SSH Reference Manual

DAEMONMODEOWNERPOLICY
Defines security granularity for daemon mode USER records in the SSH2 database based on the OWNER field of the
configured SSH user. Access to the daemon mode USER records in the SSH2 database will be granted in the same
fashion as for PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP, which is defined as partial access.
Access granted through the FULLSSHCOMACCESSUSER/FULLSSHCOMACCESSGROUP and
PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP parameters and through a Safeguard OBJECTTYPE
USER record is independent of the OWNER field. That is, partial or full access granted via
PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP, FULLSSHCOMACCESSUSER/FULLSSHCOMACCESSGROUP
or a Safeguard OBJECTTYPE USER record is not affected by this policy.
Parameter Syntax
DAEMONMODEOWNERPOLICY LOGINNAME | GUARDIANNAME | BOTH | NONE
Arguments
LOGINNAME
The login name value (which can be a guardian name or alias) of the guardian user that started the SSHCOM
session will be compared to the OWNER field value (guardian name or alias) of the configured SSH user. This
guardian user will have partial access to all the configured SSH user records and will be able to do SSHCOM
INFO USER or SSHCOM ALTER USER commands on these records if a match was found using the login
name value.
GUARDIANNAME
The guardian name of the login name value (which can be a guardian name or alias) of the guardian user that
started the SSHCOM session will be compared to the OWNER field value (guardian name or alias) of the
configured SSH user. This guardian user will have partial access to all the configured SSH user records and will
be able to do SSHCOM INFO USER or SSHCOM ALTER USER commands on these records if a match was
found using the guardian name of the login name value.
BOTH
The login name value (which can be a guardian name or alias) or guardian name of the login name value of the
guardian user that started the SSHCOM session will be compared to the OWNER field value (guardian name or
alias) of the configured SSH user. This guardian user will have partial access to all the configured SSH user
records and will be able to do SSHCOM INFO USER or SSHCOM ALTER USER commands on these records
if a match was found using the login name or guardian name of the login name values.
NONE
The OWNER field value of the configured SSH user will NOT be evaluated.
Considerations
The DAEMONMODEOWNERPOLICY allows the same access rights to the daemon mode USER records as
given by PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP.
The DAEMONMODEOWNERPOLICY is only applicable when issuing SSHCOM INFO USER or SSHCOM
ALTER USER commands in daemon mode.
The logged in guardian user who started the SSHCOM session and is a group manager of the OWNER field
value automatically has partial access rights to the daemon mode USER records.
If DAEMONMODEOWNERPOLICY NONE was not specified, group managers, e.g. <groupname>.manager,
will always be treated as DAEMONMODEOWNERPOLICY BOTH regardless of whether LOGINNAME or
GUARDIANNAME was specified.
If SUPER.SUPER is denied full SSHCOM access via an OBJECTTYPE USER “DENY C” entry, the user
SUPER.SUPER can still be configured as the owner of a USER record and would get partial access rights.
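The matching rules above can be modelled offline to see which USER records a given SSHCOM session would reach through the OWNER field alone under each policy value. This is an added example, not code from the product or the manual. Assumptions: exact string comparison, the `owner_guardian` field (the guardian name the OWNER value resolves to), recognising managers by the `<groupname>.manager` form, NONE also switching off the group-manager rules, and all names in the constructed sample data.

```python
from dataclasses import dataclass

POLICIES = ("LOGINNAME", "GUARDIANNAME", "BOTH", "NONE")

@dataclass(frozen=True)
class Session:
    login_name: str     # name used at logon: a guardian name or an alias
    guardian_name: str  # guardian name that login_name resolves to

@dataclass(frozen=True)
class UserRecord:
    ssh_user: str
    owner: str           # OWNER field as configured (guardian name or alias)
    owner_guardian: str  # assumption: guardian name the OWNER value resolves to

def is_group_manager(guardian_name: str) -> bool:
    # Assumption: managers are recognised by the <groupname>.manager name form.
    return guardian_name.upper().endswith(".MANAGER")

def group_of(guardian_name: str) -> str:
    return guardian_name.split(".", 1)[0]

def owner_grants_partial(policy: str, s: Session, rec: UserRecord) -> bool:
    """True if the OWNER field alone yields partial access to rec."""
    if policy not in POLICIES:
        raise ValueError(f"unknown DAEMONMODEOWNERPOLICY value: {policy}")
    if policy == "NONE":  # assumption: NONE also disables the group-manager rules
        return False
    if is_group_manager(s.guardian_name):
        if group_of(s.guardian_name) == group_of(rec.owner_guardian):
            return True   # session user manages the OWNER's group
        policy = "BOTH"   # managers are matched as BOTH whatever was configured
    names = set()
    if policy in ("LOGINNAME", "BOTH"):
        names.add(s.login_name)
    if policy in ("GUARDIANNAME", "BOTH"):
        names.add(s.guardian_name)
    return rec.owner in names  # assumption: exact string comparison

def records_opened_by_owner(policy, s, records):
    return [r.ssh_user for r in records if owner_grants_partial(policy, s, r)]

# Constructed sample data, not taken from any real system.
RECORDS = [
    UserRecord("alice", "ops-alias", "OPS.ALICE"),
    UserRecord("bob", "OPS.ALICE", "OPS.ALICE"),
    UserRecord("carol", "DEV.CAROL", "DEV.CAROL"),
]
ALICE = Session("ops-alias", "OPS.ALICE")          # logged on through an alias
OPS_MANAGER = Session("OPS.MANAGER", "OPS.MANAGER")
```

Access granted through the FULL/PARTIAL SSHCOM access parameters or a Safeguard OBJECTTYPE USER record is outside this model, since the manual states it is independent of the OWNER field.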
Configuring and Running SSH2, HP NonStop SSH Reference Manual