SQL/MP Installation and Management Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series

Planning Database Security and Recovery

HP NonStop SQL/MP Installation and Management Guide—523353-004

4-9

Safeguard Security Product

specifies the users and user groups who can or cannot access the object. If an access

control list does not specify access permission for a particular user, the Safeguard

product rejects that user’s access attempt.

The Safeguard product has these general attributes:

•

The Safeguard product can restrict the creation of tables, views, indexes,

collations, and catalogs on volumes and subvolumes for which it maintains a

user-authentication record.

•

The Safeguard product can protect the creation of SQL processes and the

execution and purging of SQL program files.

•

Safeguard access lists cannot be created for individual SQL object names,

although names of SQL tables, views, indexes, collations, and programs are disk

file names.

•

The Safeguard product works with the Guardian security system to enforce the

security controls established by system managers, security administrators, and

other users.

A Safeguard user-authentication record represents each user, and the owner of the

record controls the security attributes for that user.

Before a volume is protected by the Safeguard product, anyone with access to the

system can create objects on that disk volume.

To use Safeguard authorization control for creating SQL tables, views, or indexes, you

must add the disk volumes or subvolumes on which these objects will reside to the

Safeguard protection scheme. Every table for which you want a different access

control list should reside on a different subvolume. For a partitioned table or index, you

must secure each volume containing a partition of the object individually, providing the

same Safeguard protection for each partition.

To set up a volume, subvolume, or process under Safeguard protection, you must

invoke SAFECOM, the command interpreter for the Safeguard product. Then you can

alter the access for the volume, subvolume, or process, as in this example:

SAFECOM

= ASSUME VOLUME;

= ALTER $DATA,ACCESS \*.GROUP1.USERID C;

= ALTER $DATA,ACCESS \*.GROUP2.* C; ****

= ASSUME SUBVOLUME;

= ALTER $DATA.PERSNL , ACCESS \*.GROUP1.USERID (C, P);

= ALTER $DATA.SALES , ACCESS \*.GROUP2.* (C, P) ;

= ALTER $DATA.INVENT , ACCESS \*.GROUP2.* (C, P) ;

= ALTER $DATA.DPROGS , ACCESS (\*.GROUP1.*, \*.GROUP2.*) (C, E, P)

= ASSUME PROCESS ;

= SET OWNER 100,255 ;

= SET ACCESS 100,255 (R, W, E, P, C); 200.* DENY (E, P);

= EXIT;