XYGATE Access Control Reference Manual
Appendix C: The ACACL File 
XYPRO Technology Corporation  165  Proprietary and Confidential 
C21:  CHANGEUSER_FROM and CHANGEUSER_TO 
The CHANGEUSER_FROM and CHANGEUSER_TO keyword pair is used to specify 
a list of users that can switch from the source userid to the destination userid without 
specifying a password for the destination userid. This operation is enabled by 
the VULIB library, which is supplied with XAC. VULIB is attached to a copy of the 
object code program, usually TACL, using the XAC macro XAC_LIB_INSTALL. After 
the new object file is created, it can be named in an ACACL Command Entry together 
with these keywords to specify the users who may change userids. 
Important! This enhancement is a very powerful tool but can be a potential security 
issue. It permits selected TACL users to log on to certain authorized userids without 
passwords. Care should be taken when implementing this feature. 
Syntax: 
CHANGEUSER_FROM <wildcard-userid-list> 
CHANGEUSER_TO <wildcard-userid-list> 
Example: 
COMMAND MASTER-TACL 
 DESCRIPTION "TACL to let TECH.* logon to other ids" 
 OBJECT $SYSTEM.SYSNN.TACLVU 
 USER GROUP,USER 
 ACL 12,* TECH.* 
 BLANKPASSWORD 
 NULLNULLSTOP 
 NULLNULLNOCMDESC 
 TIMEOUT 300 
 OPENSBYOBJECTS \*.$*.*.* 
 CHANGEUSER_FROM TECH.* 
 CHANGEUSER_TO SUPER.* 
 CHANGEUSER_FROM 12,* 
 CHANGEUSER_TO 12,255 
To build the TACLVU object file, the XAC_LIB_INSTALL macro is used, where XAC 
represents the macro name assigned to XYGATEAC when installed. 
Example: 
23> FUP DUP $SYSTEM.SYS07.TACL, $SYSTEM.SYS07.TACLVU, SAVEALL 
24> XAC_LIB_INSTALL $SYSTEM.SYS07.TACLVU 1 
To understand just what XAC provides with the CHANGEUSER_FROM/ 
CHANGEUSER_TO capability, you have to understand what NonStop Kernel 
provides. If you log on to *,255 using the correct NonStop Kernel password and then 
cross-logon (that is, “log down” without a password) to another userid, the NonStop 
Kernel operating system makes it appear that you used a correct password. This 
means that you can only change (log down) once from the *,255 userids that you 
accessed via a correct NonStop Kernel password. 










