Security Management Guide (G06.24+, H06.03+)
Safeguard System Security
Security Management Guide—522283-008
3-12
Safeguard Access Control Lists
Safeguard Access Control Lists
An access control list specifies access authorities associated with a particular object
(such as a disk file). Access control lists allow you to specify access to a greater level
of detail than Guardian security strings allow. For example, with an access control list,
you can grant access to one or two members of a group without having to grant access
to the entire group.
Consider the following points when creating access control lists:
•
You can specify authorities for an individual user, a user group, or all users.
Consequently, an individual user’s authorities can be determined by more than one
entry. For example, one entry can grant EXECUTE authority to an entire group,
while another entry can grant READ and WRITE authority to an individual member
of the group.
•
You must specify all authorities required for a given action in one access control list
entry. For example, a user needs both READ and WRITE authorities to edit a disk
file. If only READ authority is granted to every member of a group, and only WRITE
authority is granted to an individual user in the group, the user cannot edit the file
because READ and WRITE authorities do not appear in the same entry.
•
If you add authorities for an individual user, a new entry is not created. The existing
entry for that user is updated.
•
Use DENY to explicitly deny a user certain authorities. DENY is useful when you
want to deny access to a few members of a group while granting access to the
remainder of the group. Also, you can use DENY to deny access to the super ID.
Normally, the super ID has all access authorities unless explicitly denied.
•
A denial always takes precedence over a grant. For example, if a user is granted
WRITE authority in one entry and denied WRITE authority in another entry, the
user is denied WRITE authority.
•
If you grant users network access to an object, only users with matching remote
passwords are actually granted access. When you use the network form of a user
ID, the user is also given access at the local level.
•
To grant a user all valid ACCESS authorities for a given object, use an asterisk (*)
instead of specifying each individual authority. However, be careful not to grant a
user more authorities than intended. Be aware of all the valid authorities for the
object you are securing.
User aliases cannot appear on an access control list. When a user is logged on as an
alias, access decisions are based on the underlying user ID associated with that alias.
Note. An asterisk does not cause CREATE authority to be granted for disk files because
CREATE authority applies only to disk files that have the PERSISTENT attribute ON. For more
information about the PERSISTENT attribute, see the Safeguard Administrator’s Manual.