Security Management Guide (G06.24+, H06.03+)

Safeguard System Security
Security Management Guide 522283-008
Subvolumes shared by user groups
Advantages of Subvolume Security
Whether you secure subvolumes depends on your security policy. You can use
subvolume security to supplement disk-file security.
Subvolume security offers several advantages:
• There are fewer authorization records to manage. Because many files on a
  subvolume might need the same protection scheme, you can protect them all with
  one access control list on a subvolume. You can protect files that need special
  protection with their own disk-file authorization records.
• Subvolume authorization records ensure that all files on the subvolume are
  protected to some degree (with proper Safeguard configuration settings).
• Because individual departments can keep their files confined to a few subvolumes,
  you can more easily tailor the security of the files to the needs of the department.
The Safeguard software must be properly configured to recognize subvolume
authorization records. In particular, the CHECK-SUBVOLUME attribute must be set to
ON. However, a few other configuration attributes also affect how subvolume
authorization records are handled. Consider the following configuration settings:
DIRECTION-DISKFILE FILENAME FIRST
COMBINATION-DISKFILE FIRST-ACL
CHECK-VOLUME OFF
CHECK-SUBVOLUME ON
CHECK-FILENAME ON
With these settings, the Safeguard software first checks for a disk-file authorization
record. If one exists, it is used to determine access. If no disk-file authorization record
exists, Safeguard checks for a subvolume authorization record. If one exists, the
subvolume record is used to determine access. If no authorization records exist,
Guardian security is used.
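
The lookup order described above, as an added Python model (an illustration, not Safeguard code or part of the original guide). It assumes a simplified record format (user mapped to a set of authorities), constructed file and user names, and that a user absent from the deciding record is denied. It also goes slightly beyond the text by letting the CHECK- flags be toggled.

```python
# Simplified model of filename-first, FIRST-ACL evaluation for access to
# existing files. CREATE checks (see the Note in this section) are not modelled.
# Hypothetical names: PAGE_SETTINGS, RECORDS, deciding_record, check_access.

# The CHECK- settings listed in this section.
PAGE_SETTINGS = {"CHECK-VOLUME": False, "CHECK-SUBVOLUME": True, "CHECK-FILENAME": True}

# Constructed sample authorization records: name -> {user: authorities}.
RECORDS = {
    "DISKFILE": {"$DATA.PAYROLL.SALARY": {"PAY.MGR": {"R", "W"}}},
    "SUBVOLUME": {"$DATA.PAYROLL": {"PAY.MGR": {"R", "W"}, "PAY.CLERK": {"R"}}},
    "VOLUME": {"$DATA": {"OPS.ADMIN": {"R"}}},
}

def deciding_record(filename, records, settings=PAGE_SETTINGS):
    """Return (level, record) for the record that decides, or ("GUARDIAN", None)."""
    volume, subvol, _ = filename.split(".")
    # Filename-first direction: the most specific object is consulted first.
    candidates = [
        ("DISKFILE", "CHECK-FILENAME", filename),
        ("SUBVOLUME", "CHECK-SUBVOLUME", f"{volume}.{subvol}"),
        ("VOLUME", "CHECK-VOLUME", volume),
    ]
    for level, flag, name in candidates:
        # A record is only recognized when its CHECK- attribute is ON.
        if settings[flag] and name in records[level]:
            return level, records[level][name]  # FIRST-ACL: first record found decides
    return "GUARDIAN", None

def check_access(user, authority, filename, records, settings=PAGE_SETTINGS):
    """Return (deciding level, allowed); allowed is None when Guardian decides."""
    level, record = deciding_record(filename, records, settings)
    if record is None:
        return level, None  # left to Guardian security, which is not modelled here
    return level, authority in record.get(user, set())

if __name__ == "__main__":
    for f in ("$DATA.PAYROLL.SALARY", "$DATA.PAYROLL.TIMESHT", "$DATA.MISC.NOTES"):
        print(f, check_access("PAY.CLERK", "R", f, RECORDS))
```

In this model a disk-file record overrides a more permissive subvolume record for the same file, and turning CHECK-SUBVOLUME OFF sends every file without its own record to Guardian security.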
Setting CLEARONPURGE Through SAFECOM
You can set CLEARONPURGE for individual files with the ALTER DISKFILE
command. To specify CLEARONPURGE for disk files that do not have Safeguard
authorization records, use FUP to set CLEARONPURGE. To set CLEARONPURGE for
all files on the system, use the Safeguard global configuration attribute
CLEARONPURGE-DISKFILE. However, setting CLEARONPURGE for all files might
have an adverse effect on system performance.
Note. The Safeguard software checks for CREATE authority on VOLUME and SUBVOLUME
records regardless of the CHECK-VOLUME and CHECK-SUBVOLUME configuration settings.