Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index

Controlling User Access
Safeguard Administrator’s Manual—523317-013
2-4
• Automatic starting of a command interpreter for a user after logon at a Safeguard
terminal (CI-PROG)
Using SAFECOM to Establish a Local User Community
Before a new user can log on to a system, a group manager or the local super ID must
use SAFECOM commands to create a user authentication record in the Safeguard
subject database. This user authentication record contains the user ID and user name,
password, and other security attributes defined for the user. The Safeguard software
uses these security attributes to control access to the system. This subsection
describes the user security attributes and the SAFECOM user security commands, and
gives examples of adding and deleting users in a system.
Defining Administrative Groups
The first step in establishing a local user community is to define group
names and group numbers for the administrative groups you will use to manage
user authentication records. The second step is to add users to those
administrative groups.
Each administrative group has a name and number. An administrative group name is
from one to eight alphanumeric characters. The first character must be alphabetic. An
administrative group number is a number from 0 through 255.
A particular user’s user name and user ID are derived from the group name and group
number of the administrative group to which the user was added with the ADD USER
command. This group is known as the user’s administrative group.
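As an added illustration (not part of the HP manual), the Python script below checks a planned set of administrative groups against the naming and numbering rules above, then lists the SAFECOM commands in the order described: groups first, then users. The group and user names are constructed. The uniqueness checks, the 0-255 member-number range, and the ADD GROUP / ADD USER argument layout are assumptions to confirm against Appendix A, SAFECOM Command Syntax.

```python
import re

# Page rules: group name is 1-8 alphanumerics starting with a letter;
# group number is 0 through 255.
# Assumptions (not on the page): names and numbers are unique, member numbers
# are 0-255, and the ADD GROUP / ADD USER argument layout emitted below.
GROUP_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{0,7}")

def check_plan(plan):
    """Return a list of problems found in a planned user community."""
    problems, names, numbers = [], set(), set()
    for g in plan:
        name, num = g["name"], g["number"]
        if not GROUP_NAME.fullmatch(name):
            problems.append(f"{name}: name must be 1-8 alphanumerics, first alphabetic")
        if not 0 <= num <= 255:
            problems.append(f"{name}: group number {num} outside 0-255")
        if name.upper() in names or num in numbers:
            problems.append(f"{name}: group name or number {num} already used")
        names.add(name.upper())
        numbers.add(num)
        seen = set()
        for member, member_num in g["members"]:
            if not 0 <= member_num <= 255 or member_num in seen:
                problems.append(f"{name}.{member}: bad or duplicate member number {member_num}")
            seen.add(member_num)
    return problems

def safecom_commands(plan):
    """Emit step one (groups) before step two (users), in the page's order."""
    if check_plan(plan):
        raise ValueError("plan has problems; fix them before generating commands")
    groups = [f"ADD GROUP {g['name']}, NUMBER {g['number']}" for g in plan]
    users = [f"ADD USER {g['name']}.{m}, {g['number']},{n}"
             for g in plan for m, n in g["members"]]
    return groups + users

# Constructed sample plans (hypothetical names and numbers).
PLAN = [
    {"name": "admin", "number": 8, "members": [("bob", 1), ("ann", 255)]},
    {"name": "ops", "number": 20, "members": [("lee", 3)]},
]
BAD_PLAN = [
    {"name": "9lives", "number": 8, "members": []},
    {"name": "warehouse1", "number": 300, "members": [("x", 1), ("y", 1)]},
]

if __name__ == "__main__":
    print("\n".join(safecom_commands(PLAN) + check_plan(BAD_PLAN)))
```

Running the script prints the five commands for the valid plan followed by the four problems found in the invalid one.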
A user can be made a member of other administrative groups with the ADD and
ALTER GROUP commands. This form of group membership is used for file-sharing
purposes, not administrative purposes. For more information, see Section 3, Managing
User Groups.
Note. When the Safeguard software is installed on a system with an existing user community,
it takes over the USERID file as its subject database. When a user logs on, that user's record
in the USERID file is expanded to include Safeguard security attributes. You do not have to
add existing users individually.
For these users, the Safeguard software retains the existing security attributes that are
common to both Safeguard security and the standard Guardian security system. In addition,
the Safeguard software assigns values for user security attributes that are unique to Safeguard
security (described in Table 2-1 on page 2-6).
Users added through the Safeguard software are recognized by the operating system if the
Safeguard subsystem is shut down. However, the extra capabilities that the Safeguard software
provides are no longer active.










