Safeguard Administrator's Manual (G06.29+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series

131

132

133

134

135

136

137

138

139

140

Configuration

Safeguard Administrator’s Manual—523317-029

9-17

Configuring Process Control

information, see the following note.) The value can be FIRST-ACL, FIRST-RULE,

or ALL. The initial value is FIRST-ACL.

ACL-REQUIRED-DEVICE

If no access control list is found, access is denied. If this attribute is OFF, and no

access control list is found, Guardian rules apply. The initial value is OFF.

To change any of these values, issue the ALTER SAFEGUARD command from

SAFECOM. For example, to check access control lists at both the device and

subdevice levels:

=ALTER SAFEGUARD, CHECK-DEVICE ON, CHECK-SUBDEVICE ON

This command specifies that the Safeguard software is to use the first access control

list it finds, checking at the device level first:

=ALTER SAFEGUARD, COMBINATION-DEVICE FIRST-ACL, &

=DIRECTION-DEVICE DEVICE-FIRST

Configuring Process Control

If access control lists exist for both process and subprocess names, the Safeguard

software must know which one to use. You can set the attributes that control how this

is determined.

These Safeguard attributes relate to process access control lists:

CHECK-PROCESS

Access control lists are checked at the process level. The initial value is ON.

CHECK-SUBPROCESS

Access control lists are at the subprocess level. The initial value is OFF.

DIRECTION-PROCESS

Determines which direction to search for an access control list if both

CHECK-PROCESS and CHECK-SUBPROCESS are ON. The value can be either

PROCESS-FIRST or SUBPROCESS-FIRST. This attribute is used in conjunction

with COMBINATION-PROCESS. (See the following note.) The initial value is

PROCESS-FIRST.

Note. COMBINATION-DEVICE resolves conflicts between access control lists if

CHECK-DEVICE and CHECK-SUBDEVICE are both ON. The Safeguard software searches

for an access control list in the order determined by DIRECTION-DEVICE. If you want to use

the first access control list it finds, specify FIRST-ACL. If you want the search to continue until

it finds an access control list that involves the user ID (either ACCESS or DENY), specify

FIRST-RULE. If you want to allow access only if specified on both access control lists, specify

ALL.