Security Management Guide (G06.24+, H06.03+)
Concerns for the System Administration Team
Security Management Guide—522283-008
entries allowed by the Safeguard implementation. The list can also be so large that 
determining the proper changes to the list when a user is added or deleted can be 
difficult or impossible. Proper selection of administrative groups and file-sharing groups 
can reduce this problem by having some of the ACLs refer to group permission rather 
than to individuals.
Two common ways of assigning administrative groups:
• By function. Create distinct administrative groups for system programmers, 
application programmers, quality assurance testers, and data-entry clerks.
• By project. Create an administrative group for each project, and assign member 
names within that group for all designers, testers, and other project participants. 
This approach can be difficult when people work on more than one project or 
switch from one project to another. Also, some system users do not belong to one 
project (for example, administrative assistants).
A production environment is likely to have few individual users (although the 
application programs can define many users that are not represented by distinct user 
IDs). For such environments, the task of group assignment is simplified.
When a user creates a file in the OSS environment, the group permissions in the file 
security string refer to the primary group defined in the user authentication record for 
that user. By default, the PRIMARY-GROUP attribute in the user authentication record 
is set to the user’s administrative group unless another group is specified in a 
SAFECOM ALTER USER command for that user.
File-Sharing Groups
File-sharing groups are supported only through the Safeguard software. A file-sharing 
group cannot be used for managing user authentication records. Its purpose is to 
designate arbitrary groups of users who can share files, especially in the OSS 
environment. A file-sharing group is defined with the ADD GROUP command. 
Members, who are existing users, are added to and removed from a file-sharing group 
with ADD GROUP and ALTER GROUP commands. 
With SAFECOM GROUP commands, you can make a user a member of multiple 
groups for file-sharing purposes, although that user can have only one administrative 
group. A single user or user alias can be made a member of up to 32 groups. The 
names of all groups to which a user belongs are retained in the user’s group list.
With these commands, you can also add a user to other administrative groups solely 
for file-sharing purposes. This approach allows larger groups of users to share files 
because you can expand an administrative group beyond the 256 members to which it 
is limited for user administration. File-sharing groups can be particularly useful in the 
OSS environment.
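The following planning aid is an added example, not part of the guide or of the Safeguard software. It shows how individual ACL entries can be replaced by group entries without widening anyone's access, and checks the 32-group-per-user limit described above. The user names, group names, authority strings, and the "group:" prefix are constructed for illustration and are not SAFECOM syntax.

```python
from collections import Counter

MAX_GROUPS_PER_USER = 32  # per-user group-list limit stated in the guide

# Constructed sample data: an ACL of individual entries and candidate groups.
SAMPLE_ACL = {"DEV.ANNA": "R,W", "DEV.BOB": "R,W", "DEV.CARL": "R,W",
              "QA.DINA": "R", "QA.ERIK": "R", "OPS.FAY": "R,W,E,P"}
SAMPLE_GROUPS = {"PROJX": {"DEV.ANNA", "DEV.BOB", "DEV.CARL"},
                 "QATEAM": {"QA.DINA", "QA.ERIK"},
                 "MIXED": {"DEV.ANNA", "QA.DINA"}}


def consolidate_acl(acl, groups):
    """Replace individual ACL entries with group entries without widening access.

    acl    -- {user_name: authority_string}
    groups -- {group_name: set_of_member_user_names}
    A group qualifies only if every member already holds an individual entry
    and all of those entries carry the same authority.
    """
    remaining = dict(acl)
    new_acl = {}
    # Largest groups first: each one removes the most individual entries.
    for name in sorted(groups, key=lambda g: (-len(groups[g]), g)):
        members = groups[name]
        if len(members) < 2 or not members.issubset(remaining):
            continue  # a member has no entry, so a group entry would add access
        authorities = {remaining[user] for user in members}
        if len(authorities) != 1:
            continue  # mixed authority: a group entry would change someone's access
        new_acl["group:" + name] = authorities.pop()
        for user in members:
            del remaining[user]
    new_acl.update(remaining)  # users no group could cover stay as individuals
    return new_acl


def over_group_limit(groups, limit=MAX_GROUPS_PER_USER):
    """Return the users whose group list would exceed the per-user limit."""
    counts = Counter(user for members in groups.values() for user in members)
    return sorted(user for user, n in counts.items() if n > limit)


if __name__ == "__main__":
    print(consolidate_acl(SAMPLE_ACL, SAMPLE_GROUPS))
    print(over_group_limit(SAMPLE_GROUPS))
```

After consolidation, anyone later added to a referenced group gains that group's authority on the object, so group membership changes need the same review that ACL changes did.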
File-sharing group names and numbers can appear on a Safeguard access control list 
and can be used in the OSS environment to specify group IDs for file permission 
codes. In addition, the Guardian G and C file security codes recognize all groups in a 
user’s group list. The Safeguard software also recognizes a user’s group list when it 










