Safeguard Administrator's Manual (G06.24+, H06.03+)

Configuration
Safeguard Administrator’s Manual—523317-013
ACL-REQUIRED-PROCESS
If no access control list is found, access is denied. If this attribute is OFF, and no
access control list is found, Guardian rules apply. The initial value is OFF.
To change any of these values, issue the ALTER SAFEGUARD command from
SAFECOM. For example, to check access control lists at both the subprocess and
process levels:
=ALTER SAFEGUARD, CHECK-PROCESS ON, CHECK-SUBPROCESS ON
This command tells the Safeguard software to check at the process level first and to
search until it finds an ACL with the user ID of the user requesting access:
=ALTER SAFEGUARD, DIRECTION-PROCESS PROCESS-FIRST, &
=COMBINATION-PROCESS FIRST-RULE
Configuring Disk-File Control
If access control lists exist for volumes, subvolumes, and disk files, the Safeguard
software must know which one to use. You can set the attributes that control how this
is determined.
These Safeguard attributes relate to disk-file access control lists:
CHECK-VOLUME
Access control lists are checked at the volume level. The initial value is OFF. The
Safeguard software checks for CREATE authority at the volume level even when
CHECK-VOLUME is OFF.
CHECK-SUBVOLUME
Access control lists are checked at the subvolume level. The initial value is OFF.
The Safeguard software checks for CREATE authority at the subvolume level even
when CHECK-SUBVOLUME is OFF.
CHECK-FILENAME
Access control lists are checked at the disk-file level. The initial value is ON.
Note. COMBINATION-PROCESS resolves conflicts between access control lists if
CHECK-PROCESS and CHECK-SUBPROCESS are both ON. The Safeguard software
searches for an access control list in the order determined by DIRECTION-PROCESS. If you
want to use the first access control list it finds, specify FIRST-ACL. If you want the
search to continue until it finds an access control list that involves the user ID (either ACCESS
or DENY), specify FIRST-RULE. If you want to allow access only if specified on both access
control lists, specify ALL.
If you use the special NAMED and UNNAMED process protection records, specify
FIRST-RULE to ensure this feature functions as intended.
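
The COMBINATION-PROCESS choices in the Note above, worked through as an added Python model (an illustration written for this page, not Safeguard code and not taken from the manual). The ACL dictionaries, the user names, the process_first flag standing in for DIRECTION-PROCESS, the treatment of a user who is missing from the deciding ACL, and applying ALL to whichever ACLs exist are assumptions of the example.

```python
# Added illustration: simplified model of the process-level ACL search.
# Not Safeguard code. An ACL is a dict {user_id: "ACCESS" | "DENY"}; None = no ACL.
GRANTED, DENIED, GUARDIAN = "granted", "denied", "guardian-rules"

def evaluate(user, process_acl, subprocess_acl, combination,
             process_first=True, check_process=True, check_subprocess=True,
             acl_required=False):
    """Decide access for `user` under the given COMBINATION-PROCESS value."""
    levels = [(check_process, process_acl), (check_subprocess, subprocess_acl)]
    if not process_first:          # opposite of DIRECTION-PROCESS PROCESS-FIRST
        levels.reverse()
    # Only levels whose CHECK- attribute is ON and that have an ACL take part.
    found = [acl for enabled, acl in levels if enabled and acl is not None]
    if not found:
        # ACL-REQUIRED-PROCESS ON: deny. OFF: Guardian rules apply.
        return DENIED if acl_required else GUARDIAN
    if combination == "FIRST-ACL":
        decisive = found[:1]                       # first ACL found, whatever it says
    elif combination == "FIRST-RULE":
        named = [a for a in found if user in a]    # first ACL naming the user
        decisive = named[:1] or found[:1]
    elif combination == "ALL":
        decisive = found                           # every ACL found must grant
    else:
        raise ValueError(f"unknown COMBINATION-PROCESS value: {combination}")
    # Assumption: a user absent from a decisive ACL is treated as not granted.
    ok = all(a.get(user) == "ACCESS" for a in decisive)
    return GRANTED if ok else DENIED

# Constructed sample: the process ACL omits OPS.ANN, the subprocess ACL grants her.
PROCESS_ACL = {"OPS.BOB": "ACCESS"}
SUBPROCESS_ACL = {"OPS.ANN": "ACCESS", "OPS.BOB": "DENY"}

def demo():
    """Return {combination: (OPS.ANN result, OPS.BOB result)} for the sample ACLs."""
    return {c: (evaluate("OPS.ANN", PROCESS_ACL, SUBPROCESS_ACL, c),
                evaluate("OPS.BOB", PROCESS_ACL, SUBPROCESS_ACL, c))
            for c in ("FIRST-ACL", "FIRST-RULE", "ALL")}

if __name__ == "__main__":
    for combo, (ann, bob) in demo().items():
        print(f"{combo:10} OPS.ANN={ann:8} OPS.BOB={bob}")
```

With the sample ACLs, only FIRST-RULE lets the search pass over the process-level ACL that does not mention OPS.ANN and reach the subprocess-level entry that does.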