XYGATE User Authentication Reference Manual
Appendix B: The UAACL File 
XYPRO Technology Corporation, Proprietary and Confidential
Example 4 below prevents anyone from using su to become SUPER.SUPER, 
SEC.ADMIN, or APP1.OWNER. The combination of Examples 3 and 4 allows you to 
completely control who can use su to become a privileged ID. Note that the 
UAGROUP shown in Example 3 must precede the UAGROUP shown in Example 4. 
Example 4: How to prevent users from using su 
DESCRIPTION "These users are NOT GRANTED to su to protected userids" 
 RESULT_DENIED 
 !Selection Criteria: 
 FROM_USER $EVERYONE 
 TO_USER SUPER.SUPER SEC.ADMIN APP1.OWNER  
 REQUESTOR /bin/su 
Overriding Safeguard’s PASSWORD-REQUIRED ON for Specific Programs 
Some programs, such as XYGATEHE, XSH and Direct Connect, must be able to log 
down to other users. If you have the Safeguard Global value PASSWORD-REQUIRED 
set to ON, you can override that value with XUA rules to allow just these programs to 
log down to the required IDs. 
Use the REQUESTOR keyword to specify the correct object file. Use the 
IGNORE_PASSWORD_REQUIRED keyword to tell XUA to ignore the REQUESTOR 
program’s request for a password when it attempts to log on as another userid. Use 
the PASSWORD_REQUIRED keyword to tell XUA that it should not require the 
specified FROM_USER(s) running the REQUESTOR to enter a password when 
logging onto the specified TO_USER(s). 
Example 5 below allows XHE to log on as the user invoking the FTP session after 
Safeguard has authenticated that user. This is how the XYGATEHE server controls FTP 
sessions. 
Example 5: How to Override Safeguard’s PASSWORD-REQUIRED ON for XHE 
UAGROUP XYGATEHE 
 IGNORE_PASSWORD_REQUIRED ON   !REQUESTING PROGRAM'S PASSWORD 
 PASSWORD_REQUIRED OFF    !Override SAFEGUARD's global value 
 RESULT_GRANTED 
 !Selection Criteria: 
 FROM_USER $EVERYONE 
 TO_USER $EVERYONE 
 REQUESTOR $SYSTEM.XYGATEHE.XYGATEHE 
Example 6 below allows Direct Connect to log on to any userid from any userid as long 
as the Direct Connect object file is the requestor. 
Example 6: How to Override Safeguard’s PASSWORD-REQUIRED ON for Direct Connect 
UAGROUP XYGATEHE 
 IGNORE_PASSWORD_REQUIRED ON   !REQUESTING PROGRAM'S PASSWORD 
 PASSWORD_REQUIRED OFF    !Override SAFEGUARD's global value 
 RESULT_GRANTED 
 !Selection Criteria: 
 FROM_USER $EVERYONE 
 TO_USER $EVERYONE 
 REQUESTOR $<Direct connect object filename> 
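
A small audit for rules like Examples 5 and 6, added here as an illustration and not part of the XYGATE manual or product: it parses UAGROUP blocks and reports any group that grants a logon with PASSWORD_REQUIRED OFF but has no REQUESTOR, or one that is not a fully qualified file name (such as the unfilled placeholder from Example 6). It assumes `!` starts a comment and handles only the keywords shown on this page; the sample text and the group names DIRCONN and OPENGRP are constructed.

```python
import re
# Constructed sample in the syntax of Examples 5 and 6 (OPENGRP is a deliberate misconfiguration).
SAMPLE = """\
UAGROUP XYGATEHE
 IGNORE_PASSWORD_REQUIRED ON   !REQUESTING PROGRAM'S PASSWORD
 PASSWORD_REQUIRED OFF    !Override SAFEGUARD's global value
 RESULT_GRANTED
 FROM_USER $EVERYONE
 TO_USER $EVERYONE
 REQUESTOR $SYSTEM.XYGATEHE.XYGATEHE
UAGROUP DIRCONN
 PASSWORD_REQUIRED OFF
 RESULT_GRANTED
 FROM_USER $EVERYONE
 TO_USER $EVERYONE
 REQUESTOR $<Direct connect object filename>
UAGROUP OPENGRP
 PASSWORD_REQUIRED OFF
 RESULT_GRANTED
 FROM_USER $EVERYONE
 TO_USER $EVERYONE
"""
# Shape check only: $volume.subvolume.file, or an absolute path such as /bin/su.
PINNED = re.compile(r"^(\$[A-Za-z0-9]+(\.[A-Za-z0-9]+){2}|/\S+)$")

def parse_groups(text):
    """Return {group: {keyword: [values]}} for each UAGROUP block."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # assumption: '!' starts a comment
        if not line:
            continue
        keyword, *values = line.split()
        if keyword == "UAGROUP":
            current = groups.setdefault(values[0] if values else "?", {})
        elif current is not None:
            current.setdefault(keyword, []).extend(values)
    return groups

def audit(groups):
    """Map each password-less grant with a missing or unpinned REQUESTOR to its tokens."""
    findings = {}
    for name, kw in groups.items():
        if "RESULT_GRANTED" not in kw or kw.get("PASSWORD_REQUIRED") != ["OFF"]:
            continue
        reqs = kw.get("REQUESTOR", [])
        if not reqs or not all(PINNED.match(r) for r in reqs):
            findings[name] = reqs or ["<no REQUESTOR>"]
    return findings
```

Calling `audit(parse_groups(SAMPLE))` reports DIRCONN and OPENGRP and passes the XYGATEHE group, whose bypass is tied to one object file.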










