Safeguard Administrator's Manual (G06.24+, H06.03+)
Managing Security Groups
Safeguard Administrator’s Manual—523317-013
Adding Security Groups
You also define membership in the SYSTEM-OPERATOR security group by adding an 
authorization record for that group. For example, this command creates the 
authorization record for the SYSTEM-OPERATOR security group and gives all 
authorities to SYSOP.DALE (user ID 255,12):
=ADD SECURITY-GROUP SYSTEM-OPERATOR, ACCESS 255,12 * 
Verify the results of the command:
=INFO SECURITY-GROUP SYS-OPER 
The display shows:
                           LAST-MODIFIED   OWNER    STATUS
GROUP SYSTEM-OPERATOR
                           26JAN93, 11:12  255,255  THAWED
   255,12    E,O
Except for SYSOP.DALE and the super ID, all super-group members are now
prohibited from using the commands reserved for the SYSTEM-OPERATOR security
group. Because SYSOP.DALE has both EXECUTE and OWNER authority on the
access control list, he can execute these commands and also add other users to the
SYSTEM-OPERATOR security group.
You can define membership in the SECURITY-OSS-ADMINISTRATOR security group
by adding an authorization record for that group. For example, this command creates
the authorization record for the SECURITY-OSS-ADMINISTRATOR security group and
gives all authorities to TEST1.USER1 (204,001), TEST2.USER2 (240,002),
TEST3.USER3 (240,003), and TEST4.USER4 (240,004):
=ADD SECURITY-GROUP SECURITY-OSS-ADMINISTRATOR, &
OWNER SUPER.TEST, AUDIT-ACCESS NONE, &
AUDIT-MANAGE-PASS ALL, &
ACCESS TEST1.USER1 (E,O); TEST1.USER2 (E); TEST1.USER3(O)
Verify the results of the command:
=INFO SECURITY-GROUP SECURITY-OSS-ADMINISTRATOR
The display shows:
                           LAST-MODIFIED   OWNER    STATUS
SECURITY-OSS-ADMINISTRATOR
                           24MAY06,  1:29  255,5    THAWED
   240,001   E  O
   240,002   E
   240,003      O
AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = ALL
AUDIT-ACCESS-FAIL = NONE
Note. The SECURITY-OSS-ADMINISTRATOR security group is supported only on systems 
running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.
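As an added illustration (not part of the manual), this Python script parses captured INFO SECURITY-GROUP output and reports access control list entries that hold OWNER authority but are missing from an approved baseline, since OWNER is the authority that lets a user add others to a security group. The sample text, the baseline and all function names are constructed for the example, and the display layout is assumed to match the displays on this page.

```python
import re

# Constructed sample: INFO SECURITY-GROUP output in the layout shown on this page.
SAMPLE = """\
                           LAST-MODIFIED   OWNER    STATUS
GROUP SYSTEM-OPERATOR
                           26JAN93, 11:12  255,255  THAWED
   255,12    E,O
                           LAST-MODIFIED   OWNER    STATUS
SECURITY-OSS-ADMINISTRATOR
                           24MAY06,  1:29  255,5    THAWED
   240,001   E  O
   240,002   E
   240,003      O
AUDIT-ACCESS-PASS = NONE   AUDIT-MANAGE-PASS = ALL
AUDIT-ACCESS-FAIL = NONE
"""

GROUP_RE = re.compile(r"^(?:GROUP\s+)?([A-Z]+(?:-[A-Z]+)+)$")
STATUS_RE = re.compile(r"^\d{1,2}[A-Z]{3}\d{2},\s*\d{1,2}:\d{2}\s+(\d+,\d+)\s+(\w+)$")
ACL_RE = re.compile(r"^(\d+,\d+)\s+([EO](?:[\s,]+[EO])*)$")

def norm(uid):
    """Normalize 'group,member' so that 240,001 and 240,1 compare equal."""
    g, m = uid.split(",")
    return f"{int(g)},{int(m)}"

def parse_info(text):
    """Return {group: {'owner': id, 'status': str, 'acl': {id: {'E','O'}}}}."""
    groups, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # column positions are not relied on
        if m := GROUP_RE.match(line):
            cur = groups.setdefault(m.group(1), {"owner": None, "status": None, "acl": {}})
        elif cur is not None and (m := STATUS_RE.match(line)):
            cur["owner"], cur["status"] = norm(m.group(1)), m.group(2)
        elif cur is not None and (m := ACL_RE.match(line)):
            cur["acl"].setdefault(norm(m.group(1)), set()).update(re.findall(r"[EO]", m.group(2)))
    return groups

def review(groups, approved_owners):
    """List (group, user ID, authorities) for OWNER holders outside the baseline."""
    findings = []
    for name, rec in sorted(groups.items()):
        for uid, auth in sorted(rec["acl"].items()):
            if "O" in auth and uid not in approved_owners.get(name, set()):
                findings.append((name, uid, "".join(sorted(auth))))
    return findings
```

Calling `review(parse_info(SAMPLE), baseline)` with a baseline that approves only 255,12 and 240,1 as owners reports 240,003, which holds OWNER without EXECUTE.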










