Security Management Guide (G06.29+, H06.08+, J06.03+)
Safeguard System Security
Security Management Guide — 522283-021
File-sharing group names and numbers can appear on a Safeguard access control list
and can be used in the OSS environment to specify group IDs for file permission
codes. For more information on security implications regarding file-sharing groups, see
File-Sharing Groups on page 6-2.
For more information on file-sharing groups, see the Safeguard Administrator’s Manual
and the Safeguard Reference Manual.
Securing Objects
When you secure an object with the SAFECOM ADD command, the Safeguard
software creates an authorization record for that object. The authorization record
contains several security attributes, including the ACCESS attribute, which is used to
define an access control list.
Safeguard Access Control Lists
An access control list specifies access authorities associated with a particular object
(such as a disk file). Access control lists allow you to specify access to a greater level
of detail than Guardian security strings allow. For example, with an access control list,
you can grant access to one or two members of a group without having to grant access
to the entire group.
Consider the following points when creating access control lists:
• You can specify authorities for an individual user, a user group, or all users.
  Consequently, an individual user’s authorities can be determined by more than one
  entry. For example, one entry can grant EXECUTE authority to an entire group,
  while another entry can grant READ and WRITE authority to an individual member
  of the group.
• You must specify all authorities required for a given action in one access control
  list entry. For example, a user needs both READ and WRITE authorities to edit a
  disk file. If only READ authority is granted to every member of a group, and only
  WRITE authority is granted to an individual user in the group, the user cannot edit
  the file because READ and WRITE authorities do not appear in the same entry.
• If you add authorities for an individual user, a new entry is not created. The existing
  entry for that user is updated.
• Use DENY to explicitly deny a user certain authorities. DENY is useful when you
  want to deny access to a few members of a group while granting access to the
  remainder of the group. Also, you can use DENY to deny access to the super ID.
  Normally, the super ID has all access authorities unless explicitly denied.
• A denial always takes precedence over a grant. For example, if a user is granted
  WRITE authority in one entry and denied WRITE authority in another entry, the
  user is denied WRITE authority.
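The following Python sketch is an added example, not code from this guide or from the Safeguard product. It models the points listed above (all required authorities must sit in one entry, adding authorities updates an existing entry, and a denial overrides any grant, including for the super ID); the class, the function names, and the SALES.ANN and SALES.BOB users are constructed for illustration.

```python
# Added model of the access control list rules listed above; not Safeguard code.
# The SALES group and its members are constructed sample values.
SUPER_ID = ("SUPER", "SUPER")  # the super ID, written here as (group, user)

class AccessControlList:
    def __init__(self):
        self.grants = {}   # subject -> set of granted authorities (one entry each)
        self.denials = {}  # subject -> set of denied authorities

    def grant(self, subject, *authorities):
        # Adding authorities for an existing subject updates its entry.
        self.grants.setdefault(subject, set()).update(authorities)

    def deny(self, subject, *authorities):
        self.denials.setdefault(subject, set()).update(authorities)

    @staticmethod
    def _matches(subject, user):
        # A subject is (group, user); "*" stands for every group or every member.
        return all(s in ("*", u) for s, u in zip(subject, user))

    def check(self, user, *required):
        needed = set(required)
        # A denial always takes precedence over a grant, even for the super ID.
        for subject, denied in self.denials.items():
            if self._matches(subject, user) and denied & needed:
                return False
        if user == SUPER_ID:
            return True
        # All required authorities must appear together in ONE matching entry.
        return any(self._matches(subject, user) and needed <= granted
                   for subject, granted in self.grants.items())

def demo():
    acl = AccessControlList()
    acl.grant(("SALES", "*"), "READ")        # every member of the group
    acl.grant(("SALES", "ANN"), "WRITE")     # one individual member
    ann, bob = ("SALES", "ANN"), ("SALES", "BOB")
    results = {"ann_edit_split": acl.check(ann, "READ", "WRITE")}
    acl.grant(ann, "READ")                   # updates ANN's existing entry
    results["ann_edit_merged"] = acl.check(ann, "READ", "WRITE")
    results["entry_count"] = len(acl.grants)
    acl.deny(bob, "READ")                    # exclude one member of the group
    results["bob_read"] = acl.check(bob, "READ")
    results["super_write"] = acl.check(SUPER_ID, "WRITE")
    acl.deny(SUPER_ID, "WRITE")
    results["super_write_denied"] = acl.check(SUPER_ID, "WRITE")
    return results
```

When reviewing an existing list, the split-entry case is the one to look for: a user who appears to hold READ through the group and WRITE individually still cannot edit the file until both authorities are in a single entry.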