OSF DCE Administration Guide--Core Components
16.10 Setting Up Access Control in a New Namespace
You should plan a consistent access control policy and be ready to implement the policy
as soon as you configure your first CDS server and before you create or populate any
new directories. Among the tasks you can perform are the following:
• Adding members to the namespace authorization group
• Creating additional authorization groups
• Establishing maximum permissions for unauthenticated principals
16.10.1 Adding Members to the Namespace Authorization Group
To facilitate managing and troubleshooting your namespace, the cell configuration
process creates a namespace authorization group under the fixed name
subsys/dce/cds-admin. The configuration process then grants the group full access to
the cell root directory. This access propagates to the entire namespace as it evolves.
Immediately after its creation, the authorization group contains only the name that the
initial namespace administrator specified during the cell configuration process. You can
use the dcecp group add command to add the principal names of other individuals in
your organization whom you want to administer and troubleshoot the namespace.
Because this group possesses full access to the entire namespace, its members can
intervene, whenever necessary, to solve problems for namespace users with fewer
permissions. When you remove a user’s principal name from the group, the user described by
that principal loses the access assigned to the group.
(See Part 6 of this guide for complete information on how to add and delete group
members.)
16.10.2 Creating Additional Authorization Groups
Authorization groups can provide a convenient and flexible way to control access to
your namespace. You can combine users according to organization, work type, security
status, and so on, and then grant each group a specific set of permissions to specific
directories or other names in the namespace.
To delegate authority locally, you can create an authorization group for each of the
functional directories that you plan to create in your namespace. For example, you
could create an authorization group named subsys/dce/sales-admin and include, as
members, the individuals who are responsible for managing the /.:/sales directory. Each
local authorization group could have full access to the contents of the directory for
which it is responsible.
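The delegation described above, written as a dcecp script; this is an added example, not text from the original guide. The member principals j_smith and m_jones are hypothetical and must already exist in the registry, and applying the same entry to the Initial Container and Initial Object ACLs is an assumption about how you want access to carry over to names created later.

```tcl
# dcecp script (Tcl syntax). Run it as a principal with rights to create
# registry groups and to administer CDS, for example a member of
# subsys/dce/cds-admin.

set grp subsys/dce/sales-admin   ;# group name from the text above
set dir /.:/sales                ;# directory the group will manage

# Create the authorization group and enrol its members.
# j_smith and m_jones are hypothetical principal names.
group create $grp
group add $grp -member {j_smith m_jones}

# Create the functional directory.
directory create $dir

# One ACL entry granting all CDS permissions:
# r(ead) w(rite) d(elete) t(est) c(ontrol) i(nsert) a(dminister).
set entry [list group $grp rwdtcia]

# Object ACL: access to the directory itself.
acl modify $dir -add $entry
# Initial Container ACL: copied to child directories created later.
acl modify $dir -ic -add $entry
# Initial Object ACL: copied to object entries created later.
acl modify $dir -io -add $entry

# Review the result before handing the directory over.
puts [group list $grp]
puts [acl show $dir]
puts [acl show $dir -ic]
puts [acl show $dir -io]

# To withdraw one administrator later, remove the member from the group;
# the ACLs stay unchanged:
#   group remove subsys/dce/sales-admin -member m_jones
```

Because the ACL entries name the group rather than individual principals, later staffing changes only touch group membership and never the directory ACLs.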
16 − 12 Tandem Computers Incorporated 124243