Resolve Recycled Enterprise Accounts on Windows

If an enterprise account (user or group) that has associated database rules is then recycled (deleted and re-created with the same name), it may look as though the old database rules still apply to the new account. However, because CA Access Control authorization is based on the SID, these rules no longer apply and you need to create new rules for the new account. Before you can create the new rules, you have to resolve the recycled account.

To resolve recycled enterprise accounts, open a command prompt and run the following commands:

secons -checkSID -users
secons -checkSID -groups

CA Access Control works through all the enterprise user accounts it knows (XUSER records) and then all the enterprise group accounts (XGROUP records), and identifies each account whose stored SID differs from the SID of the corresponding enterprise account. It renames these accounts in CA Access Control using the following naming convention: SID (accountName)

You can now create the new rules for the recycled account.

Note: Recycled user accounts are resolved in this way when the user logs in or tries to access a resource. We recommend that you run the secons -checkSID command as a scheduled task whenever you create an enterprise account.

Example: A Recycled Group Account

Company ABCD has a group called interns in its enterprise store. The group has nine members and they are working on productA. The administrator makes the group known to CA Access Control and assigns it access permissions to the files that group members need to access, as follows:

nxg interns owner(msmith)
auth file c:\products\productA\materials\* xgid(interns) access(all)
auth file c:\HR\interns\* xgid(interns) access(read)

When the interns complete their tenure with ABCD, the enterprise store administrator deletes the group. Three months later, a new group of interns with six members is created in the enterprise store with the same name. The old rules still exist in the CA Access Control database, so it seems as though the new interns group inherited the permissions of the old group. However, these rules apply only to the old interns group, and the CA Access Control administrator needs to create new rules for the new group.

To do this, the administrator first identifies and resolves the recycled interns account, as follows:

secons -checkSID -groups interns

This renames the XGROUP resource, and any access rule references to it, to "SID (domain\interns)". The administrator can now create new rules for the new interns group, which works on productB:

nxg interns owner(msmith)
auth file c:\products\productB\materials\* xgid(interns) access(all)
auth file c:\HR\interns\* xgid(interns) access(read)
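The following Python model is an added illustration (not part of this guide or of CA Access Control itself) of the behaviour described above: authorization is keyed on the SID captured when the group was made known, so the recycled group gets no access from the old rules even though the names match, and the modelled checkSID step renames the stale XGROUP record and its rule references to "SID (domain\name)" before fresh rules are written. The domain name ABCD and the SID values are constructed for the example.

```python
import fnmatch

class AccessControlDb:
    def __init__(self):
        self.groups = {}  # XGROUP name -> SID captured when the group was made known
        self.rules = []   # (path pattern, xgid, access) for `auth file ... xgid(...) access(...)`

    def nxg(self, name, enterprise_sid):
        self.groups[name] = enterprise_sid

    def auth_file(self, path, xgid, access):
        self.rules.append((path, xgid, access))

    def access_for(self, caller_group_sids, path):
        """Authorization is keyed on SID, not name: a rule applies only while the
        XGROUP it names still carries one of the caller's current group SIDs."""
        for pattern, xgid, access in self.rules:
            if self.groups.get(xgid) in caller_group_sids and fnmatch.fnmatchcase(path, pattern):
                return access
        return None

    def check_sid(self, enterprise, domain):
        """Model of `secons -checkSID -groups`: an XGROUP whose stored SID differs
        from the enterprise store's current SID for that name is renamed to
        'SID (domain\\name)', and every rule that references it follows."""
        renamed = []
        for name in list(self.groups):
            if enterprise.get(name) != self.groups[name]:
                new_name = f"SID ({domain}\\{name})"
                self.groups[new_name] = self.groups.pop(name)
                self.rules = [(p, new_name if g == name else g, a) for p, g, a in self.rules]
                renamed.append(new_name)
        return renamed

def recycled_interns_scenario():
    """The page's interns example; the domain name and SIDs are constructed values."""
    enterprise = {"interns": "S-1-5-21-1000-2000-3000-1101"}  # first interns group
    db = AccessControlDb()
    db.nxg("interns", enterprise["interns"])
    db.auth_file(r"c:\products\productA\materials\*", "interns", "all")
    db.auth_file(r"c:\HR\interns\*", "interns", "read")
    enterprise["interns"] = "S-1-5-21-1000-2000-3000-1207"   # recycled: same name, new SID
    new_intern = {enterprise["interns"]}
    before = db.access_for(new_intern, r"c:\products\productA\materials\spec.doc")
    renamed = db.check_sid(enterprise, "ABCD")
    db.nxg("interns", enterprise["interns"])                  # new group made known again
    db.auth_file(r"c:\products\productB\materials\*", "interns", "all")
    after = db.access_for(new_intern, r"c:\products\productB\materials\spec.doc")
    return before, renamed, after, sorted(db.groups)
```

`before` is None because the old rules reference the old SID, `renamed` holds the stale record's new name, and `after` is "all" only once the new group has been made known and given its own rule.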

Note: For more information on the secons utility, see the Reference Guide.