XYGATE Access Control Reference Manual
Appendix C: The ACACL File 
XYPRO Technology Corporation  166  Proprietary and Confidential 
The VULIB library essentially extends the NSK intrinsic *,255 userid privilege of
cross-logon within the group without a password to any XAC-authorized userid. However,
the feature is more powerful with XAC because what the authorized userid gets is access
to the destination userid(s) with a full audit trail (if configured). It is more convenient
because, having once used this feature to log on to a userid, you do not then lose your
security for cross-logons. You can continue to log freely from userid to userid among
your initial userid (a member of the CHANGEUSER_FROM list) and the list of
authorized userids on the “paired” (the next following) CHANGEUSER_TO list. It is far
more flexible than starting separate XAC-audited TACLs assigned to the desired
userids because this is done within one single TACL session, which means the
complete context with respect to TACL history, macros loaded, key assignments and
so on is retained.
Note: CHANGEUSER_FROM is Expand Network userid aware and will assume local
user if the \<nodename>.GROUP.USER is not used. Do not use the Network
form of a userid in the CHANGEUSER_TO list as it will be confusing from a
documentation point of view. All CHANGEUSER_TO userids are local node
only.
In the case of an XAC ACACL Command Entry with CHANGEUSER pairs, if the userid
that you log on to is on one of the CHANGEUSER_FROM “privileged” lists, you will be
able to log to those userids listed in the CHANGEUSER_TO list and your original
userid freely, over and over again. With XAC, if you log to a *,255 userid with the aid of
the CHANGEUSER_TO list, your original userid will be remembered and will remain
what it was and not change to the *,255 userid to which the XAC CHANGEUSER_TO
list gave you access. This will mean that you can continue to log from userid to userid
as authorized by the XAC ACACL Command Entry.
Sample Usage: 
Assuming that your XAC ACACL Entry looks like: 
COMMAND MASTER-TACL 
 DESCRIPTION "TACL to let TECH.* logon to other ids" 
 OBJECT $SYSTEM.SYSNN.TACLVU 
 ACL 12,* TECH.* 
 BLANKPASSWORD 
 NULLNULLSTOP 
 NULLNULLNOCMDESC 
 TIMEOUT 300 
 OPENSBYOBJECTS \*.$*.*.* 
 CHANGEUSER_FROM TECH.* 
 CHANGEUSER_TO SUPER.* 
 CHANGEUSER_FROM 12,* 
 CHANGEUSER_TO 12,255 
1.  Your initial logon is to TECH.RALPH.
2.  You log on as SUPER.OPER without using a password.
3.  You finish your work as SUPER.OPER and log back into TECH.RALPH.
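
The pairing rule described above, as an added example in Python that is not part of the manual or of XYGATE itself: it pairs each CHANGEUSER_FROM with the next following CHANGEUSER_TO in the sample entry and lists which userids a session may switch to, judged against the original logon userid. The USERS directory is constructed, and rejecting unpaired lines and handling only local userids are assumptions of this sketch.

```python
import fnmatch

# CHANGEUSER lines of the sample entry on this page.
ENTRY = """\
COMMAND MASTER-TACL
 CHANGEUSER_FROM TECH.*
 CHANGEUSER_TO SUPER.*
 CHANGEUSER_FROM 12,*
 CHANGEUSER_TO 12,255
"""

# Constructed local user directory (name form -> group,user number); not from the manual.
USERS = {"TECH.RALPH": "20,7", "DEV.ANN": "12,3", "DEV.MGR": "12,255",
         "SUPER.OPER": "255,1", "SUPER.SUPER": "255,255", "OPS.JANE": "30,4"}

def parse_pairs(text):
    """Pair each CHANGEUSER_FROM with the next following CHANGEUSER_TO."""
    pairs, pending = [], None
    for raw in text.splitlines():
        keyword, _, rest = raw.strip().partition(" ")
        if keyword == "CHANGEUSER_FROM":
            if pending is not None:
                raise ValueError("CHANGEUSER_FROM without a paired CHANGEUSER_TO")
            pending = rest.split()
        elif keyword == "CHANGEUSER_TO":
            if pending is None:
                raise ValueError("CHANGEUSER_TO without a preceding CHANGEUSER_FROM")
            pairs.append((pending, rest.split()))
            pending = None
    if pending is not None:
        raise ValueError("CHANGEUSER_FROM without a paired CHANGEUSER_TO")
    return pairs

def matches(name, patterns, users):
    """True if the userid matches any pattern in its name or numeric form."""
    return any(fnmatch.fnmatchcase(form, p) for p in patterns for form in (name, users[name]))

def reachable(original, pairs, users):
    """Userids the session may switch to, judged against the original logon userid."""
    targets = {original}  # the original userid is always available to return to
    for from_list, to_list in pairs:
        if matches(original, from_list, users):
            targets |= {u for u in users if matches(u, to_list, users)}
    return sorted(targets)

def passwordless_super(pairs, users):
    """Audit view: non-SUPER userids that can reach a SUPER group (255,*) userid."""
    return sorted(u for u in users if not users[u].startswith("255,")
                  and any(users[t].startswith("255,") for t in reachable(u, pairs, users)))
```

Running passwordless_super over each ACACL entry gives a reviewer the list of userids that reach SUPER-group userids without a password, which is the set whose audit trail matters most.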










