

How Does GAC Work?

CA ControlMinder monitors access to the files you specify in advance when you set up GAC rules, and builds a table of permitted accesses at run time.

Whenever CA ControlMinder concludes that a user should be granted a certain level of access to a certain file, it checks whether the following two additional conditions are met:

Note: File rules define permissions for access to files.

If these conditions are met, CA ControlMinder generates a UID‑file rule‑access triplet and stores it in a table composed of such triplets. This table is examined before any database access rule interpretation takes place. Whenever a user attempts to access a file, this table is consulted as a filtering mechanism.

The table is best described as a do-not‑call‑me table because it contains a list of file masks that, once recognized, no longer need to undergo access permission checks. It is also described as an always‑grant table because access is always granted to files specified within its list of file masks.

Whenever a user attempts to access a file, the table is consulted. If the file matches one of the triplets found in the table, the appropriate access is granted without passing control to seosd. This bypasses the access rules analysis. Subsequently, all access to files that match this pattern is granted, based on the triplet stored in the table, without consulting the access rule database.

Whenever a new access rule is added to the database, the entire table is flushed, and the learning process starts from the beginning.
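The following Python model is an added illustration, not CA ControlMinder code. It shows the filter-then-learn flow and why flushing the table on every rule change keeps a cached grant from outliving a newly added deny rule. The class, the rule tuples, the sample UIDs and paths, the deny-overrides evaluation and the learning condition are all assumptions of the model; this page does not list the product's two conditions, so a conservative stand-in is used.

```python
import fnmatch

class GacModel:
    """Toy model of the always-grant table placed in front of the rule database."""

    def __init__(self, gac_masks):
        self.gac_masks = set(gac_masks)  # file masks specified in advance
        self.rules = []                  # (uid, mask, access, allow) file rules
        self.table = set()               # learned (uid, mask, access) triplets
        self.full_checks = 0             # how often the rule analysis ran

    def add_rule(self, uid, mask, access, allow):
        self.rules.append((uid, mask, access, allow))
        self.table.clear()               # a new rule flushes the entire table

    def _full_check(self, uid, path, access):
        """Stand-in for the rule analysis; returns the set of granting masks."""
        self.full_checks += 1
        hits = [(m, allow) for u, m, a, allow in self.rules
                if (u, a) == (uid, access) and fnmatch.fnmatchcase(path, m)]
        if any(not allow for _, allow in hits):
            return set()                 # assumption: deny overrides allow
        return {m for m, _ in hits}      # empty set means default deny

    def check(self, uid, path, access):
        # Filter step: a matching triplet grants access with no rule analysis.
        for t_uid, t_mask, t_access in self.table:
            if (t_uid, t_access) == (uid, access) and fnmatch.fnmatchcase(path, t_mask):
                return True
        granting = self._full_check(uid, path, access)
        # Stand-in learning condition (not the product's): the granting rule is
        # itself a GAC mask and this uid has no deny rule for this access type.
        has_deny = any((u, a) == (uid, access) and not allow
                       for u, _, a, allow in self.rules)
        if not has_deny:
            self.table |= {(uid, m, access) for m in granting & self.gac_masks}
        return bool(granting)

def demo():
    gac = GacModel(["/usr/lib/*"])       # constructed sample masks, UIDs and paths
    gac.add_rule(1001, "/usr/lib/*", "read", True)
    first = gac.check(1001, "/usr/lib/libc.so", "read")    # full check, learned
    second = gac.check(1001, "/usr/lib/libm.so", "read")   # served from the table
    checks_before = gac.full_checks
    gac.add_rule(1001, "/usr/lib/secret.so", "read", False)  # flushes the table
    denied = gac.check(1001, "/usr/lib/secret.so", "read")   # re-evaluated
    return first, second, checks_before, denied, len(gac.table)
```

Without the flush in `add_rule`, the learned `/usr/lib/*` triplet would still match `/usr/lib/secret.so` and grant it before the new deny rule was ever evaluated.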

More information:

Setting Up GAC Rules