XYGATE Access Control Reference Manual
Chapter 2. Configuring XAC
XYPRO Technology Corporation 36 Proprietary and Confidential
2.6.2 -A Option
The -A option causes XAC to search the ancestor chain for the most recent process
that was authenticated by the entry of a password during logon, and to use that
process's userid for the ACL check. It is intended for nested XAC sessions, where
authorization must be decided against the userid of the original logon rather than
the userid of whatever XYGATEAC session the user happens to be running in at the
moment.
Syntax:
XAC -A <ACACL Command Name>
Example:
XAC -A MEDIACOM-OPER4
In this example, a user logs on with the user's own userid, PROG.USER.
PROG.USER is on the ACL userid list for both MEDIACOM-OPER4 and
TACL-SUPER-OPER.
The TACL started when TACL-SUPER-OPER is executed runs under the userid
SUPER.OPER. SUPER.OPER, however, is not on the MEDIACOM-OPER4 ACL. The
following are excerpts from the ACACL entries for TACL-SUPER-OPER and
MEDIACOM-OPER4:
COMMAND TACL-SUPER-OPER
USER SUPER.OPER
OBJECT $SYSTEM.SYSNN.TACL
ACL PROG.*

COMMAND MEDIACOM-OPER4
USER SUPER.OPER
OBJECT $SYSTEM.SYSTEM.MEDIACOM
ACL PROG.*
As shown in the above excerpts, MEDIACOM-OPER4 cannot be executed by
someone whose current userid is SUPER.OPER, for example inside the TACL
started by XAC TACL-SUPER-OPER. Suppose the ancestor chain is:
• Most recent: TACL running as SUPER.OPER (not authenticated via password
entry).
• TACL running as PROG.USER (authenticated via password entry).
• Safeguard logon process running as SUPER.SUPER (not authenticated).
Then:
• Without the -A option, XAC looks only at the most recent ancestor, the TACL
running as SUPER.OPER. SUPER.OPER is not on the ACL for MEDIACOM-OPER4,
so a security error is returned.
• With the -A option, XAC walks the chain back to the TACL running as
PROG.USER, which was authenticated via password entry at logon. PROG.USER is
on the ACL for MEDIACOM-OPER4, so XAC authorizes the request on behalf of
PROG.USER and starts the process.
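The following is an added example, not code from the manual or from XYPRO, that models the ancestor-chain walk described above so the two outcomes can be reproduced. The Process and AcaclEntry types, the xac() and requesting_userid() helpers, and the chain and ACACL data are constructed for illustration; the ACACL entries and the three-process chain mirror the excerpts in the text, and the ACL match treats PROG.* as "any user in group PROG", which is an assumption.

```python
# Added example (not XYPRO's code): a model of how XAC resolves the
# requesting userid with and without the -A option. All names, the ACACL
# entries and the process chain below are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Process:
    name: str            # descriptive label only
    userid: str          # GROUP.USER the process runs as
    password_auth: bool  # True if authenticated by password entry at logon


@dataclass(frozen=True)
class AcaclEntry:
    command: str
    user: str            # userid the command runs under (USER field)
    obj: str             # object file that is run (OBJECT field)
    acl: tuple           # userid patterns allowed to execute it (ACL field)


# Constructed ACACL entries mirroring the excerpts in the text.
ACACL = {
    "TACL-SUPER-OPER": AcaclEntry("TACL-SUPER-OPER", "SUPER.OPER",
                                  "$SYSTEM.SYSNN.TACL", ("PROG.*",)),
    "MEDIACOM-OPER4": AcaclEntry("MEDIACOM-OPER4", "SUPER.OPER",
                                 "$SYSTEM.SYSTEM.MEDIACOM", ("PROG.*",)),
}

# Constructed ancestor chain, most recent first, as in the text.
CHAIN = [
    Process("TACL (started by XAC TACL-SUPER-OPER)", "SUPER.OPER", False),
    Process("TACL (user's own logon)", "PROG.USER", True),
    Process("Safeguard logon process", "SUPER.SUPER", False),
]


def on_acl(userid, acl):
    # Assumption: ACL entries are GROUP.USER patterns and '*' matches any
    # user in the group, so PROG.* matches PROG.USER but not SUPER.OPER.
    return any(fnmatchcase(userid, pat) for pat in acl)


def requesting_userid(chain, use_a_option):
    """Return the userid XAC checks against the ACL.

    Without -A: the most recent ancestor's userid.
    With -A: the userid of the most recent ancestor that was authenticated
    by password entry at logon. If no such ancestor exists, the request
    cannot be attributed to a logon and is refused.
    """
    if not use_a_option:
        return chain[0].userid
    for proc in chain:
        if proc.password_auth:
            return proc.userid
    raise LookupError("no password-authenticated ancestor in chain")


def xac(command, chain, use_a_option=False):
    """Model XAC's access decision. Returns (allowed, checked_userid)."""
    entry = ACACL[command]
    uid = requesting_userid(chain, use_a_option)
    return on_acl(uid, entry.acl), uid


if __name__ == "__main__":
    for opt in (False, True):
        allowed, uid = xac("MEDIACOM-OPER4", CHAIN, opt)
        flag = "-A " if opt else ""
        verdict = "allowed" if allowed else "security error"
        print(f"XAC {flag}MEDIACOM-OPER4: checked {uid}: {verdict}")
```

Running the block prints a security error for the plain invocation (checked userid SUPER.OPER) and an allow for the -A invocation (checked userid PROG.USER), matching the two bullets above. Note that the walk stops at the first password-authenticated process, so a chain that contains none at all is refused rather than silently falling back to the most recent ancestor.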