Security Management Guide (G06.29+, H06.08+, J06.03+)

Safeguard System Security
Security Management Guide 522283-021
Controlling User Access
When a user ID is added through SAFECOM, the user ID is defined by a Safeguard
user authentication record. The following subsection describes how to add users
through SAFECOM and how to control user access through the attributes of the user
authentication record.
Many of a user’s privileges are determined by object authorization records rather than
by the user authentication record. For example, a user’s ability to run a program can be
determined by the access control list on the program file or the process name the
program runs under. For more information on these aspects of user privilege, see
Securing Objects on page 3-12.
Adding Users to a System
When the Safeguard software is installed on a system with an existing user
community, it takes over the existing user ID file. The next time each user logs on, the
user record is expanded to include Safeguard attributes.
Add new users with the ADD USER command. Always specify passwords when
adding users. Be sure to tell users to change their passwords immediately after logging
on for the first time. You can set a Safeguard configuration attribute to require users to
change their passwords at regular intervals.
In addition, by using the PASSWORD-EXPIRES attribute, you can add a user with a
password that is already expired. You can then grant the user a grace period during
which to change the expired password.
User Expiration
Use the USER-EXPIRES attribute for contractors and temporary employees. For
example, if you hire a contract programmer whose contract expires on October 19,
1996, issue a command similar to this when adding the user ID:
3> SAFECOM ADD USER prog.donna, 10,200, PASSWORD vroom, &
3> USER-EXPIRES Oct 19 1996
Requiring Password Changes
You can use the PASSWORD-MUST-CHANGE attribute to require users to change
their passwords periodically. You can specify different periods for each user. The
following SAFECOM command specifies a password period for PROG.DONNA:
=ALTER USER prog.donna, PASSWORD-MUST-CHANGE 30 DAYS
The PASSWORD-MUST-CHANGE attribute interacts with the global
PASSWORD-MAY-CHANGE attribute. The PASSWORD-MAY-CHANGE attribute
specifies the number of days prior to expiration that users can change their passwords.
For more information about the interaction between these two attributes, see the
Safeguard Administrator’s Manual.
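The following Python model is an added example, not code from the manual or from Safeguard itself; it shows how USER-EXPIRES, PASSWORD-EXPIRES with a grace period, PASSWORD-MUST-CHANGE and the global PASSWORD-MAY-CHANGE combine on a given date, as the sections above describe them. It assumes a PASSWORD-MAY-CHANGE value of 7 days, that logon is refused on and after the USER-EXPIRES date, and that an expired password is accepted only inside the grace period; the user records and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class SafeguardUser:
    """Constructed model of the user authentication record attributes discussed above."""
    name: str
    password_changed: date                     # date the current password was set
    password_must_change_days: Optional[int]   # PASSWORD-MUST-CHANGE period; None = no period
    password_expires: Optional[date] = None    # explicit PASSWORD-EXPIRES, e.g. pre-expired at ADD
    grace_days: int = 0                        # grace period granted to change an expired password
    user_expires: Optional[date] = None        # USER-EXPIRES for contractors and temporary staff

# Global PASSWORD-MAY-CHANGE: days before expiry during which a change is permitted (assumed value)
PASSWORD_MAY_CHANGE_DAYS = 7

def password_expiry(u: SafeguardUser) -> Optional[date]:
    """An explicit PASSWORD-EXPIRES wins; otherwise derive expiry from PASSWORD-MUST-CHANGE."""
    if u.password_expires is not None:
        return u.password_expires
    if u.password_must_change_days is None:
        return None
    return u.password_changed + timedelta(days=u.password_must_change_days)

def evaluate(u: SafeguardUser, today: date) -> str:
    """Classify the account state on a given date (assumed semantics, see lead-in)."""
    if u.user_expires is not None and today >= u.user_expires:
        return "USER-EXPIRED"                 # logon should be refused outright
    expiry = password_expiry(u)
    if expiry is None:
        return "OK"
    if today >= expiry:
        if today < expiry + timedelta(days=u.grace_days):
            return "PASSWORD-EXPIRED-GRACE"   # must change at logon, still within grace
        return "PASSWORD-EXPIRED"             # grace exhausted: administrator action needed
    if today >= expiry - timedelta(days=PASSWORD_MAY_CHANGE_DAYS):
        return "CHANGE-ALLOWED"               # inside the PASSWORD-MAY-CHANGE window
    return "OK"                               # too early to change under PASSWORD-MAY-CHANGE

def audit(users, today: date) -> dict:
    """Return {user name: state} for a set of records, e.g. for a periodic access review."""
    return {u.name: evaluate(u, today) for u in users}

# Constructed records: DONNA mirrors the page's example (30-day period, contract ends Oct 19 1996)
DONNA = SafeguardUser("PROG.DONNA", date(1996, 9, 1), 30, grace_days=5, user_expires=date(1996, 10, 19))
NEWHIRE = SafeguardUser("PROG.NEW", date(1996, 9, 1), 30, password_expires=date(1996, 9, 1), grace_days=3)

if __name__ == "__main__":
    print(audit([DONNA, NEWHIRE], date(1996, 10, 3)))
```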