Safeguard Reference Manual (G06.24+, H06.03+)
Process and Subprocess Security Commands
Safeguard Reference Manual—520618-013
another user by changing the OWNER attribute with the ALTER PROCESS or ALTER
SUBPROCESS command.
Because the primary owner can add owners to an ACL, that individual can specify
additional ownership by the OWNER authority code for ACL entries. Such OWNER
authority is an independent extension of the primary owner. Additional owners can do
anything that the primary owner is permitted to do. They are equal, in every way, to the
primary owner. For example, they can modify the Safeguard authorization records of
any process or subprocess for which they own the authorization record, and they can
access any process for which they own the authorization record when that process or
subprocess has been frozen.
Any user with OWNER authority on the ACL can explicitly deny a local super ID any of
the authorities (including OWNER) implicitly granted to that user ID and have this
denial actively enforced all of the time.
OWNER authority can be specified for all protected processes. The OWNER authority
is always included whenever the * authority code is used. It can also be abbreviated as
O.
With the Safeguard software, the owner of a process or subprocess can also be
defined as a network user. A network user who owns an authorization record can use
the Safeguard software from a remote node to control access to that process or
subprocess (provided the user has remote passwords set up between the two
systems).
Special NAMED and UNNAMED Process Protection Records
The process security commands allow you to create two special protection records that
control who can create or stop any named or unnamed process regardless of
Safeguard protection. When you create a protection record specifying NAMED as the
process name, that record applies to all named processes. Similarly, UNNAMED
applies to all unnamed processes. This feature is intended to give a special group of
users, such as system operators, the ability to create or stop any process.
If Safeguard's global configuration DIRECTION-PROCESS attribute has the value
PROCESS-FIRST, then NAMED and UNNAMED protection records are checked first
(first named/unnamed, then process, then subprocess). This is a top-down evaluation
direction.
If Safeguard's global configuration DIRECTION-PROCESS attribute has the value
SUBPROCESS-FIRST, then NAMED and UNNAMED protection records are checked
last (first subprocess, then process, then named/unnamed). This is a bottom-up
evaluation direction.
If you create the UNNAMED protection record, be aware that no users will be able to
create and stop unnamed processes except users specified on the UNNAMED ACL.
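
The following Python model is an added illustration, not Safeguard code or SAFECOM syntax. It shows how the DIRECTION-PROCESS search order described above changes which protection record is reached first, and how an UNNAMED record shuts out users who are not on its ACL. It assumes that the first record found decides the request (the text above states only the search order); the user names, the process names, and the CREATE and STOP operation labels are constructed for the example.

```python
# Added illustration: a simplified model of the protection-record search order.
# ASSUMPTION: the first record found in the search decides the request.
# The manual text above states only the order in which records are checked.

SEARCH_ORDER = {
    "PROCESS-FIRST": ["special", "process", "subprocess"],     # top-down
    "SUBPROCESS-FIRST": ["subprocess", "process", "special"],  # bottom-up
}


def special_key(process_name):
    """NAMED covers all named processes, UNNAMED all unnamed ones."""
    return "NAMED" if process_name else "UNNAMED"


def candidates(direction, process_name, subprocess_name=None):
    """Return the record keys in the order they are checked."""
    keys = {
        "special": special_key(process_name),
        "process": process_name,
        "subprocess": (f"{process_name}.{subprocess_name}"
                       if process_name and subprocess_name else None),
    }
    # Levels that do not apply (for example, no subprocess) are skipped.
    return [keys[level] for level in SEARCH_ORDER[direction] if keys[level]]


def decide(records, direction, user, op, process_name, subprocess_name=None):
    """Return (allowed, deciding_record); (None, None) if no record exists."""
    for key in candidates(direction, process_name, subprocess_name):
        acl = records.get(key)
        if acl is not None:
            # A user who is absent from the deciding ACL is refused.
            return (op in acl.get(user, set()), key)
    return (None, None)  # no protection record covers this request


# Constructed sample records: record key -> {user: permitted operations}
RECORDS = {
    "NAMED": {"OPS.ALICE": {"CREATE", "STOP"}},
    "UNNAMED": {"OPS.ALICE": {"CREATE", "STOP"}},
    "$APP": {"APP.BOB": {"STOP"}},
}

if __name__ == "__main__":
    for direction in SEARCH_ORDER:
        print(direction, decide(RECORDS, direction, "APP.BOB", "STOP", "$APP"))
```
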