Previous Topic: Improving PerformanceNext Topic: How Does GAC Work?


Using Global Access Check

The Global Access Check feature (GAC) lets you access protected, frequently opened files-whose access rules are unlikely to change-much faster than otherwise possible.

GAC allows a CA ControlMinder administrator to cache rules for read, write, chown, chmod, rename, unlink, utimes, chattr, link, chdir, create, and all, so that appropriate access to files is granted without passing control to seosd. The default is all. Execute requests, however, are not eligible for GAC because they could pose a security loophole.

Without GAC, CA ControlMinder runs thorough security checks whenever a user or program attempts to access protected files. Frequently accessed files need repeated in‑depth checks to confirm access permissions.

GAC allows an administrator for CA ControlMinder to take for granted that certain frequently accessed protected files require shorter security checks. An administrator for CA ControlMinder can select files suitable for a shorter check. Before CA ControlMinder allows a shorter security check, the file must first undergo a full security check based on the set rule. The rule itself consists of a generic file name and a list of accesses. Rules are cached according to users.

Selecting certain files for a shorter check is reliable because, with the GAC feature in place, if a change is actually made to rules regarding the protected files, the shorter security check table is flushed, and an initial full security check is instituted.

Note: GAC restrictions mean that this feature works for every user except root.

More information:

GAC Restrictions