Safeguard Administrator's Manual (G06.24+, H06.03+)

Controlling User Access
Safeguard Administrator’s Manual—523317-013

Using SAFECOM to Establish a Network of Users

Users can be granted access to nodes other than their own and can have access
authority for remote objects. A user who can access objects on one or more remote
nodes is called a network user.

Being a system user on one node of a network of HP NonStop systems does not make
you a network user. Before you can access objects on a remote node, you must be
defined as a network user on your local node and on the remote node.

This requirement is an important feature of both the Safeguard subsystem and the
standard security system. Defining a network user requires that the user be given the
same user name, user ID, and remote password at both nodes. A user alias can also
be defined as a network user by giving the same alias the same user ID and remote
passwords at both nodes. Once a network user has been given the ability to access a
remote node, that ability can be revoked at either the user's local node or at the remote
node.
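
The requirement above can be checked mechanically. The following audit sketch is an added example, not part of the HP manual or of Safeguard: it compares a constructed inventory of user definitions for two hypothetical nodes (`\LA` and `\NY`) and reports why a user name or alias does not qualify as a network user. The record layout, the function names, and the rule that the remote-password entries for both node names must agree are assumptions of the example.

```python
from itertools import combinations

# Constructed inventory (made-up values, not Safeguard output): per node, each
# user name or alias with its user ID and remote passwords keyed by node name.
INVENTORY = {
    r"\LA": {
        "ADMIN.BOB": {"uid": (1, 2), "remote_pw": {r"\LA": "pw-a", r"\NY": "pw-b"}},
        "SALES.ANN": {"uid": (2, 7), "remote_pw": {r"\LA": "pw-c", r"\NY": "pw-d"}},
        "OPS.JOE": {"uid": (3, 4), "remote_pw": {}},
    },
    r"\NY": {
        "ADMIN.BOB": {"uid": (1, 2), "remote_pw": {r"\LA": "pw-a", r"\NY": "pw-b"}},
        "SALES.ANN": {"uid": (2, 9), "remote_pw": {r"\LA": "pw-c", r"\NY": "pw-d"}},
    },
}


def network_user_gaps(inventory, name, node_a, node_b):
    """Return why `name` is not a network user between two nodes ([] if it is)."""
    rec_a = inventory.get(node_a, {}).get(name)
    rec_b = inventory.get(node_b, {}).get(name)
    if rec_a is None or rec_b is None:
        return [f"not defined on {node_a if rec_a is None else node_b}"]
    gaps = []
    if rec_a["uid"] != rec_b["uid"]:
        gaps.append(f"user ID differs: {rec_a['uid']} vs {rec_b['uid']}")
    # Assumption of this sketch: entries for both node names must agree.
    for target in (node_a, node_b):
        pw_a = rec_a["remote_pw"].get(target)
        pw_b = rec_b["remote_pw"].get(target)
        if pw_a is None or pw_b is None:
            where = node_a if pw_a is None else node_b
            gaps.append(f"remote password for {target} missing on {where}")
        elif pw_a != pw_b:
            gaps.append(f"remote password for {target} does not match")
    return gaps


def audit(inventory):
    """Map (name, node_a, node_b) to its gaps for every name and node pair."""
    names = sorted({n for users in inventory.values() for n in users})
    return {
        (name, a, b): network_user_gaps(inventory, name, a, b)
        for a, b in combinations(sorted(inventory), 2)
        for name in names
    }


if __name__ == "__main__":
    for key, gaps in audit(INVENTORY).items():
        print(key, "network user" if not gaps else gaps)
```

Removing a remote-password entry from either node's record makes the same check report a gap, which mirrors the statement that access can be revoked at either node.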

Using Safeguard With Nodes With Standard Security

The Safeguard subsystem is fully integrated with the standard security system. Thus,
some nodes can be protected by Safeguard software, while other nodes are protected
by the standard security system. On the nodes with only the standard security system,
system managers must use the TACL command interpreter to add users and define
remote passwords. On the nodes protected by Safeguard software, system managers
can use either SAFECOM or TACL to add users and define remote passwords for
users. However, the Safeguard software gives system managers more control over
user access to their system than they would have with the standard security system.

On a system protected only by the standard security system, any local user can define
his or her own remote passwords (provided the user has execute access to the
RPASSWRD program object file). On a system protected by Safeguard software, the
RPASSWRD program can be removed. Then only the owner of a user authentication
record, the owner's group manager, and the local super ID can define a remote
password for a user.

User aliases are supported only between nodes on which D30 or later Safeguard is
running. In addition, standard security programs cannot be used to manage user
aliases.

Table 2-3 shows the relationship between the SAFECOM and standard security
programs that manage user access to a network of HP NonStop systems.