XYGATE Access Control Reference Manual

Appendix C: The ACACL File
XYPRO Technology Corporation 155 Proprietary and Confidential
C10: ALLOW_CHECK_ALIASES
The keyword ALLOW_CHECK_ALIASES changes the order in which
ALLOWCMD/DENYCMD and command ALIAS entries are evaluated. Without this
keyword, XAC behaves as it always has: ALIAS entries are evaluated before
ALLOWCMD/DENYCMD evaluation, because it is assumed that the security
administrator has set up the command ALIAS entries specifically for the environment.
When the ALLOW_CHECK_ALIASES keyword is set, ALLOWCMD and DENYCMD
processing is applied to the command that results after the command ALIAS
conversion occurs.
Example:
COMMAND TEST-ALLOW-CHECK-ALIAS
USER SUPER.SUPER
OBJECT $SYSTEM.SYSNN.TACL
ACL SECURITY.ADMIN
ALIAS "OBEY" ">OBEY"
ALIAS "O " ">OBEY"
DENYCMD RE:"([Oo][Pp])"
Without ALLOW_CHECK_ALIASES, this command will map OBEY $OPS.X.Y to
>OBEY $OPS.X.Y and allow its execution.
With ALLOW_CHECK_ALIASES, this command will map OBEY $OPS.X.Y to
>OBEY $OPS.X.Y, then apply the DENYCMD expression to it, find that it includes OP
and deny it.
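The evaluation order described above, as a small Python model for reviewing an entry (an added example, not XYPRO code and not part of the manual). It assumes ALIAS matches on a command prefix, case-insensitively, and that RE: patterns behave like Python regular expressions; parse_entry, evaluate and alias_bypasses are hypothetical names.

```python
import re
import shlex

# Constructed sample: the C10 entry from this page, without the keyword.
ENTRY = '''COMMAND TEST-ALLOW-CHECK-ALIAS
USER SUPER.SUPER
OBJECT $SYSTEM.SYSNN.TACL
ACL SECURITY.ADMIN
ALIAS "OBEY" ">OBEY"
ALIAS "O " ">OBEY"
DENYCMD RE:"([Oo][Pp])"
'''

def parse_entry(text):
    """Collect ALIAS pairs, DENYCMD regexes and the ALLOW_CHECK_ALIASES flag."""
    entry = {"aliases": [], "deny": [], "check_aliases": False}
    for line in text.splitlines():
        keyword, _, rest = line.strip().partition(" ")
        if keyword == "ALIAS":
            entry["aliases"].append(tuple(shlex.split(rest)))
        elif keyword == "DENYCMD" and rest.startswith("RE:"):
            entry["deny"].append(re.compile(rest[3:].strip('"')))
        elif keyword == "ALLOW_CHECK_ALIASES":
            entry["check_aliases"] = True
    return entry

def evaluate(entry, command):
    """Return (decision, command_as_run) for one typed command."""
    for src, dst in entry["aliases"]:
        if command.upper().startswith(src):      # assumption: prefix match
            command = dst + command[len(src):]
            if not entry["check_aliases"]:
                return "allow", command          # alias result skips DENYCMD
            break
    if any(rx.search(command) for rx in entry["deny"]):
        return "deny", command
    return "allow", command

def alias_bypasses(entry, samples):
    """Sample commands the entry allows only because DENYCMD is not applied after ALIAS."""
    strict = dict(entry, check_aliases=True)
    return [c for c in samples
            if evaluate(entry, c)[0] == "allow" and evaluate(strict, c)[0] == "deny"]

if __name__ == "__main__":
    print(alias_bypasses(parse_entry(ENTRY), ["OBEY $OPS.X.Y", "OBEY $DATA.X.Y"]))
```

An empty list from alias_bypasses means that, for the sampled commands, adding ALLOW_CHECK_ALIASES would not change any decision.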
C11: ALLOWDENY_ALL_PROCESSES
This keyword extends the ALLOWCMD/DENYCMD checking to any process that
communicates with XAC, not just the initial OBJECT program the XYGATEAC process
was configured to start. For instance, if the initially executed ACACL Command Entry
contained the DENYCMD "ABORT" and the initial OBJECT was SCF, then the SCF
ABORT command would be prohibited. If the user then started PATHCOM via SCF’s
run command, the PATHCOM ABORT command would likewise be prohibited.
Example:
COMMAND CMI-255
DESCRIPTION "CMI as SUPER.SUPER, no ABORT"
USER 255,255
OBJECT $SYSTEM.SYSTEM.CMI
ACL $OPER
OPENSBYOBJECTS $*.*.*
DENYCMD "ABORT"
ALLOWCMD "*"
ALLOWDENY_ALL_PROCESSES