Open System Services Programmer's Guide

Figure 8 OSS SEEP Consultation Flow

Depending on the OSS SEEP’s response, the OSS name server either immediately responds to the
request with a security error or continues with the standard security evaluation. For examples of
final results for security evaluations, see “Final Result of the Operation” (page 277).
Considerations for OSS SEEP consultation are:

• The OSS name server does not consult the OSS SEEP for access to /E and /G filesets. The
  OSS SEEP consultation for /E path names happens at the target node. For /G files, the access
  authorization is handled by Safeguard.
• The OSS name server does not consult the OSS SEEP for search authorization on directories
  in the pathname.
• The directory-search authorization result on a directory in an OSS SEEP-protected fileset is
  processed as follows:
    ◦ If a directory-search authorization error occurs during pathname resolution due to a POSIX
      ACL on a directory in an OSS SEEP-protected fileset, the operation is failed immediately,
      as is done for a normal fileset.
    ◦ If a directory-search authorization error occurs during pathname resolution due to standard
      OSS permissions on a directory in an OSS SEEP-protected fileset, the OSS name server
      remembers the error and proceeds with the rest of the pathname resolution and the OSS
      SEEP consultation. The directory-search authorization error is returned as the result of the
      operation if any of the following conditions occurs:
        ▪ A fileset that is not OSS SEEP-protected is entered during pathname resolution
        ▪ The OSS SEEP replies with NORECORD
        ▪ A path error (PATHDOWN error) is encountered while communicating with the OSS
          SEEP
        ▪ The request to the OSS SEEP times out
      For all other cases, any directory-search authorization error is overridden by the OSS
      SEEP’s ruling.
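
The directory-search rules above, modelled as a small decision function. This is an added example, not code from this guide or from the NonStop software. Every identifier is hypothetical: SEEP_ALLOW and SEEP_DENY stand in for the rulings this section does not name, and NOT_STATED marks outcomes this section does not specify.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for this illustration; not NonStop API identifiers. */
enum seep_reply { SEEP_ALLOW, SEEP_DENY, SEEP_NORECORD, SEEP_PATHDOWN, SEEP_TIMEOUT };
enum outcome { STANDARD_EVAL, SECURITY_ERROR, SEARCH_ERROR, NOT_STATED };

struct dir_step {        /* one directory crossed during pathname resolution */
    int seep_protected;  /* directory is in an OSS SEEP-protected fileset */
    int acl_denies;      /* a POSIX ACL denies search on it */
    int perms_deny;      /* standard OSS permissions deny search on it */
};

/* reply is only used when the target is in a protected fileset. */
enum outcome resolve(const struct dir_step *d, size_t n,
                     int target_protected, enum seep_reply reply)
{
    int remembered = 0;  /* deferred directory-search error */
    for (size_t i = 0; i < n; i++) {
        if (remembered && !d[i].seep_protected)
            return SEARCH_ERROR;           /* entered an unprotected fileset */
        if (d[i].acl_denies)
            return SEARCH_ERROR;           /* ACL denial fails immediately */
        if (d[i].perms_deny) {
            if (!d[i].seep_protected)
                return SEARCH_ERROR;       /* normal fileset: fail immediately */
            remembered = 1;                /* protected: remember, keep going */
        }
    }
    if (!target_protected)                 /* no consultation takes place */
        return remembered ? SEARCH_ERROR : STANDARD_EVAL;
    switch (reply) {
    case SEEP_DENY:  return SECURITY_ERROR;  /* immediate security error */
    case SEEP_ALLOW: return STANDARD_EVAL;   /* ruling overrides remembered error */
    default:         /* NORECORD, PATHDOWN, timeout */
        return remembered ? SEARCH_ERROR : NOT_STATED;
    }
}

int main(void)
{
    /* Constructed path: /a (search denied by permissions), then /a/b; both protected. */
    struct dir_step path[] = { {1, 0, 1}, {1, 0, 0} };
    printf("allow=%d norecord=%d\n", resolve(path, 2, 1, SEEP_ALLOW),
           resolve(path, 2, 1, SEEP_NORECORD));
    return 0;
}
```

The point for access reviews: in a protected fileset, restrictive permission bits on a parent directory do not block access by themselves when the OSS SEEP issues a ruling, whereas a POSIX ACL denial on that directory always does.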

OSS SEEP System and Library Calls

The OSS SEEP returns access-authorization rulings for file operations in Version 3 catalog filesets
that are OSS SEEP-protected, if the OSS SEEP is running. For operations that include multiple
pathnames, the OSS SEEP is consulted once per system or library call. The following OSS system
calls, library calls, and Guardian procedure calls consult the OSS SEEP for access authorization.
Note that the operation type passed to the OSS SEEP for each function and procedure is also
listed.
276 Managing OSS Security