XYGATE Access Control Reference Manual

Appendix C: The ACACL File
XYPRO Technology Corporation, Proprietary and Confidential
UAGROUP Example:
    UAGROUP SAFEGUARD-PRIVLOGON
      DESCRIPTION "Safeguard Privlogon feature"
      FROM_USER $EVERYONE-NET
      TO_USER $EVERYONE
      REQUESTOR $SYSTEM.XYGATEAC.XYGATEAC
      SAFEGUARD_PRIVLOGON ON
      AUDIT_ACCESS_PASS OFF
      AUDIT_ACCESS_FAIL ON
The default value of USER_SWITCH is SWITCH, which does not change the previous
functionality of XYGATEAC. The value of this keyword can be overridden by the
USER_SWITCH keyword in the ACACL Command entry. This keyword can be used in
the ACCONF or in individual COMMANDs in the ACACL file. The value set in the
ACACL Command entry will always override the value set in the ACCONF file.
C92: VERIFYUSER
This keyword is used in conjunction with a list of userids. If the user is named on the
list, then the user must enter the userid password before execution of the OBJECT
program begins. If an incorrect password is entered, a log message is written to the
DETAIL audit log file(s) with a status of ‘V’ in the COMMAND-STATUS field.
Syntax:
    VERIFYUSER <userid-list>
Example:
    COMMAND SAFECOM-255
      DESCRIPTION "SAFECOM AS SUPER.SUPER"
      OBJECT $SYSTEM.SYSNN.SAFECOM
      USER 255,255
      ACL SECURITY.* SYSTEM.*
      BLANKPASSWORD
      VERIFYUSER SYSTEM.*
When this ACACL Command Entry is executed by someone in the SYSTEM group,
the following prompt will appear:
    $SYSTEM.MYSUBVOL 3> XAC SAFECOM-255
    \MYNODE 255,122 Password:
When the user enters the password for the invoker’s userid, execution will continue.
Please note that VERIFYUSER cannot be used with START_LOGGED_OFF.
Note: When the XAC session is started on a node different from the user’s original
node, such as by using the SYSTEM command, the password for the userid on
the node where the XAC session started will be required.
Note: VERIFYUSER validates the userid and password when the password is
entered. This means that a frozen or expired userid or password will result in
PASSWORDTIMEOUT replying that the password is invalid.
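
Added example (not part of the XYGATE manual or XYPRO code): an offline review script for an exported copy of the ACACL file. It reports COMMAND entries that combine VERIFYUSER with START_LOGGED_OFF, and ACL patterns that VERIFYUSER does not name, so those users are not prompted by it. Assumptions: one keyword per line, entries begin with COMMAND, list patterns compare as shell-style wildcards; the BAD-EXAMPLE entry and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: the manual's SAFECOM-255 entry plus a hypothetical
# entry that wrongly combines VERIFYUSER with START_LOGGED_OFF.
SAMPLE_ACACL = """\
COMMAND SAFECOM-255
  DESCRIPTION "SAFECOM AS SUPER.SUPER"
  OBJECT $SYSTEM.SYSNN.SAFECOM
  USER 255,255
  ACL SECURITY.* SYSTEM.*
  BLANKPASSWORD
  VERIFYUSER SYSTEM.*
COMMAND BAD-EXAMPLE
  OBJECT $SYSTEM.SYSNN.SAFECOM
  USER 255,255
  ACL SYSTEM.*
  START_LOGGED_OFF
  VERIFYUSER SYSTEM.*
"""

def parse_commands(text):
    """Return {command-name: {KEYWORD: [args]}}; assumes one keyword per line."""
    commands, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        keyword, args = tokens[0].upper(), tokens[1:]
        if keyword == "COMMAND" and args:
            current = commands.setdefault(args[0], {})
        elif keyword == "UAGROUP":
            current = None  # group entries are not reviewed here
        elif current is not None:
            current.setdefault(keyword, []).extend(args)
    return commands

def review(text):
    """Return sorted (command, finding) tuples for entries that use VERIFYUSER."""
    findings = []
    for name, kw in parse_commands(text).items():
        verify = [p.upper() for p in kw.get("VERIFYUSER", [])]
        if not verify:
            continue
        if "START_LOGGED_OFF" in kw:
            findings.append((name, "VERIFYUSER used with START_LOGGED_OFF"))
        for acl in kw.get("ACL", []):
            if not any(fnmatch.fnmatchcase(acl.upper(), v) for v in verify):
                findings.append((name, f"{acl} not prompted by VERIFYUSER"))
    return sorted(findings)
```

Calling review(SAMPLE_ACACL) returns one finding per entry: the conflicting keyword pair in BAD-EXAMPLE, and SECURITY.* in SAFECOM-255, which the ACL permits but VERIFYUSER does not list.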