Safeguard Administrator's Manual (G06.24+, H06.03+)
Table Of Contents
- What’s New in This Manual
- About This Manual
- 1 Introduction
- 2 Controlling User Access
- Introduction
- Using SAFECOM to Establish a Local User Community
- Using SAFECOM to Manage User Access to Your System
- Changing the Owner of a User Authentication Record
- Granting a User Temporary Access to Your System
- Requiring Users to Change Their Passwords
- Granting a Grace Period for Changing an Expired Password
- Forcing Immediate Expiration of a User’s Password
- Freezing a User's Ability to Access the System
- Specifying Auditing for a User ID
- Deleting Users
- Deleting Administrative Groups
- Using SAFECOM to Establish a Network of Users
- Using Safeguard With Nodes With Standard Security
- Identifying Network Users
- Granting a Network User Access to Objects on Your System
- Establishing a Community of Network Users
- Changes to the PAID During a User’s Session
- Additional Considerations for Aliases and Groups
- Additional Considerations for ACCESS with Network Specific Subject IDs
- Establishing Default Protection for a User's Disk Files
- Specifying a Default Command Interpreter for a User
- Establishing Guardian Defaults
- Assigning an Alias to a User
- 3 Managing User Groups
- 4 Securing Volumes and Devices
- 5 OBJECTTYPE Control
- 6 Managing Security Groups
- 7 Securing Terminals
- 8 Warning Mode
- 9 Configuration
- Safeguard Attributes
- Configuring User Authentication
- Configuring Password Control
- Configuring Device Control
- Configuring Process Control
- Configuring Disk-File Control
- Configuring Safeguard Auditing
- Configuring a Default Command Interpreter
- Configuring Communication With $CMON
- Configuring Logon Dialog
- Configuring Exclusive Access at Safeguard Terminals
- Configuring Warning Mode
- Configuring Persistence
- Configuring Attributes for Node Specific Subjects in ACLs
- 10 Installation and Management
- Safeguard Components
- Process Considerations for the SMP and SAFECOM
- Safeguard Subsystem Management Commands
- General Installation Procedure
- Installing the Safeguard Software
- Starting the SMP
- Converting to the Safeguard Subsystem
- Updating the Safeguard Software
- Guidelines for Securing the Safeguard Subsystem
- Monitoring the Safeguard Subsystem
- A SAFECOM Command Syntax
- Index

OBJECTTYPE Control
Safeguard Administrator’s Manual—523317-013
5-3
An OBJECTTYPE authorization record can have only two access authorities:

   CREATE   The authority to add individual authorization records for that type of object
   OWNER    The authority to modify the OBJECTTYPE record

Note. Users with CREATE authority on an OBJECTTYPE access control list can add any object of that type regardless of the object's ownership. For example, a user with CREATE authority on OBJECTTYPE DISKFILE can create authorization records for any user's files that are not already protected by the Safeguard software. Normally, users can add only their own files. Therefore, you should not add an object type to the Safeguard database unless you are sure you do not want to use the standard Safeguard restrictions.

Controlling an Entire Object Type

Normally, only super-group users can add authorization records for volumes, devices, and subdevices. However, all users can add authorization records for disk files that they own as well as authorization records for any subvolumes, processes, or subprocesses.

If you want to change who has authority to add objects of a certain type, add the object type to the Safeguard database. Then create an access control list that gives CREATE authority to specific users.

After you add an object type to the Safeguard database, you can give ownership of the OBJECTTYPE authorization record to someone else by changing the OWNER attribute. Like other objects, OBJECTTYPE authorization records can only be changed by the primary owner, the primary owner's group manager, the super ID, or a user who has owner authority on the access control list.

The OBJECTTYPE command restricts who can use SAFECOM to create protection records for a given type of object. For example, an OBJECTTYPE DISKFILE authorization record restricts who can use SAFECOM to create disk-file authorization records. However, OBJECTTYPE DISKFILE does not affect any default protection specified for a user's disk files. That is, the Safeguard software automatically creates these protection records regardless of the access control list associated with the OBJECTTYPE DISKFILE authorization record.

The following sample procedure shows how to add an object type to the Safeguard database with a simple access control list. In this case, only group 12 is given authority to add individual device names to the Safeguard database. After the access control list is created, ownership of the authorization record is transferred to user ID 12,8.

1. Create an authorization record for OBJECTTYPE DEVICE with an access control list that grants CREATE authority to all users who have group 12 as their administrative group:

   =ADD OBJECTTYPE DEVICE, ACCESS 12,* C
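As an added illustration (not from the manual, and not SAFECOM itself), the following Python models the authority rules this section states: the default rules for who may add a protection record, how an OBJECTTYPE record's CREATE authority replaces them regardless of who owns the target object (the point of the Note), and who may alter the OBJECTTYPE record itself. It assumes Guardian's group,member user IDs with 255,255 as the super ID, group 255 as the super group and member 255 as a group's manager; the record owner 12,8 is taken from the sample procedure.

```python
# Added example (not from the manual): a model of the OBJECTTYPE access rules on
# this page. Assumed Guardian conventions, not stated here: user IDs are (group,
# member) pairs, the super ID is 255,255, group 255 is the super group, and
# member 255 of any group is that group's manager.
from dataclasses import dataclass, field

SUPER_ID = (255, 255)
SUPER_GROUP = 255
# Without an OBJECTTYPE record, only super-group users add records for these.
SUPER_GROUP_ONLY = {"VOLUME", "DEVICE", "SUBDEVICE"}
# Without an OBJECTTYPE record, any user adds these (disk files only if owned).
ANY_USER = {"DISKFILE", "SUBVOLUME", "PROCESS", "SUBPROCESS"}

@dataclass
class ObjectTypeRecord:
    owner: tuple                             # primary owner of the record
    acl: dict = field(default_factory=dict)  # (group, member or "*") -> {"C", "O"}

def acl_grants(acl, user, authority):
    """True if an entry naming the user, or a group wildcard, holds `authority`."""
    return any(grp == user[0] and mem in ("*", user[1]) and authority in auths
               for (grp, mem), auths in acl.items())

def can_create_record(user, object_type, objecttypes, file_owner=None):
    """May `user` add a protection record for an object of `object_type`?
    `objecttypes` maps a type name to its ObjectTypeRecord once the type has
    been added to the Safeguard database; that ACL then replaces the defaults."""
    rec = objecttypes.get(object_type)
    if rec is not None:
        # CREATE authority decides regardless of who owns the target object,
        # which is the behaviour the manual's Note warns about.
        return acl_grants(rec.acl, user, "C")
    if object_type in SUPER_GROUP_ONLY:
        return user[0] == SUPER_GROUP
    if object_type == "DISKFILE":
        return file_owner == user
    return object_type in ANY_USER

def can_alter_objecttype_record(user, rec):
    """Primary owner, the owner's group manager, the super ID, or a user with
    OWNER authority on the record's ACL may change the OBJECTTYPE record."""
    group_manager = (rec.owner[0], 255)
    return (user == rec.owner or user == SUPER_ID or user == group_manager
            or acl_grants(rec.acl, user, "O"))

# The page's sample procedure: =ADD OBJECTTYPE DEVICE, ACCESS 12,* C, followed
# by transfer of the record's ownership to user 12,8.
SAFEGUARD_DB = {"DEVICE": ObjectTypeRecord(owner=(12, 8), acl={(12, "*"): {"C"}})}
```

With the DEVICE record in place, a super-group user who is not in group 12 can no longer add device records, while group 12 members can; adding a DISKFILE record with the same ACL lets group 12 protect other users' unprotected files, which is the effect the Note describes.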