Safeguard Reference Manual (G06.24+, H06.03+ )

ManualsBrandsHP ManualsServerHP Integrity NonStop H-Series

571

572

573

574

575

576

577

578

579

580

Safeguard Reference Manual—520618-013

B-1

B Disk-File Access Rules

Table B-1 on page B-2 shows how disk file access rules are evaluated depending on

how the Safeguard software applies the access control lists (ACL) in disk file, volume,

and subvolume protection records.

FIRST-RULE, FIRST-ACL, and ALL are the settings allowed for the Safeguard

configuration attribute COMBINATION-DISKFILE. This attribute defines the manner in

which overlapping ACLs are resolved for access to volumes, subvolumes, and disk

files.

FIRST-RULE indicates the Safeguard software uses the first ACL that contains the

specified user ID. FIRST-ACL indicates the Safeguard software uses the first ACL it

finds regardless of whether the ACL contains the specified user ID. ALL indicates the

Safeguard software uses all available ACLs.

CHECK-DISKFILE-PATTERN establishes whether ACLs from a disk file pattern’s

protection record can be used to determine disk file access. The FIRST value says to

first perform a disk file pattern search for a matching pattern, and only if the result of

the search is NORECORD, then will a normal search of remaining object protection

records occur. The LAST value says to first perform a normal search of all object

protection records (except diskfile pattern), and only if the result of the search is

NORECORD, then will a disk file pattern search for a matching pattern be performed.

The OFF value says to not perform any disk file pattern searches to determine disk file

access. The ONLY value says to perform only the pattern search and do not do the

normal search. OFF is the initial value. This attribute defines part of the SAFEGUARD

global configuration. For more diskfile-pattern information, see the Safeguard User’s

Guide.

In Table B-1 on page B-2, Level refers to the direction in which the Safeguard

software searches ACLs. The evaluation depends on the direction of the search. The

search direction is determined by Safeguard configuration attribute DIRECTION-

DISKFILE, which can be set to either VOLUME-FIRST or FILENAME-FIRST.

If the search direction is VOLUME-FIRST, the volume ACL is searched first, subvolume

ACL second, and disk file ACL third. If the search direction is FILENAME-FIRST, the

disk file ACL is searched first, subvolume second, and volume third.

The CHECK-VOLUME, CHECK-SUBVOLUME, and CHECK-FILENAME configuration

attributes allow you to selectively enable or disable the checking of ACLs at a particular

level. For example, if CHECK-VOLUME is OFF, Safeguard does not check volume

ACLs for attempts to access a disk file. If one of these configuration attributes is set to

OFF, the access result is the same as if that level had No Record (indicated by NR in

Table B-1 on page B-2). However, if a disk file protection record exists and if CHECK-

VOLUME, CHECK-SUBVOLUME, CHECK-FILENAME and ACL-REQUIRED-

DISKFILE are OFF, this is treated as a special frozen ACL case. Only the primary

owner of the disk file, primary owner's local group manager, and the local super ID are

allowed access. As a special case, if an authorization event-exit process (SEEP) is

running, access is granted based on SEEP's decision (allow or deny access) instead of

the frozen ACL rules.