Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index
Safeguard Administrator’s Manual—523317-013
1-1
1 Introduction
As a security administrator or privileged user, you have access to Safeguard features
that are not usually available to general users. This manual describes those features
and the additional responsibilities you have as a member of the system security team.
Those duties and responsibilities include:
•
Installing, configuring, and managing the Safeguard subsystem
•
Adding users to the Safeguard database, managing their user authentication
records, and assigning aliases to users
•
Establishing groups of users for file-sharing purposes
•
Securing disk volumes and nondisk devices
•
Controlling who can create authorization records for objects of a given type
•
Establishing security groups of users who can execute restricted commands
•
Adding terminal definitions so that the Safeguard software can provide exclusive
access and automatic starting of a specific command interpreter at the terminal
•
Using warning mode to test the effectiveness of your security policy
In addition to these specific duties, you are probably involved in formulating an overall
security policy for your installation and in planning the most appropriate ways to use
the Safeguard software.
Who Can Use the Safeguard Subsystem?
To use the Safeguard command interpreter, an individual must have EXECUTE
authority for the SAFECOM program. As a security administrator, you can limit this
authority to certain users by creating an access control list for the SAFECOM program
file.
Initially, SAFECOM limits what certain classes of users can do. For example:
•
By default, general users can add their own disk files, subvolumes, processes, and
subprocesses to the Safeguard database. For more information on functions, see
the Safeguard User's Guide.
•
By default, only local super-group members (user ID 255,n) can add volumes,
devices, and subdevices to the Safeguard database.
•
By default, the group manager (user ID n,255) can add and delete users, thereby
controlling all the user authentication records in the group.
Note. In earlier product versions, extended features for logon dialog, such as warning of a
pending password expiration, were available only at a Safeguard terminal. Effective with the
D30 product version, the TACL command interpreter also provides these logon features when
the Safeguard software is running on the system.