Safeguard Reference Manual (G06.24+, H06.03+ )
Group Commands
Safeguard Reference Manual—520618-013
7-2
Group Names and Access Control Lists
Currently, only administrative group names and numbers are allowed on Safeguard 
ACLs. File-sharing group names and numbers are not permitted in ACLs.
However, the Safeguard software’s method of evaluating ACLs recognizes extended 
group membership. An ACL entry in the form group-name.* is now interpreted to 
include all members of the specified group, not just users who have the specified group 
as their administrative group. Similarly, an entry in the form group-number,* is 
interpreted to include all members of the specified group number.
For example, assume that the ALTER GROUP command has been used to add the 
user with the user name GROUPB.JOE to the group named GROUPA. An ACL that 
specifies GROUPA.* now includes the user GROUPB.JOE as well as all users whose 
administrative group is GROUPA.
Guardian file security also recognizes group membership. The Guardian file-security 
settings G and C encompass all users whose group list includes the file owner’s 
administrative group.
The Super Group and File-Sharing Membership
Although GROUP commands can be used to add file-sharing members to the super 
group (group number 255), it is generally not advisable to do so.
Making a user a file-sharing member of the super group does not allow that user to 
assume all privileges of super-group membership. A file-sharing member is granted a 
super-group privilege only when granting that privilege is based on the evaluation of a 
Guardian security string, a Safeguard access control list, or an OSS file permission 
code. For example, if a Safeguard OBJECTTYPE USER record exists with an entry 
that grants all super group members (SUPER.*) the authority to execute the ADD 
USER command, file-sharing members of the super group are also granted this 
authority.
However, many super-group privileges are based on a check of the specific user ID of 
the user attempting to execute the privileged command. File-sharing members of the 
super group are not allowed to perform these types of operations.
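The following Python model is an added example, not Safeguard code or part of the original manual. It lists the users that a wildcard ACL entry covers only through file-sharing membership, and contrasts an ACL-based grant with a privilege tied to the caller's own user ID. Assumptions: the user names other than GROUPB.JOE, all group numbers other than 255, and the user-ID check (modelled as the group part of the user ID being 255) are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: group numbers other than 255 are made up.
GROUPS = {"GROUPA": 10, "GROUPB": 20, "SUPER": 255}

@dataclass
class User:
    name: str                                   # GROUP.MEMBER user name
    user_id: tuple                              # (group number, member number)
    shared: set = field(default_factory=set)    # file-sharing group names

    def group_names(self, extended=True):
        admin = {self.name.split(".")[0]}       # administrative group
        return admin | self.shared if extended else admin

def covered_by(entry, user, extended=True):
    """True if an ACL entry covers the user.
    extended=False models matching on the administrative group only."""
    names = user.group_names(extended)
    if entry.endswith(".*"):                    # group-name.*
        return entry[:-2] in names
    if entry.endswith(",*"):                    # group-number,*
        return int(entry[:-2]) in {GROUPS[n] for n in names}
    return entry == user.name                   # explicit user name entry

def gained_via_file_sharing(entry, users):
    """Users the entry covers only because of file-sharing membership."""
    return [u.name for u in users
            if covered_by(entry, u) and not covered_by(entry, u, extended=False)]

def passes_user_id_check(user):
    """Privilege tied to the caller's own user ID (assumed: group part is 255)."""
    return user.user_id[0] == GROUPS["SUPER"]

USERS = [                                       # constructed users
    User("GROUPA.ANN", (10, 1)),
    User("GROUPB.JOE", (20, 5), {"GROUPA"}),    # the manual's example user
    User("GROUPB.SUE", (20, 6)),
    User("GROUPB.TOM", (20, 7), {"SUPER"}),     # file-sharing member of SUPER
    User("SUPER.OPS", (255, 10)),
]

if __name__ == "__main__":
    for entry in ("GROUPA.*", "10,*", "SUPER.*"):
        print(entry, "->", gained_via_file_sharing(entry, USERS))
    tom = USERS[3]
    print("TOM via SUPER.* ACL:", covered_by("SUPER.*", tom),
          "| user-ID check:", passes_user_id_check(tom))
```

Running the same comparison over a real user and group listing shows which wildcard ACL entries reach further than administrative-group membership alone would suggest.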
Group Command Summary
Table 7-1 on page 7-3 lists the group commands and gives a brief description of each. 
The remainder of this section describes these commands in detail.










