Manualshelf

Security Management Guide (G06.24+, H06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series
61626364656667686970
Safeguard System Security
Security Management Guide522283-008
3-5
Controlling the Super ID
Initially, only a super-group user can create either security group. However, after the
record for a group is created, only the security group OWNER (and any members with
OWNER authority) can control the record.
For more information about security groups, see the Safeguard Administrator’s Manual
and the Safeguard Reference Manual.
Controlling the Super ID
In addition to the measures described in Section 2, Guardian System Security,
Safeguard features allow you to further reduce your reliance on the super ID for routine
activities.
Stopping Processes
Without the Safeguard software, stopping a process requires that the user be logged
on as the owner of the process, the group manager of the owner, or the super ID.
With the Safeguard software, you can selectively grant the ability to stop processes
(both NAMED and UNNAMED) to a trusted set of users.
Purge Protection
In the standard security system, the only protection against a file owner accidentally
purging the file is to secure the file with the Guardian security string “xxx-” (where x is
any security setting such as N or O). This string specifies that the super ID is required
to purge the file.
Safeguard access control lists provide another approach to purge protection. By not
granting PURGE authority to the owner of a file, the owner cannot accidentally purge
the file. If the file needs to be purged, however, the owner of the Safeguard record
(preferably not the super ID) can add PURGE authority to the record.
Establishing Privileged User IDs
By default, only the super ID can add or delete super-group user IDs (user IDs of the
form 255,n) and group-manager IDs (user IDs of the form n,255). The operating
system grants specific abilities to these IDs.
However, with the OBJECTTYPE USER command, you can specify a set of trusted
users that are allowed to add users IDs, including super-group IDs and group-manager
IDs, to the system.
Note. The SECURITY-OSS-ADMINISTRATOR security group is supported only on systems
running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.