SSH Reference Manual
PARTIALSSHCOMACCESSGROUP<n> 
This parameter set allows granting limited administrative SSHCOM command privileges to users that have the 
configured group as PRIMARY-GROUP in the Safeguard USER configuration. Admin groups with limited SSHCOM 
access are defined via the parameter set PARTIALSSHCOMACCESSGROUP<n> where <n> is a number between 1 
and 99. 
Limited administrative SSHCOM access includes viewing and altering USER records, i.e. execution of daemon mode 
commands INFO USER and ALTER USER. All USER attributes can be modified except the most critical ones, which 
are ALLOWED-AUTHENTICATIONS and SYSTEM-USER. These fields can only be modified by users with full 
SSHCOM access. 
Additional restrictions apply depending on the setting of parameter LIFECYCLEPOLICYPUBLICUSERKEY: Users 
with partial SSHCOM access can specify the LIVE-DATE and EXPIRE-DATE when adding or altering a user’s public 
key only if LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE. 
Parameter Syntax 
PARTIALSSHCOMACCESSGROUP<j> <group> 
Arguments 
 <group> 
A Guardian group name. All members of the group will have partial SSHCOM access. 
Default 
By default, none of the parameters are set, i.e. only users with full SSHCOM access can execute privileged commands. 
Example 
PARTIALSSHCOMACCESSGROUP1 admin 
PARTIALSSHCOMACCESSGROUP2 super 
Considerations 
•  Some of the privileged commands in SSHCOM are critical to the security of the system. Therefore granting 
access to user accounts other than super.super must be carefully considered. 
•  The parameters must be set contiguously, i.e. if one parameter PARTIALSSHCOMACCESSGROUP<p> is not 
defined, the checking of PARTIALSSHCOMACCESSGROUP<n> parameters stops. 
•  This parameter set is valid whether a thawed OBJECTTYPE USER record exists in Safeguard or not. But if a 
user is configured with C access in the OBJECTTYPE USER record as well as included in the parameter set 
PARTIALSSHCOMACCESSGROUP<n>, then the user has full SSHCOM access. 
•  If a user is included in parameter sets PARTIALSSHCOMACCESSGROUP<n> as well as sets 
FULLSSHCOMACCESSUSER<i> or FULLSSHCOMACCESSGROUP<j>, then the user has full SSHCOM 
access. 
See also 
•  PARTIALSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSUSER<i>, 
FULLSSHCOMACCESSGROUP<j>, LIFECYCLEPOLICYPUBLICUSERKEY 
•  See table in “SSHCOM Access Summary” in section "SSHCOM Command Reference". 
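The contiguity and precedence rules from the Considerations above can be checked before a configuration is deployed. The following audit sketch is an added example, not code from the manual or the product; it shows which PARTIALSSHCOMACCESSGROUP<n> entries take effect and which are silently dropped behind a gap in the numbering. Assumptions: parameters appear one per line as "NAME value" (as in the Example above), checking starts at <n> = 1, names and groups compare case-insensitively, and the caller supplies the groups already known to carry full SSHCOM access.

```python
import re

# Constructed sample configuration (not from the manual): entry 3 is missing,
# so entry 4 sits behind a gap in the numbering.
SAMPLE_CONFIG = """\
PARTIALSSHCOMACCESSGROUP1 admin
PARTIALSSHCOMACCESSGROUP2 super
PARTIALSSHCOMACCESSGROUP4 oper
"""

PREFIX = "PARTIALSSHCOMACCESSGROUP"


def read_partial_groups(config_text):
    """Return {n: group} for every 'PARTIALSSHCOMACCESSGROUP<n> <group>' line, n in 1..99."""
    pattern = re.compile(rf"^\s*{PREFIX}([1-9]\d?)\s+(\S+)\s*$", re.IGNORECASE)
    entries = {}
    for line in config_text.splitlines():
        match = pattern.match(line)
        if match:
            entries[int(match.group(1))] = match.group(2).lower()
    return entries


def honoured_and_ignored(entries):
    """Walk n = 1, 2, ... and stop at the first undefined n (contiguity rule)."""
    honoured, n = [], 1
    while n in entries:
        honoured.append(entries[n])
        n += 1
    # Anything numbered above the gap is never evaluated.
    ignored = {k: v for k, v in entries.items() if k > n}
    return honoured, ignored


def access_for_group(config_text, primary_group, full_groups=()):
    """Access a primary group gets from this parameter set: 'full', 'partial' or 'none'.

    full_groups is supplied by the caller (assumption); full access wins over partial.
    """
    honoured, _ = honoured_and_ignored(read_partial_groups(config_text))
    group = primary_group.lower()
    if group in {g.lower() for g in full_groups}:
        return "full"
    return "partial" if group in honoured else "none"


if __name__ == "__main__":
    honoured, ignored = honoured_and_ignored(read_partial_groups(SAMPLE_CONFIG))
    print("honoured:", honoured)
    print("ignored (behind a gap):", ignored)
```

A non-empty "ignored" result means an administrator intended to grant partial access that the gap prevents from taking effect; renumber the entries so they run contiguously from 1.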
PARTIALSSHCOMACCESSUSER<k> 
This parameter set allows granting limited administrative SSHCOM command privileges to configured users. Admin 
users with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSUSER<k> where 
<k> is a number between 1 and 99. 
HP NonStop SSH Reference Manual  Configuring and Running SSH2 • 101 










