ruling for a given
object, it must respond with NORECORD in the Status field of the Header_Data
message. If the event exit responded YES in this instance, a false positive would be
passed to the Safeguard software, and Safeguard might grant access to a disk file that
should have been controlled by Guardian security.

If the event-exit process rules NO on the access attempt, the SMON returns the denial
to PROTECTION_CHECK_ without further processing.

If the event-exit process rules YES or NORECORD on the access attempt, the
Safeguard software performs its own access check and returns the combination of the
two results to PROTECTION_CHECK_. Therefore, the event-exit process cannot
unilaterally grant access to an object if that access is denied by a Safeguard protection
record. If the Safeguard access check also results in NORECORD, Guardian security
applies.

Table 15-11 shows results of access attempts based on different rulings from the
event-exit process and the Safeguard subsystem. The final access control result
appears in the PROTECTION_CHECK_ column for all cases except those in which the
PROTECTION_CHECK_ result is NORECORD. When NORECORD is the
PROTECTION_CHECK_ result, the final result appears in the Guardian column.

Table 15-11. Decision Table for Event Exit, Safeguard, and Guardian Results (page 1 of 2)

Event Exit Ruling   Safeguard Ruling   Protection_Check_ Result   Guardian Security Ruling
YES                 YES                YES                        Not consulted
YES                 NO                 NO                         Not consulted
YES                 NORECORD           YES                        Not consulted
NO                  Not consulted      NO                         Not consulted
NO                  Not consulted      NO                         Not consulted

* If an object has a Safeguard protection record and the Safeguard subsystem is disabled, access rulings
for that object are as described for the STOP SAFEGUARD command in Section 16, Safeguard
Subsystem Commands.
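
The following Python model is an added example, not code from the manual or from the Safeguard software. It implements the ruling combination described above and shows the false-positive case in which an event exit answers YES instead of NORECORD. The names Ruling, combine and final_access are hypothetical, and the handling of an event-exit NORECORD paired with a Safeguard YES or NO (rows not shown in this part of the table) assumes that NORECORD defers to the other ruling.

```python
from enum import Enum


class Ruling(Enum):
    YES = "YES"
    NO = "NO"
    NORECORD = "NORECORD"  # no opinion


def combine(event_exit, safeguard):
    """Return (PROTECTION_CHECK_ result, whether Safeguard was consulted)."""
    if event_exit is Ruling.NO:
        # A denial from the event exit is returned without further processing.
        return Ruling.NO, False
    if safeguard is Ruling.NO:
        # The event exit cannot override a Safeguard protection record.
        return Ruling.NO, True
    if Ruling.YES in (event_exit, safeguard):
        # Assumption: NORECORD on one side defers to YES on the other.
        return Ruling.YES, True
    return Ruling.NORECORD, True


def final_access(event_exit, safeguard, guardian_allows):
    """Return (access granted, whether Guardian security was consulted)."""
    result, _ = combine(event_exit, safeguard)
    if result is Ruling.NORECORD:
        # Neither policy has an opinion, so Guardian security applies.
        return guardian_allows, True
    return result is Ruling.YES, False


if __name__ == "__main__":
    # Constructed case: a disk file with no Safeguard protection record
    # that Guardian security would deny to this subject.
    safeguard, guardian_allows = Ruling.NORECORD, False
    for label, ruling in (("correct exit", Ruling.NORECORD),
                          ("faulty exit", Ruling.YES)):
        granted, consulted = final_access(ruling, safeguard, guardian_allows)
        print(f"{label}: event exit={ruling.value} granted={granted} "
              f"guardian consulted={consulted}")
```

With the constructed inputs, the exit that answers NORECORD leaves the decision to Guardian security and access is denied, while the exit that answers YES grants access and Guardian security is never consulted.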