HP3000-L Archives

July 2001, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Gilles Schipper <[log in to unmask]>
Date: Fri, 6 Jul 2001 22:41:24 -0400

As suggested, it is quite possible to associate a user with a home group
and thus avoid a logon script to shepherd that user to the appropriate group.

However, it is also possible to do this while at the same time avoiding the
use of group passwords - which need to be regularly modified if they are to
retain their usefulness.

The solution is to utilize the rarely-used, but exceptionally useful user
attribute known as GL, or group librarian.

By giving each user in an account GL capability, and defining that user's
home group access rights appropriately, it is possible to provide the
proper group access security and at the same time avoid the need for
difficult-to-maintain group passwords.

The magic of GL is that a user is considered to have the attribute if two
conditions are satisfied:

1. The user has the attribute. The account manager can very easily add it
to a user by issuing:
ALTUSER USER;CAP=+GL


2. The user MUST be logged on to his/her HOME group.

So, to restrict any access to all files in a user's home group to the user
(and, of course, the account manager), one must simply give that user GL
capability, and specify that user's home group access attributes as follows:

ALTGROUP GROUP;ACCESS=(R,L,W,A,X,S:GL)

This way, one can easily and effectively define proper group security
without the requirement to maintain group passwords.

The only situation that I can think of that demands group passwords is one
where the simple act of logging on to a non-home group is to be
restricted.  This could be due to time-sharing or classroom settings
wherein a student is billed according to connect time and/or cpu time -
which is measured by MPE at the group level.


At 10:51 AM 2001-07-06, Johnson, Tracy wrote:
>I don't know about the feasibility of the first part of Russ'
>paragraph.  But the last sentence is totally unnecessary.
>
>You can force a user into a specific logon group at time
>of user creation, or by altering the user afterward with
>the ;HOME parameter of the NEWUSER or ALTUSER command.
>
>Therefore, a log on script is not required.
>
>Groups can be passworded.  The elegant part of an MPE
>passworded group is that it does not ask for a group
>password if it is a user's home group.
>
>If a person wants to change group or log on to a group
>other than their home group, they must know the group
>password.
>
>Maintenance is then minor.  Which user knows which group
>passwords then becomes a Management/HR problem, not a
>computer problem.
>
>"Dick, what were you doing in Jane's group?  Did she give
>you her group password?"  "Uhhh, no."  "How did you find it?
>Why didn't you just ask her to RELEASE the files?  You know
>company policy on the matter, here's your Pink Slip, HR has
>your severance check."
>
>The above is a harsh example, but feasible within the confines
>of MPE.
>
>Add MPEX.  The AM of an Account (and SM) will not be asked
>for a group password either, if doing a CHGROUP in MPEX.
>
>Tracy Johnson
>MSI Schaevitz Sensors
>
>Russ Smith said,
>
>Carl,
>
>Here's a really ugly idea.  Maintenance would be a pain, but how about a
>script that checks a file that lists the userid and the groups to which they
>have access (or to which they are denied) and sets a variable determining
>whether or not the group specified in a CHGROUP command is acceptable.  Set
>a UDC to replace CHGROUP and apply the test before allowing the move.  Set
>all your groups to ACCESS=(R,L,X,A,S,W=GU,AL).  You will have to add
>something to your logon script to force people into specific groups at
>logon.  It's not pretty, but it should work.
>
>Hope this gives you some ideas,
>Rs~
>
>* To join/leave the list, search archives, change list settings, *
>* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

---------------------------------------------------------------------------
Gilles Schipper
GSA Inc.
HP System Administration Specialists
300 John Street, Box 87651   Thornhill, ON Canada L3T 7R4
Voice: 905.889.3000     Fax: 905.889.3001
Internet:  [log in to unmask]
---------------------------------------------------------------------------
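As an added illustration, not code from the original thread or from HP, the following Python model of MPE's user-class file-security check shows why an ACCESS=(R,L,W,A,X,S:GL) setting on a user's home group works without group passwords, while a GU-based setting such as the one Russ proposed needs a guard on CHGROUP. The model is deliberately simplified: the PAYROLL account, the users JANE, DICK and MGR and the group names are constructed; ACDs, lockwords and RELEASE are ignored; and AM/SM capability is treated as a blanket override within the account (AM) or system-wide (SM).

```python
"""Simplified model of MPE/iX group file security (illustration only).

User classes modelled: ANY, AC (account member), GU (logged on to the
group), GL (GL capability AND logged on to the home group), AL (AL
capability within the account).  AM/SM are treated as overrides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    account: str
    home: str          # home group, as set with NEWUSER/ALTUSER ;HOME=
    caps: frozenset    # capability list, e.g. frozenset({"GL"})


@dataclass(frozen=True)
class Group:
    name: str
    account: str
    access: dict       # mode -> set of user classes, from parse_access()


def parse_access(spec: str) -> dict:
    """Parse an ALTGROUP ACCESS= clause into {mode: {classes}}.

    '(R,L,W,A,X,S:GL)'        -> every mode granted to GL only
    '(R,X:ANY;W,A,L,S:GU,AL)' -> ';' separates groups of modes
    """
    result = {}
    for part in spec.strip().strip("()").split(";"):
        modes, _, classes = part.partition(":")
        cls = {c.strip().upper() for c in classes.split(",") if c.strip()}
        for mode in modes.split(","):
            if mode.strip():
                result[mode.strip().upper()] = set(cls)
    return result


def user_classes(user: User, group: Group, logon_group: str) -> set:
    """User classes `user` satisfies for files in `group`, given the group
    the session is currently logged on to (via HELLO or CHGROUP)."""
    classes = {"ANY"}
    if user.account != group.account:
        return classes
    classes.add("AC")
    if "AL" in user.caps:
        classes.add("AL")
    if logon_group.upper() == group.name:
        classes.add("GU")
        # GL is effective only when BOTH conditions from the post hold:
        # the user holds GL capability and this group is the user's home group.
        if "GL" in user.caps and user.home == group.name:
            classes.add("GL")
    return classes


def can_access(user: User, group: Group, logon_group: str, mode: str) -> bool:
    """File-security check for one access mode (R, W, A, L, X, S)."""
    if "SM" in user.caps or ("AM" in user.caps and user.account == group.account):
        return True
    allowed = group.access.get(mode.upper(), set())
    return bool(allowed & user_classes(user, group, logon_group))


# Constructed sample account (assumption): two GL users with their own home
# groups, plus an account manager whose home group is PUB.
ACCT = "PAYROLL"
GL_ONLY = parse_access("(R,L,W,A,X,S:GL)")      # scheme from the post above
GU_AL = parse_access("(R,L,X,A,S,W:GU,AL)")     # GU-based scheme
JANE = User("JANE", ACCT, "JANE", frozenset({"GL"}))
DICK = User("DICK", ACCT, "DICK", frozenset({"GL"}))
MGR = User("MGR", ACCT, "PUB", frozenset({"AM"}))
JANE_GRP = Group("JANE", ACCT, GL_ONLY)
JANE_GRP_GU = Group("JANE", ACCT, GU_AL)


def scenarios() -> dict:
    """Who can touch a file in JANE.PAYROLL under each ACCESS= setting."""
    return {
        "jane_in_home_group": can_access(JANE, JANE_GRP, "JANE", "W"),
        "jane_after_chgroup_dick": can_access(JANE, JANE_GRP, "DICK", "R"),
        "dick_from_own_group": can_access(DICK, JANE_GRP, "DICK", "R"),
        "dick_after_chgroup_jane": can_access(DICK, JANE_GRP, "JANE", "R"),
        "manager": can_access(MGR, JANE_GRP, "PUB", "W"),
        "dick_after_chgroup_jane_gu_scheme": can_access(DICK, JANE_GRP_GU, "JANE", "R"),
    }


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{case:36s} {'allowed' if allowed else 'denied'}")
```

The last two cases carry the point of the thread: under the GL-only setting a CHGROUP into Jane's group gains Dick nothing, because the group is not his home group, so no group password is needed to protect her files; under the GU-based setting the same CHGROUP is enough, which is why that design needs either a group password or a UDC wrapped around CHGROUP. Note also that Jane herself loses access to her own home group's files while she is logged on elsewhere, which is the second condition in the post at work.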
