SSH Reference Manual

Limited administrative SSHCOM access includes viewing and altering USER records, i.e. execution of daemon mode
commands INFO USER and ALTER USER. All USER attributes can be modified except the most critical ones,
ALLOWED-AUTHENTICATIONS and SYSTEM-USER, which can only be modified by users with full SSHCOM access.
Additional restrictions apply depending on the setting of parameter LIFECYCLEPOLICYPUBLICUSERKEY: Users
with partial SSHCOM access can specify the LIVE-DATE and EXPIRE-DATE when adding or altering a user’s public
key only if LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE.
Parameter Syntax
PARTIALSSHCOMACCESSUSER<k> <group>.<user>
Arguments
<group>.<user>
The Guardian logon name of the account that will have partial SSHCOM access. Logon ids and alias names are
not supported.
Default
By default, none of the parameters are set, i.e. only users with full SSHCOM access can execute privileged commands.
Example
PARTIALSSHCOMACCESSUSER1 admin.joe
PARTIALSSHCOMACCESSUSER2 admin.jim
PARTIALSSHCOMACCESSUSER3 super.jane
Considerations
Some of the privileged commands in SSHCOM are critical to the security of the system. Therefore granting
access to user accounts other than super.super must be carefully considered.
The parameters must be set contiguously, i.e. if one parameter PARTIALSSHCOMACCESSUSER<k> is not
defined, the checking of PARTIALSSHCOMACCESSUSER<i> parameters stops.
This parameter set is valid whether a thawed OBJECTTYPE USER record exists in Safeguard or not. But if a
user is configured with C access in the OBJECTTYPE USER record as well as mentioned in the parameter set
PARTIALSSHCOMACCESSUSER<k>, then the user has full SSHCOM access.
If a user is included in parameter sets PARTIALSSHCOMACCESSGROUP<n> as well as sets
FULLSSHCOMACCESSUSER<i> or FULLSSHCOMACCESSGROUP<j>, then the user has full SSHCOM access.
See also
PARTIALSSHCOMACCESSGROUP<n>, FULLSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSGROUP<j>,
LIFECYCLEPOLICYPUBLICUSERKEY
See table in “SSHCOM Access Summary” in section "SSHCOM Command Reference".
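The contiguity rule under Considerations means a numbering gap silently drops every later entry. The following audit script is an added example, not part of the manual or the product: it reports which PARTIALSSHCOMACCESSUSER<k> entries are effective, which are ignored after a gap, which names are also listed in a FULLSSHCOMACCESSUSER<i> line, and which values are not in <group>.<user> form. Assumptions: numbering starts at 1 as in the Example above, names compare case-insensitively, the Guardian name pattern is as commented, and the overlap report does not apply a contiguity check to the FULL set.

```python
import re

# Constructed sample (not from the manual): index 3 is undefined, so the
# scan stops there and the entries at 4 and 5 are never evaluated.
SAMPLE_CONFIG = """\
PARTIALSSHCOMACCESSUSER1 admin.joe
PARTIALSSHCOMACCESSUSER2 admin.jim
PARTIALSSHCOMACCESSUSER4 super.jane
PARTIALSSHCOMACCESSUSER5 255,12
FULLSSHCOMACCESSUSER1 admin.jim
"""

PARAM = re.compile(r"^(PARTIAL|FULL)SSHCOMACCESSUSER(\d+)\s+(\S+)$", re.I)
# Assumed shape of a Guardian logon name: <group>.<user>, each part a letter
# followed by up to seven letters or digits.
LOGON_NAME = re.compile(r"^[a-z][a-z0-9]{0,7}\.[a-z][a-z0-9]{0,7}$", re.I)


def parse(text):
    """Collect {index: value} for the PARTIAL and FULL user parameter sets."""
    sets = {"PARTIAL": {}, "FULL": {}}
    for line in text.splitlines():
        m = PARAM.match(line.strip())
        if m:
            sets[m.group(1).upper()][int(m.group(2))] = m.group(3).lower()
    return sets


def audit(text, first_index=1):
    """first_index=1 is an assumption taken from the manual's Example."""
    sets = parse(text)
    partial, k = [], first_index
    while k in sets["PARTIAL"]:          # contiguous scan, stops at first gap
        partial.append(sets["PARTIAL"][k])
        k += 1
    ignored = [f"PARTIALSSHCOMACCESSUSER{i} {v}"
               for i, v in sorted(sets["PARTIAL"].items()) if i >= k]
    full_names = set(sets["FULL"].values())
    return {
        "partial_only": [u for u in partial if u not in full_names],
        "also_full": [u for u in partial if u in full_names],
        "ignored_after_gap": ignored,
        "not_logon_name": [v for s in sets.values() for v in s.values()
                           if not LOGON_NAME.match(v)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```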
PAUTHSUPPRESSIPADDRESS
Local authentication with password provides the remote client IP address to system procedure
USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later). If the IP address needs
to be suppressed in USER_AUTHENTICATE_ calls, then parameter PAUTHSUPPRESSIPADDRESS must be set to
TRUE.
Parameter Syntax
PAUTHSUPPRESSIPADDRESS TRUE|FALSE
102 Configuring and Running SSH2 HP NonStop SSH Reference Manual