Safeguard Reference Manual (G06.29+, H06.08+, J06.03+)
Table Of Contents
- Safeguard Reference Manual
- Legal Notices
- Contents
- What is New in this Manual
- Manual Information
- New and Changed Information
- Changes to the 520618-030 manual
- Changes to the 520618-029 manual
- Changes to the 520618-028 manual
- Changes to the 520618-027 manual
- Changes to the 520618-026 manual
- Changes to the 520618-025 manual
- Changes to the H06.22/J06.11 manual
- Changes to the H06.21/J06.10 Manual
- Changes to the H06.20/J06.09 Manual
- Changes to the 520618-020 Manual
- Changes to the H06.19/J06.08 Manual
- About This Manual
- 1 Introduction
- 2 Common SAFECOM Language Elements
- 3 The Command to Run SAFECOM
- 4 SAFECOM Session-Control Commands
- 5 User Security Commands
- 6 User Alias Security Commands
- 7 Group Commands
- 8 Disk-File Security Commands
- Disk-File Ownership
- Disk-File Access Authorities
- Disk-File Access Authorization
- Disk-File Security Command Summary
- Syntax of Disk-File Security Commands
- ADD DISKFILE Command
- ADD DISKFILE-PATTERN Command
- ALTER DISKFILE Command
- ALTER DISKFILE-PATTERN Command
- DELETE DISKFILE Command
- DELETE DISKFILE-PATTERN Command
- FREEZE DISKFILE Command
- FREEZE DISKFILE-PATTERN Command
- INFO DISKFILE Command
- INFO DISKFILE-PATTERN Command
- RESET DISKFILE Command
- RESET DISKFILE-PATTERN Command
- SET DISKFILE Command
- SET DISKFILE-PATTERN Command
- SHOW DISKFILE Command
- SHOW DISKFILE-PATTERN Command
- THAW DISKFILE Command
- THAW DISKFILE-PATTERN Command
- SAFECOM Saved Diskfile Pattern Commands
- ADD SAVED-DISKFILE-PATTERN Command
- ALTER SAVED-DISKFILE-PATTERN Command
- DELETE SAVED-DISKFILE-PATTERN Command
- FREEZE SAVED-DISKFILE-PATTERN Command
- INFO SAVED-DISKFILE-PATTERN Command
- RESET SAVED-DISKFILE-PATTERN Command
- SET SAVED-DISKFILE-PATTERN Command
- SHOW SAVED-DISKFILE-PATTERN Command
- THAW SAVED-DISKFILE-PATTERN Command
- 9 Disk Volume and Subvolume Security Commands
- Volume Authorization Record Ownership
- Subvolume Authorization Record Ownership
- Volume and Subvolume Access Authorities
- Volume and Subvolume Access Authorization
- Volume and Subvolume Security Command Summary
- Syntax of Disk Volume and Subvolume Security Commands
- ADD VOLUME and SUBVOLUME Commands
- ALTER VOLUME and SUBVOLUME Commands
- DELETE VOLUME and SUBVOLUME Commands
- FREEZE VOLUME and SUBVOLUME Commands
- INFO VOLUME and SUBVOLUME Commands
- RESET VOLUME and SUBVOLUME Commands
- SET VOLUME and SUBVOLUME Commands
- SHOW VOLUME and SUBVOLUME Commands
- THAW VOLUME and SUBVOLUME Commands
- 10 Device and Subdevice Security Commands
- Device and Subdevice Authorization Record Ownership
- Device and Subdevice Access Authorities
- Device and Subdevice Access Authorization
- Device and Subdevice Security Command Summary
- Syntax of Device and Subdevice Security Commands
- ADD DEVICE and SUBDEVICE Commands
- ALTER DEVICE and SUBDEVICE Commands
- DELETE DEVICE and SUBDEVICE Commands
- FREEZE DEVICE and SUBDEVICE Commands
- INFO DEVICE and SUBDEVICE Commands
- RESET DEVICE and SUBDEVICE Commands
- SET DEVICE and SUBDEVICE Commands
- SHOW DEVICE and SUBDEVICE Commands
- THAW DEVICE and SUBDEVICE Commands
- 11 Process and Subprocess Security Commands
- Process and Subprocess Security
- Process and Subprocess Access Authorities
- Special NAMED and UNNAMED Process Protection Records
- Process and Subprocess Security Command Summary
- Syntax of the Process and Subprocess Security Commands
- ADD PROCESS and SUBPROCESS Commands
- ALTER PROCESS and SUBPROCESS Commands
- DELETE PROCESS and SUBPROCESS Commands
- FREEZE PROCESS and SUBPROCESS Commands
- INFO PROCESS and SUBPROCESS Commands
- RESET PROCESS and SUBPROCESS Commands
- SET PROCESS and SUBPROCESS Commands
- SHOW PROCESS and SUBPROCESS Commands
- THAW PROCESS and SUBPROCESS Commands
- 12 OBJECTTYPE Security Commands
- 13 Security Group Commands
- 14 Terminal Security Commands
- 15 Event-Exit-Process Commands
- 16 Safeguard Subsystem Commands
- 17 Running Other Programs From SAFECOM
- A SAFECOM Error and Warning Messages
- B Disk-File Access Rules
- Index
Safeguard Reference Manual — 520618-030
10 - 1
10
Device and Subdevice Security
Commands
With SAFECOM device and subdevice security commands, any user whose ID
appears in the access control list (ACL) as owner of a protected device or subdevice
can control access to that device or subdevice.
By default, only a local super-group user can add a device or subdevice authorization
record to the Safeguard object data base. After an authorization record is added for a
device or subdevice, all attempts to open the device or subdevice are subject to a
Safeguard authorization check and, optionally, to Safeguard auditing. However, this
behavior is configurable by creating or changing the ACL for OBJECTTYPE DEVICE
or SUBDEVICE. For more information, see Section 12, OBJECTTYPE Security
Commands.
The owner of a device or subdevice authorization record can control access to the
device or subdevice by managing the ACL for that device. A device authorization
record owner can also specify when the Safeguard software is to audit attempts to
access the device or subdevice as well as attempts to manage the device or subdevice
authorization record.
This section describes device and subdevice ownership and explains how the
Safeguard software authorizes attempts to access protected devices and subdevices.
It also summarizes the device and subdevice security commands. Following the
command summary, the commands are described in detail.
Device and Subdevice Authorization Record
Ownership
A device or subdevice has no authorization record until the device or subdevice is
placed under the control of the Safeguard software facility by a super-group user. (For
more information on adding authorization records, see
DEVICE on page 12-2 or
SUBDEVICE on page 12-2.) Every authorization record has an OWNER attribute that
contains the user ID of the user who can manage the Safeguard access controls for
the device or subdevice.
However, the user who adds the record can set the OWNER attribute to the user ID of
any user (by including an OWNER specification in a SET DEVICE or SET
SUBDEVICE or ADD DEVICE or ADD SUBDEVICE command). The owner of a
protected authorization record can also transfer ownership to another user by changing
the OWNER attribute with the ALTER DEVICE or ALTER SUBDEVICE command.
Because the primary owner can add owners to an ACL, additional ownership is define
d
by the OWNER authority code for ACL entries and is an independent extension of the
primary owner. Additional owners can do anything that the primary owner is permitted