XYGATE Access Control Reference Manual
Appendix C: The ACACL File 
XYPRO Technology Corporation  221  Proprietary and Confidential 
•  If you need the USER in an XAC command to be an alias, you must use SWITCH, 
LOGON, or SAFEGUARD_PRIVLOGON. If you choose SWITCH and enter an 
alias as the USER, then the command will actually run as the alias’ underlying 
userid. 
•  If your site uses Safeguard FILE-SHARING GROUPS, you must use LOGON, 
PRIVLOGON or SAFEGUARD_PRIVLOGON. 
•  If the userid or alias given as the argument to the USER keyword in an XAC 
command is FROZEN, note that all methods except SAFEGUARD_PRIVLOGON can 
log on to a frozen or expired user. 
•  If your company security policy requires that the PASSWORD-REQUIRED 
parameter be ON in Safeguard, then you must use SWITCH, PRIVLOGON or 
SAFEGUARD_PRIVLOGON. 
In Example 1 below, because USER_SWITCH is set to LOGON, XYGATEAC will start 
the TACL with the CAID and PAID equal to the userid underlying the alias ops-mgr, 
and the LOGIN NAME shown with the WHO command will be set to ops-mgr. 
Example 1: 
COMMAND S470OBJ-AS-ALIAS 
 USER ALIAS:"ops-mgr" 
 OBJECT $SYSTEM.SYSNN.TACL 
 ACL $OPS 
 OBEY $WORK.SBATCH.RUNS470 
 USER_SWITCH LOGON 
If you need File-sharing and must have PASSWORD-REQUIRED ON, you must use 
PRIVLOGON or SAFEGUARD_PRIVLOGON, but you cannot use an alias as the 
USER argument if you choose PRIVLOGON. 
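The selection rules above can be checked mechanically against an ACACL entry. The following Python linter is an added example, not part of XYGATE or of this manual; it assumes one keyword per line as in Example 1, the function names and site flags are hypothetical, and "refuse frozen/expired USER" is this example's reading of the FROZEN bullet.

```python
# Added example: lint one ACACL COMMAND entry against the USER_SWITCH rules above.
# Assumption: one keyword per line, as in Example 1; other ACACL syntax is ignored.

# Methods that satisfy each requirement, taken from the bullets on this page.
ALLOWED = {
    "alias as USER": {"SWITCH", "LOGON", "SAFEGUARD_PRIVLOGON"},
    "FILE-SHARING GROUPS": {"LOGON", "PRIVLOGON", "SAFEGUARD_PRIVLOGON"},
    "PASSWORD-REQUIRED ON": {"SWITCH", "PRIVLOGON", "SAFEGUARD_PRIVLOGON"},
    "refuse frozen/expired USER": {"SAFEGUARD_PRIVLOGON"},
}
METHODS = set().union(*ALLOWED.values())

def parse_entry(text):
    """Return (command name, {KEYWORD: value}) for one COMMAND entry."""
    name, fields = None, {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            key, value = parts[0].upper(), parts[1].strip()
            if key == "COMMAND":
                name = value
            else:
                fields[key] = value
    return name, fields

def lint_entry(text, file_sharing=False, password_required=False, refuse_frozen=False):
    """Return findings for one entry; the three flags describe the site's needs."""
    name, fields = parse_entry(text)
    method = fields.get("USER_SWITCH", "").upper()
    if method not in METHODS:
        return [f"{name}: USER_SWITCH missing or not one of {sorted(METHODS)}"]
    is_alias = fields.get("USER", "").upper().startswith("ALIAS:")
    needs = {"alias as USER": is_alias, "FILE-SHARING GROUPS": file_sharing,
             "PASSWORD-REQUIRED ON": password_required,
             "refuse frozen/expired USER": refuse_frozen}
    findings = [f"{name}: {method} does not meet requirement: {need}"
                for need, wanted in needs.items() if wanted and method not in ALLOWED[need]]
    if is_alias and method == "SWITCH":
        findings.append(f"{name}: SWITCH runs as the alias' underlying userid")
    return findings

# Example 1 from this page, reproduced as sample input.
EXAMPLE_1 = '''COMMAND S470OBJ-AS-ALIAS
 USER ALIAS:"ops-mgr"
 OBJECT $SYSTEM.SYSNN.TACL
 ACL $OPS
 OBEY $WORK.SBATCH.RUNS470
 USER_SWITCH LOGON'''
```

Calling `lint_entry(EXAMPLE_1, password_required=True)` reports that LOGON conflicts with a site that keeps PASSWORD-REQUIRED ON.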
1. SWITCH 
When USER_SWITCH is set to SWITCH, XYGATEAC behaves as it always has, which 
means file-sharing groups are not supported. With this setting, PASSWORD-REQUIRED 
does not have to be set to OFF in Safeguard. The USER keyword in the ACACL entry 
can be set to a userid or a Safeguard alias, but if an alias is specified, the userid 
underlying the Safeguard alias is what is actually used. 
Environment Requirements / Created Process Attributes                                                    SWITCH
Safeguard setting PASSWORD-REQUIRED must be off?                                                         NO
XAC USER argument in ACACL can be an alias. If an alias is specified, the underlying userid will be used YES
FILE-SHARING groups supported                                                                            NO
XAC created process has LOGONNAME of creating process                                                    YES
XAC Object must have PRIV-LOGON ON Diskfile attribute                                                    NO










