Security Management Guide (G06.24+, H06.03+)

Concerns for the System Administration Team
Security Management Guide 522283-008
evaluates an access control list entry that specifies all members of a particular group.
For example, the entry 141,* on an access control list grants access to all members
of group 141, including users who are file-sharing members of the group.
A user’s group list is checked only when an access decision is based on the evaluation
of a Guardian security string, a Safeguard access control list, an OSS file permission
code or an OSS access control list.
Making a user a file-sharing member of the super group does not automatically allow
that user to assume the privileges of super-group membership. A user’s group list is
checked only when an access decision is based on the evaluation of a Guardian
security string, a Safeguard access control list, or an OSS file permission code.
Therefore, a file-sharing member of the super group is granted group privileges only in
these instances, not when the privilege is based on a check of the specific user ID.
For example, by default, the authority to use the SAFECOM ADD DEVICE command is
restricted to super-group members, that is, users whose administrative group is group
number 255. File-sharing members of the super group are not granted this authority
because it is not based on the evaluation of an access control list. However, if an
OBJECTTYPE DEVICE protection record is created, the authority to use the ADD
DEVICE command is based on the evaluation of the OBJECTTYPE DEVICE access
control list. Users given CREATE authority on that access control list can use the ADD
DEVICE command.
Assume that the following SAFECOM command is issued to create an OBJECTTYPE
DEVICE record that grants CREATE authority to all super-group members:
=SAFECOM ADD OBJECTTYPE DEVICE 255,* C
After this record is created, all members of the super group, including file-sharing
members, can use the ADD DEVICE command because the authority to do so is
based on the evaluation of the OBJECTTYPE DEVICE access control list.
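The two decision paths described above (a check of the user ID's administrative group by default, an access control list evaluation that consults the group list once an OBJECTTYPE DEVICE record exists) as a simplified model. This is an added illustration, not Safeguard's own code; the User and ObjecttypeRecord structures and the (group, member, authorities) entry format are assumptions made for the example.

```python
# Added example, not from the Security Management Guide: a model of the ADD DEVICE
# authorization rule. Structures and the ACL entry format are assumed for illustration.
from dataclasses import dataclass, field

SUPER_GROUP = 255  # administrative group number of the super group


@dataclass
class User:
    name: str
    admin_group: int                                  # group from the user ID itself
    file_sharing_groups: set = field(default_factory=set)  # the user's group list

    def groups(self):
        """Every group the user belongs to: administrative plus file-sharing."""
        return {self.admin_group} | self.file_sharing_groups


@dataclass
class ObjecttypeRecord:
    # ACL entries as (group, member, authorities); "*" covers all members of the
    # group, as in the page's entries "141,*" and "255,* C" (C = CREATE).
    acl: list


def acl_grants(acl, user, authority):
    """ACL evaluation: the whole group list is consulted, so file-sharing
    membership counts here."""
    for group, member, authorities in acl:
        if group in user.groups() and member in ("*", user.name) \
                and authority in authorities:
            return True
    return False


def can_add_device(user, objecttype_device=None):
    """Without an OBJECTTYPE DEVICE record the authority is a check of the
    user ID's administrative group, so file-sharing members of group 255 are
    refused. With the record, the OBJECTTYPE DEVICE ACL decides instead."""
    if objecttype_device is None:
        return user.admin_group == SUPER_GROUP
    return acl_grants(objecttype_device.acl, user, "C")
```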
It is generally not advisable to add file-sharing members to the super group.
Multiple User Names for One Person
Sometimes a user needs to assume more than one role in relation to the system. For
example, a user might be both a system operator and a quality-assurance tester. This
individual needs to access the files required for each role.
You could give such a user separate user IDs for each role. For example, if Robin
plays both parts, you could give Robin two user names: SUPER.ROBIN and
QATEST.ROBIN.
Because multiple user IDs can potentially weaken system security, issue them only if
absolutely necessary. In deciding whether to assign multiple user IDs, consider these
points:
When people have many user IDs, the corresponding passwords tend to be either
the same or written down. These users are reluctant to change passwords