Security Management Guide (G06.29+, H06.08+, J06.03+)
Safeguard System Security
Security Management Guide — 522283-021
Controlling the Super ID
the file. If the file needs to be purged, however, the owner of the Safeguard record
(preferably not the super ID) can add PURGE authority to the record.
Establishing Privileged User IDs
By default, only the super ID can add or delete super-group user IDs (user IDs of the
form 255,n) and group-manager IDs (user IDs of the form n,255). The operating
system grants specific abilities to these IDs.
However, with the OBJECTTYPE USER command, you can specify a set of trusted
users that are allowed to add user IDs, including super-group IDs and group-manager
IDs, to the system.
Controlling Backups With Safeguard Access Control Lists
To back up a file through BACKUP, a user must have READ access to that file. To
back up the entire system, the user must have READ access to all files.
You might want to create a special backup ID that is used only for backups. Give the
ID read-only access to all files and give the password to a trusted user responsible for
backups.
Rather than creating or modifying access control lists for every file on the system, you
might want to grant READ access to all volumes on the system. Then the Safeguard
CHECK-VOLUME configuration attribute must be turned on to activate checking at the
VOLUME level. For more information about configuring the Safeguard software, see
the Safeguard Administrator’s Manual.
Controlling Other Privileged Users
Take the following measures to control other privileged users:
• Keep the size of the super group as small as possible. Instead, grant the
  operations staff only the authorities they need. Use OBJECTTYPE access control
  lists on objects to control super-group authorities.
• Establish a procedure for removing privileged user IDs upon termination. If the
  privileged ID has network access, notify the other nodes.
• Freeze privileged users during vacations or other periods of absence. Use the
  FREEZE USER command.
Note. The super ID should be reserved for emergencies and nonroutine situations. When an
emergency arises, you might need the super ID to be as unrestricted as possible. Through
SYSGEN, you can make the super ID undeniable. Then the Safeguard software ignores
explicit denials of access authorities for the super ID. For information on how to specify an
undeniable super ID, see the Safeguard Administrator’s Manual.
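
The measures listed under Controlling Other Privileged Users can be checked periodically against a user inventory. The following Python audit is an added example, not part of this guide or of the Safeguard software. It assumes a constructed inventory format (not SAFECOM output), a hypothetical staff-status column, and an assumed site limit on super-group size.

```python
from collections import namedtuple

# Constructed inventory (not SAFECOM output); the status column is hypothetical HR data.
INVENTORY = """\
SUPER.SUPER   255,255 no  active
SUPER.OPER1   255,10  no  absent
SUPER.OPER2   255,11  yes absent
SUPER.OLDADM  255,12  no  terminated
SALES.MANAGER 8,255   no  absent
SALES.CLERK   8,4     no  absent
"""

User = namedtuple("User", "name group member frozen status")

def parse(text):
    users = []
    for line in text.strip().splitlines():
        name, uid, frozen, status = line.split()
        group, member = (int(x) for x in uid.split(","))
        users.append(User(name, group, member, frozen == "yes", status))
    return users

def privilege_class(u):
    """Classify by ID form: 255,n is super-group, n,255 is group-manager."""
    if (u.group, u.member) == (255, 255):
        return "super ID"
    if u.group == 255:
        return "super-group"
    if u.member == 255:
        return "group-manager"
    return None

def audit(users, max_super_group=3):  # max_super_group: assumed site policy
    findings = []
    for u in users:
        kind = privilege_class(u)
        if kind is None:
            continue  # ordinary user, outside the scope of these measures
        if u.status == "terminated":
            findings.append((u.name, f"{kind}: owner terminated, remove the ID"))
        elif u.status == "absent" and not u.frozen:
            findings.append((u.name, f"{kind}: owner absent, FREEZE USER"))
    size = sum(1 for u in users if u.group == 255)
    if size > max_super_group:
        findings.append(("*", f"super group has {size} IDs, limit {max_super_group}"))
    return findings

if __name__ == "__main__":
    print(*audit(parse(INVENTORY)), sep="\n")
```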