If the requirement can be that a user can edit files ONLY in his/her HOME
group, then it's a simple thing to accomplish.
And, it can be accomplished WITHOUT the use of group passwords. Group
passwords are a royal pain because they require regular modification for
them to remain useful.
To restrict a user from accessing any file other than one residing in
her/his home group, simply specify group access as follows:
altgroup group1;access=(r,l,x:any;w,a,s:gl)
This example permits all files in GROUP1 to be Read, Locked, or eXecuted by
any user (subject to account access restrictions) but Written, Appended, or
Saved by only GL users.
A GL user must satisfy 2 requirements:
1. must have GL capability, and
2. must be logged in to HOME group.
So, a user logged in to any group other than home group would not enjoy
access rights associated with a GL-capable user for the duration of that logon.
There are probably a zillion redundant group passwords in the HP3000 world
that could be eliminated with the judicious use of GL capability.
At 04:31 PM 2000-05-05 -0400, Anthony Gionta wrote:
>Suppose you wanted to restrict file access such that a user may only edit files
>in one specific group and no others. How would you configure this?
>
>Of course, you could secure groups that were not home to the user with
>passwords, but this would require some additional legwork as it pertains to
>apps and users that needed access to these passworded groups.
>
>Assigning access to GU would not ensure that these users attempt to access
>files outside of their own group.
>
>This seems like there should be a simple solution, but short of employing 3rd
>party security, I cannot see how to do this?
>
>Can anyone suggest a simple solution without it requiring a lot of additional
>security admin?
>
>Regards,
> Anthony Gionta
---------------------------------------------------------------------------
Gilles Schipper
GSA Inc.
HP3000 & HP9000 System Administration Specialists
300 John Street, Box 87651 Thornhill, ON Canada L3T 7R4
Voice: 905.889.3000 Fax: 905.889.3001
Internet: [log in to unmask]
---------------------------------------------------------------------------
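
The access rule described in the reply above, as an added Python model (not part of the original post and not MPE code): it parses the access=(...) mask and decides whether a session gets a given access mode on a file in GROUP1. Assumptions: only the ANY and GL user types are modelled, account-level restrictions are ignored, modes not listed in the mask are denied, GL covers files in the user's home group only, and GROUP2 is a hypothetical second group.

```python
import re

MODES = {"r", "l", "x", "w", "a", "s"}  # Read, Lock, eXecute, Write, Append, Save

def parse_access(spec):
    """Parse 'access=(r,l,x:any;w,a,s:gl)' into {mode: {user types}}."""
    m = re.fullmatch(r"\s*access\s*=\s*\((.*)\)\s*", spec, re.IGNORECASE)
    if not m:
        raise ValueError("expected access=(modes:users;...)")
    table = {}
    for clause in m.group(1).split(";"):
        modes, sep, users = clause.partition(":")
        if not sep or not users.strip():
            raise ValueError(f"clause without user types: {clause!r}")
        for mode in (x.strip().lower() for x in modes.split(",")):
            if mode not in MODES:
                raise ValueError(f"unknown access mode: {mode!r}")
            table.setdefault(mode, set()).update(
                u.strip().lower() for u in users.split(","))
    return table

def session_types(has_gl, home_group, logon_group, file_group):
    """User types a session holds for a file in file_group (ANY and GL only)."""
    types = {"any"}
    # The two requirements from the post: GL capability AND logged on to the
    # home group. Assumption: GL then covers files in that home group only.
    if has_gl and logon_group.lower() == home_group.lower() == file_group.lower():
        types.add("gl")
    return types

def allowed(mask, mode, has_gl, home_group, logon_group, file_group):
    """True if the group mask grants `mode`; unlisted modes are denied (assumption)."""
    granted_to = mask.get(mode.lower(), set())
    return bool(granted_to & session_types(has_gl, home_group, logon_group, file_group))

# Constructed scenario: the mask from the post applied to GROUP1.
GROUP1_MASK = parse_access("access=(r,l,x:any;w,a,s:gl)")

if __name__ == "__main__":
    for logon in ("GROUP1", "GROUP2"):
        for mode in ("r", "w"):
            ok = allowed(GROUP1_MASK, mode, True, "GROUP1", logon, "GROUP1")
            print(f"logon={logon} mode={mode} file in GROUP1 -> {'allow' if ok else 'deny'}")
```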