Manualshelf

Security Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
51525354555657585960
Safeguard System Security
Security Management Guide522283-008
3-3
Privileged User Roles
Privileged User Roles
From your security policy, determine the responsibilities of the security staff and other
privileged users. For example, determine who is responsible for adding users to the
system, who should secure certain types of objects, and who should control the
Safeguard configuration. Special security privileges such as these can be granted
through OBJECTTYPE authorization and membership in Safeguard security groups.
Adding Users
If a member of each administrative group is responsible for adding users within the
group, you might want to use the traditional approach of having a group manager for
each administrative group.
Otherwise, use OBJECTTYPE USER to specify who can add users, aliases, and file-
sharing groups to the system. For example, your policy might allow only the security
administrator and two alternate members of that group to perform those functions. You
need to create an OBJECTTYPE USER access control list containing these three
members. The following command specifies an OBJECTTYPE USER access control
list with each member having CREATE authority:
2> SAFECOM ADD OBJECTTYPE USER, ACCESS &
2> (sec.sue, sec.bob, sec.al) C
After this record is created, only SEC.SUE, SEC.BOB, and SEC.AL have the authority
to add users, user aliases, and file-sharing groups (create new user, alias, and group
records). Group managers can no longer add users to the system. If you want some
group managers to have the ability to add users, you must add them to the
OBJECTTYPE USER access control list. This action allows those group managers to
add users to any group, not just to their own administrative group.
The super ID retains the authority to add users unless explicitly denied on the
OBJECTTYPE USER access control list with the DENY keyword. See the description
of DENY in Safeguard Access Control Lists on page 3-12.
Securing Objects
You also need to determine who should be responsible for securing objects. Perhaps
you need only a limited set of users to be able to secure devices and disk volumes. If
so, put these users on the access control list for the appropriate OBJECTTYPE, in this
case OBJECTTYPE DEVICE and OBJECTTYPE VOLUME. By default, all super group
members can secure volumes and devices if you do not create these OBJECTTYPE
records.
For example, the following commands, entered through SAFECOM, grant two users
the authority to secure devices and disk volumes:
=ADD OBJECTTYPE DEVICE, ACCESS (sec.lyle, sec.eric) C
=ADD OBJECTTYPE VOLUME, ACCESS (sec.lyle, sec.eric) C