Safeguard Reference Manual (G06.29+, H06.08+, J06.03+)
Table Of Contents
- Safeguard Reference Manual
- Legal Notices
- Contents
- What is New in this Manual
- Manual Information
- New and Changed Information
- Changes to the 520618-030 manual
- Changes to the 520618-029 manual
- Changes to the 520618-028 manual
- Changes to the 520618-027 manual
- Changes to the 520618-026 manual
- Changes to the 520618-025 manual
- Changes to the H06.22/J06.11 manual
- Changes to the H06.21/J06.10 Manual
- Changes to the H06.20/J06.09 Manual
- Changes to the 520618-020 Manual
- Changes to the H06.19/J06.08 Manual
- About This Manual
- 1 Introduction
- 2 Common SAFECOM Language Elements
- 3 The Command to Run SAFECOM
- 4 SAFECOM Session-Control Commands
- 5 User Security Commands
- 6 User Alias Security Commands
- 7 Group Commands
- 8 Disk-File Security Commands
- Disk-File Ownership
- Disk-File Access Authorities
- Disk-File Access Authorization
- Disk-File Security Command Summary
- Syntax of Disk-File Security Commands
- ADD DISKFILE Command
- ADD DISKFILE-PATTERN Command
- ALTER DISKFILE Command
- ALTER DISKFILE-PATTERN Command
- DELETE DISKFILE Command
- DELETE DISKFILE-PATTERN Command
- FREEZE DISKFILE Command
- FREEZE DISKFILE-PATTERN Command
- INFO DISKFILE Command
- INFO DISKFILE-PATTERN Command
- RESET DISKFILE Command
- RESET DISKFILE-PATTERN Command
- SET DISKFILE Command
- SET DISKFILE-PATTERN Command
- SHOW DISKFILE Command
- SHOW DISKFILE-PATTERN Command
- THAW DISKFILE Command
- THAW DISKFILE-PATTERN Command
- SAFECOM Saved Diskfile Pattern Commands
- ADD SAVED-DISKFILE-PATTERN Command
- ALTER SAVED-DISKFILE-PATTERN Command
- DELETE SAVED-DISKFILE-PATTERN Command
- FREEZE SAVED-DISKFILE-PATTERN Command
- INFO SAVED-DISKFILE-PATTERN Command
- RESET SAVED-DISKFILE-PATTERN Command
- SET SAVED-DISKFILE-PATTERN Command
- SHOW SAVED-DISKFILE-PATTERN Command
- THAW SAVED-DISKFILE-PATTERN Command
- 9 Disk Volume and Subvolume Security Commands
- Volume Authorization Record Ownership
- Subvolume Authorization Record Ownership
- Volume and Subvolume Access Authorities
- Volume and Subvolume Access Authorization
- Volume and Subvolume Security Command Summary
- Syntax of Disk Volume and Subvolume Security Commands
- ADD VOLUME and SUBVOLUME Commands
- ALTER VOLUME and SUBVOLUME Commands
- DELETE VOLUME and SUBVOLUME Commands
- FREEZE VOLUME and SUBVOLUME Commands
- INFO VOLUME and SUBVOLUME Commands
- RESET VOLUME and SUBVOLUME Commands
- SET VOLUME and SUBVOLUME Commands
- SHOW VOLUME and SUBVOLUME Commands
- THAW VOLUME and SUBVOLUME Commands
- 10 Device and Subdevice Security Commands
- Device and Subdevice Authorization Record Ownership
- Device and Subdevice Access Authorities
- Device and Subdevice Access Authorization
- Device and Subdevice Security Command Summary
- Syntax of Device and Subdevice Security Commands
- ADD DEVICE and SUBDEVICE Commands
- ALTER DEVICE and SUBDEVICE Commands
- DELETE DEVICE and SUBDEVICE Commands
- FREEZE DEVICE and SUBDEVICE Commands
- INFO DEVICE and SUBDEVICE Commands
- RESET DEVICE and SUBDEVICE Commands
- SET DEVICE and SUBDEVICE Commands
- SHOW DEVICE and SUBDEVICE Commands
- THAW DEVICE and SUBDEVICE Commands
- 11 Process and Subprocess Security Commands
- Process and Subprocess Security
- Process and Subprocess Access Authorities
- Special NAMED and UNNAMED Process Protection Records
- Process and Subprocess Security Command Summary
- Syntax of the Process and Subprocess Security Commands
- ADD PROCESS and SUBPROCESS Commands
- ALTER PROCESS and SUBPROCESS Commands
- DELETE PROCESS and SUBPROCESS Commands
- FREEZE PROCESS and SUBPROCESS Commands
- INFO PROCESS and SUBPROCESS Commands
- RESET PROCESS and SUBPROCESS Commands
- SET PROCESS and SUBPROCESS Commands
- SHOW PROCESS and SUBPROCESS Commands
- THAW PROCESS and SUBPROCESS Commands
- 12 OBJECTTYPE Security Commands
- 13 Security Group Commands
- 14 Terminal Security Commands
- 15 Event-Exit-Process Commands
- 16 Safeguard Subsystem Commands
- 17 Running Other Programs From SAFECOM
- A SAFECOM Error and Warning Messages
- B Disk-File Access Rules
- Index
Safeguard Reference Manual — 520618-030
5 - 1
5 User Security Commands
SAFECOM user security commands are restricted such that, only specific users can
execute the commands and thereby control user security. These users include system
managers, security administrators, and group managers, as qualified by the list of
users specified with OBJECTTYPE USER.
SAFECOM commands can add user IDs to the system, delete user IDs from the
system, and suspend user IDs ability to log on to the system. They can also specify
auditing for attempts to authenticate users, attempts by the user to perform certain
actions, and attempts to manage user authentication records.
This section contains:
•
A description of who can add new users to the system and who can manage the
Safeguard security controls for system users
•
A summary table of the user security commands
•
Detailed syntax for each user security command
Who Can Manage User Security
If no access control list has been defined for OBJECTTYPE USER, only the super ID
can initially add user IDs to the system. When the super ID (with the user ID 255,255)
adds the first user to a group, that group is created implicitly. A group created in this
manner is known as an administrative group because it is used to administer user
authentication records. Groups can also be created with the ADD GROUP command.
For more information about groups, see Section 7, Group Commands.
Frequently, the first user added to an administrative group is the group manager (with
user ID n,255). Then the group manager ID can add other users to form that
administrative group. The super ID also can add users to any group, but only the super
ID can add group managers. However, the access control list for OBJECTTYPE USER
can specify a list of users who can add other users. For more information, see
Section
12, OBJECTTYPE Security Commands.
A user authentication record can have multiple owners. The OWNER attribute in a user
authentication record designates the record’s primary owner. The OWNER-LIST
attribute optionally designates one or more secondary owners. By default, the OWNER
attribute contains the user ID of the user who first created the user authentication
record. The OWNER and OWNER-LIST attributes can be changed with a SET USER
command before the record is created, or they can be changed with an ALTER USER
command after the record is created. These record owners can change the security
attributes in the user’s authentication record and therefore control the user’s ability to
log on to the system.
Only the primary and secondary record owners, the primary owner’s group manager,
and the super ID can change a user’s security attributes, suspend and restore the