Safeguard Reference Manual (G06.29+, H06.08+, J06.03+)

Safeguard Reference Manual — 520618-030
B Disk-File Access Rules
Table B-1 on page B-2 shows how disk file access rules are evaluated depending on
how the Safeguard software applies the access control lists (ACL) in disk file, volume,
and subvolume protection records.
FIRST-RULE, FIRST-ACL, and ALL are the settings allowed for the Safeguard
configuration attribute COMBINATION-DISKFILE. This attribute defines the manner in
which overlapping ACLs are resolved for access to volumes, subvolumes, and disk
files.
FIRST-RULE indicates the Safeguard software uses the first ACL that contains the
specified user ID. FIRST-ACL indicates the Safeguard software uses the first ACL it
finds regardless of whether the ACL contains the specified user ID. ALL indicates the
Safeguard software uses all available ACLs.
CHECK-DISKFILE-PATTERN establishes whether ACLs from a disk file pattern's
protection record can be used to determine disk file access. With FIRST, Safeguard
first searches for a matching disk file pattern; only if the result of that search is
NORECORD does it perform the normal search of the remaining object protection
records. With LAST, Safeguard first performs the normal search of all object
protection records (except disk file patterns); only if the result of that search is
NORECORD does it search for a matching disk file pattern. With OFF, no disk file
pattern searches are performed to determine disk file access. With ONLY, only the
pattern search is performed and the normal search is skipped. OFF is the initial
value. This attribute is part of the Safeguard global configuration. For more
information about disk file patterns, see the Safeguard User's Guide.
In Table B-1 on page B-2, Level refers to the direction in which the Safeguard
software searches ACLs. The evaluation depends on the direction of the search. The
search direction is determined by the Safeguard configuration attribute
DIRECTION-DISKFILE, which can be set to either VOLUME-FIRST or FILENAME-FIRST.
If the search direction is VOLUME-FIRST, the volume ACL is searched first, subvolume
ACL second, and disk file ACL third. If the search direction is FILENAME-FIRST, the
disk file ACL is searched first, subvolume second, and volume third.
The CHECK-VOLUME, CHECK-SUBVOLUME, and CHECK-FILENAME configuration
attributes allow you to selectively enable or disable the checking of ACLs at a particular
level. For example, if CHECK-VOLUME is OFF, Safeguard does not check volume
ACLs for attempts to access a disk file. If one of these configuration attributes is set to
OFF, the access result is the same as if that level had No Record (indicated by NR in
Table B-1 on page B-2). However, if a disk file protection record exists and if
CHECK-VOLUME, CHECK-SUBVOLUME, CHECK-FILENAME, and ACL-REQUIRED-DISKFILE
are OFF, this is treated as a special frozen ACL case. Only the primary
owner of the disk file, primary owner's local group manager, and the local super ID are
allowed access. As a special case, if an authorization event-exit process (SEEP) is
running, access is granted based on SEEP's decision (allow or deny access) instead of
the frozen ACL rules.
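
The following Python sketch is an added example, not part of the manual and not Safeguard code. It models which ACLs are selected for a disk file access under DIRECTION-DISKFILE, the CHECK-VOLUME, CHECK-SUBVOLUME and CHECK-FILENAME attributes, COMBINATION-DISKFILE, and CHECK-DISKFILE-PATTERN. Assumptions: an ACL is reduced to a set of user IDs, NORECORD is taken to mean that the search found no protection record, and the frozen ACL case and the grant or deny outcomes of Table B-1 are left out.

```python
# Added illustration, not Safeguard code. It selects which ACLs apply;
# the grant/deny outcome (Table B-1) is not modelled.
LEVELS = ("VOLUME", "SUBVOLUME", "FILENAME")

def normal_search(records, user, cfg):
    """records maps a level to the set of user IDs on its ACL; a missing
    level means No Record (NR). Returns (found, selected) level lists."""
    order = LEVELS if cfg["DIRECTION-DISKFILE"] == "VOLUME-FIRST" else LEVELS[::-1]
    # A level whose CHECK-<level> attribute is OFF behaves like NR.
    found = [lv for lv in order if cfg["CHECK-" + lv] == "ON" and lv in records]
    mode = cfg["COMBINATION-DISKFILE"]
    if mode == "FIRST-ACL":     # first ACL found, even if it omits the user
        return found, found[:1]
    if mode == "FIRST-RULE":    # first ACL that contains the user ID
        return found, [lv for lv in found if user in records[lv]][:1]
    if mode == "ALL":           # every available ACL
        return found, found
    raise ValueError("unknown COMBINATION-DISKFILE: " + mode)

def acls_consulted(records, has_pattern, user, cfg):
    """has_pattern: True if a disk file pattern record matches the file.
    Assumption: NORECORD means the search found no protection record."""
    found, selected = normal_search(records, user, cfg)
    pattern = ["PATTERN"] if has_pattern else []
    mode = cfg.get("CHECK-DISKFILE-PATTERN", "OFF")  # OFF is the initial value
    if mode == "OFF":
        return selected
    if mode == "ONLY":
        return pattern
    if mode == "FIRST":
        return pattern if pattern else selected
    if mode == "LAST":
        return selected if found else pattern
    raise ValueError("unknown CHECK-DISKFILE-PATTERN: " + mode)

# Constructed sample: no subvolume record; user IDs are made up.
SAMPLE = {"VOLUME": {"255,255"}, "FILENAME": {"100,5", "255,255"}}
BASE = {"DIRECTION-DISKFILE": "VOLUME-FIRST", "COMBINATION-DISKFILE": "FIRST-ACL",
        "CHECK-VOLUME": "ON", "CHECK-SUBVOLUME": "ON", "CHECK-FILENAME": "ON"}

if __name__ == "__main__":
    for combo in ("FIRST-ACL", "FIRST-RULE", "ALL"):
        cfg = {**BASE, "COMBINATION-DISKFILE": combo}
        print(combo, acls_consulted(SAMPLE, False, "100,5", cfg))
```

With the constructed sample, FIRST-ACL selects the volume ACL even though it does not list user 100,5, while FIRST-RULE skips it and selects the disk file ACL. When reviewing a configuration, this is the difference to check against the intended policy.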