Safeguard Reference Manual (G06.29+, H06.08+, J06.03+)
Safeguard Reference Manual — 520618-030
12 OBJECTTYPE Security Commands
Safeguard OBJECTTYPE security allows a security administrator to define the user or
groups of users who can add new subjects or objects to the Safeguard database.
Each kind of subject and object (such as DISKFILE, DEVICE, or USER) can be given a
corresponding OBJECTTYPE protection record. For example, the protection record to
control adding new DISKFILEs is an entry for OBJECTTYPE DISKFILE. However,
authorities granted on the access control list (ACL) for OBJECTTYPE DISKFILE do not
represent permissions for individual disk files but rather the ability to add new disk files
to the Safeguard database.
When a user attempts an ADD command (for example, ADD DISKFILE), the
Safeguard software first checks for the presence of an authorization record for the
corresponding OBJECTTYPE (in this case, OBJECTTYPE DISKFILE). If no record
exists, the Safeguard software proceeds according to default rules, which are shown in
Table 12-1 on page 12-2. However, if a record exists for the corresponding
OBJECTTYPE, the Safeguard software consults the ACL for that OBJECTTYPE. If the
user has not been granted C (CREATE) authority on the ACL, the ADD command fails
with a security violation (file error 48).
Protection records for OBJECTTYPEs are similar to protection records for individual
objects: the initial owner can grant additional ownership (through the O authority on the
ACL), the owner can give ownership away, the owner can freeze or thaw the protection
record, and the owner can establish selective auditing criteria. Owners can even delete
the protection record for an OBJECTTYPE to restore the operation of the ADD
command for that OBJECTTYPE back to the default rules.
Because the OBJECTTYPE records alter the behavior of the Safeguard ADD
command, consider carefully the consequences of changing the Safeguard software
from the default behavior by adding an OBJECTTYPE record. Table 12-1 lists the
default behaviors.
Because the OBJECTTYPE records are in themselves pseudo-objects, an
additional OBJECTTYPE record exists to control the creation of new OBJECTTYPE
records. This additional record is the OBJECTTYPE OBJECTTYPE record. Only users
granted CREATE authority on the OBJECTTYPE OBJECTTYPE ACL (if present) can
create other OBJECTTYPE records. Only the owner and other users granted OWNER
authority on the OBJECTTYPE OBJECTTYPE ACL can manage the OBJECTTYPE
OBJECTTYPE record.
OBJECTTYPE DISKFILE has no effect on default protection for a user’s disk files. It
only controls who can execute the ADD DISKFILE command.
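
The two checks described above (the OBJECTTYPE lookup that precedes an ADD command, and the OBJECTTYPE OBJECTTYPE record that gates creation of other OBJECTTYPE records) are modeled below in Python. This is an added example, not Safeguard code or part of the original manual. Assumptions: user names and result labels are constructed, ACLs map exact user names to authority letters, and the default rules of Table 12-1 are not reproduced but returned as a marker.

```python
# Added model, not Safeguard code. User names and result labels are constructed.
DEFAULT_RULES = "default rules (Table 12-1, not modeled)"
ALLOWED = "allowed"
ERROR_48 = "security violation (file error 48)"
NOT_OWNER = "not an owner"  # label chosen for this model

class ObjectTypeRecords:
    def __init__(self):
        # OBJECTTYPE name -> (owner, ACL); ACL maps user -> set of authority letters
        self.records = {}

    def check_add(self, user, objecttype):
        """Decision for an ADD <objecttype> command issued by `user`."""
        rec = self.records.get(objecttype)
        if rec is None:
            return DEFAULT_RULES          # no record: default rules decide
        acl = rec[1]
        return ALLOWED if "C" in acl.get(user, set()) else ERROR_48

    def add_objecttype(self, user, objecttype, acl):
        """ADD OBJECTTYPE is itself gated by the OBJECTTYPE OBJECTTYPE record."""
        decision = self.check_add(user, "OBJECTTYPE")
        if decision != ERROR_48:          # assumption: default rules permit `user`
            self.records[objecttype] = (user, {u: set(a) for u, a in acl.items()})
        return decision

    def delete_objecttype(self, user, objecttype):
        """Owner, or a user holding O on the ACL, deletes the record."""
        rec = self.records.get(objecttype)
        if rec is None or not (user == rec[0] or "O" in rec[1].get(user, set())):
            return NOT_OWNER
        del self.records[objecttype]
        return ALLOWED

def demo():
    db = ObjectTypeRecords()
    out = [db.check_add("DEV.ANN", "DISKFILE")]
    db.add_objecttype("SEC.ADMIN", "OBJECTTYPE", {"SEC.ADMIN": "CO"})
    out.append(db.add_objecttype("DEV.ANN", "DISKFILE", {"DEV.ANN": "C"}))
    out.append(db.add_objecttype("SEC.ADMIN", "DISKFILE", {"SEC.OPS": "C"}))
    out.append(db.check_add("DEV.ANN", "DISKFILE"))
    out.append(db.check_add("SEC.OPS", "DISKFILE"))
    out.append(db.delete_objecttype("SEC.OPS", "DISKFILE"))
    out.append(db.delete_objecttype("SEC.ADMIN", "DISKFILE"))
    out.append(db.check_add("DEV.ANN", "DISKFILE"))
    return out

if __name__ == "__main__":
    print("\n".join(demo()))
```

In the run, DEV.ANN's ADD DISKFILE moves from the default rules to file error 48 once OBJECTTYPE DISKFILE exists without a C entry for that user, and returns to the default rules after the owner deletes the record.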