

authorize Command—Set Access Authorities on a Resource

Valid in the AC environment

Use the authorize command to change accessors' access authorities to a resource.

This command modifies an access control list associated with a resource. It changes only one entry in an access control list at a time.

When an accessor attempts to access a resource, CA ControlMinder checks the appropriate access control lists to determine the access authority. These access control lists include those that are in the resource record, and can also include access control lists in resource group records. If an accessor is denied access authority in any NACL that covers the resource, the authority is denied, even if the authority is granted in another ACL.

The owner of a resource always has all access authorities to the resource. If you want to change the access authority of the user who is the owner, change the resource to have a different owner, for example, the user nobody.

Note: This command also exists in the Windows environment, but operates differently there.

To use the authorize command, you need sufficient authority, which means that one or more of the following must be true:

The authorize command has different forms for different sets of classes. These sets are:

This command has the following format for the TCP class:

{authorize|auth} TCP tcpServiceName \
[{access|deniedaccess}(accessType)] \
{[ghost(ghostName [,ghostName]...)] | \
[host(hostName [,hostName]...)] | \
[hostnet(hostNetName [,hostNetName]...)] | \
[hostnp(hostNamePattern [,hostNamePattern]...)]} \
[{gid|uid|xgid|xuid}(accessor [,accessor]...)] ...

This command has the following format for the HOST, GHOST, HOSTNET, and HOSTNP classes:

{authorize|auth} {HOST|GHOST|HOSTNET|HOSTNP} stationName \
[{access|deniedaccess}(accessType)] \
service({serviceName|serviceNumber|serviceNumberRange}) \
{gid|uid|xgid|xuid}(accessor [,accessor]...) ...

This command has the following format for all other classes:

{authorize|auth} className resourceName \
[{access|deniedaccess}(accessType)] \
[calendar(calendarName)] \
[{unix|nt}] \
[via(pgm(programName [,programName]...))] \
{gid|uid|xgid|xuid}(accessor [,accessor]...) ...

access(accessType)

Defines the access authority entry in the resource ACL (access control list). The ACL specifies which access authorities are granted to accessors.

accessType

Defines the access type in the resource ACL, for example, read or write.

Note: If you omit both the access(accessType) and the deniedaccess(accessType) options of the authorize command, CA ControlMinder assigns the access that is specified by the implicit access property of the UACC class record for the class of the resource (for example, the FILE record in the UACC class if the resource is a file).

calendar(calendarName)

Specifies the calendar to use for determining access authority.

className

Defines the class to which resourceName belongs.

deniedaccess(accessType)

Changes the access authority in the resource NACL. The NACL specifies which access types are denied to accessors.

accessType

Specifies the access type to be denied, for example, read, or write.

gid (accessor [,accessor...])

Defines one or more internal groups for whom you want to set the access authority.

ghost(ghostName [,ghostName]...)

Defines one or more group hosts for which you want to set access authority to the TCP/IP service.

host(hostName [,hostName]...)

Defines one or more hosts for which you want to set access authority to the TCP/IP service.

hostnet(hostNetName [,hostNetName]...)

Defines one or more HOSTNET records for which you want to set access authority to the TCP/IP service.

hostnp(hostNamePattern [,hostNamePattern]...)

Defines one or more HOSTNP records for which you want to set access authority to the TCP/IP service.

nt

Specifies whether to add values to the system ACLs in Windows.

Valid for the FILE class only.

resourceName

Defines the resource record whose access control list is being modified.

service(serviceName|serviceNumber|serviceNumberRange)

Defines the services the local host is permitted to provide to the remote host or hosts.

serviceNumber | serviceNumberRange

Defines the service number or range.

Specify a range as two integers separated by a hyphen (-), for example, 1-99.

Limits: An integer in the range 0 to 65535.

stationName

Specifies the record name within the indicated class, as follows:

For hosts that cannot be resolved, specify the IP address range in IPv4 format.

tcpServiceName

Specifies the CA ControlMinder TCP service record whose access authority you are setting.

uid (accessor [,accessor...])

Defines one or more internal users for whom you want to set the access authority.

You can use * to represent all internal users.

unix

Specifies whether to add values to the system ACLs in UNIX.

Valid only in UNIX environments that support ACLs, and only for records in the FILE class.

via(pgm(programName [,programName]...))

Defines one or more programs for conditional program access. The via parameter specifies an entry in the PACL of the resource. programName specifies a program that can access the resource. programName can contain wildcard characters. If a program matches several entries in a PACL, the entry with the longest non-wildcard match takes precedence.

If programName specifies a program or shell script that is not defined in the PROGRAM class, CA ControlMinder automatically creates a PROGRAM record to protect it.

xgid (accessor [,accessor...])

Defines one or more enterprise groups for whom you want to set the access authority.

xuid (accessor [,accessor...])

Defines one or more enterprise users for whom you want to set the access authority.

Example: Authorize Angela to Read a File

The following selang command authorizes enterprise user Angela to read the file protected by the FILE resource /projects/secrets:

auth FILE /projects/secrets xuid(Angela) access(read)

Example: Authorize Only Angela to Read a File

The following selang commands authorize enterprise user Angela, but nobody else, to read the file protected by the FILE resource /projects/secrets:

auth FILE /projects/secrets xuid(Angela) access(read)
auth FILE /projects/secrets defaccess(none)
chres FILE /projects/secrets owner(nobody)

Note: On UNIX, if you want read privileges to control whether users can perform operations that obtain information about the file (such as ls -l), set the STAT_intercept configuration setting to 1. For more information, see the Reference Guide.

Example: Authorize All Users in a Group to Log in to a Terminal

The following selang command authorizes all members of the enterprise group RESEARCH to log in to the terminal protected by the TERMINAL resource tty10:

auth TERMINAL tty10 xgid(RESEARCH) access(read)

Example: Authorize Joe to Back up Files

The following selang command authorizes enterprise user Joe to back up the files protected by the GFILE resource secret_files:

auth GFILE secret_files xuid(Joe) \
via(pgm(/bin/backup)) access(read)

For a Windows endpoint, an equivalent command is as follows:

auth GFILE secret_files xuid(Joe) \
via(pgm(C:\WINDOWS\system32\ntbackup.exe)) access(read)

These commands have an effect only if Joe's access authority is not determined by the ACL or NACL of the resource.
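The evaluation order that this page describes (the owner always has all access; a deny in any NACL covering the resource wins over an ACL grant; via(pgm(...)) PACL entries only matter when the ACL or NACL does not decide, with the longest non-wildcard program match taking precedence; otherwise the resource's default access applies) is easy to misjudge when reading individual auth commands. The following Python model is an added illustration, not CA ControlMinder code; its data structures, the '*' accessor key, and the rule that an ACL entry lacking the requested access type counts as a decision are simplifying assumptions of the model, and the sample resources are constructed from this page's examples.

```python
# Added illustrative model (not CA ControlMinder code) of the access-check order this
# page describes: owner always allowed; a deny in any covering NACL beats any ACL grant;
# ACL entries decide next; PACL (via/pgm) entries are consulted only when ACL/NACL did
# not decide, longest non-wildcard match first; otherwise the default access applies.
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)   # accessor -> set of access types granted
    nacl: dict = field(default_factory=dict)  # accessor -> set of access types denied
    pacl: dict = field(default_factory=dict)  # (accessor, program pattern) -> access types
    defaccess: frozenset = frozenset()        # default access for accessors with no entry
    groups: list = field(default_factory=list)  # resource group records covering this one


def _covering(res):
    # The resource's own record plus the resource group records that cover it.
    return [res] + res.groups


def check_access(res, user, user_groups, access, program=None):
    """Return True if the request is granted, False if it is denied (model semantics)."""
    if user == res.owner:
        return True  # the owner always has all access authorities to the resource
    keys = {user, "*"} | set(user_groups)  # '*' represents all internal users
    # 1. A deny in the resource NACL or in any covering group record's NACL wins.
    if any(access in r.nacl.get(k, ()) for r in _covering(res) for k in keys):
        return False
    # 2. ACL entries: granted if a matching entry carries the access type; denied if
    #    entries exist for the accessor but none carries it (model assumption).
    matched = [r.acl[k] for r in _covering(res) for k in keys if k in r.acl]
    if matched:
        return any(access in types for types in matched)
    # 3. PACL: reached only when ACL/NACL did not decide. Among entries whose program
    #    pattern matches, the longest non-wildcard match takes precedence.
    if program is not None:
        best = None
        for r in _covering(res):
            for (k, pattern), types in r.pacl.items():
                if k in keys and fnmatch.fnmatchcase(program, pattern):
                    literal = sum(c not in "*?" for c in pattern)
                    if best is None or literal > best[0]:
                        best = (literal, access in types)
        if best is not None:
            return best[1]
    # 4. No entry applied: fall back to the resource's default access (defaccess).
    return access in res.defaccess
```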

More information:

chres Command—Modify Resource Records

ch[x]usr Command—Change User Properties

authorize- Command—Remove Access Authorities from a Resource

authorize Command—Set Accessors' Authority to Access Windows Resources

authorize- Command—Remove Accessors' Authority to Access Windows Resources

ch[x]grp Command—Change Group Properties