|
|
|
When CA Access Control is stopped, access rights to the database files are determined by native Windows permissions. Permissions are inherited from the parent directory in which CA Access Control is installed. Because of this inheritance, when CA Access Control is stopped the default access to the database files is read.
To protect CA Access Control when it is stopped, you can change the Windows permissions for the database files to suit your enterprise requirements. Before you change the permissions, consider the following:
The CA Access Control authorization engine inherits privileges from the NT AUTHORITY\System user. If this user cannot access the database, the engine does not have sufficient native privileges to update the database.
Users who need read and write access include users who back up, restore, or upgrade CA Access Control.
For example, to use the config environment to change CA Access Control registry entries when CA Access Control is stopped, you must have sufficient Windows privileges to change the registry.
Only CA Access Control administrators (users with the ADMIN attribute or with sub administration privileges) can use selang to maintain the database when CA Access Control is stopped. If the CA Access Control administrators cannot access the database when CA Access Control is stopped, no user can perform offline database maintenance and a deadlock may occur.
| Copyright © 2012 CA. All rights reserved. | Tell Technical Publications how we can improve this information |