Safeguard Administrator's Manual (G06.24+, H06.03+)

Safeguard Administrator’s Manual—523317-013
5 OBJECTTYPE Control
So far, you have seen how to protect an individual object such as a disk volume by
creating an authorization record for it. This section describes how to use the
OBJECTTYPE commands to control who can create authorization records for objects
of a given type.
By default, only super-group users can create authorization records for volumes,
devices, and subdevices, but any user can create authorization records for processes,
subprocesses, subvolumes, and disk files. The OBJECTTYPE commands allow you to
change these restrictions by designating a specific set of users who can add new
subjects and objects to the Safeguard database.
With the OBJECTTYPE commands, you can specify:
• Who can protect individual objects of a given type
• Who can add users, aliases, and groups to the system
• Who can add an OBJECTTYPE record to the Safeguard database
• Who has owner authority of an OBJECTTYPE record
• What auditing is applied to an OBJECTTYPE
For the purposes of the OBJECTTYPE commands, the Safeguard software treats
users, aliases, and groups as a single object type, OBJECTTYPE USER. Normally,
only group managers and the super ID can add users and aliases to the system, and
super-group members can add user groups. However, by creating OBJECTTYPE
USER, you can give any designated list of users the authority to add users, aliases,
and groups. For more information, see Controlling Users as an Object Type on
page 5-4.
An OBJECTTYPE authorization record has these attributes:
ACCESS
OWNER
AUDIT-ACCESS-PASS
AUDIT-MANAGE-PASS
AUDIT-ACCESS-FAIL
AUDIT-MANAGE-FAIL
You specify these attributes with the commands listed in Table 5-1.
The OBJECTTYPE commands must be followed by a valid object type. For example, if
you want to add an authorization record for the object type VOLUME, use the ADD
OBJECTTYPE VOLUME command. The valid object types are:
DISKFILE
DISKFILE-PATTERN
SUBVOLUME
VOLUME
DEVICE
SUBDEVICE
PROCESS